Hi all,

I've installed my first SELinux-enhanced Gentoo Hardened a few days
ago.
A lot of AVCs appear in the logs and I fear that those would crash the
server if I try to boot in enforcing mode.

Basic configuration details:
Kernel: 3.2.2-hardened-r1
Profile: hardened/linux/amd64/selinux
sec-policy: based on the hardened-dev overlay:
- sec-policy/selinux-base-policy: 2.20120215-r4
- sec-policy/selinux-base: 2.20120215-r4
Policy: strict
Mode: permissive

First of all, I think that the current policy lacks a context rule for
ip6tables. I fixed it by adding the following rule (the context used
here comes from /var/lib/iptables):
/var/lib/ip6tables(/.*)? gen_context(system_u:object_r:initrc_tmp_t)

Then, another rule seems to be missing for nginx. I think it's caused
by the following line in my configuration: "include
/etc/nginx/vhosts.d/*.conf;", which results in:
Mar 2 11:10:47 ***** kernel: [ 968.008780] type=1400 audit(1330683047.439:55): avc: denied { read } for pid=2257 comm="nginx" name="vhosts.d" dev="sda1" ino=393764 scontext=system_u:system_r:nginx_t tcontext=system_u:object_r:nginx_conf_t tclass=dir

I added the following rule to resolve this AVC:
allow nginx_t nginx_conf_t:dir read;

I don't have enough experience to understand the following AVCs that
come after every boot (after I log in):

Mar 2 10:54:51 ***** kernel: [ 3.669361] type=1400 audit(1330682082.668:3): avc: denied { getattr } for pid=736 comm="mount" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:sysfs_t tclass=filesystem
Mar 2 10:54:51 ***** kernel: [ 3.803100] type=1400 audit(1330682082.802:4): avc: denied { getattr } for pid=751 comm="restorecon" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:setfiles_t tcontext=system_u:object_r:sysfs_t tclass=filesystem
Mar 2 10:54:51 ***** kernel: [ 6.859414] type=1400 audit(1330682086.290:5): avc: denied { getattr } for pid=968 comm="pvscan" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:sysfs_t tclass=filesystem
Mar 2 10:54:51 ***** kernel: [ 7.767982] type=1400 audit(1330682087.198:6): avc: denied { setsched } for pid=1010 comm="mount" scontext=system_u:system_r:mount_t tcontext=system_u:system_r:kernel_t tclass=process
Mar 2 10:54:51 ***** kernel: [ 8.354336] type=1400 audit(1330682087.785:7): avc: denied { write } for pid=1062 comm="rm" name="console" dev="sda1" ino=423795 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir
Mar 2 10:54:51 ***** kernel: [ 8.354358] type=1400 audit(1330682087.785:8): avc: denied { remove_name } for pid=1062 comm="rm" name="keymap" dev="sda1" ino=393305 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir
Mar 2 10:54:51 ***** kernel: [ 8.354373] type=1400 audit(1330682087.785:9): avc: denied { unlink } for pid=1062 comm="rm" name="keymap" dev="sda1" ino=393305 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file
Mar 2 10:54:51 ***** kernel: [ 8.365926] type=1400 audit(1330682087.796:10): avc: denied { create } for pid=1063 comm="mkdir" name=".test.1056" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_run_t tclass=dir
Mar 2 10:54:51 ***** kernel: [ 8.719682] type=1400 audit(1330682088.150:11): avc: denied { getattr } for pid=1175 comm="fuser" path="socket:[1859]" dev="sockfs" ino=1859 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t tclass=unix_stream_socket
Mar 2 10:54:51 ***** kernel: [ 8.720802] type=1400 audit(1330682088.151:12): avc: denied { getattr } for pid=1176 comm="fuser" path="socket:[1860]" dev="sockfs" ino=1860 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t tclass=netlink_kobject_uevent_socket
Mar 2 10:54:51 ***** kernel: [ 8.849343] type=1400 audit(1330682088.280:13): avc: denied { setattr } for pid=1271 comm="chmod" name="/" dev="tmpfs" ino=3021 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmp_t tclass=dir
Mar 2 10:54:51 ***** kernel: [ 9.151457] type=1400 audit(1330682088.582:14): avc: denied { add_name } for pid=1299 comm="runscript.sh" name="unicode" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir
Mar 2 10:54:54 ***** kernel: [ 15.470860] type=1400 audit(1330682094.901:22): avc: denied { getattr } for pid=1735 comm="openvpn" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:openvpn_t tcontext=system_u:object_r:sysfs_t tclass=filesystem
Mar 2 10:54:56 ***** kernel: [ 16.646182] type=1400 audit(1330682096.077:23): avc: denied { add_name } for pid=1804 comm="runscript.sh" name="wrapper_loop.pid" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:asterisk_var_run_t tclass=dir
Mar 2 10:54:56 ***** kernel: [ 16.646272] type=1400 audit(1330682096.077:24): avc: denied { create } for pid=1804 comm="runscript.sh" name="wrapper_loop.pid" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:asterisk_var_run_t tclass=file
Mar 2 10:54:56 ***** kernel: [ 16.646389] type=1400 audit(1330682096.077:25): avc: denied { write } for pid=1804 comm="runscript.sh" name="wrapper_loop.pid" dev="sda1" ino=524346 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:asterisk_var_run_t tclass=file
Mar 2 10:54:56 ***** kernel: [ 16.903405] type=1400 audit(1330682096.334:26): avc: denied { setattr } for pid=1805 comm="asterisk" name="asterisk" dev="sda1" ino=568583 scontext=system_u:system_r:asterisk_t tcontext=system_u:object_r:asterisk_var_run_t tclass=dir
Mar 2 10:54:58 ***** kernel: [ 19.082552] type=1400 audit(1330682098.513:27): avc: denied { getattr } for pid=1838 comm="mount" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:sysfs_t tclass=filesystem
Mar 2 10:54:58 ***** kernel: [ 19.340996] type=1400 audit(1330682098.772:28): avc: denied { dac_override } for pid=1865 comm="nginx" capability=1 scontext=system_u:system_r:nginx_t tcontext=system_u:system_r:nginx_t tclass=capability
Mar 2 10:54:59 ***** kernel: [ 20.095608] type=1400 audit(1330682099.526:29): avc: denied { getattr } for pid=1895 comm="sed" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:sysfs_t tclass=filesystem
Mar 2 10:55:12 ***** kernel: [ 33.256625] type=1400 audit(1330682112.687:30): avc: denied { search } for pid=2033 comm="unix_chkpwd" name="/" dev="sysfs" ino=1 ipaddr=***.***.***.*** scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:sysfs_t tclass=dir
Mar 2 10:55:12 ***** kernel: [ 33.256688] type=1400 audit(1330682112.687:31): avc: denied { getattr } for pid=2033 comm="unix_chkpwd" name="/" dev="sysfs" ino=1 ipaddr=***.***.***.*** scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:sysfs_t tclass=filesystem
Mar 2 10:55:14 ***** kernel: [ 35.354952] type=1400 audit(1330682114.785:32): avc: denied { search } for pid=2042 comm="unix_chkpwd" name="/" dev="sysfs" ino=1 ipaddr=***.***.***.*** scontext=staff_u:staff_r:chkpwd_t tcontext=system_u:object_r:sysfs_t tclass=dir
Mar 2 10:55:14 ***** kernel: [ 35.355060] type=1400 audit(1330682114.786:33): avc: denied { getattr } for pid=2042 comm="unix_chkpwd" name="/" dev="sysfs" ino=1 ipaddr=***.***.***.*** scontext=staff_u:staff_r:chkpwd_t tcontext=system_u:object_r:sysfs_t tclass=filesystem
Mar 2 10:55:19 ***** kernel: [ 39.687063] type=1400 audit(1330682119.117:34): avc: denied { transition } for pid=2045 comm="newrole" path="/bin/zsh" dev="sda1" ino=563099 ipaddr=***.***.***.*** scontext=staff_u:staff_r:newrole_t tcontext=staff_u:sysadm_r:sysadm_t tclass=process
Mar 2 10:55:19 ***** kernel: [ 39.687937] type=1400 audit(1330682119.118:35): avc: denied { rlimitinh } for pid=2045 comm="zsh" ipaddr=***.***.***.*** scontext=staff_u:staff_r:newrole_t tcontext=staff_u:sysadm_r:sysadm_t tclass=process
Mar 2 10:55:19 ***** kernel: [ 39.687958] type=1400 audit(1330682119.118:36): avc: denied { siginh } for pid=2045 comm="zsh" ipaddr=***.***.***.*** scontext=staff_u:staff_r:newrole_t tcontext=staff_u:sysadm_r:sysadm_t tclass=process
Mar 2 10:55:19 ***** kernel: [ 39.689198] type=1400 audit(1330682119.120:37): avc: denied { noatsecure } for pid=2045 comm="zsh" ipaddr=***.***.***.*** scontext=staff_u:staff_r:newrole_t tcontext=staff_u:sysadm_r:sysadm_t tclass=process
Mar 2 10:55:19 ***** kernel: [ 39.714856] type=1400 audit(1330682119.145:38): avc: denied { getattr } for pid=2045 comm="sudo" name="/" dev="sysfs" ino=1 ipaddr=***.***.***.*** scontext=staff_u:sysadm_r:sysadm_sudo_t tcontext=system_u:object_r:sysfs_t tclass=filesystem
Mar 2 10:55:19 ***** kernel: [ 39.812201] type=1400 audit(1330682119.243:39): avc: denied { search } for pid=2046 comm="unix_chkpwd" name="/" dev="sysfs" ino=1 ipaddr=***.***.***.*** scontext=staff_u:sysadm_r:chkpwd_t tcontext=system_u:object_r:sysfs_t tclass=dir
Mar 2 10:55:19 ***** kernel: [ 39.812263] type=1400 audit(1330682119.243:40): avc: denied { getattr } for pid=2046 comm="unix_chkpwd" name="/" dev="sysfs" ino=1 ipaddr=***.***.***.*** scontext=staff_u:sysadm_r:chkpwd_t tcontext=system_u:object_r:sysfs_t tclass=filesystem


More information concerning my configuration:
#semodule -l
apache 2.3.0
application 1.2.0
asterisk 1.10.0
authlogin 2.3.0
bind 1.11.0
bootloader 1.13.0
clock 1.6.0
consoletype 1.10.0
cron 2.4.0
crontabr2e 1.0.0
dmesg 1.3.0
fixes 1.0.0 (ip6table fix)
fstools 1.15.0
getty 1.9.0
hostname 1.7.0
hotplug 1.15.0
init 1.18.0
iptables 1.13.0
libraries 2.8.0
locallogin 1.11.0
logging 1.18.0
logrotate 1.14.0
lvm 1.13.0
miscfiles 1.9.0
modutils 1.12.0
mount 1.14.0
mta 2.4.0
netutils 1.11.0
nginx 1.0.10
nginxfix 1.0.10
nscd 1.10.0
openvpn 1.11.0
portage 1.12.0
postfix 1.13.0
raid 1.11.0
rsync 1.11.0
screen 2.5.0
selinuxutil 1.16.0
ssh 2.3.0
staff 2.3.0
storage 1.10.0
su 1.12.0
sudo 1.9.0
sysadm 2.4.0
sysnetwork 1.13.0
udev 1.14.0
unprivuser 2.3.0
userdomain 4.7.0
usermanage 1.17.0
xdg 1.0.0


#getsebool -a
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> off
allow_httpd_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
allow_httpd_user_script_anon_write --> off
allow_mount_anyfile --> off
allow_polyinstantiation --> off
allow_ptrace --> off
allow_rsync_anon_write --> off
allow_ssh_keysign --> off
allow_user_mysql_connect --> off
allow_user_postgresql_connect --> off
allow_ypbind --> off
console_login --> off
cron_can_relabel --> off
fcron_crond --> off
gentoo_nginx_can_network_connect --> off
gentoo_nginx_can_network_connect_http --> on
gentoo_nginx_enable_http_server --> on
gentoo_nginx_enable_imap_server --> off
gentoo_nginx_enable_pop3_server --> off
gentoo_nginx_enable_smtp_server --> off
gentoo_try_dontaudit --> on
gentoo_wait_requests --> off
global_ssp --> on
httpd_builtin_scripting --> off
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_enable_cgi --> off
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_ssi_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
init_upstart --> off
mail_read_content --> off
mmap_low_allowed --> off
named_write_master_zones --> off
nfs_export_all_ro --> off
nfs_export_all_rw --> off
openvpn_enable_homedirs --> off
portage_use_nfs --> off
rsync_export_all_ro --> on
secure_mode --> on
secure_mode_insmod --> off
secure_mode_policyload --> off
ssh_sysadm_login --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
user_direct_mouse --> off
user_dmesg --> off
user_ping --> off
user_rw_noexattrfile --> off
user_tcp_server --> off
user_ttyfile_stat --> off

#fstab:
/dev/sda1 / ext4 noatime 0 1
/dev/sda3 none swap sw 0 0
proc /proc proc defaults 0 0
tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t 0 0
udev /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 0 0
none /selinux selinuxfs noauto 0 0

#mounts:
rootfs on / type rootfs (rw)
/dev/root on / type ext4 (rw,seclabel,noatime,user_xattr,barrier=1,data=ordered)
selinuxfs on /selinux type selinuxfs (rw,relatime)
proc on /proc type proc (rw,relatime)
rc-svcdir on /lib64/rc/init.d type tmpfs (rw,rootcontext=system_u:object_r:initrc_state_t,seclabel,nosuid,nodev,noexec,relatime,size=1024k,mode=755)
sysfs on /sys type sysfs (rw,seclabel,nosuid,nodev,noexec,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime)
udev on /dev type tmpfs (rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10240k,mode=755)
devpts on /dev/pts type devpts (rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620)
shm on /dev/shm type tmpfs (rw,rootcontext=system_u:object_r:tmpfs_t,seclabel,nosuid,nodev,noexec,relatime)
tmpfs on /tmp type tmpfs (rw,noexec,nosuid,rootcontext="system_u:object_r:tmp_t")
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,noexec,nosuid,nodev)

I think something about the /sys mount point is missing in my fstab but I'm
unable to find anything about that on the web.

Thanks,
Vincent Brillault
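Added example, not part of Vincent's post or of any Gentoo policy tooling: a small Python script that parses kernel-log AVC lines of the kind quoted above, groups the denials by (source type, target type, object class), and renders one candidate `allow` rule per group, which is essentially the first step audit2allow performs. The seven SAMPLE_LOG records are copied from the post (host name redacted as in the original); everything else, in particular the GENERIC_TARGETS set and the dac_override note used to flag rules that probably should not be added as written, is my own triage heuristic and is labelled as such in the code.

```python
"""Group SELinux AVC denials from a kernel log into candidate allow rules.

Added example, not code from the original post.  The SAMPLE_LOG lines are
copied from the post above; GENERIC_TARGETS and the dac_override note are
my own triage heuristics, not part of any policy or tool.
"""
import re
from collections import defaultdict

# Seven records copied from the post (host name redacted as in the original).
SAMPLE_LOG = """\
Mar 2 11:10:47 ***** kernel: [ 968.008780] type=1400 audit(1330683047.439:55): avc: denied { read } for pid=2257 comm="nginx" name="vhosts.d" dev="sda1" ino=393764 scontext=system_u:system_r:nginx_t tcontext=system_u:object_r:nginx_conf_t tclass=dir
Mar 2 10:54:58 ***** kernel: [ 19.340996] type=1400 audit(1330682098.772:28): avc: denied { dac_override } for pid=1865 comm="nginx" capability=1 scontext=system_u:system_r:nginx_t tcontext=system_u:system_r:nginx_t tclass=capability
Mar 2 10:54:56 ***** kernel: [ 16.646182] type=1400 audit(1330682096.077:23): avc: denied { add_name } for pid=1804 comm="runscript.sh" name="wrapper_loop.pid" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:asterisk_var_run_t tclass=dir
Mar 2 10:54:56 ***** kernel: [ 16.646272] type=1400 audit(1330682096.077:24): avc: denied { create } for pid=1804 comm="runscript.sh" name="wrapper_loop.pid" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:asterisk_var_run_t tclass=file
Mar 2 10:54:56 ***** kernel: [ 16.646389] type=1400 audit(1330682096.077:25): avc: denied { write } for pid=1804 comm="runscript.sh" name="wrapper_loop.pid" dev="sda1" ino=524346 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:asterisk_var_run_t tclass=file
Mar 2 10:54:51 ***** kernel: [ 3.669361] type=1400 audit(1330682082.668:3): avc: denied { getattr } for pid=736 comm="mount" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:sysfs_t tclass=filesystem
Mar 2 10:54:51 ***** kernel: [ 8.354373] type=1400 audit(1330682087.785:9): avc: denied { unlink } for pid=1062 comm="rm" name="keymap" dev="sda1" ino=393305 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (mine, not from the post): a denial whose target is one of these
# broad types is more often a labelling problem than a missing allow rule.
GENERIC_TARGETS = {"lib_t", "var_run_t", "tmp_t", "sysfs_t", "var_t", "etc_t"}


def parse_avc(line):
    """Parse one 'avc: denied' line; return None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        # user:role:type[:range] -> the type is always the third field
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "name": fields.get("name", fields.get("path", "")),
        "stype": stype,
        "ttype": ttype,
        "tclass": tclass,
    }


def aggregate(log_text):
    """Map (source type, target type, class) -> union of perms and of comms."""
    agg = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        agg[key]["perms"] |= rec["perms"]
        agg[key]["comms"].add(rec["comm"])
    return dict(agg)


def candidate_rules(log_text):
    """Return [(rule, comms, note)], one rule per aggregated key, sorted by rule.

    `note` is empty when an allow rule looks like the right fix, otherwise a
    short reason to look at labelling or file permissions first.
    """
    out = []
    for (stype, ttype, tclass), info in aggregate(log_text).items():
        perms = sorted(info["perms"])
        perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rule = f"allow {stype} {ttype}:{tclass} {perm_txt};"
        note = ""
        if ttype in GENERIC_TARGETS:
            note = f"target {ttype} is a generic type; check the file context first"
        elif tclass == "capability" and "dac_override" in perms:
            note = "dac_override: fix ownership/mode of the file instead of granting it"
        out.append((rule, sorted(info["comms"]), note))
    return sorted(out, key=lambda t: t[0])


def report(log_text):
    """Render the candidate rules as .te-style text with a comment per rule."""
    lines = []
    for rule, comms, note in candidate_rules(log_text):
        comment = "  # from: " + ", ".join(comms)
        if note:
            comment += "; " + note
        lines.append(rule + comment)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Replacing SAMPLE_LOG with `sys.stdin.read()` turns this into a filter for `dmesg` or /var/log/messages. The output is a starting point to compare against `audit2allow -a`, not something to load as a module: the two asterisk_var_run_t lines collapse into one `dir` rule and one `file { create write }` rule as expected, while the lib_t and sysfs_t entries come back flagged because the right fix there is usually a file context or a dontaudit rather than a new permission.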