Hi Nick,

Thanks for the report, but would you be so kind as to open up bug
reports for each of the issues at https://bugs.gentoo.org/

--Tony

On 07/23/2011 04:46 PM, Nick Kossifidis wrote:
> Hello all and thanks a lot for your work on hardened gentoo ;-)
>
> Last time I tried setting up a default hardened gentoo + SElinux setup
> was in 2009 so I gave it a shot again a few weeks ago and it seems
> there are still some bugs that result in denials in avc logs etc (sorry
> for the long mail :-( ):
>
> 1) For a start check out /lib/rc/sh/init.sh, in svcdir_restorecon() it
> tries to run /usr/sbin/selinuxenabled but in case /usr is on a
> different partition it won't work (and rc_svcdir will remain
> mis-labeled, resulting in extra avc denials) because it gets called
> before mount. It seems weird that packages like
> sys-apps/policycoreutils, sys-libs/libselinux etc are located under
> /usr, after all they are linked with libraries under /lib not /usr/lib
> and are system tools, not user-related. In my case I solved this one
> by just checking if /sbin/restorecon exists (it's what udev-mount also
> does), I don't know if it's the correct solution but it works so far.
>
>
> 2) In order for restorecon to relabel rc_svcdir the following rule is needed
> allow setfiles_t initrc_t:dir relabelto;
> or else I get this:
> avc: denied { relabelto } for pid=979 comm="restorecon" name="/"
> dev=tmpfs ino=2054 scontext=system_u:system_r:setfiles_t
> tcontext=system_u:object_r:initrc_t tclass=dir
>
>
> 3) Even with the correct labels I still got denials for rc operations
> on rc_svcdir:
> can't mount tmpfs under rc_svcdir...
> avc: denied { associate } for pid=979 comm="restorecon" name="/"
> dev=tmpfs ino=2054 scontext=system_u:object_r:initrc_t
> tcontext=system_u:object_r:tmpfs_t tclass=filesystem
> avc: denied { associate } for pid=13300 comm="rc" name="krunlevel"
> scontext=system_u:object_r:initrc_t tcontext=system_u:object_r:tmpfs_t
> tclass=filesystem
>
> and various other operations under rc_svcdir (removed duplicates)...
> avc: denied { write } for pid=980 comm="cp" name="/" dev=tmpfs
> ino=2054 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:initrc_t tclass=dir
> avc: denied { add_name } for pid=980 comm="cp" name="depconfig"
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:initrc_t tclass=dir
> avc: denied { create } for pid=980 comm="cp" name="depconfig"
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:initrc_t tclass=file
> avc: denied { setattr } for pid=980 comm="cp" name="depconfig"
> dev=tmpfs ino=2066 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:initrc_t tclass=file
> avc: denied { create } for pid=960 comm="rc" name="starting"
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:initrc_t tclass=dir
> avc: denied { remove_name } for pid=960 comm="rc"
> name="rc.stopping" dev=tmpfs ino=42
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:initrc_t tclass=dir
> avc: denied { unlink } for pid=2129 comm="rc" name="local"
> dev=tmpfs ino=4514 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:initrc_t tclass=file
> avc: denied { rmdir } for pid=1935 comm="rc" name="rc.starting"
> dev=tmpfs ino=3842 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:initrc_t tclass=dir
> avc: denied { unlink } for pid=13455 comm="rc" name="local"
> dev=tmpfs ino=4077 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:initrc_t tclass=lnk_file
>
> the following rules should fix that:
> allow initrc_t tmpfs_t:filesystem associate;
> allow initrc_t self:dir { write remove_name create add_name rmdir };
> allow initrc_t self:file { create unlink setattr };
> allow initrc_t self:lnk_file { create unlink };
>
>
> 4) More rc stuff under /tmp /var/lib /var/log /var/run...
> avc: denied { setattr } for pid=1538 comm="chmod" name="/" dev=sda5
> ino=2 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:tmp_t tclass=dir
> avc: denied { create } for pid=1550 comm="mkdir" name=".test.1403"
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:var_log_t tclass=dir
> avc: denied { rmdir } for pid=1551 comm="rmdir" name=".test.1403"
> dev=sda6 ino=210166 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:var_log_t tclass=dir
> avc: denied { add_name } for pid=1556 comm="runscript.sh"
> name="unicode" scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:lib_t tclass=dir
> avc: denied { create } for pid=1556 comm="runscript.sh"
> name="unicode" scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:lib_t tclass=file
> avc: denied { write } for pid=1556 comm="runscript.sh"
> name="unicode" dev=sda2 ino=80888 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:lib_t tclass=file
> avc: denied { write } for pid=1424 comm="rm" name="console"
> dev=sda2 ino=80915 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:lib_t tclass=dir
> avc: denied { remove_name } for pid=1424 comm="rm"
> name="default8x16.psfu.gz" dev=sda2 ino=80899
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t
> tclass=dir
> avc: denied { unlink } for pid=1424 comm="rm"
> name="default8x16.psfu.gz" dev=sda2 ino=80899
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t
> tclass=file
> avc: denied { create } for pid=1425 comm="mkdir" name=".test.1418"
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:var_run_t tclass=dir
> avc: denied { unlink } for pid=1534 comm="rm" name="syslog-ng.ctl"
> dev=sda6 ino=80809 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:devlog_t tclass=sock_file
>
> the following rules should be ok:
> allow initrc_t tmp_t:dir setattr;
> allow initrc_t lib_t:dir { write remove_name add_name };
> allow initrc_t lib_t:file { write create unlink };
> allow initrc_t var_log_t:dir { create rmdir };
> allow initrc_t var_run_t:dir create;
> allow initrc_t devlog_t:sock_file unlink;
>
>
> 5) Fuser-related (run by bootmisc and rc-mount.sh), I don't know why
> this runs under initrc_t but getattr is not a big deal I guess, I'm
> not sure however about the execmod:
> avc: denied { execmod } for pid=1433 comm="fuser" path="/bin/fuser"
> dev=sda2 ino=185930 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:bin_t tclass=file
> avc: denied { getattr } for pid=1492 comm="fuser"
> path="socket:[2273]" dev=sockfs ino=2273
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t
> tclass=unix_stream_socket
> avc: denied { getattr } for pid=1493 comm="fuser"
> path="socket:[2274]" dev=sockfs ino=2274
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t
> tclass=netlink_kobject_uevent_socket
> avc: denied { getattr } for pid=1526 comm="fuser"
> path="/sys/kernel/debug" dev=debugfs ino=1
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:debugfs_t tclass=dir
>
> the following rules hide this but I'm not sure if it's the correct
> approach, maybe we should modify bootmisc/rc-mount.sh:
> allow initrc_t bin_t:file execmod;
> allow initrc_t debugfs_t:dir getattr;
> allow initrc_t udev_t:netlink_kobject_uevent_socket getattr;
> allow initrc_t udev_t:unix_stream_socket getattr;
>
>
> 6) Udhcp-related (run by udhcpc-hook.sh and net), again I'm not sure
> what's the right thing to do here, I think dhcp client shouldn't run
> under initrc_t:
> avc: denied { create } for pid=1844 comm="busybox"
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:system_r:initrc_t tclass=rawip_socket
> avc: denied { ioctl } for pid=1844 comm="busybox"
> path="socket:[33897]" dev=sockfs ino=33897
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:system_r:initrc_t tclass=rawip_socket
> avc: denied { name_bind } for pid=1844 comm="busybox" src=68
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:dhcpc_port_t tclass=udp_socket
> avc: denied { node_bind } for pid=1844 comm="busybox" src=68
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:node_t
> tclass=udp_socket
>
> the following rules clean it up
> allow initrc_t self:rawip_socket { create ioctl };
> allow initrc_t dhcpc_port_t:udp_socket name_bind;
> allow initrc_t node_t:udp_socket node_bind;
>
> switching to dhclient instead results in these denials:
> avc: denied { name_bind } for pid=1825 comm="dhclient" src=65059
> scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:port_t
> tclass=udp_socket
> avc: denied { read write } for pid=1827 comm="ifconfig"
> path="socket:[3855]" dev=sockfs ino=3855
> scontext=system_u:system_r:ifconfig_t
> tcontext=system_u:system_r:dhcpc_t tclass=udp_socket
> avc: denied { read write } for pid=1845 comm="hostname"
> path="socket:[3767]" dev=sockfs ino=3767
> scontext=system_u:system_r:hostname_t
> tcontext=system_u:system_r:dhcpc_t tclass=udp_socket
>
> this runs under dhcpc_t so the first one seems ok and ifconfig /
> hostname are meant to tweak network settings (instead of initrc_t) so
> I stayed with dhclient and here are the rules to hide the above and
> get a working dhcp:
> allow dhcpc_t port_t:udp_socket name_bind;
> allow ifconfig_t dhcpc_t:udp_socket { read write };
> allow hostname_t dhcpc_t:udp_socket { read write };
>
>
> 7) Udev-related
> avc: denied { read } for pid=1056 comm="udevd" name="30" dev=tmpfs
> ino=2727 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file
> avc: denied { unlink } for pid=1309 comm="udevd" name="30"
> dev=tmpfs ino=2727 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file
> avc: denied { open } for pid=1309 comm="udevd" name="root"
> dev=tmpfs ino=2707 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { relabelto } for pid=1055 comm="udevd" name=".udev"
> dev=tmpfs ino=2077 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { search } for pid=1055 comm="udevd" name=".udev"
> dev=tmpfs ino=2077 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { write } for pid=1055 comm="udevd" name=".udev"
> dev=tmpfs ino=2077 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { add_name } for pid=1055 comm="udevd" name="queue.tmp"
> scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { remove_name } for pid=1055 comm="udevd"
> name="queue.tmp" dev=tmpfs ino=2231 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { getattr } for pid=1056 comm="udevd" path="/dev/.udev"
> dev=tmpfs ino=2077 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { create } for pid=1056 comm="udevd" name="data"
> scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { read } for pid=1089 comm="udevadm" name=".udev"
> dev=tmpfs ino=158 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { create } for pid=1103 comm="udevd" name="4"
> scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file
>
> these seem ok since they are marked as udev_tbl_t so these rules should be ok
> allow udev_t udev_tbl_t:dir { search read create write getattr
> relabelto remove_name open add_name };
> allow udev_t udev_tbl_t:lnk_file { read create unlink };
>
>
> 8) Cron-related, these come from logrotate.cron and makewhatis
> avc: denied { read } for pid=7385 comm="syslog-ng"
> path="pipe:[21161]" dev=pipefs ino=21161
> scontext=system_u:system_r:syslogd_t
> tcontext=system_u:system_r:crond_t tclass=fifo_file
> avc: denied { use } for pid=7385 comm="syslog-ng" path="/dev/null"
> dev=tmpfs ino=154 scontext=system_u:system_r:syslogd_t
> tcontext=system_u:system_r:logrotate_t tclass=fd
> avc: denied { create } for pid=11730 comm="mkdir"
> name="whatis.tmp.dir.11727"
> scontext=system_u:system_r:system_cronjob_t
> tcontext=system_u:object_r:tmp_t tclass=dir
> avc: denied { rmdir } for pid=11778 comm="rm"
> name="whatis.tmp.dir.11727" dev=sda5 ino=7825
> scontext=system_u:system_r:system_cronjob_t
> tcontext=system_u:object_r:tmp_t tclass=dir
>
> makewhatis looks ok since it works on tmp_t and it seems ok I think
> for syslogd_t to have read access to cron's fifo_file but I'm not sure
> for logrotate_t file descriptor, anyway here are the rules for this:
> allow system_cronjob_t tmp_t:dir { create rmdir };
> allow syslogd_t crond_t:fifo_file read;
> allow syslogd_t logrotate_t:fd use;
>
>
> 9) Sendmail-related, these come from sendmail when trying to put mail
> on user's home folder
> avc: denied { append } for pid=5240 comm="sendmail"
> name="dead.letter" dev=sda2 ino=161795
> scontext=system_u:system_r:system_mail_t
> tcontext=root:object_r:user_home_t tclass=file
> avc: denied { open } for pid=5240 comm="sendmail"
> name="dead.letter" dev=sda2 ino=161795
> scontext=system_u:system_r:system_mail_t
> tcontext=root:object_r:user_home_t tclass=file
> avc: denied { getattr } for pid=5240 comm="sendmail"
> path="/root/dead.letter" dev=sda2 ino=161795
> scontext=system_u:system_r:system_mail_t
> tcontext=root:object_r:user_home_t tclass=file
>
> I think open getattr and append are ok (no create/write) so these
> rules should do it:
> allow system_mail_t user_home_t:file { getattr open append };
>
>
> 10) Apache2 tries to open a tcp port to communicate with the client
> and this is what happens:
> avc: denied { name_connect } for pid=5279 comm="apache2" dest=18083
> ipaddr=x.x.x.x scontext=system_u:system_r:httpd_t
> tcontext=system_u:object_r:port_t tclass=tcp_socket
>
> the following should be ok:
> allow httpd_t port_t:tcp_socket name_connect;
>
>
> 11) Finally I get denials similar to this one from syslog:
> avc: denied { syslog } for pid=1948 comm="syslog-ng" capability=34
> scontext=system_u:system_r:syslogd_t
> tcontext=system_u:system_r:syslogd_t tclass=capability2
>
> and this rule should fix them:
> allow syslogd_t self:capability2 syslog;
>
> but I get an error when I try to load it using semodule -i...
>
>
> I also got a few more denials related to su and newrole and I'm trying
> to figure out if it's my mistake or bad policies, I'll let you know.
>
>
> Again thanks a lot for your work and if there is anything I can do to
> help let me know ;-)
>
>


--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
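The denial-to-rule translation Nick did by hand for every item in his mail (group the denied permissions by source type, target type and object class, collapse same-type pairs to `self`, emit one allow rule per group), as an added example that is not code from this thread or from Gentoo. The sample AVC lines are copied from items 3 and 5 above; the set of permissions flagged for manual review is an assumption of this example, chosen because Nick himself was unsure about `execmod`.

```python
import re
from collections import defaultdict

# Constructed sample: denial lines quoted in the mail (items 3 and 5), unwrapped.
SAMPLE_AVC = """\
avc: denied { associate } for pid=979 comm="restorecon" name="/" dev=tmpfs ino=2054 scontext=system_u:object_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
avc: denied { write } for pid=980 comm="cp" name="/" dev=tmpfs ino=2054 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=dir
avc: denied { add_name } for pid=980 comm="cp" name="depconfig" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=dir
avc: denied { create } for pid=980 comm="cp" name="depconfig" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=file
avc: denied { execmod } for pid=1433 comm="fuser" path="/bin/fuser" dev=sda2 ino=185930 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:bin_t tclass=file
"""

# One denial: the permission set, then the three fields that identify a rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumed review list: permissions a policy author should justify rather than
# grant on reflex (the mail itself hesitates over execmod on bin_t).
REVIEW_PERMS = {"execmod", "execmem", "execstack", "relabelfrom", "relabelto"}

def type_of(context):
    """user:role:type[:level] -> type (the only part an allow rule needs)."""
    return context.split(":")[2]

def parse_avc(text):
    """Return (source type, target type, class, {perms}) for each AVC line."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append((type_of(m["scontext"]), type_of(m["tcontext"]),
                            m["tclass"], set(m["perms"].split())))
    return denials

def aggregate(denials):
    """Merge permissions of all denials sharing (source, target, class)."""
    grouped = defaultdict(set)
    for src, tgt, cls, perms in denials:
        grouped[(src, tgt, cls)] |= perms
    return grouped

def allow_rules(grouped):
    """Emit .te allow rules; a type acting on itself becomes 'self'."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        target = "self" if src == tgt else tgt
        plist = sorted(perms)
        perm_txt = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        flag = "  # REVIEW" if perms & REVIEW_PERMS else ""  # '#' is a .te comment
        rules.append(f"allow {src} {target}:{cls} {perm_txt};{flag}")
    return rules
```

Feeding the generated rules into a `.te` module still needs a `require` block for every type and class named, which is where a rule for an object class the loaded policy does not know (Nick's `capability2` case) will be rejected.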