Switching hardened amd64 to SELinux
Hi,
in the first place, I am a newbie on SELinux. I have installed a new machine using http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml . Everything was in order. But when I restart in "full function SELinux" in permissive mode, the following avc errors are in my log. I think I forgot to install something, or to turn something on. Errors from dmesg:

type=1400 audit(1329556527.347:3): avc: denied { read write } for pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99 scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t tclass=chr_file
type=1400 audit(1329556527.356:4): avc: denied { rlimitinh } for pid=1 comm="init" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329556527.365:5): avc: denied { siginh } for pid=1 comm="init" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329556527.374:6): avc: denied { noatsecure } for pid=1 comm="init" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329556527.385:7): avc: denied { getattr } for pid=1 comm="init" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t tclass=filesystem
type=1400 audit(1329556527.419:8): avc: denied { search } for pid=1 comm="init" name="var" dev="sda3" ino=260609 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=dir
type=1400 audit(1329556527.452:9): avc: denied { rlimitinh } for pid=615 comm="rc" scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=process
type=1400 audit(1329556527.463:10): avc: denied { siginh } for pid=615 comm="rc" scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=process
....
type=1400 audit(1329552931.276:64): avc: denied { rlimitinh } for pid=893 comm="pvscan" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:lvm_t tclass=process
type=1400 audit(1329552931.276:65): avc: denied { siginh } for pid=893 comm="pvscan" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:lvm_t tclass=process
type=1400 audit(1329552931.276:66): avc: denied { noatsecure } for pid=893 comm="pvscan" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:lvm_t tclass=process
type=1400 audit(1329552931.555:67): avc: denied { setattr } for pid=7 comm="kdevtmpfs" name="dm-0" dev="devtmpfs" ino=1365 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:device_t tclass=blk_file
type=1400 audit(1329552931.591:68): avc: denied { rlimitinh } for pid=908 comm="dmsetup" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:lvm_t tclass=process
type=1400 audit(1329552931.592:69): avc: denied { siginh } for pid=908 comm="dmsetup" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:lvm_t tclass=process
type=1400 audit(1329552931.592:70): avc: denied { noatsecure } for pid=908 comm="dmsetup" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:lvm_t tclass=process
type=1400 audit(1329552932.032:71): avc: denied { read } for pid=711 comm="udevd" name="15" dev="tmpfs" ino=1182 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file
type=1400 audit(1329552932.032:72): avc: denied { unlink } for pid=896 comm="udevd" name="15" dev="tmpfs" ino=1182 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file
type=1400 audit(1329552932.095:73): avc: denied { open } for pid=896 comm="udevd" name="diskx2fby-idx2fata-Maxtor_7Y250M0_Y652ABXE-part5" dev="tmpfs" ino=1173 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
....
type=1400 audit(1329552936.309:104): avc: denied { read } for pid=1297 comm="ip" name="console" dev="tmpfs" ino=308 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:console_device_t tclass=chr_file
type=1400 audit(1329552936.309:105): avc: denied { rlimitinh } for pid=1297 comm="ip" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:ifconfig_t tclass=process
type=1400 audit(1329552936.309:106): avc: denied { siginh } for pid=1297 comm="ip" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:ifconfig_t tclass=process
type=1400 audit(1329552936.309:107): avc: denied { noatsecure } for pid=1297 comm="ip" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:ifconfig_t tclass=process
....
type=1400 audit(1329552936.600:108): avc: denied { write } for pid=1394 comm="mount" name="/" dev="binfmt_misc" ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir
....
type=1400 audit(1329552937.232:109): avc: denied { use } for pid=1519 comm="dhcpcd" path="/dev/console" dev="tmpfs" ino=308 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:init_t tclass=fd
type=1400 audit(1329552937.232:110): avc: denied { read } for pid=1519 comm="dhcpcd" path="/dev/console" dev="tmpfs" ino=308 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:console_device_t tclass=chr_file
type=1400 audit(1329552937.232:111): avc: denied { rlimitinh } for pid=1519 comm="dhcpcd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:dhcpc_t tclass=process
type=1400 audit(1329552937.232:112): avc: denied { siginh } for pid=1519 comm="dhcpcd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:dhcpc_t tclass=process
type=1400 audit(1329552937.232:113): avc: denied { noatsecure } for pid=1519 comm="dhcpcd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:dhcpc_t tclass=process
....
type=1400 audit(1329552945.165:115): avc: denied { read write } for pid=1562 comm="hostname" path="socket:[2866]" dev="sockfs" ino=2866 scontext=system_u:system_r:hostname_t tcontext=system_u:system_r:dhcpc_t tclass=unix_stream_socket
type=1400 audit(1329552945.165:116): avc: denied { rlimitinh } for pid=1562 comm="hostname" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:hostname_t tclass=process
type=1400 audit(1329552945.165:117): avc: denied { siginh } for pid=1562 comm="hostname" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:hostname_t tclass=process
type=1400 audit(1329552945.165:118): avc: denied { noatsecure } for pid=1562 comm="hostname" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:hostname_t tclass=process
type=1400 audit(1329552945.221:119): avc: denied { execute } for pid=1571 comm="rc-service" name="rc" dev="sda3" ino=390958 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:rc_exec_t tclass=file
type=1400 audit(1329552945.221:120): avc: denied { read open } for pid=1571 comm="rc-service" name="rc" dev="sda3" ino=390958 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:rc_exec_t tclass=file
type=1400 audit(1329552945.221:121): avc: denied { execute_no_trans } for pid=1571 comm="rc-service" path="/sbin/rc" dev="sda3" ino=390958 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:rc_exec_t tclass=file
type=1400 audit(1329552945.225:122): avc: denied { getattr } for pid=1571 comm="rc" path="/etc/init.d/ntpd" dev="sda3" ino=765 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:initrc_exec_t tclass=file
type=1400 audit(1329552945.244:123): avc: denied { execute } for pid=1573 comm="rc" name="ntpd" dev="sda3" ino=765 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:initrc_exec_t tclass=file
type=1400 audit(1329552945.244:124): avc: denied { read open } for pid=1573 comm="rc" name="ntpd" dev="sda3" ino=765 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:initrc_exec_t tclass=file

Thanks
--
Tomas Dobrovolny
Switching hardened amd64 to SELinux
On Sat, Feb 18, 2012 at 11:13:36AM +0100, Tomáš Dobrovolný wrote:
> I have installed new machine using
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml .
> Everything was in order. But when I restart in "full function SELinux"
> in permissive mode in my log are following avc errors. I think, I forgot
> to install something, or turn on.
[...]

From the denials and your kernel configuration, I think you are using an initrd or initramfs system. Currently, we do not support SELinux when using initrd/initramfs because the suckers don't play well. There's an open bug on it, and I hope I can get us with a working initramfs soon.

But for the meantime, either drop the initramfs/initrd system, or boot in permissive mode and switch to enforcing during the boot-up (for instance through an init script in the boot runlevel).

Wkr,
Sven Vermeulen
Switching hardened amd64 to SELinux
On 19.2.2012 09:55, Sven Vermeulen wrote:
> On Sat, Feb 18, 2012 at 11:13:36AM +0100, Tomáš Dobrovolný wrote:
>> I have installed new machine using
>> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml .
>> Everything was in order. But when I restart in "full function SELinux"
>> in permissive mode in my log are following avc errors. I think, I forgot
>> to install something, or turn on.
> [...]
>
> From the denials and your kernel configuration, I think you are using an
> initrd or initramfs system. Currently, we do not support SELinux when using
> initrd/initramfs because the suckers don't play well. There's an open bug on
> it, and I hope I can get us with a working initramfs soon.
>
> But for the mean time, either drop the initramfs/initrd system, or boot in
> permissive mode and switch to enforcing during the boot-up (for instance
> through an init script in the boot runlevel).
>
> Wkr,
> Sven Vermeulen
>

I had the initrd/initramfs parts enabled in my kernel configuration, but I don't use them to boot my system. I will try to disable them completely and see.

Thanks
--
Tomas Dobrovolny
Switching hardened amd64 to SELinux
On Sun, Feb 19, 2012 at 10:07:26AM +0100, Tomáš Dobrovolný wrote:
> I have had enabled initrd/initramfs parts in my kernel configuration,
> but I don't use it to boot my system. I try to disable it completely and
> I will see.

In that case, your /dev/console is mislabeled, and you are currently running with dontaudits disabled (the many rlimitinh and other privilege attempts that are by default not audited by SELinux are shown), which might cause some confusion on the denials.

Relabel the system, also relabel your /dev when /dev isn't mounted (there's a part about setfiles in the SELinux installation instructions just for that) and enable dontaudits again (semodule -B).

Wkr,
Sven Vermeulen
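The distinction Sven draws above, between denials that are only visible because dontaudit rules are disabled and a genuinely mislabeled object such as /dev/console carrying root_t, can be scripted so the noise is counted rather than read. The following triage script is an added example, not code from the thread or from Gentoo's SELinux tooling. It parses AVC lines in the format quoted in the first message (the embedded sample lines are copied from that message) and sorts them into three buckets. Two things are assumptions rather than facts stated in the thread: that rlimitinh, siginh and noatsecure on the process class are the dontaudit-covered permissions Sven refers to, and that a file-like object typed root_t or file_t (the unlabeled type) is a relabel candidate rather than a policy gap. The bucket names are invented for the example.

```python
"""Triage SELinux AVC denials like the ones quoted in this thread.

Added example, not code from the thread or from Gentoo's SELinux tooling.
Assumptions:
  * the process permissions rlimitinh, siginh and noatsecure are the ones
    refpolicy dontaudits by default, so they only show up in the log while
    dontaudit rules are disabled (semodule -DB);
  * a file object whose type is root_t or file_t (the unlabeled type) is a
    relabel candidate rather than a policy problem.
"""
import re
from collections import Counter

# Sample lines copied from the first message of this thread.
SAMPLE_LOG = """\
type=1400 audit(1329556527.347:3): avc: denied { read write } for pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99 scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t tclass=chr_file
type=1400 audit(1329556527.356:4): avc: denied { rlimitinh } for pid=1 comm="init" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329556527.365:5): avc: denied { siginh } for pid=1 comm="init" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329556527.374:6): avc: denied { noatsecure } for pid=1 comm="init" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329556527.419:8): avc: denied { search } for pid=1 comm="init" name="var" dev="sda3" ino=260609 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=dir
type=1400 audit(1329552945.221:119): avc: denied { execute } for pid=1571 comm="rc-service" name="rc" dev="sda3" ino=390958 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:rc_exec_t tclass=file
"""

# 'avc: denied { perm perm } for key=value key="quoted value" ...'
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

DONTAUDIT_NOISE = {"rlimitinh", "siginh", "noatsecure"}  # assumption, see docstring
RELABEL_TYPES = {"root_t", "file_t"}                      # assumption, see docstring


def parse_avc(line):
    """Parse one AVC line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:range]; the type is what policy rules key on.
    rec["stype"] = rec.get("scontext", "::?").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "::?").split(":")[2]
    return rec


def classify(rec):
    """Bucket a parsed denial: dontaudit noise, relabel candidate, or real denial."""
    if rec.get("tclass") == "process" and set(rec["perms"]) <= DONTAUDIT_NOISE:
        return "dontaudit-noise"
    if rec.get("tclass") != "process" and rec["ttype"] in RELABEL_TYPES:
        return "mislabeled-object"
    return "policy-denial"


def triage(log_text):
    """Return (Counter of buckets, list of (bucket, comm, perms, target) tuples)."""
    counts = Counter()
    findings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        bucket = classify(rec)
        counts[bucket] += 1
        target = rec.get("path") or rec.get("name") or rec.get("capability", "?")
        findings.append((bucket, rec.get("comm", "?"), " ".join(rec["perms"]),
                         f"{target} [{rec['ttype']} {rec.get('tclass', '?')} ino={rec.get('ino', '-')}]"))
    return counts, findings


if __name__ == "__main__":
    counts, findings = triage(SAMPLE_LOG)
    # Show the lines worth acting on; the noise is only counted.
    for bucket, comm, perms, target in findings:
        if bucket != "dontaudit-noise":
            print(f"{bucket:18} {comm:12} {{ {perms} }} {target}")
    print("summary:", dict(counts))
```

Run against a real dmesg or audit.log the script leaves the dontaudit bucket as a count only, so that after `semodule -B` the remaining two buckets should be all that is left; the ino field carried in each finding is what lets the inode question in the later messages be answered from the log alone.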
Switching hardened amd64 to SELinux
On 19.2.2012 21:51, Sven Vermeulen wrote:
> On Sun, Feb 19, 2012 at 10:07:26AM +0100, Tomáš Dobrovolný wrote:
> In that case, your /dev/console is mislabeled, and you are currently running
> with dontaudits disabled (the many rlimitinh and other privilege attempts
> that are by default not audited by SELinux are shown), which might cause
> some confusion on the denials.
>
> Relabel the system, also relabel your /dev when /dev isn't mounted (there's
> a part about setfiles in the SELinux installation instructions just for
> that) and enable dontaudits again (semodule -B).
>
> Wkr,
> Sven Vermeulen
>

I think that /dev/console has the correct label (on --bind / /mnt/gentoo):

crw-------. 1 root root system_u:object_r:console_device_t 5, 1 Feb 20 01:34 /mnt/gentoo/dev/console

You are right, I had dontaudits disabled; I enabled them and the denials are fewer now. But for now I have one avc denial: the /etc/init.d/sysctl script cannot set kernel parameters, but calling sysctl -p directly can. The avc error is:

avc: denied { sys_admin } for pid=1860 comm="sysctl" capability=21 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=capabilty

and audit2allow -w said: Missing type enforcement (TE) allow rule.

Is this rule really missing in the base policy, or did I forget to emerge some policy module?

--
Thanks
Tomas Dobrovolny
Switching hardened amd64 to SELinux
On Mon, Feb 20, 2012 at 07:17:02AM +0100, Tomáš Dobrovolný wrote:
> I think, that /dev/console has correct label (on --bind / /mn/gentoo) -
>
> crw-------. 1 root root system_u:object_r:console_device_t 5, 1 Feb 20
> 01:34 /mnt/gentoo/dev/console

Weird, your previous denial logs showed the following:

type=1400 audit(1329556527.347:3): avc: denied { read write } for pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99 scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t tclass=chr_file

Either the mislabeling then was already solved, or the /dev on your root file system isn't the same as the one that init found back then. Can you check if /dev/console has inode 99?

> But for now I have one avc denials -- the /etc/init.d/sysctl cannot set
> kernel parameters, but direct calling of syctl -p can. avc error is:
> avc: denied { sys_admin } for pid=1860 comm="sysctl" capability=21
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
> tclass=capabilty

Hmm... for some reason, refpolicy has explicitly disabled the sys_admin capability for the initrc_t domain:

allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
allow initrc_t self:capability ~{ sys_admin sys_module };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this

I'll need to check the commit history to see if there was a particular reason why it is explicitly not set.

Wkr,
Sven Vermeulen
Switching hardened amd64 to SELinux
On 20.2.2012 18:22, Sven Vermeulen wrote:
> On Mon, Feb 20, 2012 at 07:17:02AM +0100, Tomáš Dobrovolný wrote:
>> I think, that /dev/console has correct label (on --bind / /mn/gentoo) -
>>
>> crw-------. 1 root root system_u:object_r:console_device_t 5, 1 Feb 20
>> 01:34 /mnt/gentoo/dev/console
> Weird, your previous denial logs showed the following:
>
> type=1400 audit(1329556527.347:3): avc: denied { read write } for
> pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t
> tclass=chr_file
>
> Either the mislabeling then was already solved, or the /dev on your root
> file system isn't the same as the one that init found back then. Can you
> check if /dev/console has inode 99?

On my root fs /dev/console has inode 260611. Inode 99 is /etc/init.d/udev, with system_u:object_r:initrc_exec_t.

I tried again to turn off dontaudit (semodule -DB) and reboot, and the errors are still the same (same place, same inodes, same files):

VFS: Mounted root (ext4 filesystem) readonly on device 8:3.
Freeing unused kernel memory: 416k freed
grsec: mount of proc to /proc by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper:0] uid/euid:0/0 gid/egid:0/0
grsec: unmount of proc by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper:0] uid/euid:0/0 gid/egid:0/0
grsec: mount of selinuxfs to /selinux by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper:0] uid/euid:0/0 gid/egid:0/0
type=1404 audit(1329775199.304:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
SELinux: 2048 avtab hash slots, 25193 rules.
SELinux: 2048 avtab hash slots, 25193 rules.
SELinux: 6 users, 6 roles, 1368 types, 80 bools
SELinux: 81 classes, 25193 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev devtmpfs, type devtmpfs), uses transition SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses transition SIDs
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev sda3, type ext4), uses xattr
type=1403 audit(1329775199.361:3): policy loaded auid=4294967295 ses=4294967295
type=1400 audit(1329775199.365:4): avc: denied { read write } for pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99 scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t tclass=chr_file
type=1400 audit(1329775199.374:5): avc: denied { read write } for pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99 scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t tclass=chr_file
type=1400 audit(1329775199.384:6): avc: denied { read write } for pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99 scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t tclass=chr_file
type=1400 audit(1329775199.393:7): avc: denied { rlimitinh } for pid=1 comm="init" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329775199.404:8): avc: denied { siginh } for pid=1 comm="init" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329775199.415:9): avc: denied { noatsecure } for pid=1 comm="init" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329775199.427:10): avc: denied { getattr } for pid=1 comm="init" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t tclass=filesystem

Is it correct that rootfs is mounted without seclabel? /proc/mounts:

rootfs / rootfs rw 0 0
/dev/root / ext4 rw,seclabel,relatime,user_xattr,acl,barrier=1,data=ordered 0 0

>> But for now I have one avc denials -- the /etc/init.d/sysctl cannot set
>> kernel parameters, but direct calling of syctl -p can. avc error is:
>> avc: denied { sys_admin } for pid=1860 comm="sysctl" capability=21
>> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
>> tclass=capabilty
> Hmm... for some reason, refpolicy has explicitly disabled the sys_admin
> capability for the initrc_t domain:
>
> allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
> allow initrc_t self:capability ~{ sys_admin sys_module };
> dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
>
> I'll need to check the commit history to see if there was a particular
> reason why it is explicitly not set.
>
> Wkr,
> Sven Vermeulen
>

Maybe allowing it to all init scripts is too strong. It would be better to allow it only for specialized scripts ... only one, /etc/init.d/sysctl ;-)

--
Thanks
Tomas Dobrovolny
Switching hardened amd64 to SELinux
On Mon, Feb 20, 2012 at 10:05:22PM +0100, Tomáš Dobrovolný wrote:
> Maybe to allow it to all init scripts is too strong. It will be better
> to allow it only for specialized scripts ... only one /etc/init.d/sysctl ;-)

There's little choice here. Either the script runs as initrc_t, or we transition when we call sysctl (to sysctl_t or so). Individual initrc_t domains (like sysctl_initrc_t) we don't support (yet).

Wkr,
Sven Vermeulen