niderecha n00b
Joined: 10 Nov 2024 Posts: 18
Posted: Sun Nov 10, 2024 11:31 pm Post subject: help with selinux on a fresh gentoo
Hi. I'm new to selinux, and I'm trying to make it work (enforcing, strict) on an empty and fresh gentoo with profile
Code: | [34] default/linux/amd64/23.0/no-multilib/hardened/selinux/systemd (stable) * |
and a minimal set of utilities. There are a few problems I don't understand; it starts with NetworkManager:
Code: | Nov 10 23:14:26 gentoo systemd[1]: Starting Network Manager...
Nov 10 23:14:26 gentoo kernel: audit: type=1400 audit(1731280466.619:200): avc: denied { search } for pid=1249 comm="(kManager)" name="pressure" dev="proc" ino=4026532062 scontext=system_u:system_r:init_t tcontext=system_u:object_r:proc_psi_t tclass=dir permissive=0
Nov 10 23:14:26 gentoo NetworkManager[1249]: <info> [1731280466.6466] NetworkManager (version 1.46.0-r1) is starting... (after a restart, boot:b5e02538-4d3f-4629-b718-22043a4494f5)
Nov 10 23:14:26 gentoo NetworkManager[1249]: <info> [1731280466.6466] Read config: /etc/NetworkManager/NetworkManager.conf (lib: 31-mac-addr-change.conf)
Nov 10 23:14:26 gentoo NetworkManager[1249]: <info> [1731280466.6488] manager[0x55dd42195770]: monitoring kernel firmware directory '/lib/firmware'.
Nov 10 23:14:26 gentoo NetworkManager[1249]: <error> [1731280466.6488] session-monitor: failed to create systemd-logind monitor: -13
Nov 10 23:14:26 gentoo dbus-daemon[885]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.32' (uid=0 pid=1249 comm="/usr/sbin/NetworkManager --no-daemon" label="system_u:system_r:NetworkManager_t")
Nov 10 23:14:26 gentoo systemd[1]: Starting Hostname Service...
Nov 10 23:14:26 gentoo kernel: audit: type=1400 audit(1731280466.643:201): avc: denied { watch } for pid=1249 comm="NetworkManager" path="/run/systemd/seats" dev="tmpfs" ino=86 scontext=system_u:system_r:NetworkManager_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
Nov 10 23:14:26 gentoo kernel: audit: type=1400 audit(1731280466.673:202): avc: denied { search } for pid=1255 comm="(ostnamed)" name="pressure" dev="proc" ino=4026532062 scontext=system_u:system_r:init_t tcontext=system_u:object_r:proc_psi_t tclass=dir permissive=0
Nov 10 23:14:26 gentoo (ostnamed)[1255]: systemd-hostnamed.service: Failed to set up mount namespacing: /proc: Permission denied
Nov 10 23:14:26 gentoo (ostnamed)[1255]: systemd-hostnamed.service: Failed at step NAMESPACE spawning /usr/lib/systemd/systemd-hostnamed: Permission denied
Nov 10 23:14:26 gentoo kernel: audit: type=1400 audit(1731280466.689:203): avc: denied { mounton } for pid=1255 comm="(ostnamed)" path="/run/systemd/mount-rootfs/proc" dev="zfs" ino=881 scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=0 |
What is the right thing to do about the very first error?
Code: | Nov 10 23:14:26 gentoo kernel: audit: type=1400 audit(1731280466.619:200): avc: denied { search } for pid=1249 comm="(kManager)" name="pressure" dev="proc" ino=4026532062 scontext=system_u:system_r:init_t tcontext=system_u:object_r:proc_psi_t tclass=dir permissive=0 |
nicop Tux's lil' helper
Joined: 10 Apr 2014 Posts: 95
niderecha n00b
Joined: 10 Nov 2024 Posts: 18
Posted: Mon Nov 11, 2024 9:09 am
Thanks. I've been following the wiki, but I still have to wrap my head around it.
This is not a desktop; it should be a server running a web server, php, database and not much else. I'm a bit confused because from the first error it looks like I need to give init_t more power, and this is messing with the base system, which should already have sane defaults...
nicop Tux's lil' helper
Joined: 10 Apr 2014 Posts: 95
Posted: Mon Nov 11, 2024 10:50 pm
niderecha wrote: | the base system which should already have sane defaults... |
Sane default policies may have different meanings depending on the environment, so you'll have to set custom policies.
About your log:
- Some warnings do not necessarily block a program; the search permission may in some cases be one of them.
Besides, network-manager, with its multiple hooks, may not be the best way to prevent warnings.
- You have an AVC message with unlabeled_t. SELinux is based on file labels, so you have to clean that up first. I think something was wrong during your installation. Try to relabel: https://wiki.gentoo.org/wiki/SELinux/Installation#Relabel
niderecha n00b
Joined: 10 Nov 2024 Posts: 18
Posted: Thu Nov 14, 2024 8:32 pm
Thanks! I relabeled the system (although I thought I had done it before) and replaced networkmanager with systemd-networkd; hopefully it is simpler.
The first error messages are:
Code: | Nov 14 19:55:29 gentoo kernel: audit: type=1400 audit(1731614129.280:3): avc: denied { setattr } for pid=1 comm="systemd" name="chr" dev="tmpfs" ino=11 scontext=system_u:system_r:init_t tcontext=system_u:object_r:init_runtime_t tclass=chr_file permissive=1
Nov 14 19:55:29 gentoo kernel: audit: type=1400 audit(1731614129.280:4): avc: denied { setattr } for pid=1 comm="systemd" name="blk" dev="tmpfs" ino=12 scontext=system_u:system_r:init_t tcontext=system_u:object_r:init_runtime_t tclass=blk_file permissive=1 |
Does it mean I'm doing something wrong?
nicop Tux's lil' helper
Joined: 10 Apr 2014 Posts: 95
Posted: Fri Nov 15, 2024 9:46 am
I suspect systemd tries relabeling /run or /tmp, which is ok.
Could you post your fstab?
niderecha n00b
Joined: 10 Nov 2024 Posts: 18
Posted: Fri Nov 15, 2024 9:49 am
My fstab is just one line: Code: | /dev/vda1 /boot vfat defaults,discard,umask=0077 0 2 |
nicop Tux's lil' helper
Joined: 10 Apr 2014 Posts: 95
Posted: Fri Nov 15, 2024 9:55 am
No root, tmpfs?
Could you post the full /etc/fstab?
niderecha n00b
Joined: 10 Nov 2024 Posts: 18
Posted: Fri Nov 15, 2024 9:58 am
Root is taken care of by init, and I don't mount anything else. This is a minimal test system in qemu; I plan to add things when I understand what selinux really does and when I get it to work with selinux.
Code: | gentoo ~ # cat /etc/fstab
# /etc/fstab: static file system information.
#
# See the manpage fstab(5) for more information.
#
# NOTE: The root filesystem should have a pass number of either 0 or 1.
# All other filesystems should have a pass number of 0 or greater than 1.
#
# NOTE: Even though we list ext4 as the type here, it will work with ext2/ext3
# filesystems. This just tells the kernel to use the ext4 driver.
#
# NOTE: You can use full paths to devices like /dev/sda3, but it is often
# more reliable to use filesystem labels or UUIDs. See your filesystem
# documentation for details on setting a label. To obtain the UUID, use
# the blkid(8) command.
# <fs> <mountpoint> <type> <opts> <dump> <pass>
#LABEL=boot /boot ext4 defaults 1 2
#UUID=58e72203-57d1-4497-81ad-97655bd56494 / xfs defaults 0 1
#LABEL=swap none swap sw 0 0
#/dev/cdrom /mnt/cdrom auto noauto,ro 0 0
/dev/vda1 /boot vfat defaults,discard,umask=0077 0 2
gentoo ~ # |
nicop Tux's lil' helper
Joined: 10 Apr 2014 Posts: 95
Posted: Fri Nov 15, 2024 10:30 am
Ah, QEMU, ok.
Output of mount?
niderecha n00b
Joined: 10 Nov 2024 Posts: 18
Posted: Fri Nov 15, 2024 10:31 am
here:
Code: | gentoo ~ # mount
rpool/gentoo on / type zfs (rw,relatime,seclabel,xattr,posixacl,casesensitive)
devtmpfs on /dev type devtmpfs (rw,nosuid,seclabel,size=4096k,nr_inodes=4099331,mode=755,inode64)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel,size=16419128k,nr_inodes=4104782,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel,nsdelegate,memory_recursiveprot)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime,seclabel)
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,size=6567652k,nr_inodes=819200,mode=755,inode64)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,nosuid,noexec,relatime)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=32,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=2482)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime,seclabel)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime,seclabel)
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime,seclabel)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,nosuid,nodev,relatime,seclabel,pagesize=2M)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,seclabel,size=16419128k,nr_inodes=1048576,inode64)
tmpfs on /run/credentials/systemd-journald.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
tmpfs on /run/credentials/systemd-network-generator.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
tmpfs on /run/credentials/systemd-udev-load-credentials.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/credentials/systemd-tmpfiles-setup-dev-early.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
tmpfs on /run/credentials/systemd-sysctl.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
tmpfs on /run/credentials/systemd-tmpfiles-setup-dev.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
tmpfs on /run/credentials/systemd-networkd.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
tmpfs on /run/credentials/systemd-vconsole-setup.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
/dev/vda1 on /boot type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro,discard)
tmpfs on /run/credentials/systemd-tmpfiles-setup.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
tmpfs on /run/credentials/getty@tty1.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
tmpfs on /run/user/0 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=3283824k,nr_inodes=820956,mode=700,inode64) |
nicop Tux's lil' helper
Joined: 10 Apr 2014 Posts: 95
niderecha n00b
Joined: 10 Nov 2024 Posts: 18
Posted: Fri Nov 15, 2024 5:38 pm
Thanks. It makes no sense, but I'll try to understand.
Is openrc much better than systemd with selinux? I like systemd more than openrc, but I'm new to selinux and for a start I'd like to have some basic system which just works.
nicop Tux's lil' helper
Joined: 10 Apr 2014 Posts: 95
Posted: Fri Nov 15, 2024 7:30 pm
niderecha wrote: |
Is openrc much better than systemd with selinux? I like systemd more than openrc, but I'm new to selinux and for a start I'd like to have some basic system which just works |
I don't believe that question is appropriate. SELinux adapts to all applications. Setting custom policies is not bad; you'll need to do that. Just check that it is consistent depending on the app: does it result from a bad conf or not? Will the new policy allow too many perms, including for other apps?
In this case, create a policy and go on.
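The advice in this thread comes down to three sorting steps before any policy is written: an unlabeled_t target (the mounton denial in the first post) is a labelling problem to fix by relabelling, a permissive=1 record (the setattr lines on init_runtime_t) was logged but never blocked anything, and only the enforced denials (init_t searching proc_psi_t, NetworkManager_t watching /run/systemd/seats) are candidates for the custom policy nicop recommends. The script below is an added example, not code from the thread, from Gentoo or from the SELinux tools: it applies those three rules to the records quoted above and drafts a refpolicy-style .te module from the enforced denials only. It assumes POSIX sh and awk; the sample records are copied from this thread, and the module name local_triage is the example's own.

```shell
#!/bin/sh
# Added example, not code from this thread or from Gentoo: offline triage of
# SELinux AVC records before anything is fed to audit2allow. Each record is
# classified as
#   RELABEL  target type is unlabeled_t: a labelling problem, never a policy gap
#   LOGGED   permissive=1: recorded, not blocked, so not what broke the service
#   DENIED   enforced denial: a candidate for a local policy module
# Only the type field of each context is used, so an MLS suffix (:s0) is ignored.

# Sample records, copied from the denials quoted in this thread; the first
# line is a non-AVC journal line to show that it is skipped.
AVC_SAMPLE='Nov 10 23:14:26 gentoo systemd[1]: Starting Network Manager...
Nov 10 23:14:26 gentoo kernel: audit: type=1400 audit(1731280466.619:200): avc: denied { search } for pid=1249 comm="(kManager)" name="pressure" dev="proc" ino=4026532062 scontext=system_u:system_r:init_t tcontext=system_u:object_r:proc_psi_t tclass=dir permissive=0
Nov 10 23:14:26 gentoo kernel: audit: type=1400 audit(1731280466.643:201): avc: denied { watch } for pid=1249 comm="NetworkManager" path="/run/systemd/seats" dev="tmpfs" ino=86 scontext=system_u:system_r:NetworkManager_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
Nov 10 23:14:26 gentoo kernel: audit: type=1400 audit(1731280466.673:202): avc: denied { search } for pid=1255 comm="(ostnamed)" name="pressure" dev="proc" ino=4026532062 scontext=system_u:system_r:init_t tcontext=system_u:object_r:proc_psi_t tclass=dir permissive=0
Nov 10 23:14:26 gentoo kernel: audit: type=1400 audit(1731280466.689:203): avc: denied { mounton } for pid=1255 comm="(ostnamed)" path="/run/systemd/mount-rootfs/proc" dev="zfs" ino=881 scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=0
Nov 14 19:55:29 gentoo kernel: audit: type=1400 audit(1731614129.280:3): avc: denied { setattr } for pid=1 comm="systemd" name="chr" dev="tmpfs" ino=11 scontext=system_u:system_r:init_t tcontext=system_u:object_r:init_runtime_t tclass=chr_file permissive=1
Nov 14 19:55:29 gentoo kernel: audit: type=1400 audit(1731614129.280:4): avc: denied { setattr } for pid=1 comm="systemd" name="blk" dev="tmpfs" ino=12 scontext=system_u:system_r:init_t tcontext=system_u:object_r:init_runtime_t tclass=blk_file permissive=1'

# avc_rule RECORD -> one classified line; prints nothing for a non-AVC line.
avc_rule() {
    printf '%s\n' "$1" | awk '
    /avc: +denied/ {
        perm = $0                                  # "search", "read write", ...
        sub(/.*avc: +denied +[{] */, "", perm)
        sub(/ *[}].*/, "", perm)
        src = tgt = cls = mode = ""
        for (i = 1; i <= NF; i++) {                # walk key=value tokens
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "scontext")        { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext")   { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass")     cls = kv[2]
            else if (kv[1] == "permissive") mode = kv[2]
        }
        if (tgt == "unlabeled_t")
            printf "RELABEL %s on %s:%s { %s }: restore labels, do not write policy\n", src, tgt, cls, perm
        else if (mode == "1")
            printf "LOGGED allow %s %s:%s { %s };\n", src, tgt, cls, perm
        else
            printf "DENIED allow %s %s:%s { %s };\n", src, tgt, cls, perm
    }'
}

# avc_triage TEXT -> classified lines, deduplicated (the two proc_psi_t
# denials collapse into one) and sorted in the C locale for stable output.
avc_triage() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        avc_rule "$line"
    done | LC_ALL=C sort -u
}

# avc_te_module NAME TEXT -> a .te module holding only the DENIED rules plus
# the require block checkmodule needs. Review it before loading: every rule
# widens a domain, and here that domain is PID 1's init_t.
avc_te_module() {
    avc_triage "$2" | awk -v name="$1" '
    $1 == "DENIED" {
        src = $3; split($4, tc, ":"); tgt = tc[1]; cls = tc[2]
        perm = $0; sub(/.*[{] */, "", perm); sub(/ *[}].*/, "", perm)
        types[src] = types[tgt] = 1
        np = split(perm, p, " ")
        for (j = 1; j <= np; j++)                  # one perm set per class
            if (!((cls, p[j]) in seen)) { seen[cls, p[j]] = 1; cp[cls] = cp[cls] " " p[j] }
        rules[++nr] = "allow " src " " tgt ":" cls " { " perm " };"
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (t in types) printf "\ttype %s;\n", t
        for (c in cp)    printf "\tclass %s {%s };\n", c, cp[c]
        printf "}\n\n"
        for (j = 1; j <= nr; j++) print rules[j]
    }'
}

# Stand-alone run: the classified list, then the module draft.
avc_triage "$AVC_SAMPLE"
echo
avc_te_module local_triage "$AVC_SAMPLE"
```

On the real machine the records come from `ausearch -m avc -ts boot` (or the journal, as in the posts above), and the draft is built and loaded with `checkmodule -M -m -o local_triage.mod local_triage.te`, `semodule_package -o local_triage.pp -m local_triage.mod` and `semodule -i local_triage.pp`; `audit2allow -M` does the same transformation mechanically, without the RELABEL and LOGGED sorting. Two checks are worth doing before loading anything: fix the unlabeled_t records first with a full relabel (on Gentoo, `rlpkg -a -r`, as the wiki page linked above describes), because a rule against unlabeled_t would paper over a labelling bug rather than fix it; and look at `getsebool -a` and the policy version you run before adding an allow rule to init_t, since a newer policy or an existing boolean may already cover the access.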