Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
SELinux initctl's label wrong before boot, correct after.
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Dr. Banana
n00b
n00b


Joined: 04 Aug 2021
Posts: 48

PostPosted: Mon Jan 30, 2023 11:21 am    Post subject: SELinux initctl's label wrong before boot, correct after. Reply with quote

I've decided to try and use SELinux on my desktop as a daily driver. Before that I'm testing things out in a VM. I installed gentoo using the standard hardened openrc, non-selinux stage-3 and then switched to SELinux as described in the wiki page: https://wiki.gentoo.org/wiki/SELinux/Installation

Now I'm going through the 'denied' messages in the log and trying to fix them one by one. The first one is something like this:
Code:
kernel: audit: type=1400 <.....>: avc: denied { create } for pid=1 comm="init" name="initctl" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=fifo_file permissive=1

kernel: audit: type=1400 <.....>: avc: denied { read write } for pid=1 comm="init" name="initctl" dev="tmpfs" ino=252 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=fifo_file permissive=1

kernel: audit: type=1400 <.....>: avc: denied { open } for pid=1 comm="init" name="/run/initctl" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=fifo_file permissive=1


But when I run
Code:
 ls -lZ | grep initctl
I get
Code:
prw-------. 1 root root system_u:object_r:initctl_t:s0                0 Jan 30


I've checked and init_t is allowed to do those denied operations on initctl_t. So I think /run/initctl isn't getting the correct label at boot time, but why? And how do I fix this?
_________________
Haters gonna hate,
Potatoes gonna potate.
Back to top
View user's profile Send private message
alamahant
Advocate
Advocate


Joined: 23 Mar 2019
Posts: 3916

PostPosted: Mon Jan 30, 2023 6:50 pm    Post subject: Reply with quote

Have you seen this
Code:

FILE /etc/fstabSetting the rootcontext for the /run mount
# For a "targeted" or "strict" policy type:
tmpfs  /run   tmpfs  mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t  0 0
 
# For an "mls" or "mcs" policy type:
tmpfs  /run   tmpfs  mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0  0 0


https://wiki.gentoo.org/wiki/SELinux/Installation#Setting_file_system_contexts
Do you have something similar in fstab?
It should be
var_run_t
and you have
tmpfs_t
_________________
:)
Back to top
View user's profile Send private message
Dr. Banana
n00b
n00b


Joined: 04 Aug 2021
Posts: 48

PostPosted: Tue Jan 31, 2023 1:28 am    Post subject: Reply with quote

I do have that line in my fstab, maybe it's not getting reading properly (it has the proper var_run_t label after booting, at least)? Anyway I found an interesting line in dmesg:
Code:
SELinux: unable to change security options during remount (dev tmpfs, type=tmpfs)

_________________
Haters gonna hate,
Potatoes gonna potate.
Back to top
View user's profile Send private message
squidywan
n00b
n00b


Joined: 17 Apr 2024
Posts: 4

PostPosted: Wed Apr 17, 2024 11:35 am    Post subject: Reply with quote

I got this error too. For 23.0 and 17.1 hardened profiles.
How you solve it?
Back to top
View user's profile Send private message
nicop
Tux's lil' helper
Tux's lil' helper


Joined: 10 Apr 2014
Posts: 90

PostPosted: Wed Apr 17, 2024 11:52 am    Post subject: Reply with quote

Enable the service auditd and launch these commands after a reboot
Code:
audit2allow --dmesg; audit2allow --boot
You'll get the policies to add.

Dr. Banana wrote:
I installed gentoo using the standard hardened openrc, non-selinux stage-3 and then switched to SELinux

The wiki suggests to not :
Quote:
SELinux stage3 tarballs are also available and supported - this is significantly easier than performing the steps below. The tarballs can be simply unpacked onto a target system, relabel the entire system, add the initial user to the administration SELinux user and reboot.
Back to top
View user's profile Send private message
squidywan
n00b
n00b


Joined: 17 Apr 2024
Posts: 4

PostPosted: Wed Apr 17, 2024 12:14 pm    Post subject: Reply with quote

nicop, thank you

Code:

hardened /home/user # audit2allow --dmesg; audit2allow --boot

#============= init_t ==============
allow init_t initrc_state_t:file { create getattr lock open write };
allow init_t setfiles_exec_t:file { execute execute_no_trans open read };
allow init_t tmpfs_t:fifo_file { create getattr open read write };

#============= initrc_t ==============
allow initrc_t var_lib_t:file { create open read rename unlink write };

#============= systemd_tmpfiles_t ==============
....

Long list.... 8O

Think this topic related to
https://forums.gentoo.org/viewtopic-t-1168067.html

And seems relabeling is broken.
Back to top
View user's profile Send private message
nicop
Tux's lil' helper
Tux's lil' helper


Joined: 10 Apr 2014
Posts: 90

PostPosted: Wed Apr 17, 2024 12:24 pm    Post subject: Reply with quote

If possible, you really should start again from the selinux-stage3.
Relabeling a system when you start on selinux is the best way to get lost.


squidywan wrote:
Long list.... 8O


In any case, selinux requires a lot of settings before reaching the enforced status. Especially on desktop I imagine (my desktop is not gentooish)

You can use "automagic" commands to generate policies and apply them blindly but this is not necessarily the best way to understand. Resolution is often something other than a simple policy : permissions, owners, use directories defined in contexts.
Back to top
View user's profile Send private message
squidywan
n00b
n00b


Joined: 17 Apr 2024
Posts: 4

PostPosted: Thu Apr 18, 2024 10:51 am    Post subject: Reply with quote

nicop wrote:
If possible, you really should start again from the selinux-stage3.
In this way a I got errors again. All on their places :?
Code:
[    2.247835] audit: type=1403 audit(1713437091.650:2): auid=4294967295 ses=4294967295 lsm=selinux res=1
[    2.253501] audit: type=1400 audit(1713437091.656:3): avc:  denied  { create } for  pid=1 comm="init" name="initctl" scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file permissive=1
[    2.254224] audit: type=1400 audit(1713437091.656:4): avc:  denied  { read write } for  pid=1 comm="init" name="initctl" dev="tmpfs" ino=297 scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file permissive=1
[    2.254227] audit: type=1400 audit(1713437091.656:5): avc:  denied  { open } for  pid=1 comm="init" path="/run/initctl" dev="tmpfs" ino=297 scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file permissive=1
[    2.254229] audit: type=1400 audit(1713437091.656:6): avc:  denied  { getattr } for  pid=1 comm="init" path="/run/initctl" dev="tmpfs" ino=297 scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file permissive=1
[    2.269204] audit: type=1400 audit(1713437091.673:7): avc:  denied  { write } for  pid=1234 comm="loadkeys" path="/dev/null" dev="devtmpfs" ino=4 scontext=system_u:system_r:loadkeys_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[    2.271096] audit: type=1400 audit(1713437091.673:8): avc:  denied  { search } for  pid=1234 comm="loadkeys" name="console" dev="dm-1" ino=2097863 scontext=system_u:system_r:loadkeys_t tcontext=system_u:object_r:initrc_state_t tclass=dir permissive=1
[    2.271554] audit: type=1400 audit(1713437091.673:9): avc:  denied  { getattr } for  pid=1234 comm="loadkeys" path="/lib/rc/console/keymap" dev="dm-1" ino=2097873 scontext=system_u:system_r:loadkeys_t tcontext=system_u:object_r:initrc_state_t tclass=file permissive=1
[    2.272101] audit: type=1400 audit(1713437091.673:10): avc:  denied  { read } for  pid=1234 comm="loadkeys" name="keymap" dev="dm-1" ino=2097873 scontext=system_u:system_r:loadkeys_t tcontext=system_u:object_r:initrc_state_t tclass=file permissive=1
Back to top
View user's profile Send private message
nicop
Tux's lil' helper
Tux's lil' helper


Joined: 10 Apr 2014
Posts: 90

PostPosted: Thu Apr 18, 2024 11:51 am    Post subject: Reply with quote

Well, even if it's easier (no relabeling) to start with the stage3-selinux, Gentoo doesn't have SELinux ready out of the box at all.

As I said previously, you'll have to generate many policies by yourself. The positive aspect ( :wink: ) is that it assists in comprehending selinux.

To find your way later, create one file for policies/contexts (.te/.fc) per domain (init_t, loadkeys_t ...). And let's go !

Few precautions, proceed carefully with :
- wide access booleans (keep a history of changes somewhere.)
- execmem, _trans, relabelto

In addition to the gentoo wiki, red hat documentation is helpful too.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum