07-24-2011, 09:25 AM
"Anthony G. Basile"
 
Subject: SElinux tests

Hi Nick,

Thanks for the report, but would you be so kind as to open up bug
reports for each of the issues at https://bugs.gentoo.org/

--Tony

On 07/23/2011 04:46 PM, Nick Kossifidis wrote:
> Hello all and thanks a lot for your work on hardened gentoo ;-)
>
> Last time I tried setting up a default hardened gentoo + SElinux setup
> was in 2009 so I gave it a shot again a few weeks ago and it seems
> there are still some bugs that result in denials in avc logs etc.
> (sorry for the long mail :-( ):
>
> 1) For a start check out /lib/rc/sh/init.sh, in svcdir_restorecon() it
> tries to run /usr/sbin/selinuxenabled but in case /usr is on a
> different partition it won't work (and rc_svcdir will remain
> mis-labeled, resulting in extra avc denials) because it gets called
> before mount. It seems weird that packages like
> sys-apps/policycoreutils, sys-libs/libselinux etc. are located under
> /usr, after all they are linked with libraries under /lib not /usr/lib
> and are system tools, not user-related. In my case I solved this one
> by just checking if /sbin/restorecon exists (it's what udev-mount also
> does), I don't know if it's the correct solution but it works so far.
>
>
> 2) In order for restorecon to relabel rc_svcdir the following rule is needed:
> allow setfiles_t initrc_t:dir relabelto;
> or else I get this:
> avc: denied { relabelto } for pid=979 comm="restorecon" name="/"
> dev=tmpfs ino=2054 scontext=system_u:system_r:setfiles_t
> tcontext=system_u:object_r:initrc_t tclass=dir
>
>
> 3) Even with the correct labels I still got denials for rc operations
> on rc_svcdir:
> can't mount tmpfs under rc_svcdir...
> avc: denied { associate } for pid=979 comm="restorecon" name="/"
> dev=tmpfs ino=2054 scontext=system_u:object_r:initrc_t
> tcontext=system_u:object_r:tmpfs_t tclass=filesystem
> avc: denied { associate } for pid=13300 comm="rc" name="krunlevel"
> scontext=system_u:object_r:initrc_t tcontext=system_u:object_r:tmpfs_t
> tclass=filesystem
>
> and various other operations under rc_svcdir (removed duplicates)...
> avc: denied { write } for pid=980 comm="cp" name="/" dev=tmpfs
> ino=2054 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:initrc_t tclass=dir
> avc: denied { add_name } for pid=980 comm="cp" name="depconfig"
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:initrc_t tclass=dir
> avc: denied { create } for pid=980 comm="cp" name="depconfig"
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:initrc_t tclass=file
> avc: denied { setattr } for pid=980 comm="cp" name="depconfig"
> dev=tmpfs ino=2066 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:initrc_t tclass=file
> avc: denied { create } for pid=960 comm="rc" name="starting"
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:initrc_t tclass=dir
> avc: denied { remove_name } for pid=960 comm="rc"
> name="rc.stopping" dev=tmpfs ino=42
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:initrc_t tclass=dir
> avc: denied { unlink } for pid=2129 comm="rc" name="local"
> dev=tmpfs ino=4514 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:initrc_t tclass=file
> avc: denied { rmdir } for pid=1935 comm="rc" name="rc.starting"
> dev=tmpfs ino=3842 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:initrc_t tclass=dir
> avc: denied { unlink } for pid=13455 comm="rc" name="local"
> dev=tmpfs ino=4077 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:initrc_t tclass=lnk_file
>
> the following rules should fix that:
> allow initrc_t tmpfs_t:filesystem associate;
> allow initrc_t self:dir { write remove_name create add_name rmdir };
> allow initrc_t self:file { create unlink setattr };
> allow initrc_t self:lnk_file { create unlink };
>
>
> 4) More rc stuff under /tmp /var/lib /var/log /var/run...
> avc: denied { setattr } for pid=1538 comm="chmod" name="/" dev=sda5
> ino=2 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:tmp_t tclass=dir
> avc: denied { create } for pid=1550 comm="mkdir" name=".test.1403"
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:var_log_t tclass=dir
> avc: denied { rmdir } for pid=1551 comm="rmdir" name=".test.1403"
> dev=sda6 ino=210166 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:var_log_t tclass=dir
> avc: denied { add_name } for pid=1556 comm="runscript.sh"
> name="unicode" scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:lib_t tclass=dir
> avc: denied { create } for pid=1556 comm="runscript.sh"
> name="unicode" scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:lib_t tclass=file
> avc: denied { write } for pid=1556 comm="runscript.sh"
> name="unicode" dev=sda2 ino=80888 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:lib_t tclass=file
> avc: denied { write } for pid=1424 comm="rm" name="console"
> dev=sda2 ino=80915 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:lib_t tclass=dir
> avc: denied { remove_name } for pid=1424 comm="rm"
> name="default8x16.psfu.gz" dev=sda2 ino=80899
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t
> tclass=dir
> avc: denied { unlink } for pid=1424 comm="rm"
> name="default8x16.psfu.gz" dev=sda2 ino=80899
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t
> tclass=file
> avc: denied { create } for pid=1425 comm="mkdir" name=".test.1418"
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:var_run_t tclass=dir
> avc: denied { unlink } for pid=1534 comm="rm" name="syslog-ng.ctl"
> dev=sda6 ino=80809 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:devlog_t tclass=sock_file
>
> the following rules should be ok:
> allow initrc_t tmp_t:dir setattr;
> allow initrc_t lib_t:dir { write remove_name add_name };
> allow initrc_t lib_t:file { write create unlink };
> allow initrc_t var_log_t:dir { create rmdir };
> allow initrc_t var_run_t:dir create;
> allow initrc_t devlog_t:sock_file unlink;
>
>
> 5) Fuser-related (run by bootmisc and rc-mount.sh), I don't know why
> this runs under initrc_t but getattr is not a big deal I guess, I'm
> not sure however about the execmod:
> avc: denied { execmod } for pid=1433 comm="fuser" path="/bin/fuser"
> dev=sda2 ino=185930 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:bin_t tclass=file
> avc: denied { getattr } for pid=1492 comm="fuser"
> path="socket:[2273]" dev=sockfs ino=2273
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t
> tclass=unix_stream_socket
> avc: denied { getattr } for pid=1493 comm="fuser"
> path="socket:[2274]" dev=sockfs ino=2274
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t
> tclass=netlink_kobject_uevent_socket
> avc: denied { getattr } for pid=1526 comm="fuser"
> path="/sys/kernel/debug" dev=debugfs ino=1
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:debugfs_t tclass=dir
>
> the following rules hide this but I'm not sure if it's the correct
> approach, maybe we should modify bootmisc/rc-mount.sh:
> allow initrc_t bin_t:file execmod;
> allow initrc_t debugfs_t:dir getattr;
> allow initrc_t udev_t:netlink_kobject_uevent_socket getattr;
> allow initrc_t udev_t:unix_stream_socket getattr;
>
>
> 6) Udhcp-related (run by udhcpc-hook.sh and net), again I'm not sure
> what's the right thing to do here, I think the dhcp client shouldn't run
> under initrc_t:
> avc: denied { create } for pid=1844 comm="busybox"
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:system_r:initrc_t tclass=rawip_socket
> avc: denied { ioctl } for pid=1844 comm="busybox"
> path="socket:[33897]" dev=sockfs ino=33897
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:system_r:initrc_t tclass=rawip_socket
> avc: denied { name_bind } for pid=1844 comm="busybox" src=68
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:dhcpc_port_t tclass=udp_socket
> avc: denied { node_bind } for pid=1844 comm="busybox" src=68
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:node_t
> tclass=udp_socket
>
> the following rules clean it up:
> allow initrc_t self:rawip_socket { create ioctl };
> allow initrc_t dhcpc_port_t:udp_socket name_bind;
> allow initrc_t node_t:udp_socket node_bind;
>
> switching to dhclient instead results in these denials:
> avc: denied { name_bind } for pid=1825 comm="dhclient" src=65059
> scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:port_t
> tclass=udp_socket
> avc: denied { read write } for pid=1827 comm="ifconfig"
> path="socket:[3855]" dev=sockfs ino=3855
> scontext=system_u:system_r:ifconfig_t
> tcontext=system_u:system_r:dhcpc_t tclass=udp_socket
> avc: denied { read write } for pid=1845 comm="hostname"
> path="socket:[3767]" dev=sockfs ino=3767
> scontext=system_u:system_r:hostname_t
> tcontext=system_u:system_r:dhcpc_t tclass=udp_socket
>
> this runs under dhcpc_t so the first one seems ok and ifconfig /
> hostname are meant to tweak network settings (instead of initrc_t) so
> I stayed with dhclient and here are the rules to hide the above and
> get a working dhcp:
> allow dhcpc_t port_t:udp_socket name_bind;
> allow ifconfig_t dhcpc_t:udp_socket { read write };
> allow hostname_t dhcpc_t:udp_socket { read write };
>
>
> 7) Udev-related
> avc: denied { read } for pid=1056 comm="udevd" name="30" dev=tmpfs
> ino=2727 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file
> avc: denied { unlink } for pid=1309 comm="udevd" name="30"
> dev=tmpfs ino=2727 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file
> avc: denied { open } for pid=1309 comm="udevd" name="root"
> dev=tmpfs ino=2707 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { relabelto } for pid=1055 comm="udevd" name=".udev"
> dev=tmpfs ino=2077 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { search } for pid=1055 comm="udevd" name=".udev"
> dev=tmpfs ino=2077 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { write } for pid=1055 comm="udevd" name=".udev"
> dev=tmpfs ino=2077 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { add_name } for pid=1055 comm="udevd" name="queue.tmp"
> scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { remove_name } for pid=1055 comm="udevd"
> name="queue.tmp" dev=tmpfs ino=2231 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { getattr } for pid=1056 comm="udevd" path="/dev/.udev"
> dev=tmpfs ino=2077 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { create } for pid=1056 comm="udevd" name="data"
> scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { read } for pid=1089 comm="udevadm" name=".udev"
> dev=tmpfs ino=158 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { create } for pid=1103 comm="udevd" name="4"
> scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file
>
> these seem ok since they are marked as udev_tbl_t, so these rules should be ok:
> allow udev_t udev_tbl_t:dir { search read create write getattr
> relabelto remove_name open add_name };
> allow udev_t udev_tbl_t:lnk_file { read create unlink };
>
>
> 8) Cron-related, these come from logrotate.cron and makewhatis
> avc: denied { read } for pid=7385 comm="syslog-ng"
> path="pipe:[21161]" dev=pipefs ino=21161
> scontext=system_u:system_r:syslogd_t
> tcontext=system_u:system_r:crond_t tclass=fifo_file
> avc: denied { use } for pid=7385 comm="syslog-ng" path="/dev/null"
> dev=tmpfs ino=154 scontext=system_u:system_r:syslogd_t
> tcontext=system_u:system_r:logrotate_t tclass=fd
> avc: denied { create } for pid=11730 comm="mkdir"
> name="whatis.tmp.dir.11727"
> scontext=system_u:system_r:system_cronjob_t
> tcontext=system_u:object_r:tmp_t tclass=dir
> avc: denied { rmdir } for pid=11778 comm="rm"
> name="whatis.tmp.dir.11727" dev=sda5 ino=7825
> scontext=system_u:system_r:system_cronjob_t
> tcontext=system_u:object_r:tmp_t tclass=dir
>
> makewhatis looks ok since it works on tmp_t, and it seems ok I think
> for syslogd_t to have read access to cron's fifo_file, but I'm not sure
> about logrotate_t's file descriptor; anyway here are the rules for this:
> allow system_cronjob_t tmp_t:dir { create rmdir };
> allow syslogd_t crond_t:fifo_file read;
> allow syslogd_t logrotate_t:fd use;
>
>
> 9) Sendmail-related, these come from sendmail when trying to put mail
> on user's home folder
> avc: denied { append } for pid=5240 comm="sendmail"
> name="dead.letter" dev=sda2 ino=161795
> scontext=system_u:system_r:system_mail_t
> tcontext=root:object_r:user_home_t tclass=file
> avc: denied { open } for pid=5240 comm="sendmail"
> name="dead.letter" dev=sda2 ino=161795
> scontext=system_u:system_r:system_mail_t
> tcontext=root:object_r:user_home_t tclass=file
> avc: denied { getattr } for pid=5240 comm="sendmail"
> path="/root/dead.letter" dev=sda2 ino=161795
> scontext=system_u:system_r:system_mail_t
> tcontext=root:object_r:user_home_t tclass=file
>
> I think open, getattr and append are ok (no create/write) so these
> rules should do it:
> allow system_mail_t user_home_t:file { getattr open append };
>
>
> 10) Apache2 tries to open a tcp port to communicate with the client
> and this is what happens:
> avc: denied { name_connect } for pid=5279 comm="apache2" dest=18083
> ipaddr=x.x.x.x scontext=system_u:system_r:httpd_t
> tcontext=system_u:object_r:port_t tclass=tcp_socket
>
> the following should be ok:
> allow httpd_t port_t:tcp_socket name_connect;
>
>
> 11) Finally I get denials similar to this one from syslog:
> avc: denied { syslog } for pid=1948 comm="syslog-ng" capability=34
> scontext=system_u:system_r:syslogd_t
> tcontext=system_u:system_r:syslogd_t tclass=capability2
>
> and this rule should fix them:
> allow syslogd_t self:capability2 syslog;
>
> but I get an error when I try to load it using semodule -i...
>
>
> I also got a few more denials related to su and newrole and I'm trying
> to figure out if it's my mistake or bad policies, I'll let you know.
>
>
> Again thanks a lot for your work and if there is anything I can do to
> help let me know ;-)
>
>


--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
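The allow rules Nick lists under each point are what audit2allow derives from the denials above: one rule per (source type, target type, object class), permissions merged, and "self" when source and target type coincide. The script below is an added example, not code from the post, from Gentoo or from the SELinux userland; it does that derivation by hand on a handful of the denials from the report (re-joined onto single lines, since the mail wrapped them) and prints a loadable module skeleton with the require block that checkmodule insists on. The module name "local" is an assumption.

```python
"""audit2allow-style aggregation of SELinux AVC denials.

Added example for this thread; it is not code from the post, from Gentoo
or from the SELinux userland.  It parses raw "avc: denied" lines, merges
them by (source type, target type, object class) the way audit2allow
does, and renders a loadable policy module skeleton.  The sample lines
are denials copied from Nick's report and re-joined onto one line each
(the mail wrapped them); the module name "local" is an assumption.
"""
import re
from collections import defaultdict

# One denial record: the permission set, both security contexts and the
# object class.  Contexts are user:role:type[:mls]; only the type matters
# for a type-enforcement allow rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scon>\S+)"
    r".*?\btcontext=(?P<tcon>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)

# Constructed sample: denials from points 3, 6 and 11 of the report.
SAMPLE_LOG = """\
avc: denied { associate } for pid=979 comm="restorecon" name="/" dev=tmpfs ino=2054 scontext=system_u:object_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
avc: denied { write } for pid=980 comm="cp" name="/" dev=tmpfs ino=2054 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=dir
avc: denied { add_name } for pid=980 comm="cp" name="depconfig" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=dir
avc: denied { create } for pid=980 comm="cp" name="depconfig" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=file
avc: denied { setattr } for pid=980 comm="cp" name="depconfig" dev=tmpfs ino=2066 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=file
avc: denied { read write } for pid=1827 comm="ifconfig" path="socket:[3855]" dev=sockfs ino=3855 scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:dhcpc_t tclass=udp_socket
avc: denied { syslog } for pid=1948 comm="syslog-ng" capability=34 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability2
"""


def type_of(context):
    """Return the type field of a user:role:type[:mls] security context."""
    return context.split(":")[2]


def parse_denials(text):
    """Map (source_type, target_type, tclass) -> set of denied permissions.

    Lines that are not AVC denials are skipped, so a whole audit.log or
    dmesg dump can be fed in unchanged.
    """
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m.group("scon")), type_of(m.group("tcon")), m.group("tclass"))
        rules[key] |= set(m.group("perms").split())
    return dict(rules)


def allow_rule(stype, ttype, tclass, perms):
    """Render one allow rule; a target equal to the source becomes 'self'."""
    target = "self" if stype == ttype else ttype
    perms = sorted(perms)
    plist = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {target}:{tclass} {plist};"


def render_module(rules, name="local", version="1.0"):
    """Render a .te module: header, require block, then the allow rules.

    The require block must name every type and every class/permission
    the rules use, otherwise checkmodule rejects the module.
    """
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"    type {t};" for t in sorted(types)]
    lines += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += [allow_rule(s, t, c, p) for (s, t, c), p in sorted(rules.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_module(parse_denials(SAMPLE_LOG)), end="")
```

Save the output as local.te and build and load it with `checkmodule -M -m -o local.mod local.te`, `semodule_package -o local.pp -m local.mod` and `semodule -i local.pp`; semodule refuses a module whose require block names a type or class the installed base policy does not define, so a failing load is the first thing to check against the policy version on the box. Treat generated rules as a diagnosis rather than a fix: an allow rule silences the denial whether the cause was a mislabeled file (points 1 and 2 above), a program running in the wrong domain (points 5 and 6) or a real gap in the policy, and `allow initrc_t bin_t:file execmod` in particular permits modifying an executable mapping, which normally means the binary has text relocations that should be fixed rather than the policy loosened.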