Linux Archive

Source: http://www.linux-archive.org/gentoo-hardened/685899-selinux-novice.html (Linux Archive, Gentoo Hardened)

Ivan Gooten 07-21-2012 01:51 PM

selinux novice
 
hello,

I have just installed selinux on my gentoo box, and am getting difficulties in permissive mode. If someone can have a look at this and point me somewhere...

Emerge doesn't work if I run it from a terminal in X11 - it call traces, can't merge anything. In dmesg I can find:


----------------
type=1400 audit(1342877962.365:424): avc:  denied  { read write } for  pid=15719 comm="sh" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:devpts_t tclass=chr_file

type=1400 audit(1342877962.367:425): avc:  denied  { search } for  pid=15719 comm="sh" name="ivan" dev="dm-3" ino=20709377 scontext=system_u:system_r:portage_fetch_t tcontext=staff_u:object_r:user_home_dir_t tclass=dir

type=1400 audit(1342877962.394:426): avc:  denied  { search } for  pid=15720 comm="id" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:sysfs_t tclass=dir

type=1400 audit(1342878036.496:428): avc:  denied  { read write } for  pid=15894 comm="emerge" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file

type=1400 audit(1342878036.500:429): avc:  denied  { ioctl } for  pid=15894 comm="emerge" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file

type=1400 audit(1342878036.505:430): avc:  denied  { getattr } for  pid=15894 comm="emerge" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file

type=1400 audit(1342878083.667:431): avc:  denied  { read write } for  pid=16890 comm="sh" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:devpts_t tclass=chr_file

type=1400 audit(1342878083.671:432): avc:  denied  { search } for  pid=16892 comm="id" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:sysfs_t tclass=dir

----------------
I'm running xdm - gdm3 to be more accurate - and as a normal user in a terminal I switch to root and then do newrole -t sysadm_t - after that I'm trying to emerge something.
Of course from the raw console, a.k.a. non-X env, emerging works.


Additional info:
----------------
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Max kernel policy version:      26
----------------

# id -Z   (after switching to root and running newrole)
system_u:system_r:sysadm_t
----------------
all installed sec-policy packages are from hardened-devel overlay = 2.20120215-r14
----------------
I did rlpkg -a -r so many times.. :-)


thanks in advance

Ivan Gooten

Hinnerk van Bruinehsen 07-21-2012 02:01 PM

selinux novice
 

On 21.07.2012 15:51, Ivan Gooten wrote:
> hello,
>
> I have just installed selinux on my gentoo box, and getting
> difficulties in permissive mode. If someone can have a look at this
> and point me somewhere...
>
> Emerge doesn't work If i run it from terminal in X11 - it call
> traces, cant merge anything. In dmesg I can find:
>
> ---------------- type=1400 audit(1342877962.365:424): avc: denied
> { read write } for pid=15719 comm="sh" name="1" dev="devpts" ino=4
> scontext=system_u:system_r:portage_fetch_t
> tcontext=system_u:object_r:devpts_t tclass=chr_file type=1400
> audit(1342877962.367:425): avc: denied { search } for pid=15719
> comm="sh" name="ivan" dev="dm-3" ino=20709377
> scontext=system_u:system_r:portage_fetch_t
> tcontext=staff_u:object_r:user_home_dir_t tclass=dir type=1400
> audit(1342877962.394:426): avc: denied { search } for pid=15720
> comm="id" name="/" dev="sysfs" ino=1
> scontext=system_u:system_r:portage_fetch_t
> tcontext=system_u:object_r:sysfs_t tclass=dir type=1400
> audit(1342878036.496:428): avc: denied { read write } for
> pid=15894 comm="emerge" name="1" dev="devpts" ino=4
> scontext=system_u:system_r:portage_t
> tcontext=system_u:object_r:devpts_t tclass=chr_file type=1400
> audit(1342878036.500:429): avc: denied { ioctl } for pid=15894
> comm="emerge" path="/dev/pts/1" dev="devpts" ino=4
> scontext=system_u:system_r:portage_t
> tcontext=system_u:object_r:devpts_t tclass=chr_file type=1400
> audit(1342878036.505:430): avc: denied { getattr } for pid=15894
> comm="emerge" path="/dev/pts/1" dev="devpts" ino=4
> scontext=system_u:system_r:portage_t
> tcontext=system_u:object_r:devpts_t tclass=chr_file type=1400
> audit(1342878083.667:431): avc: denied { read write } for
> pid=16890 comm="sh" name="1" dev="devpts" ino=4
> scontext=system_u:system_r:portage_fetch_t
> tcontext=system_u:object_r:devpts_t tclass=chr_file type=1400
> audit(1342878083.671:432): avc: denied { search } for pid=16892
> comm="id" name="/" dev="sysfs" ino=1
> scontext=system_u:system_r:portage_fetch_t
> tcontext=system_u:object_r:sysfs_t tclass=dir ---------------- I'm
> running xdm - gdm3 to be more accurate - and as normal user in
> terminal I switch to root and then do newrole -t sysadm_t - after
> that I'm trying to emerge something. Ofcourse from raw console
> a.k.a. non X env, emerging works.
>
> Additional info: ---------------- # sestatus SELinux status:
> enabled SELinuxfs mount: /sys/fs/selinux SELinux
> root directory: /etc/selinux Loaded policy name:
> targeted Current mode: permissive Mode from
> config file: permissive Policy MLS status:
> disabled Policy deny_unknown status: denied Max kernel policy
> version: 26 ---------------- # id -Z // after switching to
> root and changing newrole system_u:system_r:sysadm_t
> ---------------- all installed sec-policy packages are from
> hardened-devel overlay = 2.20120215-r14 ---------------- I did
> rlpkg -a -r so many times.. :-)
>
> thanks in advance
>
> Ivan Gooten
>

Hi,

the first few things I notice are that it's "newrole -r sysadm_r" -
"newrole -t" just switches the type.
You shouldn't be in system_u, either, but in staff_u.
Since you are using a targeted policy you actually would have more
rights if you removed the selinux user mapping for your user altogether,
because you would be in "unconfined_r:unconfined_t", which means that
there aren't really any restrictions for your user except those stated
explicitly.

WKR

Hinnerk


Sven Vermeulen 07-21-2012 05:14 PM

selinux novice
 
On Sat, Jul 21, 2012 at 03:51:52PM +0200, Ivan Gooten wrote:
> I have just installed selinux on my gentoo box, and getting difficulties in
> permissive mode. If someone can have a look at this and point me
> somewhere...
>
> Emerge doesn't work If i run it from terminal in X11 - it call traces,
> cant merge anything. In dmesg I can find:
>
> ----------------
> type=1400 audit(1342877962.365:424): avc: denied { read write } for
> pid=15719 comm="sh" name="1" dev="devpts" ino=4
> scontext=system_u:system_r:portage_fetch_t
> tcontext=system_u:object_r:devpts_t tclass=chr_file

Looking at this first message already shows something weird: it says that
the source context is "system_u:system_r:portage_fetch_t", whereas this
should be either "staff_u:sysadm_r:portage_fetch_t" or
"root:sysadm_r:portage_fetch_t".

[...]
> I switch to root and then do newrole -t sysadm_t - after that I'm trying to
> emerge something.
> Ofcourse from raw console a.k.a. non X env, emerging works.
[...]
> # id -Z // after switching to root and changing newrole
> system_u:system_r:sysadm_t

It looks like there is no proper transitioning after logon.

First, make sure you ran "dispatch-conf" or "etc-update" to make sure
changes are made to your PAM configuration files.

Next, for the graphical logon (including GDM), you might need to manually
update to add in pam_selinux.so (see
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=2#doc_chap5_sect3)

Make sure that, when logged on, your "id -Z" shows you as being staff_u (or
user_u, but then you won't be able to administer the system), or if you log
on as root, probably the "root" SELinux user.

Only then can we go further. And as already mentioned, it's "newrole -r
sysadm_r" as we need to change our (operational) role towards the system
administration role.

Wkr,
Sven Vermeulen
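The denials in the first post are easier to reason about once they are parsed into fields and grouped, and the anomaly Sven points to (a source context carrying the system_u SELinux user where an interactive admin session should carry staff_u or root) can then be checked mechanically. The following is an added example written for this page, not code from the thread or from Gentoo; the sample lines are the denials Ivan posted, the expected-user set is taken from Sven's reply, and the field layout is the standard kernel AVC audit line format.

```python
"""Parse type=1400 AVC denials, summarise them per (source type, target type,
class) and flag source contexts whose SELinux user is not one an interactive
admin session should have.  Added example; not part of the thread."""
import re
from collections import defaultdict

# Sample input: the denials copied from the first post in the thread.
SAMPLE_DENIALS = """\
type=1400 audit(1342877962.365:424): avc:  denied  { read write } for  pid=15719 comm="sh" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342877962.367:425): avc:  denied  { search } for  pid=15719 comm="sh" name="ivan" dev="dm-3" ino=20709377 scontext=system_u:system_r:portage_fetch_t tcontext=staff_u:object_r:user_home_dir_t tclass=dir
type=1400 audit(1342877962.394:426): avc:  denied  { search } for  pid=15720 comm="id" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:sysfs_t tclass=dir
type=1400 audit(1342878036.496:428): avc:  denied  { read write } for  pid=15894 comm="emerge" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342878036.500:429): avc:  denied  { ioctl } for  pid=15894 comm="emerge" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342878036.505:430): avc:  denied  { getattr } for  pid=15894 comm="emerge" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342878083.667:431): avc:  denied  { read write } for  pid=16890 comm="sh" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342878083.671:432): avc:  denied  { search } for  pid=16892 comm="id" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:sysfs_t tclass=dir
"""

# "avc:  denied  { perms } for  key=val ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*?)\s*scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)')
# key=value pairs; values may be double-quoted (comm="sh", path="/dev/pts/1")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """'user:role:type[:range]' -> (user, role, type)."""
    parts = ctx.split(':')
    return parts[0], parts[1], parts[2]


def parse_avc(line):
    """One audit line -> dict, or None when the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec.update(result=m.group('result'),
               perms=set(m.group('perms').split()),
               scontext=m.group('scontext'),
               tcontext=m.group('tcontext'),
               tclass=m.group('tclass'))
    return rec


def parse_all(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def summarize(records):
    """Group by (source type, target type, class) and merge permission sets,
    which is the granularity at which a policy rule would be written."""
    groups = defaultdict(set)
    for r in records:
        key = (split_context(r['scontext'])[2],
               split_context(r['tcontext'])[2], r['tclass'])
        groups[key] |= r['perms']
    return dict(groups)


def unexpected_selinux_users(records, expected=('staff_u', 'root')):
    """Source contexts whose SELinux user (first field) is not in `expected`.
    A process started from an interactive admin session should inherit the
    login's SELinux user; system_u here means the login never transitioned."""
    return sorted({r['scontext'] for r in records
                   if split_context(r['scontext'])[0] not in expected})


if __name__ == '__main__':
    recs = parse_all(SAMPLE_DENIALS)
    for key, perms in sorted(summarize(recs).items()):
        print('%-16s -> %-18s %-9s %s' % (key[0], key[1], key[2],
                                          ' '.join(sorted(perms))))
    for ctx in unexpected_selinux_users(recs):
        print('unexpected SELinux user in source context:', ctx)
```

Feeding it the lines from `dmesg` or `ausearch -m avc` instead of the embedded sample gives the same two views: the merged permission sets per type pair show what a local policy module would have to allow if the denials were legitimate, and the user check separates "policy is missing a rule" from "my session started in the wrong context", which is the distinction Sven draws before any policy change is worth attempting.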

Ivan Gooten 07-22-2012 11:55 AM

selinux novice
 
On Sat, Jul 21, 2012 at 7:14 PM, Sven Vermeulen <swift@gentoo.org> wrote:
> On Sat, Jul 21, 2012 at 03:51:52PM +0200, Ivan Gooten wrote:
> > I have just installed selinux on my gentoo box, and getting difficulties in
> > permissive mode. If someone can have a look at this and point me
> > somewhere...
> >
> > Emerge doesn't work If i run it from terminal in X11 - it call traces,
> > cant merge anything. In dmesg I can find:
> >
> > ----------------
> > type=1400 audit(1342877962.365:424): avc:  denied  { read write } for
> > pid=15719 comm="sh" name="1" dev="devpts" ino=4
> > scontext=system_u:system_r:portage_fetch_t
> > tcontext=system_u:object_r:devpts_t tclass=chr_file
>
> Looking at this first message already shows something weird: it says that
> the source context is "system_u:system_r:portage_fetch_t", whereas this
> should be either "staff_u:sysadm_r:portage_fetch_t" or
> "root:sysadm_r:portage_fetch_t".
>
> [...]
> > I switch to root and then do newrole -t sysadm_t - after that I'm trying to
> > emerge something.
> > Ofcourse from raw console a.k.a. non X env, emerging works.
> [...]
> > # id -Z // after switching to root and changing newrole
> > system_u:system_r:sysadm_t
>
> It looks like there is no proper transitioning after logon.
>
> First, make sure you ran "dispatch-conf" or "etc-update" to make sure
> changes are made to your PAM configuration files.
>
> Next, for the graphical logon (including GDM), you might need to manually
> update to add in pam_selinux.so (see
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=2#doc_chap5_sect3)
>
> Make sure that, when logged on, your "id -Z" shows you as being staff_u (or
> user_u, but then you won't be able to administer the system), or if you log
> on as root, probably the "root" SELinux user.
Thank you all for your replies :-)

So after messing with semanage/pam I have:
--------------------
# semanage login -l

Login Name                SELinux User

__default__               user_u
root                      root
system_u                  system_u
ivan                      staff_u
--------------------


which results in a console context for user root like "root:sysadm_r:sysadm_t",
whereas in an X11 terminal (after switching from user ivan to root by su -) -> "staff_u:staff_r:staff_t".
I understand that in an X11 term I'll have to "newrole -r sysadm_r" for root every time I want to administrate the system?

And what about the difference in context between root (root:...) logged in from the console and root (staff_u:...) logged in via an X11 terminal - is that wrong?

Ivan

> Only then can we go further. And as already mentioned, it's "newrole -r
> sysadm_r" as we need to change our (operational) role towards the system
> administration role.
>
> Wkr,
> Sven Vermeulen

Sven Vermeulen 07-22-2012 04:07 PM

selinux novice
 
On Sun, Jul 22, 2012 at 01:55:08PM +0200, Ivan Gooten wrote:
[...]
> which results in console for user root context like
> "root:sysadm_r:sysadm_t",

That's good.

> whereas in X11 terminal, (after switching from ivan user to root by su -)
> -> "staff_u:staff_r:staff_t".

That's almost good ;-)

> I understand that in X11 term I'll have to "newrole -r sysadm_r" for root
> everytime, when I will want to administrate the system?

Yes, you need to switch roles (first switch roles, then use su(do)) every
time you need to do administrative changes (or queries) on the system. The
staff_r role is for regular operations (user) whereas sysadm_r is for system
administration.

> And what about the context's difference between root (root:...) logged from
> console and root (staff_u:...) logged via x11 terminal - is that wrong?

No, that's not wrong. If you log on directly as root, then your SELinux user
(the first part in the context) is "root". If you log on as someone else,
you get that SELinux user (such as "staff_u") which remains throughout your
session (SELinux users don't change, even when you do "su").

Wkr,
Sven Vermeulen
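The last two replies describe how the pieces fit: `semanage login -l` maps a Linux login to a SELinux user (falling back to `__default__`), that SELinux user is fixed for the whole session and survives `su`, `newrole -r` changes the role (and with it the type) while `newrole -t` only changes the type, and administration needs the sysadm_r role. The following added example, written for this page and not taken from the thread or from any SELinux tool, encodes those rules so that a context printed by `id -Z` can be classified against them. The default role/type per SELinux user and per role is an assumption based on the refpolicy defaults the thread shows (staff_u gives staff_r:staff_t, root gives sysadm_r:sysadm_t); the user_u line is assumed by analogy, and the `semanage login -a -s` remedy in the advice text is the standard semanage syntax, not something the thread spells out.

```python
"""Model of the login -> SELinux user -> role/type rules discussed in the
thread, plus a classifier for 'id -Z' output.  Added example, not code from
the thread.  Role/type defaults below are assumptions (refpolicy conventions)."""

# Sample input: the 'semanage login -l' output Ivan posted.
SEMANAGE_LOGIN_L = """\
Login Name                SELinux User

__default__               user_u
root                      root
system_u                  system_u
ivan                      staff_u
"""

# Assumed default role:type a login lands in, per SELinux user.
DEFAULT_ROLE_TYPE = {
    'staff_u': ('staff_r', 'staff_t'),
    'root': ('sysadm_r', 'sysadm_t'),
    'user_u': ('user_r', 'user_t'),
}
# Assumed default type entered when switching to a role with 'newrole -r'.
ROLE_DEFAULT_TYPE = {'staff_r': 'staff_t', 'sysadm_r': 'sysadm_t', 'user_r': 'user_t'}


def parse_login_map(text):
    """'semanage login -l' output -> {login: selinux_user}; header and blank lines skipped."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            mapping[parts[0]] = parts[1]
    return mapping


def selinux_user_for(login, login_map):
    """Exact login entry first, otherwise the __default__ entry."""
    return login_map.get(login, login_map.get('__default__'))


def login_context(login, login_map):
    """Context a fresh login for `login` should get if the PAM transition works."""
    user = selinux_user_for(login, login_map)
    role, type_ = DEFAULT_ROLE_TYPE[user]
    return '%s:%s:%s' % (user, role, type_)


def newrole(ctx, role=None, type_=None):
    """Model of 'newrole -r ROLE' / 'newrole -t TYPE': the SELinux user never
    changes; -r switches the role and drops into that role's default type,
    -t changes only the type.  su is not modelled because it changes nothing
    in the context (only the Linux uid)."""
    user, cur_role, cur_type = ctx.split(':')[:3]
    if role:
        cur_role, cur_type = role, ROLE_DEFAULT_TYPE[role]
    if type_:
        cur_type = type_
    return '%s:%s:%s' % (user, cur_role, cur_type)


def classify(id_z):
    """(status, advice) for a context as printed by 'id -Z'."""
    user, role, _type = id_z.strip().split(':')[:3]
    if user == 'system_u':
        return ('broken-login',
                'session still carries system_u: the login path did not transition; '
                'run dispatch-conf/etc-update and check pam_selinux.so in the PAM stack')
    if user == 'user_u':
        return ('unprivileged',
                'user_u cannot reach sysadm_r; map the login to staff_u: '
                'semanage login -a -s staff_u <login>')
    if role == 'sysadm_r':
        return ('admin', 'ok')
    if user in ('staff_u', 'root'):
        return ('needs-newrole', 'run: newrole -r sysadm_r (then su/sudo)')
    return ('unknown', 'unrecognised SELinux user %s' % user)


if __name__ == '__main__':
    lm = parse_login_map(SEMANAGE_LOGIN_L)
    for login in ('root', 'ivan', 'someone-else'):
        print('%-13s -> %s' % (login, login_context(login, lm)))
    x11 = login_context('ivan', lm)                 # staff_u:staff_r:staff_t
    print('after newrole -r sysadm_r:', newrole(x11, role='sysadm_r'))
    for ctx in ('system_u:system_r:sysadm_t', x11, 'root:sysadm_r:sysadm_t'):
        print('%-28s %s: %s' % (ctx, *classify(ctx)))
```

Two things the model makes visible: `newrole -t sysadm_t` applied to a session that never left system_r reproduces exactly the `system_u:system_r:sysadm_t` Ivan first posted, and a login not listed in the mapping (`someone-else` above) silently becomes user_u through `__default__`, which is why the thread insists on checking `id -Z` before touching policy.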

Ivan Gooten 07-27-2012 09:59 AM

selinux novice
 
ok so now I get it a bit, anyway selinux is still misconfigured here.
I've created a pastebin with my current denials, if you could look at it:
http://pastebin.com/uNRcaeUT


and semodule -l prints out:
------
alsa              1.11.0
application       1.2.0
arpwatch          1.10.0
authlogin         2.3.0
automount         1.13.0
bootloader        1.13.0
cgroup            1.1.0
clock             1.6.0
consolekit        1.8.0
consoletype       1.10.0
courier           1.12.0
cpufreqselector   1.3.0
cron              2.4.0
daemontools       1.2.0
dbus              1.16.0
dhcp              1.9.0
dmesg             1.3.0
dnsmasq           1.9.0
fstools           1.15.0
getty             1.9.0
gnome             2.2.0
gpg               2.5.0
gpm               1.8.0
hostname          1.7.0
hotplug           1.15.0
init              1.18.0
iptables          1.13.0
java              2.5.0
libraries         2.8.0
locallogin        1.11.0
logging           1.18.0
logrotate         1.14.0
lvm               1.13.0
miscfiles         1.9.0
modutils          1.12.0
mono              1.8.0
mount             1.14.0
mozilla           2.5.0
mplayer           2.4.0
mta               2.4.0
netutils          1.11.0
networkmanager    1.14.0
nscd              1.10.0
openvpn           1.11.0
policykit         1.2.0
portage           1.12.0
privoxy           1.11.0
psad              1.0.0
qemu              1.6.0
qmail             1.5.0
raid              1.11.0
rsync             1.11.0
samba             1.14.0
screen            2.5.0
selinuxutil       1.16.0
ssh               2.3.0
staff             2.3.0
storage           1.10.0
su                1.12.0
sudo              1.9.0
sysadm            2.4.0
sysnetwork        1.13.0
thunderbird       2.3.0
tor               1.8.0
ucspitcp          1.3.0
udev              1.14.0
ulogd             1.2.0
unconfined        3.4.0
unprivuser        2.3.0
userdomain        4.7.0
usermanage        1.17.0
virt              1.4.0
wine              1.10.0
wireshark         2.3.0
xdg               1.0.0
xfs               1.6.0
xscreensaver      1.1.0
xserver           3.7.0
------

thanks

Ivan

On Sun, Jul 22, 2012 at 6:07 PM, Sven Vermeulen <swift@gentoo.org> wrote:
> On Sun, Jul 22, 2012 at 01:55:08PM +0200, Ivan Gooten wrote:
> [...]
> > which results in console for user root context like
> > "root:sysadm_r:sysadm_t",
>
> That's good.
>
> > whereas in X11 terminal, (after switching from ivan user to root by su -)
> > -> "staff_u:staff_r:staff_t".
>
> That's almost good ;-)
>
> > I understand that in X11 term I'll have to "newrole -r sysadm_r" for root
> > everytime, when I will want to administrate the system?
>
> Yes, you need to switch roles (first switch roles, then use su(do)) every
> time you need to do administrative changes (or queries) on the system. The
> staff_r role is for regular operations (user) whereas sysadm_r is for system
> administration.
>
> > And what about the context's difference between root (root:...) logged from
> > console and root (staff_u:...) logged via x11 terminal - is that wrong?
>
> No, that's not wrong. If you log on directly as root, then your SELinux user
> (the first part in the context) is "root". If you log on as someone else,
> you get that SELinux user (such as "staff_u") which remains throughout your
> session (SELinux users don't change, even when you do "su").
>
> Wkr,
> Sven Vermeulen

Sven Vermeulen 07-27-2012 12:08 PM

selinux novice
 
On Fri, Jul 27, 2012 at 11:59:14AM +0200, Ivan Gooten wrote:
> ok so now I get it a bit, anyway selinux is still misconfigured here.
> I've created a pastebin with my current denials, if you could look at it:
> http://pastebin.com/uNRcaeUT

Can you please take a look at
http://www.gentoo.org/proj/en/hardened/selinux-bugreporting.xml ? It
describes the information we need in order to structurally solve problems
you might be facing.

With denials alone we can't do much - there is no proof that the denials are
actually interfering with something (which is why we also need the errors you
get from the applications) and they're not filtered, so we don't know what to
look for first (which is why we suggest structuring issues one at a time).

Wkr,
Sven Vermeulen
