| 1 |
On Friday, February 22, 2013 07:27:00 PM Sven Vermeulen wrote: |
| 2 |
> On Thu, Feb 21, 2013 at 03:46:14PM -0500, Ben P. wrote: |
| 3 |
> > I've put Gentoo-Hardened on a testing computer and been learning a lot |
| 4 |
> > about selinux. Everything works, including X, but I have a few entries in |
| 5 |
> > my avc log that I'm not sure about. |
| 6 |
> |
| 7 |
> Cool, let's take a look. But generally, if you have denials but no problems, |
| 8 |
> you might want to dontaudit them if they are in your way. To make sure |
| 9 |
> there is no difference in behavior, you can try booting in permissive mode |
| 10 |
> once and compare with running in enforcing mode just to be sure. |
| 11 |
> |
| 12 |
> That being said, some denials might give us a few clues as to what might |
| 13 |
> still be needed. |
| 14 |
> |
| 15 |
> > I note that this is running on an encrypted root drive and therefore I |
| 16 |
> > need an initramfs. Dracut wasn't working for me so I rolled my own, which |
| 17 |
> > does boot in enforcing mode (with a few minor errors) so bug 397567 seems |
| 18 |
> > to not be universal. |
| 19 |
> |
| 20 |
> Yes, I think the needed changes have been made to kernel_t already to allow |
| 21 |
> "standard" bootups to succeed. However, due to the complexity that an |
| 22 |
> initramfs can inhibit (say you use an initramfs to NFS-mount file systems, |
| 23 |
> load up a trusted key through the TPM chip and what not) it's pretty obvious |
| 24 |
> that kernel_t will not always be equally sufficient. |
| 25 |
> |
| 26 |
> > So some of these errors may be due to the initramfs then, although |
| 27 |
> > I'm not sure why, since almost everything is unmounted before switch_root. |
| 28 |
> > |
| 29 |
> > avc: denied { read write } for pid=1 comm="init" |
| 30 |
> > path=2F6465762F636F6E736F6C65202864656C6574656429 dev="rootfs" ino=5998 |
| 31 |
> > scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t |
| 32 |
> > tclass=chr_file |
| 33 |
> |
| 34 |
> No idea what it is trying to do here, but given that it is about a path-less |
| 35 |
> character file (which probably means that the path cannot be devised from |
| 36 |
> the current location, either because the file has been removed or due to a |
| 37 |
> chroot) and that the permissions are read/write (and not open), I'd guess |
| 38 |
> this is an inherited file descriptor towards that character device and most |
| 39 |
> likely a leaked, inherited fd. Thus might be ok to not allow (and perhaps |
| 40 |
> even dontaudit). |
| 41 |
> |
| 42 |
> > avc: denied { getattr } for pid=1 comm="init" name="/" dev="selinuxfs" |
| 43 |
> > ino=1 scontext=system_u:system_r:init_t |
| 44 |
> > tcontext=system_u:object_r:security_t tclass=filesystem |
| 45 |
> |
| 46 |
> This is probably ok to allow, but not strictly necessary afaik. |
| 47 |
> |
| 48 |
> > avc: denied { search } for pid=1 comm="init" name="var" dev="dm-0" |
| 49 |
> > ino=556492 scontext=system_u:system_r:init_t |
| 50 |
> > tcontext=system_u:object_r:file_t tclass=dir |
| 51 |
> |
| 52 |
> This is somewhat more wrong. file_t is a type that shouldn't be on the file |
| 53 |
> system after it has been fully labeled. |
| 54 |
> |
| 55 |
> > avc: denied { write } for pid=400 comm="cryptsetup" |
| 56 |
> > name="read_ahead_kb" |
| 57 |
> > dev="sysfs" ino=14972 scontext=system_u:system_r:lvm_t |
| 58 |
> > tcontext=system_u:object_r:sysfs_t tclass=file |
| 59 |
> |
| 60 |
> Probably ok to allow - I don't know much about the optimizations that are |
| 61 |
> possible, but it seems that cryptsetup here is trying to optimize for |
| 62 |
> something. You might not even notice that since it often is for specific |
| 63 |
> corner cases. |
| 64 |
> |
| 65 |
> > avc: denied { read write } for pid=1084 comm="unix_chkpwd" |
| 66 |
> > path="/dev/tty1" dev="devtmpfs" ino=1045 |
| 67 |
> > scontext=system_u:system_r:chkpwd_t |
| 68 |
> > tcontext=system_u:object_r:tty_device_t tclass=chr_file |
| 69 |
> > avc: denied { search } for pid=1084 comm="unix_chkpwd" name="/" |
| 70 |
> > dev="sysfs" ino=1 scontext=system_u:system_r:chkpwd_t |
| 71 |
> > tcontext=system_u:object_r:sysfs_t tclass=dir |
| 72 |
> > avc: denied { getattr } for pid=1084 comm="unix_chkpwd" name="/" |
| 73 |
> > dev="selinuxfs" ino=1 scontext=system_u:system_r:chkpwd_t |
| 74 |
> > tcontext=system_u:object_r:security_t tclass=filesystem |
| 75 |
> > avc: denied { getattr } for pid=1084 comm="unix_chkpwd" |
| 76 |
> > path="/sys/fs/selinux" dev="selinuxfs" ino=1 |
| 77 |
> > scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:security_t |
| 78 |
> > tclass=dir |
| 79 |
> > |
| 80 |
|
| 81 |
|
| 82 |
I solved the problem with denials not being printed, and found a few other |
| 83 |
problems with the selinux policies. |
| 84 |
|
| 85 |
Rather than spam the mailing list, I've put them up at |
| 86 |
http://www.bennyp.org/selinux/ . (Don't worry, no ads or anything there). In |
| 87 |
particular: |
| 88 |
|
| 89 |
* Samba wouldn't start |
| 90 |
* Couldn't mount anything on /var/tmp/portage |
| 91 |
* The cryptsetup thing |
| 92 |
* Udev/initrc misbehaving |
| 93 |
|
| 94 |
If you want, I can certainly add some of these to the bugtracker so you can |
| 95 |
officially record them. Keep in mind though that I've been looking at selinux |
| 96 |
for a total of about 2 weeks :) |
| 97 |
|
| 98 |
Also, if anyone is interested in testing out some (likely buggy and full of |
| 99 |
holes) modules, I've written a module for tightvnc (see the site). This allows |
| 100 |
a user to start a remote XVnc session accessible through ssh. It's probably |
| 101 |
not a topic for this mailing list, however. |
| 102 |
|
| 103 |
After much of the changes documented on that site, my system is running pretty |
| 104 |
smoothly in enforcing mode :) |
| 105 |
|
| 106 |
Keep up the good work |
| 107 |
Ben P. |
Archives