| 1 |
Hi all, |
| 2 |
|
| 3 |
I've installed my first SELinux enhanced Gentoo Hardened a few days |
| 4 |
ago. |
| 5 |
A lot of avc appears in the logs and I fear that those would crash the |
| 6 |
server if I try to boot in enforcing mode. |
| 7 |
|
| 8 |
Basic configuration details : |
| 9 |
Kernel: 3.2.2-hardened-r1 |
| 10 |
Profile: hardened/linux/amd64/selinux |
| 11 |
sec-policy: based on the hardened-dev overlay: |
| 12 |
- sec-policy/selinux-base-policy: 2.20120215-r4 |
| 13 |
- sec-policy/selinux-base: 2.20120215-r4 |
| 14 |
Policy: strict |
| 15 |
Mode: permissive |
| 16 |
|
| 17 |
First of all, I think that the current policy lakes a context rules for |
| 18 |
ip6tables, I fixed it by adding the following rule (The context used |
| 19 |
here comes from /var/lib/iptables): |
| 20 |
/var/lib/ip6tables(/.*)? gen_context(system_u:object_r:initrc_tmp_t) |
| 21 |
|
| 22 |
Then, another rule seems to be missing from nginx. I think it's caused |
| 23 |
by a the following line in my configuration: “include |
| 24 |
/etc/nginx/vhosts.d/*.conf;” that result in : |
| 25 |
Mar 2 11:10:47 ***** kernel: [ 968.008780] type=1400 |
| 26 |
audit(1330683047.439:55): avc: denied { read } for pid=2257 |
| 27 |
comm="nginx" name="vhosts.d" dev="sda1" ino=393764 |
| 28 |
scontext=system_u:system_r:nginx_t |
| 29 |
tcontext=system_u:object_r:nginx_conf_t tclass=dir |
| 30 |
|
| 31 |
I added the following rule to resolve this avc: |
| 32 |
allow nginx_t nginx_conf_t:dir read; |
| 33 |
|
| 34 |
I don't have enough experience to understand the following avcs that |
| 35 |
come after every boot (after I log in) : |
| 36 |
|
| 37 |
Mar 2 10:54:51 ***** kernel: [ 3.669361] type=1400 |
| 38 |
audit(1330682082.668:3): avc: denied { getattr } for pid=736 |
| 39 |
comm="mount" name="/" dev="sysfs" ino=1 |
| 40 |
scontext=system_u:system_r:mount_t tcontext=system_u:object_r:sysfs_t |
| 41 |
tclass=filesystem |
| 42 |
Mar 2 10:54:51 ***** kernel: [ 3.803100] type=1400 |
| 43 |
audit(1330682082.802:4): avc: denied { getattr } for pid=751 |
| 44 |
comm="restorecon" name="/" dev="sysfs" ino=1 |
| 45 |
scontext=system_u:system_r:setfiles_t tcontext=system_u:object_r:sysfs_t |
| 46 |
tclass=filesystem |
| 47 |
Mar 2 10:54:51 ***** kernel: [ 6.859414] type=1400 |
| 48 |
audit(1330682086.290:5): avc: denied { getattr } for pid=968 |
| 49 |
comm="pvscan" name="/" dev="sysfs" ino=1 |
| 50 |
scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:sysfs_t |
| 51 |
tclass=filesystem |
| 52 |
Mar 2 10:54:51 ***** kernel: [ 7.767982] type=1400 |
| 53 |
audit(1330682087.198:6): avc: denied { setsched } for pid=1010 |
| 54 |
comm="mount" scontext=system_u:system_r:mount_t |
| 55 |
tcontext=system_u:system_r:kernel_t tclass=process |
| 56 |
Mar 2 10:54:51 ***** kernel: [ 8.354336] type=1400 |
| 57 |
audit(1330682087.785:7): avc: denied { write } for pid=1062 comm="rm" |
| 58 |
name="console" dev="sda1" ino=423795 scontext=system_u:system_r:initrc_t |
| 59 |
tcontext=system_u:object_r:lib_t tclass=dir |
| 60 |
Mar 2 10:54:51 ***** kernel: [ 8.354358] type=1400 |
| 61 |
audit(1330682087.785:8): avc: denied { remove_name } for pid=1062 |
| 62 |
comm="rm" name="keymap" dev="sda1" ino=393305 |
| 63 |
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t |
| 64 |
tclass=dir |
| 65 |
Mar 2 10:54:51 ***** kernel: [ 8.354373] type=1400 |
| 66 |
audit(1330682087.785:9): avc: denied { unlink } for pid=1062 |
| 67 |
comm="rm" name="keymap" dev="sda1" ino=393305 |
| 68 |
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t |
| 69 |
tclass=file |
| 70 |
Mar 2 10:54:51 ***** kernel: [ 8.365926] type=1400 |
| 71 |
audit(1330682087.796:10): avc: denied { create } for pid=1063 |
| 72 |
comm="mkdir" name=".test.1056" scontext=system_u:system_r:initrc_t |
| 73 |
tcontext=system_u:object_r:var_run_t tclass=dir |
| 74 |
Mar 2 10:54:51 ***** kernel: [ 8.719682] type=1400 |
| 75 |
audit(1330682088.150:11): avc: denied { getattr } for pid=1175 |
| 76 |
comm="fuser" path="socket:[1859]" dev="sockfs" ino=1859 |
| 77 |
scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t |
| 78 |
tclass=unix_stream_socket |
| 79 |
Mar 2 10:54:51 ***** kernel: [ 8.720802] type=1400 |
| 80 |
audit(1330682088.151:12): avc: denied { getattr } for pid=1176 |
| 81 |
comm="fuser" path="socket:[1860]" dev="sockfs" ino=1860 |
| 82 |
scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t |
| 83 |
tclass=netlink_kobject_uevent_socket |
| 84 |
Mar 2 10:54:51 ***** kernel: [ 8.849343] type=1400 |
| 85 |
audit(1330682088.280:13): avc: denied { setattr } for pid=1271 |
| 86 |
comm="chmod" name="/" dev="tmpfs" ino=3021 |
| 87 |
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmp_t |
| 88 |
tclass=dir |
| 89 |
Mar 2 10:54:51 ***** kernel: [ 9.151457] type=1400 |
| 90 |
audit(1330682088.582:14): avc: denied { add_name } for pid=1299 |
| 91 |
comm="runscript.sh" name="unicode" scontext=system_u:system_r:initrc_t |
| 92 |
tcontext=system_u:object_r:lib_t tclass=dir |
| 93 |
Mar 2 10:54:54 ***** kernel: [ 15.470860] type=1400 |
| 94 |
audit(1330682094.901:22): avc: denied { getattr } for pid=1735 |
| 95 |
comm="openvpn" name="/" dev="sysfs" ino=1 |
| 96 |
scontext=system_u:system_r:openvpn_t tcontext=system_u:object_r:sysfs_t |
| 97 |
tclass=filesystem |
| 98 |
Mar 2 10:54:56 ***** kernel: [ 16.646182] type=1400 |
| 99 |
audit(1330682096.077:23): avc: denied { add_name } for pid=1804 |
| 100 |
comm="runscript.sh" name="wrapper_loop.pid" |
| 101 |
scontext=system_u:system_r:initrc_t |
| 102 |
tcontext=system_u:object_r:asterisk_var_run_t tclass=dir |
| 103 |
Mar 2 10:54:56 ***** kernel: [ 16.646272] type=1400 |
| 104 |
audit(1330682096.077:24): avc: denied { create } for pid=1804 |
| 105 |
comm="runscript.sh" name="wrapper_loop.pid" |
| 106 |
scontext=system_u:system_r:initrc_t |
| 107 |
tcontext=system_u:object_r:asterisk_var_run_t tclass=file |
| 108 |
Mar 2 10:54:56 ***** kernel: [ 16.646389] type=1400 |
| 109 |
audit(1330682096.077:25): avc: denied { write } for pid=1804 |
| 110 |
comm="runscript.sh" name="wrapper_loop.pid" dev="sda1" ino=524346 |
| 111 |
scontext=system_u:system_r:initrc_t |
| 112 |
tcontext=system_u:object_r:asterisk_var_run_t tclass=file |
| 113 |
Mar 2 10:54:56 ***** kernel: [ 16.903405] type=1400 |
| 114 |
audit(1330682096.334:26): avc: denied { setattr } for pid=1805 |
| 115 |
comm="asterisk" name="asterisk" dev="sda1" ino=568583 |
| 116 |
scontext=system_u:system_r:asterisk_t |
| 117 |
tcontext=system_u:object_r:asterisk_var_run_t tclass=dir |
| 118 |
Mar 2 10:54:58 ***** kernel: [ 19.082552] type=1400 |
| 119 |
audit(1330682098.513:27): avc: denied { getattr } for pid=1838 |
| 120 |
comm="mount" name="/" dev="sysfs" ino=1 |
| 121 |
scontext=system_u:system_r:mount_t tcontext=system_u:object_r:sysfs_t |
| 122 |
tclass=filesystem |
| 123 |
Mar 2 10:54:58 ***** kernel: [ 19.340996] type=1400 |
| 124 |
audit(1330682098.772:28): avc: denied { dac_override } for pid=1865 |
| 125 |
comm="nginx" capability=1 scontext=system_u:system_r:nginx_t |
| 126 |
tcontext=system_u:system_r:nginx_t tclass=capability |
| 127 |
Mar 2 10:54:59 ***** kernel: [ 20.095608] type=1400 |
| 128 |
audit(1330682099.526:29): avc: denied { getattr } for pid=1895 |
| 129 |
comm="sed" name="/" dev="sysfs" ino=1 |
| 130 |
scontext=system_u:system_r:postfix_master_t |
| 131 |
tcontext=system_u:object_r:sysfs_t tclass=filesystem |
| 132 |
Mar 2 10:55:12 ***** kernel: [ 33.256625] type=1400 |
| 133 |
audit(1330682112.687:30): avc: denied { search } for pid=2033 |
| 134 |
comm="unix_chkpwd" name="/" dev="sysfs" ino=1 ipaddr=***.***.***.*** |
| 135 |
scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:sysfs_t |
| 136 |
tclass=dir |
| 137 |
Mar 2 10:55:12 ***** kernel: [ 33.256688] type=1400 |
| 138 |
audit(1330682112.687:31): avc: denied { getattr } for pid=2033 |
| 139 |
comm="unix_chkpwd" name="/" dev="sysfs" ino=1 ipaddr=***.***.***.*** |
| 140 |
scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:sysfs_t |
| 141 |
tclass=filesystem |
| 142 |
Mar 2 10:55:14 ***** kernel: [ 35.354952] type=1400 |
| 143 |
audit(1330682114.785:32): avc: denied { search } for pid=2042 |
| 144 |
comm="unix_chkpwd" name="/" dev="sysfs" ino=1 ipaddr=***.***.***.*** |
| 145 |
scontext=staff_u:staff_r:chkpwd_t tcontext=system_u:object_r:sysfs_t |
| 146 |
tclass=dir |
| 147 |
Mar 2 10:55:14 ***** kernel: [ 35.355060] type=1400 |
| 148 |
audit(1330682114.786:33): avc: denied { getattr } for pid=2042 |
| 149 |
comm="unix_chkpwd" name="/" dev="sysfs" ino=1 ipaddr=***.***.***.*** |
| 150 |
scontext=staff_u:staff_r:chkpwd_t tcontext=system_u:object_r:sysfs_t |
| 151 |
tclass=filesystem |
| 152 |
Mar 2 10:55:19 ***** kernel: [ 39.687063] type=1400 |
| 153 |
audit(1330682119.117:34): avc: denied { transition } for pid=2045 |
| 154 |
comm="newrole" path="/bin/zsh" dev="sda1" ino=563099 |
| 155 |
ipaddr=***.***.***.*** scontext=staff_u:staff_r:newrole_t |
| 156 |
tcontext=staff_u:sysadm_r:sysadm_t tclass=process |
| 157 |
Mar 2 10:55:19 ***** kernel: [ 39.687937] type=1400 |
| 158 |
audit(1330682119.118:35): avc: denied { rlimitinh } for pid=2045 |
| 159 |
comm="zsh" ipaddr=***.***.***.*** scontext=staff_u:staff_r:newrole_t |
| 160 |
tcontext=staff_u:sysadm_r:sysadm_t tclass=process |
| 161 |
Mar 2 10:55:19 ***** kernel: [ 39.687958] type=1400 |
| 162 |
audit(1330682119.118:36): avc: denied { siginh } for pid=2045 |
| 163 |
comm="zsh" ipaddr=***.***.***.*** scontext=staff_u:staff_r:newrole_t |
| 164 |
tcontext=staff_u:sysadm_r:sysadm_t tclass=process |
| 165 |
Mar 2 10:55:19 ***** kernel: [ 39.689198] type=1400 |
| 166 |
audit(1330682119.120:37): avc: denied { noatsecure } for pid=2045 |
| 167 |
comm="zsh" ipaddr=***.***.***.*** scontext=staff_u:staff_r:newrole_t |
| 168 |
tcontext=staff_u:sysadm_r:sysadm_t tclass=process |
| 169 |
Mar 2 10:55:19 ***** kernel: [ 39.714856] type=1400 |
| 170 |
audit(1330682119.145:38): avc: denied { getattr } for pid=2045 |
| 171 |
comm="sudo" name="/" dev="sysfs" ino=1 ipaddr=***.***.***.*** |
| 172 |
scontext=staff_u:sysadm_r:sysadm_sudo_t |
| 173 |
tcontext=system_u:object_r:sysfs_t tclass=filesystem |
| 174 |
Mar 2 10:55:19 ***** kernel: [ 39.812201] type=1400 |
| 175 |
audit(1330682119.243:39): avc: denied { search } for pid=2046 |
| 176 |
comm="unix_chkpwd" name="/" dev="sysfs" ino=1 ipaddr=***.***.***.*** |
| 177 |
scontext=staff_u:sysadm_r:chkpwd_t tcontext=system_u:object_r:sysfs_t |
| 178 |
tclass=dir |
| 179 |
Mar 2 10:55:19 ***** kernel: [ 39.812263] type=1400 |
| 180 |
audit(1330682119.243:40): avc: denied { getattr } for pid=2046 |
| 181 |
comm="unix_chkpwd" name="/" dev="sysfs" ino=1 ipaddr=***.***.***.*** |
| 182 |
scontext=staff_u:sysadm_r:chkpwd_t tcontext=system_u:object_r:sysfs_t |
| 183 |
tclass=filesystem |
| 184 |
|
| 185 |
|
| 186 |
More information concerning my configuration: |
| 187 |
#semodule -l |
| 188 |
apache 2.3.0 |
| 189 |
application 1.2.0 |
| 190 |
asterisk 1.10.0 |
| 191 |
authlogin 2.3.0 |
| 192 |
bind 1.11.0 |
| 193 |
bootloader 1.13.0 |
| 194 |
clock 1.6.0 |
| 195 |
consoletype 1.10.0 |
| 196 |
cron 2.4.0 |
| 197 |
crontabr2e 1.0.0 |
| 198 |
dmesg 1.3.0 |
| 199 |
fixes 1.0.0 (ip6table fix) |
| 200 |
fstools 1.15.0 |
| 201 |
getty 1.9.0 |
| 202 |
hostname 1.7.0 |
| 203 |
hotplug 1.15.0 |
| 204 |
init 1.18.0 |
| 205 |
iptables 1.13.0 |
| 206 |
libraries 2.8.0 |
| 207 |
locallogin 1.11.0 |
| 208 |
logging 1.18.0 |
| 209 |
logrotate 1.14.0 |
| 210 |
lvm 1.13.0 |
| 211 |
miscfiles 1.9.0 |
| 212 |
modutils 1.12.0 |
| 213 |
mount 1.14.0 |
| 214 |
mta 2.4.0 |
| 215 |
netutils 1.11.0 |
| 216 |
nginx 1.0.10 |
| 217 |
nginxfix 1.0.10 |
| 218 |
nscd 1.10.0 |
| 219 |
openvpn 1.11.0 |
| 220 |
portage 1.12.0 |
| 221 |
postfix 1.13.0 |
| 222 |
raid 1.11.0 |
| 223 |
rsync 1.11.0 |
| 224 |
screen 2.5.0 |
| 225 |
selinuxutil 1.16.0 |
| 226 |
ssh 2.3.0 |
| 227 |
staff 2.3.0 |
| 228 |
storage 1.10.0 |
| 229 |
su 1.12.0 |
| 230 |
sudo 1.9.0 |
| 231 |
sysadm 2.4.0 |
| 232 |
sysnetwork 1.13.0 |
| 233 |
udev 1.14.0 |
| 234 |
unprivuser 2.3.0 |
| 235 |
userdomain 4.7.0 |
| 236 |
usermanage 1.17.0 |
| 237 |
xdg 1.0.0 |
| 238 |
|
| 239 |
|
| 240 |
#getsebool -a |
| 241 |
allow_execheap --> off |
| 242 |
allow_execmem --> off |
| 243 |
allow_execmod --> off |
| 244 |
allow_execstack --> off |
| 245 |
allow_httpd_anon_write --> off |
| 246 |
allow_httpd_mod_auth_pam --> off |
| 247 |
allow_httpd_sys_script_anon_write --> off |
| 248 |
allow_httpd_user_script_anon_write --> off |
| 249 |
allow_mount_anyfile --> off |
| 250 |
allow_polyinstantiation --> off |
| 251 |
allow_ptrace --> off |
| 252 |
allow_rsync_anon_write --> off |
| 253 |
allow_ssh_keysign --> off |
| 254 |
allow_user_mysql_connect --> off |
| 255 |
allow_user_postgresql_connect --> off |
| 256 |
allow_ypbind --> off |
| 257 |
console_login --> off |
| 258 |
cron_can_relabel --> off |
| 259 |
fcron_crond --> off |
| 260 |
gentoo_nginx_can_network_connect --> off |
| 261 |
gentoo_nginx_can_network_connect_http --> on |
| 262 |
gentoo_nginx_enable_http_server --> on |
| 263 |
gentoo_nginx_enable_imap_server --> off |
| 264 |
gentoo_nginx_enable_pop3_server --> off |
| 265 |
gentoo_nginx_enable_smtp_server --> off |
| 266 |
gentoo_try_dontaudit --> on |
| 267 |
gentoo_wait_requests --> off |
| 268 |
global_ssp --> on |
| 269 |
httpd_builtin_scripting --> off |
| 270 |
httpd_can_network_connect --> off |
| 271 |
httpd_can_network_connect_db --> off |
| 272 |
httpd_can_network_relay --> off |
| 273 |
httpd_can_sendmail --> off |
| 274 |
httpd_dbus_avahi --> off |
| 275 |
httpd_enable_cgi --> off |
| 276 |
httpd_enable_ftp_server --> off |
| 277 |
httpd_enable_homedirs --> off |
| 278 |
httpd_ssi_exec --> off |
| 279 |
httpd_tty_comm --> off |
| 280 |
httpd_unified --> off |
| 281 |
httpd_use_cifs --> off |
| 282 |
httpd_use_gpg --> off |
| 283 |
httpd_use_nfs --> off |
| 284 |
init_upstart --> off |
| 285 |
mail_read_content --> off |
| 286 |
mmap_low_allowed --> off |
| 287 |
named_write_master_zones --> off |
| 288 |
nfs_export_all_ro --> off |
| 289 |
nfs_export_all_rw --> off |
| 290 |
openvpn_enable_homedirs --> off |
| 291 |
portage_use_nfs --> off |
| 292 |
rsync_export_all_ro --> on |
| 293 |
secure_mode --> on |
| 294 |
secure_mode_insmod --> off |
| 295 |
secure_mode_policyload --> off |
| 296 |
ssh_sysadm_login --> off |
| 297 |
use_nfs_home_dirs --> off |
| 298 |
use_samba_home_dirs --> off |
| 299 |
user_direct_mouse --> off |
| 300 |
user_dmesg --> off |
| 301 |
user_ping --> off |
| 302 |
user_rw_noexattrfile --> off |
| 303 |
user_tcp_server --> off |
| 304 |
user_ttyfile_stat --> off |
| 305 |
|
| 306 |
#fstab : |
| 307 |
/dev/sda1 / ext4 noatime |
| 308 |
|
| 309 |
0 1 |
| 310 |
/dev/sda3 none swap sw |
| 311 |
|
| 312 |
0 0 |
| 313 |
proc /proc proc defaults |
| 314 |
|
| 315 |
0 0 |
| 316 |
tmpfs /tmp tmpfs |
| 317 |
defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t |
| 318 |
0 0 |
| 319 |
udev /dev tmpfs |
| 320 |
rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 |
| 321 |
0 0 |
| 322 |
none /selinux selinuxfs noauto |
| 323 |
|
| 324 |
0 0 |
| 325 |
|
| 326 |
#mounts : |
| 327 |
rootfs on / type rootfs (rw) |
| 328 |
/dev/root on / type ext4 |
| 329 |
(rw,seclabel,noatime,user_xattr,barrier=1,data=ordered) |
| 330 |
selinuxfs on /selinux type selinuxfs (rw,relatime) |
| 331 |
proc on /proc type proc (rw,relatime) |
| 332 |
rc-svcdir on /lib64/rc/init.d type tmpfs |
| 333 |
(rw,rootcontext=system_u:object_r:initrc_state_t,seclabel,nosuid,nodev,noexec,relatime,size=1024k,mode=755) |
| 334 |
sysfs on /sys type sysfs (rw,seclabel,nosuid,nodev,noexec,relatime) |
| 335 |
debugfs on /sys/kernel/debug type debugfs |
| 336 |
(rw,nosuid,nodev,noexec,relatime) |
| 337 |
udev on /dev type tmpfs |
| 338 |
(rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10240k,mode=755) |
| 339 |
devpts on /dev/pts type devpts |
| 340 |
(rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620) |
| 341 |
shm on /dev/shm type tmpfs |
| 342 |
(rw,rootcontext=system_u:object_r:tmpfs_t,seclabel,nosuid,nodev,noexec,relatime) |
| 343 |
tmpfs on /tmp type tmpfs |
| 344 |
(rw,noexec,nosuid,rootcontext="system_u:object_r:tmp_t") |
| 345 |
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc |
| 346 |
(rw,noexec,nosuid,nodev) |
| 347 |
|
| 348 |
I think something about /sys mount point is missing in my fstab but I'm |
| 349 |
unable to find anything about that in the web. |
| 350 |
|
| 351 |
Thanks, |
| 352 |
Vincent Brillault |
Archives