| 1 |
Hi Nick, |
| 2 |
|
| 3 |
Thanks for the report, but would you be so kind as to open up bug |
| 4 |
reports for each of the issues at https://bugs.gentoo.org/ |
| 5 |
|
| 6 |
--Tony |
| 7 |
|
| 8 |
On 07/23/2011 04:46 PM, Nick Kossifidis wrote: |
| 9 |
> Hello all and thanks a lot for your work on hardened gentoo ;-) |
| 10 |
> |
| 11 |
> Last time I tried setting up a default hardened gentoo + SElinux setup |
| 12 |
> was in 2009 so I gave it a shot again a few weeks ago and it seems |
| 13 |
> there are still some bugs that result denials in avc logs etc ( sorry |
| 14 |
> for the long mail :-( ): |
| 15 |
> |
| 16 |
> 1) For start check out /lib/rc/sh/init.sh, in svcdir_restorecon() it |
| 17 |
> tries to run /usr/sbin/selinuxenabled but in case /usr is on a |
| 18 |
> different partition it won't work (and rc_svcdir will remain |
| 19 |
> mis-labeled, resulting extra avc denials) because it gets called |
| 20 |
> before mount. It seems weird that packages like |
| 21 |
> sys-apps/policycoreutils, sys-libs/libselinux etc are located under |
| 22 |
> /usr, after all they are linked with libraries under /lib not /usr/lib |
| 23 |
> and are system tools, not user-related. In my case I solved this one |
| 24 |
> by just checking if /sbin/restorecon exists (it's what udev-mount also |
| 25 |
> does), I don't know if it's the correct solution but it works so far. |
| 26 |
> |
| 27 |
> |
| 28 |
> 2) In order for restorecon to relabel rc_svcdir the following rule is needed |
| 29 |
> allow setfiles_t initrc_t:dir relabelto; |
| 30 |
> or else I get this: |
| 31 |
> avc: denied { relabelto } for pid=979 comm="restorecon" name="/" |
| 32 |
> dev=tmpfs ino=2054 scontext=system_u:system_r:setfiles_t |
| 33 |
> tcontext=system_u:object_r:initrc_t tclass=dir |
| 34 |
> |
| 35 |
> |
| 36 |
> 3) Even with the correct labels I still got denials for rc operations |
| 37 |
> on rc_svcdir: |
| 38 |
> can't mount tmpfs under rc_svcdir... |
| 39 |
> avc: denied { associate } for pid=979 comm="restorecon" name="/" |
| 40 |
> dev=tmpfs ino=2054 scontext=system_u:object_r:initrc_t |
| 41 |
> tcontext=system_u:object_r:tmpfs_t tclass=filesystem |
| 42 |
> avc: denied { associate } for pid=13300 comm="rc" name="krunlevel" |
| 43 |
> scontext=system_u:object_r:initrc_t tcontext=system_u:object_r:tmpfs_t |
| 44 |
> tclass=filesystem |
| 45 |
> |
| 46 |
> and various other operations under rc_svcdir (removed duplicates)... |
| 47 |
> avc: denied { write } for pid=980 comm="cp" name="/" dev=tmpfs |
| 48 |
> ino=2054 scontext=system_u:system_r:initrc_t |
| 49 |
> tcontext=system_u:object_r:initrc_t tclass=dir |
| 50 |
> avc: denied { add_name } for pid=980 comm="cp" name="depconfig" |
| 51 |
> scontext=system_u:system_r:initrc_t |
| 52 |
> tcontext=system_u:object_r:initrc_t tclass=dir |
| 53 |
> avc: denied { create } for pid=980 comm="cp" name="depconfig" |
| 54 |
> scontext=system_u:system_r:initrc_t |
| 55 |
> tcontext=system_u:object_r:initrc_t tclass=file |
| 56 |
> avc: denied { setattr } for pid=980 comm="cp" name="depconfig" |
| 57 |
> dev=tmpfs ino=2066 scontext=system_u:system_r:initrc_t |
| 58 |
> tcontext=system_u:object_r:initrc_t tclass=file |
| 59 |
> avc: denied { create } for pid=960 comm="rc" name="starting" |
| 60 |
> scontext=system_u:system_r:initrc_t |
| 61 |
> tcontext=system_u:object_r:initrc_t tclass=dir |
| 62 |
> avc: denied { remove_name } for pid=960 comm="rc" |
| 63 |
> name="rc.stopping" dev=tmpfs ino=42 |
| 64 |
> scontext=system_u:system_r:initrc_t |
| 65 |
> tcontext=system_u:object_r:initrc_t tclass=dir |
| 66 |
> avc: denied { unlink } for pid=2129 comm="rc" name="local" |
| 67 |
> dev=tmpfs ino=4514 scontext=system_u:system_r:initrc_t |
| 68 |
> tcontext=system_u:object_r:initrc_t tclass=file |
| 69 |
> avc: denied { rmdir } for pid=1935 comm="rc" name="rc.starting" |
| 70 |
> dev=tmpfs ino=3842 scontext=system_u:system_r:initrc_t |
| 71 |
> tcontext=system_u:object_r:initrc_t tclass=dir |
| 72 |
> avc: denied { unlink } for pid=13455 comm="rc" name="local" |
| 73 |
> dev=tmpfs ino=4077 scontext=system_u:system_r:initrc_t |
| 74 |
> tcontext=system_u:object_r:initrc_t tclass=lnk_file |
| 75 |
> |
| 76 |
> the following rules should fix that: |
| 77 |
> allow initrc_t tmpfs_t:filesystem associate; |
| 78 |
> allow initrc_t self:dir { write remove_name create add_name rmdir }; |
| 79 |
> allow initrc_t self:file { create unlink setattr }; |
| 80 |
> allow initrc_t self:lnk_file { create unlink }; |
| 81 |
> |
| 82 |
> |
| 83 |
> 4) More rc stuff under /tmp /var/lib /var/log /var/run... |
| 84 |
> avc: denied { setattr } for pid=1538 comm="chmod" name="/" dev=sda5 |
| 85 |
> ino=2 scontext=system_u:system_r:initrc_t |
| 86 |
> tcontext=system_u:object_r:tmp_t tclass=dir |
| 87 |
> avc: denied { create } for pid=1550 comm="mkdir" name=".test.1403" |
| 88 |
> scontext=system_u:system_r:initrc_t |
| 89 |
> tcontext=system_u:object_r:var_log_t tclass=dir |
| 90 |
> avc: denied { rmdir } for pid=1551 comm="rmdir" name=".test.1403" |
| 91 |
> dev=sda6 ino=210166 scontext=system_u:system_r:initrc_t |
| 92 |
> tcontext=system_u:object_r:var_log_t tclass=dir |
| 93 |
> avc: denied { add_name } for pid=1556 comm="runscript.sh" |
| 94 |
> name="unicode" scontext=system_u:system_r:initrc_t |
| 95 |
> tcontext=system_u:object_r:lib_t tclass=dir |
| 96 |
> avc: denied { create } for pid=1556 comm="runscript.sh" |
| 97 |
> name="unicode" scontext=system_u:system_r:initrc_t |
| 98 |
> tcontext=system_u:object_r:lib_t tclass=file |
| 99 |
> avc: denied { write } for pid=1556 comm="runscript.sh" |
| 100 |
> name="unicode" dev=sda2 ino=80888 scontext=system_u:system_r:initrc_t |
| 101 |
> tcontext=system_u:object_r:lib_t tclass=file |
| 102 |
> avc: denied { write } for pid=1424 comm="rm" name="console" |
| 103 |
> dev=sda2 ino=80915 scontext=system_u:system_r:initrc_t |
| 104 |
> tcontext=system_u:object_r:lib_t tclass=dir |
| 105 |
> avc: denied { remove_name } for pid=1424 comm="rm" |
| 106 |
> name="default8x16.psfu.gz" dev=sda2 ino=80899 |
| 107 |
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t |
| 108 |
> tclass=dir |
| 109 |
> avc: denied { unlink } for pid=1424 comm="rm" |
| 110 |
> name="default8x16.psfu.gz" dev=sda2 ino=80899 |
| 111 |
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t |
| 112 |
> tclass=file |
| 113 |
> avc: denied { create } for pid=1425 comm="mkdir" name=".test.1418" |
| 114 |
> scontext=system_u:system_r:initrc_t |
| 115 |
> tcontext=system_u:object_r:var_run_t tclass=dir |
| 116 |
> avc: denied { unlink } for pid=1534 comm="rm" name="syslog-ng.ctl" |
| 117 |
> dev=sda6 ino=80809 scontext=system_u:system_r:initrc_t |
| 118 |
> tcontext=system_u:object_r:devlog_t tclass=sock_file |
| 119 |
> |
| 120 |
> the following rules should be ok: |
| 121 |
> allow initrc_t tmp_t:dir setattr; |
| 122 |
> allow initrc_t lib_t:dir { write remove_name add_name }; |
| 123 |
> allow initrc_t lib_t:file { write create unlink }; |
| 124 |
> allow initrc_t var_log_t:dir { create rmdir }; |
| 125 |
> allow initrc_t var_run_t:dir create; |
| 126 |
> allow initrc_t devlog_t:sock_file unlink; |
| 127 |
> |
| 128 |
> |
| 129 |
> 5) Fuser-related (ran by bootmisc and rc-mount.sh), I don't know why |
| 130 |
> this runs under initrc_t but getattr is not a big deal I guess, I'm |
| 131 |
> not sure however about the execmod: |
| 132 |
> avc: denied { execmod } for pid=1433 comm="fuser" path="/bin/fuser" |
| 133 |
> dev=sda2 ino=185930 scontext=system_u:system_r:initrc_t |
| 134 |
> tcontext=system_u:object_r:bin_t tclass=file |
| 135 |
> avc: denied { getattr } for pid=1492 comm="fuser" |
| 136 |
> path="socket:[2273]" dev=sockfs ino=2273 |
| 137 |
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t |
| 138 |
> tclass=unix_stream_socket |
| 139 |
> avc: denied { getattr } for pid=1493 comm="fuser" |
| 140 |
> path="socket:[2274]" dev=sockfs ino=2274 |
| 141 |
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t |
| 142 |
> tclass=netlink_kobject_uevent_socket |
| 143 |
> avc: denied { getattr } for pid=1526 comm="fuser" |
| 144 |
> path="/sys/kernel/debug" dev=debugfs ino=1 |
| 145 |
> scontext=system_u:system_r:initrc_t |
| 146 |
> tcontext=system_u:object_r:debugfs_t tclass=dir |
| 147 |
> |
| 148 |
> the following rules hide this but I'm not sure if it's the correct |
| 149 |
> approach, maybe we should modify bootmisc/rc-mount.sh: |
| 150 |
> allow initrc_t bin_t:file execmod; |
| 151 |
> allow initrc_t debugfs_t:dir getattr; |
| 152 |
> allow initrc_t udev_t:netlink_kobject_uevent_socket getattr; |
| 153 |
> allow initrc_t udev_t:unix_stream_socket getattr; |
| 154 |
> |
| 155 |
> |
| 156 |
> 6) Udhcp-related (ran by udhcpc-hook.sh and net), again I'm not sure |
| 157 |
> what's the right thing to do here, I think dhcp client shouldn't run |
| 158 |
> under initrc_t: |
| 159 |
> avc: denied { create } for pid=1844 comm="busybox" |
| 160 |
> scontext=system_u:system_r:initrc_t |
| 161 |
> tcontext=system_u:system_r:initrc_t tclass=rawip_socket |
| 162 |
> avc: denied { ioctl } for pid=1844 comm="busybox" |
| 163 |
> path="socket:[33897]" dev=sockfs ino=33897 |
| 164 |
> scontext=system_u:system_r:initrc_t |
| 165 |
> tcontext=system_u:system_r:initrc_t tclass=rawip_socket |
| 166 |
> avc: denied { name_bind } for pid=1844 comm="busybox" src=68 |
| 167 |
> scontext=system_u:system_r:initrc_t |
| 168 |
> tcontext=system_u:object_r:dhcpc_port_t tclass=udp_socket |
| 169 |
> avc: denied { node_bind } for pid=1844 comm="busybox" src=68 |
| 170 |
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:node_t |
| 171 |
> tclass=udp_socket |
| 172 |
> |
| 173 |
> the following rules clean it up |
| 174 |
> allow initrc_t self:rawip_socket { create ioctl }; |
| 175 |
> allow initrc_t dhcpc_port_t:udp_socket name_bind; |
| 176 |
> allow initrc_t node_t:udp_socket node_bind; |
| 177 |
> |
| 178 |
> switching to dhclient instead results these denials: |
| 179 |
> avc: denied { name_bind } for pid=1825 comm="dhclient" src=65059 |
| 180 |
> scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:port_t |
| 181 |
> tclass=udp_socket |
| 182 |
> avc: denied { read write } for pid=1827 comm="ifconfig" |
| 183 |
> path="socket:[3855]" dev=sockfs ino=3855 |
| 184 |
> scontext=system_u:system_r:ifconfig_t |
| 185 |
> tcontext=system_u:system_r:dhcpc_t tclass=udp_socket |
| 186 |
> avc: denied { read write } for pid=1845 comm="hostname" |
| 187 |
> path="socket:[3767]" dev=sockfs ino=3767 |
| 188 |
> scontext=system_u:system_r:hostname_t |
| 189 |
> tcontext=system_u:system_r:dhcpc_t tclass=udp_socket |
| 190 |
> |
| 191 |
> this runs under dhcpc_t so the first one seems ok and ifconfig / |
| 192 |
> hostname are meant to tweak network settings (instead of initrc_t) so |
| 193 |
> I stayed with dhclient and there are the rules to hide the above and |
| 194 |
> get a working dhcp: |
| 195 |
> allow dhcpc_t port_t:udp_socket name_bind; |
| 196 |
> allow ifconfig_t dhcpc_t:udp_socket { read write }; |
| 197 |
> allow hostname_t dhcpc_t:udp_socket { read write }; |
| 198 |
> |
| 199 |
> |
| 200 |
> 7) Udev-related |
| 201 |
> avc: denied { read } for pid=1056 comm="udevd" name="30" dev=tmpfs |
| 202 |
> ino=2727 scontext=system_u:system_r:udev_t |
| 203 |
> tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file |
| 204 |
> avc: denied { unlink } for pid=1309 comm="udevd" name="30" |
| 205 |
> dev=tmpfs ino=2727 scontext=system_u:system_r:udev_t |
| 206 |
> tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file |
| 207 |
> avc: denied { open } for pid=1309 comm="udevd" name="root" |
| 208 |
> dev=tmpfs ino=2707 scontext=system_u:system_r:udev_t |
| 209 |
> tcontext=system_u:object_r:udev_tbl_t tclass=dir |
| 210 |
> avc: denied { relabelto } for pid=1055 comm="udevd" name=".udev" |
| 211 |
> dev=tmpfs ino=2077 scontext=system_u:system_r:udev_t |
| 212 |
> tcontext=system_u:object_r:udev_tbl_t tclass=dir |
| 213 |
> avc: denied { search } for pid=1055 comm="udevd" name=".udev" |
| 214 |
> dev=tmpfs ino=2077 scontext=system_u:system_r:udev_t |
| 215 |
> tcontext=system_u:object_r:udev_tbl_t tclass=dir |
| 216 |
> avc: denied { write } for pid=1055 comm="udevd" name=".udev" |
| 217 |
> dev=tmpfs ino=2077 scontext=system_u:system_r:udev_t |
| 218 |
> tcontext=system_u:object_r:udev_tbl_t tclass=dir |
| 219 |
> avc: denied { add_name } for pid=1055 comm="udevd" name="queue.tmp" |
| 220 |
> scontext=system_u:system_r:udev_t |
| 221 |
> tcontext=system_u:object_r:udev_tbl_t tclass=dir |
| 222 |
> avc: denied { remove_name } for pid=1055 comm="udevd" |
| 223 |
> name="queue.tmp" dev=tmpfs ino=2231 scontext=system_u:system_r:udev_t |
| 224 |
> tcontext=system_u:object_r:udev_tbl_t tclass=dir |
| 225 |
> avc: denied { getattr } for pid=1056 comm="udevd" path="/dev/.udev" |
| 226 |
> dev=tmpfs ino=2077 scontext=system_u:system_r:udev_t |
| 227 |
> tcontext=system_u:object_r:udev_tbl_t tclass=dir |
| 228 |
> avc: denied { create } for pid=1056 comm="udevd" name="data" |
| 229 |
> scontext=system_u:system_r:udev_t |
| 230 |
> tcontext=system_u:object_r:udev_tbl_t tclass=dir |
| 231 |
> avc: denied { read } for pid=1089 comm="udevadm" name=".udev" |
| 232 |
> dev=tmpfs ino=158 scontext=system_u:system_r:udev_t |
| 233 |
> tcontext=system_u:object_r:udev_tbl_t tclass=dir |
| 234 |
> avc: denied { create } for pid=1103 comm="udevd" name="4" |
| 235 |
> scontext=system_u:system_r:udev_t |
| 236 |
> tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file |
| 237 |
> |
| 238 |
> these seem ok since they are marked as udev_tbl_t so these rules should be ok |
| 239 |
> allow udev_t udev_tbl_t:dir { search read create write getattr |
| 240 |
> relabelto remove_name open add_name }; |
| 241 |
> allow udev_t udev_tbl_t:lnk_file { read create unlink }; |
| 242 |
> |
| 243 |
> |
| 244 |
> 8) Cron-related, these come from logrotate.cron and makewhatis |
| 245 |
> avc: denied { read } for pid=7385 comm="syslog-ng" |
| 246 |
> path="pipe:[21161]" dev=pipefs ino=21161 |
| 247 |
> scontext=system_u:system_r:syslogd_t |
| 248 |
> tcontext=system_u:system_r:crond_t tclass=fifo_file |
| 249 |
> avc: denied { use } for pid=7385 comm="syslog-ng" path="/dev/null" |
| 250 |
> dev=tmpfs ino=154 scontext=system_u:system_r:syslogd_t |
| 251 |
> tcontext=system_u:system_r:logrotate_t tclass=fd |
| 252 |
> avc: denied { create } for pid=11730 comm="mkdir" |
| 253 |
> name="whatis.tmp.dir.11727" |
| 254 |
> scontext=system_u:system_r:system_cronjob_t |
| 255 |
> tcontext=system_u:object_r:tmp_t tclass=dir |
| 256 |
> avc: denied { rmdir } for pid=11778 comm="rm" |
| 257 |
> name="whatis.tmp.dir.11727" dev=sda5 ino=7825 |
| 258 |
> scontext=system_u:system_r:system_cronjob_t |
| 259 |
> tcontext=system_u:object_r:tmp_t tclass=dir |
| 260 |
> |
| 261 |
> makewhatis looks ok since it works on tmp_t and it seems ok I think |
| 262 |
> for syslogd_t to have read access to cron's fifo_file but I'm not sure |
| 263 |
> for logrotate_t file descriptor, anyway here are the rules for this: |
| 264 |
> allow system_cronjob_t tmp_t:dir { create rmdir }; |
| 265 |
> allow syslogd_t crond_t:fifo_file read; |
| 266 |
> allow syslogd_t logrotate_t:fd use; |
| 267 |
> |
| 268 |
> |
| 269 |
> 9) Sendmail-related, these come from sendmail when trying to put mail |
| 270 |
> on user's home folder |
| 271 |
> avc: denied { append } for pid=5240 comm="sendmail" |
| 272 |
> name="dead.letter" dev=sda2 ino=161795 |
| 273 |
> scontext=system_u:system_r:system_mail_t |
| 274 |
> tcontext=root:object_r:user_home_t tclass=file |
| 275 |
> avc: denied { open } for pid=5240 comm="sendmail" |
| 276 |
> name="dead.letter" dev=sda2 ino=161795 |
| 277 |
> scontext=system_u:system_r:system_mail_t |
| 278 |
> tcontext=root:object_r:user_home_t tclass=file |
| 279 |
> avc: denied { getattr } for pid=5240 comm="sendmail" |
| 280 |
> path="/root/dead.letter" dev=sda2 ino=161795 |
| 281 |
> scontext=system_u:system_r:system_mail_t |
| 282 |
> tcontext=root:object_r:user_home_t tclass=file |
| 283 |
> |
| 284 |
> I think open getattr and append are ok (no create/write) so these |
| 285 |
> rules should do it: |
| 286 |
> allow system_mail_t user_home_t:file { getattr open append }; |
| 287 |
> |
| 288 |
> |
| 289 |
> 10) Apache2 tries to open a tcp port to communicate with the client |
| 290 |
> and this is what happens: |
| 291 |
> avc: denied { name_connect } for pid=5279 comm="apache2" dest=18083 |
| 292 |
> ipaddr=x.x.x.x scontext=system_u:system_r:httpd_t |
| 293 |
> tcontext=system_u:object_r:port_t tclass=tcp_socket |
| 294 |
> |
| 295 |
> the following should be ok: |
| 296 |
> allow httpd_t port_t:tcp_socket name_connect; |
| 297 |
> |
| 298 |
> |
| 299 |
> 11) Finaly i get denials similar to this one from syslog: |
| 300 |
> avc: denied { syslog } for pid=1948 comm="syslog-ng" capability=34 |
| 301 |
> scontext=system_u:system_r:syslogd_t |
| 302 |
> tcontext=system_u:system_r:syslogd_t tclass=capability2 |
| 303 |
> |
| 304 |
> and this rule should fix them: |
| 305 |
> allow syslogd_t self:capability2 syslog; |
| 306 |
> |
| 307 |
> but i get an error when i try to load it using semodule -i... |
| 308 |
> |
| 309 |
> |
| 310 |
> I also got a few more denials related to su and newrole and I'm trying |
| 311 |
> to figure out if it's my mistake or bad policies, I'll let you know. |
| 312 |
> |
| 313 |
> |
| 314 |
> Again thanks a lot for your work and if there is anything I can do to |
| 315 |
> help let me know ;-) |
| 316 |
> |
| 317 |
> |
| 318 |
|
| 319 |
|
| 320 |
-- |
| 321 |
Anthony G. Basile, Ph.D. |
| 322 |
Gentoo Linux Developer [Hardened] |
| 323 |
E-Mail : blueness@g.o |
| 324 |
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 |
| 325 |
GnuPG ID : D0455535 |
Archives