Hi,

in the first place I am newbie on selinux.

I have installed new machine using
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml .
Everything was in order. But when I restart in "full function SELinux"
in permissive mode in my log are following avc errors. I think, I forgot
to install something, or turn on.

Errors from dmesg:
type=1400 audit(1329556527.347:3): avc: denied { read write } for
pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99
scontext=system_u:system_r:init_t tcontext=system_ubject_r:root_t
tclass=chr_file
type=1400 audit(1329556527.356:4): avc: denied { rlimitinh } for
pid=1 comm="init" scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329556527.365:5): avc: denied { siginh } for pid=1
comm="init" scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329556527.374:6): avc: denied { noatsecure } for
pid=1 comm="init" scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329556527.385:7): avc: denied { getattr } for pid=1
comm="init" name="/" dev="selinuxfs" ino=1
scontext=system_u:system_r:init_t tcontext=system_ubject_r:security_t
tclass=filesystem
type=1400 audit(1329556527.419:8): avc: denied { search } for pid=1
comm="init" name="var" dev="sda3" ino=260609
scontext=system_u:system_r:init_t tcontext=system_ubject_r:file_t
tclass=dir
type=1400 audit(1329556527.452:9): avc: denied { rlimitinh } for
pid=615 comm="rc" scontext=system_u:system_r:init_t
tcontext=system_u:system_r:initrc_t tclass=process
type=1400 audit(1329556527.463:10): avc: denied { siginh } for
pid=615 comm="rc" scontext=system_u:system_r:init_t
tcontext=system_u:system_r:initrc_t tclass=process

....

type=1400 audit(1329552931.276:64): avc: denied { rlimitinh } for
pid=893 comm="pvscan" scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:lvm_t tclass=process
type=1400 audit(1329552931.276:65): avc: denied { siginh } for
pid=893 comm="pvscan" scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:lvm_t tclass=process
type=1400 audit(1329552931.276:66): avc: denied { noatsecure } for
pid=893 comm="pvscan" scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:lvm_t tclass=process
type=1400 audit(1329552931.555:67): avc: denied { setattr } for pid=7
comm="kdevtmpfs" name="dm-0" dev="devtmpfs" ino=1365
scontext=system_u:system_r:kernel_t tcontext=system_ubject_r:device_t
tclass=blk_file
type=1400 audit(1329552931.591:68): avc: denied { rlimitinh } for
pid=908 comm="dmsetup" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:lvm_t tclass=process
type=1400 audit(1329552931.592:69): avc: denied { siginh } for
pid=908 comm="dmsetup" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:lvm_t tclass=process
type=1400 audit(1329552931.592:70): avc: denied { noatsecure } for
pid=908 comm="dmsetup" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:lvm_t tclass=process
type=1400 audit(1329552932.032:71): avc: denied { read } for pid=711
comm="udevd" name="15" dev="tmpfs" ino=1182
scontext=system_u:system_r:udev_t tcontext=system_ubject_r:udev_tbl_t
tclass=lnk_file
type=1400 audit(1329552932.032:72): avc: denied { unlink } for
pid=896 comm="udevd" name="15" dev="tmpfs" ino=1182
scontext=system_u:system_r:udev_t tcontext=system_ubject_r:udev_tbl_t
tclass=lnk_file
type=1400 audit(1329552932.095:73): avc: denied { open } for pid=896
comm="udevd" name="diskx2fby-idx2fata-Maxtor_7Y250M0_Y652ABXE-part5"
dev="tmpfs" ino=1173 scontext=system_u:system_r:udev_t
tcontext=system_ubject_r:udev_tbl_t tclass=dir

....

type=1400 audit(1329552936.309:104): avc: denied { read } for
pid=1297 comm="ip" name="console" dev="tmpfs" ino=308
scontext=system_u:system_r:ifconfig_t
tcontext=system_ubject_r:console_device_t tclass=chr_file
type=1400 audit(1329552936.309:105): avc: denied { rlimitinh } for
pid=1297 comm="ip" scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:ifconfig_t tclass=process
type=1400 audit(1329552936.309:106): avc: denied { siginh } for
pid=1297 comm="ip" scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:ifconfig_t tclass=process
type=1400 audit(1329552936.309:107): avc: denied { noatsecure } for
pid=1297 comm="ip" scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:ifconfig_t tclass=process

....

type=1400 audit(1329552936.600:108): avc: denied { write } for
pid=1394 comm="mount" name="/" dev="binfmt_misc" ino=1
scontext=system_u:system_r:mount_t
tcontext=system_ubject_r:binfmt_misc_fs_t tclass=dir

....

type=1400 audit(1329552937.232:109): avc: denied { use } for pid=1519
comm="dhcpcd" path="/dev/console" dev="tmpfs" ino=308
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:init_t
tclass=fd
type=1400 audit(1329552937.232:110): avc: denied { read } for
pid=1519 comm="dhcpcd" path="/dev/console" dev="tmpfs" ino=308
scontext=system_u:system_r:dhcpc_t
tcontext=system_ubject_r:console_device_t tclass=chr_file
type=1400 audit(1329552937.232:111): avc: denied { rlimitinh } for
pid=1519 comm="dhcpcd" scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:dhcpc_t tclass=process
type=1400 audit(1329552937.232:112): avc: denied { siginh } for
pid=1519 comm="dhcpcd" scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:dhcpc_t tclass=process
type=1400 audit(1329552937.232:113): avc: denied { noatsecure } for
pid=1519 comm="dhcpcd" scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:dhcpc_t tclass=process

....

type=1400 audit(1329552945.165:115): avc: denied { read write } for
pid=1562 comm="hostname" path="socket:[2866]" dev="sockfs" ino=2866
scontext=system_u:system_r:hostname_t tcontext=system_u:system_r:dhcpc_t
tclass=unix_stream_socket
type=1400 audit(1329552945.165:116): avc: denied { rlimitinh } for
pid=1562 comm="hostname" scontext=system_u:system_r:dhcpc_t
tcontext=system_u:system_r:hostname_t tclass=process
type=1400 audit(1329552945.165:117): avc: denied { siginh } for
pid=1562 comm="hostname" scontext=system_u:system_r:dhcpc_t
tcontext=system_u:system_r:hostname_t tclass=process
type=1400 audit(1329552945.165:118): avc: denied { noatsecure } for
pid=1562 comm="hostname" scontext=system_u:system_r:dhcpc_t
tcontext=system_u:system_r:hostname_t tclass=process
type=1400 audit(1329552945.221:119): avc: denied { execute } for
pid=1571 comm="rc-service" name="rc" dev="sda3" ino=390958
scontext=system_u:system_r:dhcpc_t tcontext=system_ubject_r:rc_exec_t
tclass=file
type=1400 audit(1329552945.221:120): avc: denied { read open } for
pid=1571 comm="rc-service" name="rc" dev="sda3" ino=390958
scontext=system_u:system_r:dhcpc_t tcontext=system_ubject_r:rc_exec_t
tclass=file
type=1400 audit(1329552945.221:121): avc: denied { execute_no_trans }
for pid=1571 comm="rc-service" path="/sbin/rc" dev="sda3" ino=390958
scontext=system_u:system_r:dhcpc_t tcontext=system_ubject_r:rc_exec_t
tclass=file
type=1400 audit(1329552945.225:122): avc: denied { getattr } for
pid=1571 comm="rc" path="/etc/init.d/ntpd" dev="sda3" ino=765
scontext=system_u:system_r:dhcpc_t
tcontext=system_ubject_r:initrc_exec_t tclass=file
type=1400 audit(1329552945.244:123): avc: denied { execute } for
pid=1573 comm="rc" name="ntpd" dev="sda3" ino=765
scontext=system_u:system_r:dhcpc_t
tcontext=system_ubject_r:initrc_exec_t tclass=file
type=1400 audit(1329552945.244:124): avc: denied { read open } for
pid=1573 comm="rc" name="ntpd" dev="sda3" ino=765
scontext=system_u:system_r:dhcpc_t
tcontext=system_ubject_r:initrc_exec_t tclass=file

Thanks
--
Tomas Dobrovolny

On Sat, Feb 18, 2012 at 11:13:36AM +0100, Tomáš Dobrovolný wrote:
> I have installed new machine using
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml .
> Everything was in order. But when I restart in "full function SELinux"
> in permissive mode in my log are following avc errors. I think, I forgot
> to install something, or turn on.
[...]

From the denials and your kernel configuration, I think you are using an
initrd or initramfs system. Currently, we do not support SELinux when using
initrd/initramfs because the suckers don't play well. There's an open bug on
it, and I hope I can get us with a working initramfs soon.

But for the mean time, either drop the initramfs/initrd system, or boot in
permissive mode and switch to enforcing during the boot-up (for instance
through an init script in the boot runlevel).

Wkr,
Sven Vermeulen

Dne 19.2.2012 09:55, Sven Vermeulen napsal(a):
> On Sat, Feb 18, 2012 at 11:13:36AM +0100, Tomáš Dobrovolný wrote:
>> I have installed new machine using
>> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml .
>> Everything was in order. But when I restart in "full function SELinux"
>> in permissive mode in my log are following avc errors. I think, I forgot
>> to install something, or turn on.
> [...]
>
> From the denials and your kernel configuration, I think you are using an
> initrd or initramfs system. Currently, we do not support SELinux when using
> initrd/initramfs because the suckers don't play well. There's an open bug on
> it, and I hope I can get us with a working initramfs soon.
>
> But for the mean time, either drop the initramfs/initrd system, or boot in
> permissive mode and switch to enforcing during the boot-up (for instance
> through an init script in the boot runlevel).
>
> Wkr,
> Sven Vermeulen
>
>

I have had enabled initrd/initramfs parts in my kernel configuration,
but I don't use it to boot my system. I try to disable it completely and
I will see.

Thanks
--
Tomas Dobrovolny

On Sun, Feb 19, 2012 at 10:07:26AM +0100, Tomáš Dobrovolný wrote:
> I have had enabled initrd/initramfs parts in my kernel configuration,
> but I don't use it to boot my system. I try to disable it completely and
> I will see.

In that case, your /dev/console is mislabeled, and you are currently running
with dontaudits disabled (the many rlimitinh and other privilege attempts
that are by default not audited by SELinux are shown), which might cause
some confusion on the denials.

Relabel the system, also relabel your /dev when /dev isn't mounted (there's
a part about setfiles in the SELinux installation instructions just for
that) and enable dontaudits again (semodule -B).

Wkr,
Sven Vermeulen

Dne 19.2.2012 21:51, Sven Vermeulen napsal(a):
> On Sun, Feb 19, 2012 at 10:07:26AM +0100, Tomáš Dobrovolný wrote:
> In that case, your /dev/console is mislabeled, and you are currently running
> with dontaudits disabled (the many rlimitinh and other privilege attempts
> that are by default not audited by SELinux are shown), which might cause
> some confusion on the denials.
>
> Relabel the system, also relabel your /dev when /dev isn't mounted (there's
> a part about setfiles in the SELinux installation instructions just for
> that) and enable dontaudits again (semodule -B).
>
> Wkr,
> Sven Vermeulen
>
I think, that /dev/console has correct label (on --bind / /mn/gentoo) -

crw-------. 1 root root system_ubject_r:console_device_t 5, 1 Feb 20
01:34 /mnt/gentoo/dev/console

You are right, I have had dontaudits disabled, I enable it and denials
more then less.

But for now I have one avc denials -- the /etc/init.d/sysctl cannot set
kernel parameters, but direct calling of syctl -p can. avc error is:
avc: denied { sys_admin } for pid=1860 comm="sysctl" capability=21
scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
tclass=capabilty

and audit2allow -w said: Missing type enforcement (TE) allow rule.

Is this rule really missing in base policy, or I forgot to emerge some
policy module.

--

Thanks
Tomas Dobrovolny

On Mon, Feb 20, 2012 at 07:17:02AM +0100, Tomáš Dobrovolný wrote:
> I think, that /dev/console has correct label (on --bind / /mn/gentoo) -
>
> crw-------. 1 root root system_ubject_r:console_device_t 5, 1 Feb 20
> 01:34 /mnt/gentoo/dev/console

Weird, your previous denial logs showed the following:

type=1400 audit(1329556527.347:3): avc: denied { read write } for
pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99
scontext=system_u:system_r:init_t tcontext=system_ubject_r:root_t
tclass=chr_file

Either the mislabeling then was already solved, or the /dev on your root
file system isn't the same as the one that init found back then. Can you
check if /dev/console has inode 99?

> But for now I have one avc denials -- the /etc/init.d/sysctl cannot set
> kernel parameters, but direct calling of syctl -p can. avc error is:
> avc: denied { sys_admin } for pid=1860 comm="sysctl" capability=21
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
> tclass=capabilty

Hmm... for some reason, refpolicy has explicitly disabled the sys_admin
capability for the initrc_t domain:

allow initrc_t selfrocess { getpgid setsched setpgid setrlimit getsched };
allow initrc_t self:capability ~{ sys_admin sys_module };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this

I'll need to check the commit history to see if there was a particular
reason why it is explicitly not set.

Wkr,
Sven Vermeulen

Dne 20.2.2012 18:22, Sven Vermeulen napsal(a):
> On Mon, Feb 20, 2012 at 07:17:02AM +0100, Tomáš Dobrovolný wrote:
>> I think, that /dev/console has correct label (on --bind / /mn/gentoo) -
>>
>> crw-------. 1 root root system_ubject_r:console_device_t 5, 1 Feb 20
>> 01:34 /mnt/gentoo/dev/console
> Weird, your previous denial logs showed the following:
>
> type=1400 audit(1329556527.347:3): avc: denied { read write } for
> pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99
> scontext=system_u:system_r:init_t tcontext=system_ubject_r:root_t
> tclass=chr_file
>
> Either the mislabeling then was already solved, or the /dev on your root
> file system isn't the same as the one that init found back then. Can you
> check if /dev/console has inode 99?
On my root fs /dev/console has inode 260611.

Inode 99 is /etc/init.d/udev. with system_ubject_r:initrc_exec_t

I try again turn off dontaudit semodule -DB, reboot and the errors are
still the same (same place, same inodes, same files):

VFS: Mounted root (ext4 filesystem) readonly on device 8:3.
Freeing unused kernel memory: 416k freed
grsec: mount of proc to /proc by /sbin/init[init:1] uid/euid:0/0
gid/egid:0/0, parent /[swapper:0] uid/euid:0/0 gid/egid:0/0
grsec: unmount of proc by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0,
parent /[swapper:0] uid/euid:0/0 gid/egid:0/0
grsec: mount of selinuxfs to /selinux by /sbin/init[init:1] uid/euid:0/0
gid/egid:0/0, parent /[swapper:0] uid/euid:0/0 gid/egid:0/0
type=1404 audit(1329775199.304:2): enforcing=1 old_enforcing=0
auid=4294967295 ses=4294967295
SELinux: 2048 avtab hash slots, 25193 rules.
SELinux: 2048 avtab hash slots, 25193 rules.
SELinux: 6 users, 6 roles, 1368 types, 80 bools
SELinux: 81 classes, 25193 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev devtmpfs, type devtmpfs), uses transition SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses
genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses transition SIDs
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev sda3, type ext4), uses xattr
type=1403 audit(1329775199.361:3): policy loaded auid=4294967295
ses=4294967295
type=1400 audit(1329775199.365:4): avc: denied { read write } for
pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99
scontext=system_u:system_r:init_t tcontext=system_ubject_r:root_t
tclass=chr_file
type=1400 audit(1329775199.374:5): avc: denied { read write } for
pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99
scontext=system_u:system_r:init_t tcontext=system_ubject_r:root_t
tclass=chr_file
type=1400 audit(1329775199.384:6): avc: denied { read write } for
pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99
scontext=system_u:system_r:init_t tcontext=system_ubject_r:root_t
tclass=chr_file
type=1400 audit(1329775199.393:7): avc: denied { rlimitinh } for
pid=1 comm="init" scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329775199.404:8): avc: denied { siginh } for pid=1
comm="init" scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329775199.415:9): avc: denied { noatsecure } for
pid=1 comm="init" scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329775199.427:10): avc: denied { getattr } for pid=1
comm="init" name="/" dev="selinuxfs" ino=1
scontext=system_u:system_r:init_t tcontext=system_ubject_r:security_t
tclass=filesystem


Is it correct, that rootfs is mounted without seclabel?

/proc/mounts:
rootfs / rootfs rw 0 0
/dev/root / ext4
rw,seclabel,relatime,user_xattr,acl,barrier=1,data =ordered 0 0

>> But for now I have one avc denials -- the /etc/init.d/sysctl cannot set
>> kernel parameters, but direct calling of syctl -p can. avc error is:
>> avc: denied { sys_admin } for pid=1860 comm="sysctl" capability=21
>> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
>> tclass=capabilty
> Hmm... for some reason, refpolicy has explicitly disabled the sys_admin
> capability for the initrc_t domain:
>
> allow initrc_t selfrocess { getpgid setsched setpgid setrlimit getsched };
> allow initrc_t self:capability ~{ sys_admin sys_module };
> dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
>
> I'll need to check the commit history to see if there was a particular
> reason why it is explicitly not set.
>
> Wkr,
> Sven Vermeulen
>

Maybe to allow it to all init scripts is too strong. It will be better
to allow it only for specialized scripts ... only one /etc/init.d/sysctl ;-)

--
Thanks
Tomas Dobrovolny

On Mon, Feb 20, 2012 at 10:05:22PM +0100, Tomáš Dobrovolný wrote:
> Maybe to allow it to all init scripts is too strong. It will be better
> to allow it only for specialized scripts ... only one /etc/init.d/sysctl ;-)

There's little choice here. Either the script runs as initrc_t, or we
transition when we call sysctl (to sysctl_t or so). Individual initrc_t
domains (like sysctl_initrc_t) we don't support (yet).

Wkr,
Sven Vermeulen