Gentoo Archives: gentoo-hardened

From: "Dominik J. Fischer" <sysadmin@×××××××××.de>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] SELinux policy problems -> no policy for "/dev/console", "/dev/tty0", etc...
Date: Sun, 29 Mar 2009 10:43:46
Message-Id: 1238323416.22261.12.camel@ws.dom
Dear list,

I am trying to implement SELinux strict policy on a fresh gentoo
hardened system.
Versions:
sec-policy/selinux-base-policy 20070928

Obviously, the SELinux base policy does not even provide rules for those
devices initialized at bootup.

When doing "dmesg | grep avc" I see lots of access denials

[ 5.227966] type=1400 audit(1238350085.227:3): avc: denied { read write } for pid=1 comm="init" path="/dev/console" dev=sda4 ino=426558 scontext=system_u:system_r:init_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.233747] type=1400 audit(1238350085.233:4): avc: denied { ioctl } for pid=1 comm="init" path="/dev/tty0" dev=sda4 ino=413527 scontext=system_u:system_r:init_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.308967] type=1400 audit(1238350085.308:5): avc: denied { read write } for pid=806 comm="rc" name="console" dev=sda4 ino=426558 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.716816] type=1400 audit(1238350085.716:6): avc: denied { read write } for pid=808 comm="consoletype" name="console" dev=sda4 ino=426558 scontext=system_u:system_r:consoletype_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.718371] type=1400 audit(1238350085.718:7): avc: denied { search } for pid=808 comm="consoletype" name="dev" dev=sda4 ino=337142 scontext=system_u:system_r:consoletype_t tcontext=root:object_r:file_t tclass=dir
[ 5.719875] type=1400 audit(1238350085.719:8): avc: denied { getattr } for pid=808 comm="consoletype" path="/dev/console" dev=sda4 ino=426558 scontext=system_u:system_r:consoletype_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.720133] type=1400 audit(1238350085.719:9): avc: denied { ioctl } for pid=808 comm="consoletype" path="/dev/console" dev=sda4 ino=426558 scontext=system_u:system_r:consoletype_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.786111] type=1400 audit(1238350085.785:10): avc: denied { ioctl } for pid=811 comm="stty" path="/dev/console" dev=sda4 ino=426558 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.840322] type=1400 audit(1238350085.840:11): avc: denied { getattr } for pid=806 comm="bash" path="/dev/null" dev=sda4 ino=415908 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.872433] type=1400 audit(1238350085.872:12): avc: denied { read write } for pid=815 comm="dmesg" name="console" dev=sda4 ino=426558 scontext=system_u:system_r:dmesg_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.886838] type=1400 audit(1238350085.886:13): avc: denied { read write } for pid=818 comm="mount" name="console" dev=sda4 ino=426558 scontext=system_u:system_r:mount_t tcontext=root:object_r:file_t tclass=chr_file


1. What am I doing wrong? Does a policy exist for those cases and I did
not install it?
2. If not so, how can I get rid of these since I understand that these
denials would prevent my system from booting once the audit mode is
left?

box ~ # sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: strict

Process contexts:
Current context: root:sysadm_r:sysadm_t
Init context: system_u:system_r:init_t
/sbin/agetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:sshd_t

File contexts:
Controlling term: root:object_r:sysadm_devpts_t
/sbin/init system_u:object_r:init_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/bin/login system_u:object_r:login_exec_t
/sbin/rc system_u:object_r:initrc_exec_t
/sbin/runscript.sh system_u:object_r:initrc_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash system_u:object_r:shell_exec_t
/usr/bin/newrole system_u:object_r:newrole_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t



Thanks in advance!

Dominik
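Triaging a wall of AVC denials like the one in this message is easier once the records are grouped by source type, target type, object class and target, because the pattern that matters here (every target carries the type `file_t`) is then visible at a glance. The following Python script is an added example, not part of the original message or of any Gentoo tool; it parses denial lines in the `dmesg` format shown above and groups them. The sample input is five of the records quoted in the post, rejoined into one line each, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: five of the AVC records quoted in the post, rejoined into one
# line each (the kernel log wraps them). Constructed for this example.
SAMPLE_DMESG = """\
[    5.227966] type=1400 audit(1238350085.227:3): avc:  denied  { read write } for  pid=1 comm="init" path="/dev/console" dev=sda4 ino=426558 scontext=system_u:system_r:init_t tcontext=root:object_r:file_t tclass=chr_file
[    5.233747] type=1400 audit(1238350085.233:4): avc:  denied  { ioctl } for  pid=1 comm="init" path="/dev/tty0" dev=sda4 ino=413527 scontext=system_u:system_r:init_t tcontext=root:object_r:file_t tclass=chr_file
[    5.308967] type=1400 audit(1238350085.308:5): avc:  denied  { read write } for  pid=806 comm="rc" name="console" dev=sda4 ino=426558 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_t tclass=chr_file
[    5.840322] type=1400 audit(1238350085.840:11): avc:  denied  { getattr } for  pid=806 comm="bash" path="/dev/null" dev=sda4 ino=415908 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_t tclass=chr_file
[    5.886838] type=1400 audit(1238350085.886:13): avc:  denied  { read write } for  pid=818 comm="mount" name="console" dev=sda4 ino=426558 scontext=system_u:system_r:mount_t tcontext=root:object_r:file_t tclass=chr_file
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": tuple(m.group("perms").split())}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Contexts are user:role:type[:level]; the type is what the policy keys on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # The kernel reports either a resolved path or only the dentry name.
    rec["target"] = rec.get("path") or rec.get("name")
    return rec


def summarize(text):
    """Group denials by (source type, target type, class, target) -> sorted perms."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            key = (rec["stype"], rec["ttype"], rec["tclass"], rec["target"])
            groups[key].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


def unlabeled_targets(text):
    """Targets typed file_t, the type refpolicy gives files that carry no label."""
    recs = (parse_avc(line) for line in text.splitlines())
    return sorted({r["target"] for r in recs if r and r["ttype"] == "file_t"})


def all_targets_unlabeled(text):
    """True when every denial in the text is against an unlabeled (file_t) target."""
    recs = [r for r in map(parse_avc, text.splitlines()) if r]
    return bool(recs) and all(r["ttype"] == "file_t" for r in recs)


if __name__ == "__main__":
    for (stype, ttype, tclass, target), perms in summarize(SAMPLE_DMESG).items():
        print(f"{stype:12} -> {ttype:8} {tclass:9} {target:14} {' '.join(perms)}")
    print("all targets unlabeled (file_t):", all_targets_unlabeled(SAMPLE_DMESG))
```

The reading this gives (my interpretation of the quoted output, not something the message itself states) is that the denials are not about missing rules for `init_t` or `initrc_t`: `file_t` is the type SELinux assigns to an inode that has no label at all, so the first check is whether `/dev`, `/dev/console` and friends were ever labeled, and relabeling them (`restorecon`, or `rlpkg` on Gentoo) and re-checking comes before any policy change. Feeding `file_t` denials to `audit2allow` is the wrong fix, since an allow rule on `file_t` would grant the domain access to every unlabeled file on the system.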
