lupusbytes (n00b)
Joined: 08 Oct 2019, Posts: 2
Posted: Mon Oct 14, 2019 9:57 pm
Post subject: Gentoo hardened/selinux beginner question
Hello.
I'm in the process of setting up a Gentoo amd64 router, for my network.
I have chosen the profile 'default/linux/amd64/17.1/no-multilib/hardened/selinux' as I would like to learn about SELinux.
I followed the installation guides on the wiki and now have a running system with SELinux labels and SELinux mapped users.
I have not yet continued with setting up firewalls, NAT and so on, because SELinux spawns permission errors in audit.log.
The plan is to run this system in enforcing strict mode, but right now I'm still in permissive mode.
I realize it is expected that I write my own policies, but I'm not sure if the AVC denied messages I see are expected or due to a deeper misconfiguration.
Because the system is so minimal at this point, I did not expect to see errors already.
Code:
# grep avc audit.log
type=AVC msg=audit(1571087491.044:62): avc: denied { read } for pid=4765 comm="openrc-run.sh" name="rsyslog.conf" dev="md127p1" ino=2770080 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:syslog_conf_t tclass=file permissive=1
type=AVC msg=audit(1571087491.071:63): avc: denied { write } for pid=4449 comm="rsyslogd" name="dev" dev="md127p1" ino=2770106 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=dir permissive=1
type=AVC msg=audit(1571087491.071:63): avc: denied { remove_name } for pid=4449 comm="rsyslogd" name="log" dev="md127p1" ino=2752548 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=dir permissive=1
type=AVC msg=audit(1571087491.071:63): avc: denied { unlink } for pid=4449 comm="rsyslogd" name="log" dev="md127p1" ino=2752548 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=sock_file permissive=1
type=AVC msg=audit(1571087491.636:64): avc: denied { use } for pid=5231 comm="udevadm" path="/dev/console" dev="devtmpfs" ino=2055 scontext=system_u:system_r:udevadm_t tcontext=system_u:system_r:init_t tclass=fd permissive=1
type=AVC msg=audit(1571087491.636:64): avc: denied { read write } for pid=5231 comm="udevadm" path="/dev/console" dev="devtmpfs" ino=2055 scontext=system_u:system_r:udevadm_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
type=AVC msg=audit(1571087492.583:68): avc: denied { getattr } for pid=5460 comm="start-stop-daem" path="pid:[4026531836]" dev="nsfs" ino=4026531836 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
type=AVC msg=audit(1571087516.297:30): avc: denied { use } for pid=4294 comm="dhcpcd-run-hook" path="/dev/console" dev="devtmpfs" ino=4108 scontext=system_u:system_r:dhcpc_script_t tcontext=system_u:system_r:init_t tclass=fd permissive=1
type=AVC msg=audit(1571087516.297:30): avc: denied { read write } for pid=4294 comm="dhcpcd-run-hook" path="/dev/console" dev="devtmpfs" ino=4108 scontext=system_u:system_r:dhcpc_script_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
type=AVC msg=audit(1571087516.300:31): avc: denied { ioctl } for pid=4294 comm="dhcpcd-run-hook" path="/dev/console" dev="devtmpfs" ino=4108 ioctlcmd=0x5401 scontext=system_u:system_r:dhcpc_script_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
type=AVC msg=audit(1571087516.300:31): avc: denied { sys_tty_config } for pid=4294 comm="dhcpcd-run-hook" capability=26 scontext=system_u:system_r:dhcpc_script_t tcontext=system_u:system_r:dhcpc_script_t tclass=capability permissive=1
type=AVC msg=audit(1571087516.300:32): avc: denied { getattr } for pid=4294 comm="dhcpcd-run-hook" path="/dev/console" dev="devtmpfs" ino=4108 scontext=system_u:system_r:dhcpc_script_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
type=AVC msg=audit(1571087516.300:33): avc: denied { open } for pid=4294 comm="dhcpcd-run-hook" path="/dev/console" dev="devtmpfs" ino=4108 scontext=system_u:system_r:dhcpc_script_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
type=AVC msg=audit(1571087527.803:34): avc: denied { read } for pid=4437 comm="openrc-run.sh" name="rsyslog.conf" dev="md127p1" ino=2770080 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:syslog_conf_t tclass=file permissive=1
type=AVC msg=audit(1571087527.843:35): avc: denied { getattr } for pid=4444 comm="start-stop-daem" path="pid:[4026531836]" dev="nsfs" ino=4026531836 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
type=AVC msg=audit(1571087527.857:36): avc: denied { write } for pid=4446 comm="rsyslogd" name="dev" dev="md127p1" ino=2770106 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=dir permissive=1
type=AVC msg=audit(1571087527.857:36): avc: denied { add_name } for pid=4446 comm="rsyslogd" name="log" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=dir permissive=1
type=AVC msg=audit(1571087527.857:36): avc: denied { create } for pid=4446 comm="rsyslogd" name="log" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=sock_file permissive=1
type=AVC msg=audit(1571087527.857:37): avc: denied { setattr } for pid=4446 comm="rsyslogd" name="log" dev="md127p1" ino=2752548 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=sock_file permissive=1
type=AVC msg=audit(1571087610.667:45): avc: denied { search } for pid=4536 comm="sudo" name="4533" dev="proc" ino=2740 scontext=sysadm_u:sysadm_r:sysadm_sudo_t tcontext=sysadm_u:sysadm_r:sysadm_t tclass=dir permissive=1
type=AVC msg=audit(1571087610.667:45): avc: denied { read } for pid=4536 comm="sudo" name="stat" dev="proc" ino=1642 scontext=sysadm_u:sysadm_r:sysadm_sudo_t tcontext=sysadm_u:sysadm_r:sysadm_t tclass=file permissive=1
type=AVC msg=audit(1571087610.667:45): avc: denied { open } for pid=4536 comm="sudo" path="/proc/4533/stat" dev="proc" ino=1642 scontext=sysadm_u:sysadm_r:sysadm_sudo_t tcontext=sysadm_u:sysadm_r:sysadm_t tclass=file permissive=1
If I pull this into audit2allow, it will look like this:
Code:
# audit2allow < audit.log
#============= dhcpc_script_t ==============
allow dhcpc_script_t console_device_t:chr_file { getattr ioctl open read write };
allow dhcpc_script_t init_t:fd use;
allow dhcpc_script_t self:capability sys_tty_config;
#============= initrc_t ==============
allow initrc_t nsfs_t:file getattr;
allow initrc_t syslog_conf_t:file read;
#============= sysadm_sudo_t ==============
allow sysadm_sudo_t sysadm_t:dir search;
allow sysadm_sudo_t sysadm_t:file { open read };
#============= syslogd_t ==============
allow syslogd_t var_t:dir { add_name remove_name write };
allow syslogd_t var_t:sock_file { create setattr unlink };
#============= udevadm_t ==============
allow udevadm_t console_device_t:chr_file { read write };
allow udevadm_t init_t:fd use;
The dhcpc_script_t is getting triggered from /etc/conf.d/net config_eno1="dhcp".
Should we not be allowed to get a DHCP lease by default on Gentoo SELinux?
Do any of these permissions look suspicious to you?
I'm tempted to just allow them all, but as I said, because the system is so minimal, I wonder if I forgot a step somewhere and seek your advice.
Thanks in advance!
/lupus
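An added example, not part of lupusbytes' post and not Gentoo's or audit2allow's own code: the script below re-does what audit2allow did with the AVC lines above (it merges permissions per source type, target type and object class into allow rules) and attaches a triage tag to each rule. The tagging is a heuristic of my own, not something the thread states: a denial whose target type is a catch-all such as var_t usually means the object carries the wrong label (compare the syslogd_t denials on a directory labelled var_t, where the usual fix is a file-context entry plus restorecon rather than an allow rule), while capability grants and fd inheritance from init_t deserve a look before being granted. The sample audit text is a handful of lines copied from the post, plus one constructed non-AVC line to show that it is ignored; GENERIC_TYPES is my assumed list.

```python
"""Aggregate SELinux AVC denials into audit2allow-style allow rules and tag
the ones that usually point at a labelling problem rather than a missing rule.
Added example; not taken from the forum post or from audit2allow itself."""
import re
from collections import defaultdict

# Catch-all types.  A denial against one of these normally means the object is
# mislabelled (fix with a file context + restorecon), not that the domain needs
# a new allow rule.  Assumed heuristic list, not exhaustive.
GENERIC_TYPES = {"var_t", "default_t", "unlabeled_t", "usr_t", "etc_t", "tmp_t", "file_t"}

# Sample input: AVC lines copied from the post, plus one constructed SYSCALL
# record to show that non-AVC lines are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1571087491.044:62): avc: denied { read } for pid=4765 comm="openrc-run.sh" name="rsyslog.conf" dev="md127p1" ino=2770080 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:syslog_conf_t tclass=file permissive=1
type=AVC msg=audit(1571087491.071:63): avc: denied { write } for pid=4449 comm="rsyslogd" name="dev" dev="md127p1" ino=2770106 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=dir permissive=1
type=AVC msg=audit(1571087527.857:36): avc: denied { add_name } for pid=4446 comm="rsyslogd" name="log" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=dir permissive=1
type=AVC msg=audit(1571087491.636:64): avc: denied { use } for pid=5231 comm="udevadm" path="/dev/console" dev="devtmpfs" ino=2055 scontext=system_u:system_r:udevadm_t tcontext=system_u:system_r:init_t tclass=fd permissive=1
type=AVC msg=audit(1571087516.300:31): avc: denied { sys_tty_config } for pid=4294 comm="dhcpcd-run-hook" capability=26 scontext=system_u:system_r:dhcpc_script_t tcontext=system_u:system_r:dhcpc_script_t tclass=capability permissive=1
type=AVC msg=audit(1571087516.297:30): avc: denied { read write } for pid=4294 comm="dhcpcd-run-hook" path="/dev/console" dev="devtmpfs" ino=4108 scontext=system_u:system_r:dhcpc_script_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
type=SYSCALL msg=audit(1571087516.297:30): arch=c000003e syscall=2 success=yes exit=3
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}) for an AVC line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the third field is the type.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())


def aggregate(lines):
    """Merge permissions per (stype, ttype, tclass), as audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def render(rules):
    """Render sorted 'allow' statements; 'self' when source and target types match."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        out.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return out


def classify(rule_key):
    """Heuristic triage tag for one aggregated rule key."""
    stype, ttype, tclass = rule_key
    if ttype in GENERIC_TYPES:
        return "mislabel?"        # check the object's label before allowing
    if tclass == "capability" or (tclass == "fd" and ttype != stype):
        return "review"           # privilege grant or inherited fd: look first
    return "ok-to-consider"


def triage(audit_text):
    """Return [(tag, allow_rule)] for every aggregated denial in audit_text."""
    rules = aggregate(audit_text.splitlines())
    return [(classify(key), rule) for key, rule in zip(sorted(rules), render(rules))]


if __name__ == "__main__":
    for tag, rule in triage(SAMPLE_AUDIT):
        print(f"{tag:15} {rule}")
```

Run it on the real file with `python3 avc_triage.py < /var/log/audit/audit.log` after swapping SAMPLE_AUDIT for `sys.stdin.read()`; anything tagged "mislabel?" is worth checking with `ls -Z` on the object and `restorecon -Rv` on its parent before any allow rule is written.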
e3k (Guru)
Joined: 01 Oct 2007, Posts: 515, Location: Quantum Flux
Posted: Tue Oct 15, 2019 6:42 pm
Not sure about Gentoo, but I worked with SELinux on RHEL, and if it is an unconfigured install then you have to permit a lot of stuff before it starts to work. Also, you are in permissive mode, which means all is allowed and will just be logged. That means SELinux is not protecting you in any way; it just logs events.
Flux & Contemplation - Portrait of an Artist in Isolation
lupusbytes (n00b)
Joined: 08 Oct 2019, Posts: 2
Posted: Tue Oct 15, 2019 7:29 pm
e3k wrote:
> Not sure about Gentoo, but I worked with SELinux on RHEL, and if it is an unconfigured install then you have to permit a lot of stuff before it starts to work. Also, you are in permissive mode, which means all is allowed and will just be logged. That means SELinux is not protecting you in any way; it just logs events.
Thanks for the reply!
Yes, I do realize the implications of permissive mode.
I was under the impression that the sec-policy/selinux-base-policy that is included in the Gentoo SELinux profile would cover my system at this early stage.
To quote the package description:
Quote:
Gentoo SELinux base policy. This contains policy for a system at the end of system installation. There is no extra policy in this package.
My thread/questions are about whether or not the AVC errors that are logged in audit.log should be covered by a base policy.
If I'm supposed to write policies for these myself, I will simply do it, but first I wanted to check with someone experienced whether I'm supposed to.
EDIT:
Setting modules="dhclient" in /etc/conf.d/net fixed the DHCP errors.
e3k (Guru)
Joined: 01 Oct 2007, Posts: 515, Location: Quantum Flux
Posted: Wed Oct 16, 2019 7:18 pm
In this case, sorry, I am not a SELinux expert. The only rule of thumb I would use for a freshly installed system is to allow everything to make it work and then watch the logs to see if something unexpected comes up.