1 |
On Friday, February 22, 2013 07:27:00 PM Sven Vermeulen wrote: |
2 |
> On Thu, Feb 21, 2013 at 03:46:14PM -0500, Ben P. wrote: |
3 |
> > I've put Gentoo-Hardened on a testing computer and been learning a lot |
4 |
> > about selinux. Everything works, including X, but I have a few entries in |
5 |
> > my avc log that I'm not sure about. |
6 |
> |
7 |
> Cool, let's take a look. But generally, if you have denials but no problems, |
8 |
> you might want to dontaudit them if they are in your way. To make sure |
9 |
> there is no difference in behavior, you can try booting in permissive mode |
10 |
> once and compare with running in enforcing mode just to be sure. |
11 |
> |
12 |
> That being said, some denials might give us a few clues as to what might |
13 |
> still be needed. |
14 |
> |
15 |
> > I note that this is running on an encrypted root drive and therefore I |
16 |
> > need an initramfs. Dracut wasn't working for me so I rolled my own, which |
17 |
> > does boot in enforcing mode (with a few minor errors) so bug 397567 seems |
18 |
> > to not be universal. |
19 |
> |
20 |
> Yes, I think the needed changes have been made to kernel_t already to allow |
21 |
> "standard" bootups to succeed. However, due to the complexity that an |
22 |
> initramfs can inhibit (say you use an initramfs to NFS-mount file systems, |
23 |
> load up a trusted key through the TPM chip and what not) it's pretty obvious |
24 |
> that kernel_t will not always be equally sufficient. |
25 |
> |
26 |
> > So some of these errors may be due to the initramfs then, although |
27 |
> > I'm not sure why, since almost everything is unmounted before switch_root. |
28 |
> > |
29 |
> > avc: denied { read write } for pid=1 comm="init" |
30 |
> > path=2F6465762F636F6E736F6C65202864656C6574656429 dev="rootfs" ino=5998 |
31 |
> > scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t |
32 |
> > tclass=chr_file |
33 |
> |
34 |
> No idea what it is trying to do here, but given that it is about a path-less |
35 |
> character file (which probably means that the path cannot be devised from |
36 |
> the current location, either because the file has been removed or due to a |
37 |
> chroot) and that the permissions are read/write (and not open), I'd guess |
38 |
> this is an inherited file descriptor towards that character device and most |
39 |
> likely a leaked, inherited fd. Thus might be ok to not allow (and perhaps |
40 |
> even dontaudit). |
41 |
> |
42 |
> > avc: denied { getattr } for pid=1 comm="init" name="/" dev="selinuxfs" |
43 |
> > ino=1 scontext=system_u:system_r:init_t |
44 |
> > tcontext=system_u:object_r:security_t tclass=filesystem |
45 |
> |
46 |
> This is probably ok to allow, but not strictly necessary afaik. |
47 |
> |
48 |
> > avc: denied { search } for pid=1 comm="init" name="var" dev="dm-0" |
49 |
> > ino=556492 scontext=system_u:system_r:init_t |
50 |
> > tcontext=system_u:object_r:file_t tclass=dir |
51 |
> |
52 |
> This is somewhat more wrong. file_t is a type that shouldn't be on the file |
53 |
> system after it has been fully labeled. |
54 |
> |
55 |
> > avc: denied { write } for pid=400 comm="cryptsetup" |
56 |
> > name="read_ahead_kb" |
57 |
> > dev="sysfs" ino=14972 scontext=system_u:system_r:lvm_t |
58 |
> > tcontext=system_u:object_r:sysfs_t tclass=file |
59 |
> |
60 |
> Probably ok to allow - I don't know much about the optimizations that are |
61 |
> possible, but it seems that cryptsetup here is trying to optimize for |
62 |
> something. You might not even notice that since it often is for specific |
63 |
> corner cases. |
64 |
> |
65 |
> > avc: denied { read write } for pid=1084 comm="unix_chkpwd" |
66 |
> > path="/dev/tty1" dev="devtmpfs" ino=1045 |
67 |
> > scontext=system_u:system_r:chkpwd_t |
68 |
> > tcontext=system_u:object_r:tty_device_t tclass=chr_file |
69 |
> > avc: denied { search } for pid=1084 comm="unix_chkpwd" name="/" |
70 |
> > dev="sysfs" ino=1 scontext=system_u:system_r:chkpwd_t |
71 |
> > tcontext=system_u:object_r:sysfs_t tclass=dir |
72 |
> > avc: denied { getattr } for pid=1084 comm="unix_chkpwd" name="/" |
73 |
> > dev="selinuxfs" ino=1 scontext=system_u:system_r:chkpwd_t |
74 |
> > tcontext=system_u:object_r:security_t tclass=filesystem |
75 |
> > avc: denied { getattr } for pid=1084 comm="unix_chkpwd" |
76 |
> > path="/sys/fs/selinux" dev="selinuxfs" ino=1 |
77 |
> > scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:security_t |
78 |
> > tclass=dir |
79 |
> > |
80 |
|
81 |
|
82 |
I solved the problem with denials not being printed, and found a few other |
83 |
problems with the selinux policies. |
84 |
|
85 |
Rather than spam the mailing list, I've put them up at |
86 |
http://www.bennyp.org/selinux/ . (Don't worry, no ads or anything there). In |
87 |
particular: |
88 |
|
89 |
* Samba wouldn't start |
90 |
* Couldn't mount anything on /var/tmp/portage |
91 |
* The cryptsetup thing |
92 |
* Udev/initrc misbehaving |
93 |
|
94 |
If you want, I can certainly add some of these to the bugtracker so you can |
95 |
officially record them. Keep in mind though that I've been looking at selinux |
96 |
for a total of about 2 weeks :) |
97 |
|
98 |
Also, if anyone is interested in testing out some (likely buggy and full of |
99 |
holes) modules, I've written a module for tightvnc (see the site). This allows |
100 |
a user to start a remote XVnc session accessible through ssh. It's probably |
101 |
not a topic for this mailing list, however. |
102 |
|
103 |
After much of the changes documented on that site, my system is running pretty |
104 |
smoothly in enforcing mode :) |
105 |
|
106 |
Keep up the good work |
107 |
Ben P. |