| 1 |
On Fri, Mar 02, 2012 at 11:13:17AM +0100, Vincent Brillault wrote: |
| 2 |
> I've installed my first SELinux enhanced Gentoo Hardened a few days |
| 3 |
> ago. |
| 4 |
|
| 5 |
Congratulations! And thanks for sharing your experiences. |
| 6 |
|
| 7 |
> A lot of avc appears in the logs and I fear that those would crash the |
| 8 |
> server if I try to boot in enforcing mode. |
| 9 |
|
| 10 |
It often helps to first boot in permissive, log on as root, run "id -Z" to |
| 11 |
make sure you are in sysadm_t (if not, then enforcing will definitely not |
| 12 |
work) and then switch to enforcing mode (setenforce 1) and play around a |
| 13 |
bit. That way, you don't need to boot immediately in enforcing (that's the |
| 14 |
next step). |
| 15 |
|
| 16 |
> First of all, I think that the current policy lakes a context rules for |
| 17 |
> ip6tables, I fixed it by adding the following rule (The context used |
| 18 |
> here comes from /var/lib/iptables): |
| 19 |
> /var/lib/ip6tables(/.*)? gen_context(system_u:object_r:initrc_tmp_t) |
| 20 |
|
| 21 |
Correct, I'll have this added in rev 5. |
| 22 |
|
| 23 |
> Then, another rule seems to be missing from nginx. I think it's caused |
| 24 |
> by a the following line in my configuration: “include |
| 25 |
> /etc/nginx/vhosts.d/*.conf;” that result in : |
| 26 |
> Mar 2 11:10:47 ***** kernel: [ 968.008780] type=1400 |
| 27 |
> audit(1330683047.439:55): avc: denied { read } for pid=2257 |
| 28 |
> comm="nginx" name="vhosts.d" dev="sda1" ino=393764 |
| 29 |
> scontext=system_u:system_r:nginx_t |
| 30 |
> tcontext=system_u:object_r:nginx_conf_t tclass=dir |
| 31 |
> |
| 32 |
> I added the following rule to resolve this avc: |
| 33 |
> allow nginx_t nginx_conf_t:dir read; |
| 34 |
|
| 35 |
Correct. I'll add in a "list_dirs_pattern" for this, which includes the read |
| 36 |
privilege. Will be included in rev 5. |
| 37 |
|
| 38 |
> I don't have enough experience to understand the following avcs that |
| 39 |
> come after every boot (after I log in) : |
| 40 |
|
| 41 |
I'll give feedback on a few, but it would be nice if we could tackle them |
| 42 |
one by one, preferably also a bit later when you could (try to) boot in |
| 43 |
enforcing mode. |
| 44 |
|
| 45 |
The problem with debugging in permissive is that the system behavior is |
| 46 |
different. An earlier denial in enforcing mode might already prevent other |
| 47 |
denials to be reached. And it doesn't mean that that denial is wrong - some |
| 48 |
things we notice when enabling SELinux is that many applications have weird |
| 49 |
behavior... |
| 50 |
|
| 51 |
> Mar 2 10:54:51 ***** kernel: [ 3.669361] type=1400 |
| 52 |
> audit(1330682082.668:3): avc: denied { getattr } for pid=736 |
| 53 |
> comm="mount" name="/" dev="sysfs" ino=1 |
| 54 |
> scontext=system_u:system_r:mount_t tcontext=system_u:object_r:sysfs_t |
| 55 |
> tclass=filesystem |
| 56 |
[... snip other getattr on sysfs_t filesystem class ...] |
| 57 |
|
| 58 |
I have these too, not sure yet why they would be needed. I have yet to play |
| 59 |
around and see what the difference is in behavior when enabling or |
| 60 |
dontauditing this. |
| 61 |
|
| 62 |
I know that recent GLIBCs do a bit more with sysfs almost by default, but I |
| 63 |
thought that was about checking the CPU information, not getting attributes |
| 64 |
on the file system... |
| 65 |
|
| 66 |
> Mar 2 10:54:51 ***** kernel: [ 7.767982] type=1400 |
| 67 |
> audit(1330682087.198:6): avc: denied { setsched } for pid=1010 |
| 68 |
> comm="mount" scontext=system_u:system_r:mount_t |
| 69 |
> tcontext=system_u:system_r:kernel_t tclass=process |
| 70 |
|
| 71 |
Hmm, don't have these here. |
| 72 |
|
| 73 |
> Mar 2 10:54:51 ***** kernel: [ 8.354336] type=1400 |
| 74 |
> audit(1330682087.785:7): avc: denied { write } for pid=1062 comm="rm" |
| 75 |
> name="console" dev="sda1" ino=423795 scontext=system_u:system_r:initrc_t |
| 76 |
> tcontext=system_u:object_r:lib_t tclass=dir |
| 77 |
|
| 78 |
Any idea what it is trying to delete here? I think it is something in |
| 79 |
/lib(64)/rc/console (gut feeling) but I don't know what it is. At least, I |
| 80 |
don't get those, but that might be because the system doesn't get here in |
| 81 |
enforcing mode (i.e. earlier denials are prohibiting it from reaching this |
| 82 |
point). |
| 83 |
|
| 84 |
> Mar 2 10:54:51 ***** kernel: [ 8.354358] type=1400 |
| 85 |
> audit(1330682087.785:8): avc: denied { remove_name } for pid=1062 |
| 86 |
> comm="rm" name="keymap" dev="sda1" ino=393305 |
| 87 |
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t |
| 88 |
> tclass=dir |
| 89 |
> Mar 2 10:54:51 ***** kernel: [ 8.354373] type=1400 |
| 90 |
> audit(1330682087.785:9): avc: denied { unlink } for pid=1062 |
| 91 |
> comm="rm" name="keymap" dev="sda1" ino=393305 |
| 92 |
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t |
| 93 |
> tclass=file |
| 94 |
|
| 95 |
I think these are related with the earlier one. |
| 96 |
|
| 97 |
> Mar 2 10:54:51 ***** kernel: [ 8.365926] type=1400 |
| 98 |
> audit(1330682087.796:10): avc: denied { create } for pid=1063 |
| 99 |
> comm="mkdir" name=".test.1056" scontext=system_u:system_r:initrc_t |
| 100 |
> tcontext=system_u:object_r:var_run_t tclass=dir |
| 101 |
|
| 102 |
This means an init script (source context is "initrc_t") is trying to create |
| 103 |
a directory most likely in /var/run. If you could find out which init script |
| 104 |
it is? Creating temporary directories there isn't exactly a good practice, |
| 105 |
even though I think it is merely checking (in the init script) if the script |
| 106 |
can write there. |
| 107 |
|
| 108 |
> Mar 2 10:54:51 ***** kernel: [ 8.719682] type=1400 |
| 109 |
> audit(1330682088.150:11): avc: denied { getattr } for pid=1175 |
| 110 |
> comm="fuser" path="socket:[1859]" dev="sockfs" ino=1859 |
| 111 |
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t |
| 112 |
> tclass=unix_stream_socket |
| 113 |
|
| 114 |
Probably /etc/init.d/bootmisc (as it is the only feasible init script that |
| 115 |
calls fuser) that finds stuff in /var/run and wants to clean them. |
| 116 |
|
| 117 |
[... snip many other denials ...] |
| 118 |
> I think something about /sys mount point is missing in my fstab but I'm |
| 119 |
> unable to find anything about that in the web. |
| 120 |
|
| 121 |
Don't worry, /sys is mounted by default even if you don't define it in your |
| 122 |
/etc/fstab. |
| 123 |
|
| 124 |
For more information about SELinux bug reporting, please see |
| 125 |
http://www.gentoo.org/proj/en/hardened/selinux-bugreporting.xml |
| 126 |
|
| 127 |
Wkr, |
| 128 |
Sven Vermeulen |
Archives