Gentoo Archives: gentoo-hardened

From: Hinnerk van Bruinehsen <h.v.bruinehsen@×××××××××.de>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] selinux novice
Date: Sat, 21 Jul 2012 22:55:17
Message-Id: 500AB624.3080206@fu-berlin.de
In Reply to: [gentoo-hardened] selinux novice by Ivan Gooten
On 21.07.2012 15:51, Ivan Gooten wrote:
> hello,
>
> I have just installed selinux on my gentoo box, and getting
> difficulties in permissive mode. If someone can have a look at this
> and point me somewhere...
>
> Emerge doesn't work if I run it from terminal in X11 - it call
> traces, can't merge anything. In dmesg I can find:
>
> ----------------
> type=1400 audit(1342877962.365:424): avc: denied { read write } for pid=15719 comm="sh" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:devpts_t tclass=chr_file
> type=1400 audit(1342877962.367:425): avc: denied { search } for pid=15719 comm="sh" name="ivan" dev="dm-3" ino=20709377 scontext=system_u:system_r:portage_fetch_t tcontext=staff_u:object_r:user_home_dir_t tclass=dir
> type=1400 audit(1342877962.394:426): avc: denied { search } for pid=15720 comm="id" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:sysfs_t tclass=dir
> type=1400 audit(1342878036.496:428): avc: denied { read write } for pid=15894 comm="emerge" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
> type=1400 audit(1342878036.500:429): avc: denied { ioctl } for pid=15894 comm="emerge" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
> type=1400 audit(1342878036.505:430): avc: denied { getattr } for pid=15894 comm="emerge" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
> type=1400 audit(1342878083.667:431): avc: denied { read write } for pid=16890 comm="sh" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:devpts_t tclass=chr_file
> type=1400 audit(1342878083.671:432): avc: denied { search } for pid=16892 comm="id" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:sysfs_t tclass=dir
> ----------------
>
> I'm running xdm - gdm3 to be more accurate - and as normal user in
> terminal I switch to root and then do newrole -t sysadm_t - after
> that I'm trying to emerge something. Of course from raw console
> a.k.a. non X env, emerging works.
>
> Additional info:
> ----------------
> # sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             targeted
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy MLS status:              disabled
> Policy deny_unknown status:     denied
> Max kernel policy version:      26
> ----------------
> # id -Z // after switching to root and changing newrole
> system_u:system_r:sysadm_t
> ----------------
> all installed sec-policy packages are from hardened-devel overlay = 2.20120215-r14
> ----------------
> I did rlpkg -a -r so many times.. :-)
>
> thanks in advance
>
> Ivan Gooten
>

Hi,

the first few things I notice are that it's "newrole -r sysadm_r" -
"newrole -t" just switches the type.
You shouldn't be in system_u, either, but in staff_u.
Since you are using a targeted policy you actually would have more
rights if you removed the selinux usermapping for your user at all,
because you would be in "unconfined_r:unconfined_t", which means that
there aren't really any restrictions for your user except where they're
stated explicitly.

WKR

Hinnerk

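An added example, not code from either mail, that triages dmesg output of the kind Ivan pasted: it parses each AVC record into source type, target type and object class, merges the denied permissions per triple (so the repeated devpts denials collapse to one line), and checks the SELinux user field of a login context the way Hinnerk's reply does. The four sample records are copied from the quoted mail; the regex and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: four of the AVC records quoted in Ivan's mail above,
# one record per line (the archive runs them together).
SAMPLE_DMESG = """\
type=1400 audit(1342877962.365:424): avc: denied { read write } for pid=15719 comm="sh" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342877962.367:425): avc: denied { search } for pid=15719 comm="sh" name="ivan" dev="dm-3" ino=20709377 scontext=system_u:system_r:portage_fetch_t tcontext=staff_u:object_r:user_home_dir_t tclass=dir
type=1400 audit(1342878036.496:428): avc: denied { read write } for pid=15894 comm="emerge" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342878036.500:429): avc: denied { ioctl } for pid=15894 comm="emerge" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
"""

# One AVC record: the denied permission set, then source/target context and class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_context(ctx):
    """Split 'user:role:type[:range]' into its fields; an MLS range, if any, is dropped."""
    user, role, type_ = ctx.split(":")[:3]
    return {"user": user, "role": role, "type": type_}

def summarize_denials(text):
    """Group denials by (source type, target type, class) and merge the permission
    sets, so repeated records for the same pty or directory collapse to one entry."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            src = parse_context(m["scontext"])["type"]
            tgt = parse_context(m["tcontext"])["type"]
            grouped[(src, tgt, m["tclass"])].update(m["perms"].split())
    return {key: sorted(perms) for key, perms in grouped.items()}

def interactive_user_ok(ctx):
    """The point made in the reply: an interactive shell should run under a login
    SELinux user such as staff_u; system_u is the identity for system processes."""
    return parse_context(ctx)["user"] != "system_u"

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize_denials(SAMPLE_DMESG).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
    print("login user context ok:", interactive_user_ok("system_u:system_r:sysadm_t"))
```

Run against the sample it prints one line per (source, target, class) triple and reports the "id -Z" context from the mail as not a login user; in permissive mode these denials are only logged, which is why the same records keep reappearing across runs.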