1 |
On Fri, Mar 02, 2012 at 11:13:17AM +0100, Vincent Brillault wrote: |
2 |
> I've installed my first SELinux enhanced Gentoo Hardened a few days |
3 |
> ago. |
4 |
|
5 |
Congratulations! And thanks for sharing your experiences. |
6 |
|
7 |
> A lot of avc appears in the logs and I fear that those would crash the |
8 |
> server if I try to boot in enforcing mode. |
9 |
|
10 |
It often helps to first boot in permissive, log on as root, run "id -Z" to |
11 |
make sure you are in sysadm_t (if not, then enforcing will definitely not |
12 |
work) and then switch to enforcing mode (setenforce 1) and play around a |
13 |
bit. That way, you don't need to boot immediately in enforcing (that's the |
14 |
next step). |
15 |
|
16 |
> First of all, I think that the current policy lakes a context rules for |
17 |
> ip6tables, I fixed it by adding the following rule (The context used |
18 |
> here comes from /var/lib/iptables): |
19 |
> /var/lib/ip6tables(/.*)? gen_context(system_u:object_r:initrc_tmp_t) |
20 |
|
21 |
Correct, I'll have this added in rev 5. |
22 |
|
23 |
> Then, another rule seems to be missing from nginx. I think it's caused |
24 |
> by a the following line in my configuration: “include |
25 |
> /etc/nginx/vhosts.d/*.conf;” that result in : |
26 |
> Mar 2 11:10:47 ***** kernel: [ 968.008780] type=1400 |
27 |
> audit(1330683047.439:55): avc: denied { read } for pid=2257 |
28 |
> comm="nginx" name="vhosts.d" dev="sda1" ino=393764 |
29 |
> scontext=system_u:system_r:nginx_t |
30 |
> tcontext=system_u:object_r:nginx_conf_t tclass=dir |
31 |
> |
32 |
> I added the following rule to resolve this avc: |
33 |
> allow nginx_t nginx_conf_t:dir read; |
34 |
|
35 |
Correct. I'll add in a "list_dirs_pattern" for this, which includes the read |
36 |
privilege. Will be included in rev 5. |
37 |
|
38 |
> I don't have enough experience to understand the following avcs that |
39 |
> come after every boot (after I log in) : |
40 |
|
41 |
I'll give feedback on a few, but it would be nice if we could tackle them |
42 |
one by one, preferably also a bit later when you could (try to) boot in |
43 |
enforcing mode. |
44 |
|
45 |
The problem with debugging in permissive is that the system behavior is |
46 |
different. An earlier denial in enforcing mode might already prevent other |
47 |
denials to be reached. And it doesn't mean that that denial is wrong - some |
48 |
things we notice when enabling SELinux is that many applications have weird |
49 |
behavior... |
50 |
|
51 |
> Mar 2 10:54:51 ***** kernel: [ 3.669361] type=1400 |
52 |
> audit(1330682082.668:3): avc: denied { getattr } for pid=736 |
53 |
> comm="mount" name="/" dev="sysfs" ino=1 |
54 |
> scontext=system_u:system_r:mount_t tcontext=system_u:object_r:sysfs_t |
55 |
> tclass=filesystem |
56 |
[... snip other getattr on sysfs_t filesystem class ...] |
57 |
|
58 |
I have these too, not sure yet why they would be needed. I have yet to play |
59 |
around and see what the difference is in behavior when enabling or |
60 |
dontauditing this. |
61 |
|
62 |
I know that recent GLIBCs do a bit more with sysfs almost by default, but I |
63 |
thought that was about checking the CPU information, not getting attributes |
64 |
on the file system... |
65 |
|
66 |
> Mar 2 10:54:51 ***** kernel: [ 7.767982] type=1400 |
67 |
> audit(1330682087.198:6): avc: denied { setsched } for pid=1010 |
68 |
> comm="mount" scontext=system_u:system_r:mount_t |
69 |
> tcontext=system_u:system_r:kernel_t tclass=process |
70 |
|
71 |
Hmm, don't have these here. |
72 |
|
73 |
> Mar 2 10:54:51 ***** kernel: [ 8.354336] type=1400 |
74 |
> audit(1330682087.785:7): avc: denied { write } for pid=1062 comm="rm" |
75 |
> name="console" dev="sda1" ino=423795 scontext=system_u:system_r:initrc_t |
76 |
> tcontext=system_u:object_r:lib_t tclass=dir |
77 |
|
78 |
Any idea what it is trying to delete here? I think it is something in |
79 |
/lib(64)/rc/console (gut feeling) but I don't know what it is. At least, I |
80 |
don't get those, but that might be because the system doesn't get here in |
81 |
enforcing mode (i.e. earlier denials are prohibiting it from reaching this |
82 |
point). |
83 |
|
84 |
> Mar 2 10:54:51 ***** kernel: [ 8.354358] type=1400 |
85 |
> audit(1330682087.785:8): avc: denied { remove_name } for pid=1062 |
86 |
> comm="rm" name="keymap" dev="sda1" ino=393305 |
87 |
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t |
88 |
> tclass=dir |
89 |
> Mar 2 10:54:51 ***** kernel: [ 8.354373] type=1400 |
90 |
> audit(1330682087.785:9): avc: denied { unlink } for pid=1062 |
91 |
> comm="rm" name="keymap" dev="sda1" ino=393305 |
92 |
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t |
93 |
> tclass=file |
94 |
|
95 |
I think these are related with the earlier one. |
96 |
|
97 |
> Mar 2 10:54:51 ***** kernel: [ 8.365926] type=1400 |
98 |
> audit(1330682087.796:10): avc: denied { create } for pid=1063 |
99 |
> comm="mkdir" name=".test.1056" scontext=system_u:system_r:initrc_t |
100 |
> tcontext=system_u:object_r:var_run_t tclass=dir |
101 |
|
102 |
This means an init script (source context is "initrc_t") is trying to create |
103 |
a directory most likely in /var/run. If you could find out which init script |
104 |
it is? Creating temporary directories there isn't exactly a good practice, |
105 |
even though I think it is merely checking (in the init script) if the script |
106 |
can write there. |
107 |
|
108 |
> Mar 2 10:54:51 ***** kernel: [ 8.719682] type=1400 |
109 |
> audit(1330682088.150:11): avc: denied { getattr } for pid=1175 |
110 |
> comm="fuser" path="socket:[1859]" dev="sockfs" ino=1859 |
111 |
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t |
112 |
> tclass=unix_stream_socket |
113 |
|
114 |
Probably /etc/init.d/bootmisc (as it is the only feasible init script that |
115 |
calls fuser) that finds stuff in /var/run and wants to clean them. |
116 |
|
117 |
[... snip many other denials ...] |
118 |
> I think something about /sys mount point is missing in my fstab but I'm |
119 |
> unable to find anything about that in the web. |
120 |
|
121 |
Don't worry, /sys is mounted by default even if you don't define it in your |
122 |
/etc/fstab. |
123 |
|
124 |
For more information about SELinux bug reporting, please see |
125 |
http://www.gentoo.org/proj/en/hardened/selinux-bugreporting.xml |
126 |
|
127 |
Wkr, |
128 |
Sven Vermeulen |