View previous topic :: View next topic |
Author |
Message |
Dr. Banana n00b
Joined: 04 Aug 2021 Posts: 48
|
Posted: Mon Jan 30, 2023 11:21 am Post subject: SELinux initctl's label wrong before boot, correct after. |
|
|
I've decided to try and use SELinux on my desktop as a daily driver. Before that I'm testing things out in a VM. I installed gentoo using the standard hardened openrc, non-selinux stage-3 and then switched to SELinux as described in the wiki page: https://wiki.gentoo.org/wiki/SELinux/Installation
Now I'm going through the 'denied' messages in the log and trying to fix them one by one. The first one is something like this:
Code: | kernel: audit: type=1400 <.....>: avc: denied { create } for pid=1 comm="init" name="initctl" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=fifo_file permissive=1
kernel: audit: type=1400 <.....>: avc: denied { read write } for pid=1 comm="init" name="initctl" dev="tmpfs" ino=252 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=fifo_file permissive=1
kernel: audit: type=1400 <.....>: avc: denied { open } for pid=1 comm="init" name="/run/initctl" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=fifo_file permissive=1 |
But when I run Code: | ls -lZ | grep initctl | I get
Code: | prw-------. 1 root root system_u:object_r:initctl_t:s0 0 Jan 30 |
I've checked and init_t is allowed to do those denied operations on initctl_t. So I think /run/initctl isn't getting the correct label at boot time, but why? And how do I fix this? _________________ Haters gonna hate,
Potatoes gonna potate. |
|
Back to top |
|
|
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3916
|
Posted: Mon Jan 30, 2023 6:50 pm Post subject: |
|
|
Have you seen this
Code: |
FILE /etc/fstabSetting the rootcontext for the /run mount
# For a "targeted" or "strict" policy type:
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0
# For an "mls" or "mcs" policy type:
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0 0 0
|
https://wiki.gentoo.org/wiki/SELinux/Installation#Setting_file_system_contexts
Do you have something similar in fstab?
It should be
var_run_t
and you have
tmpfs_t _________________
|
|
Back to top |
|
|
Dr. Banana n00b
Joined: 04 Aug 2021 Posts: 48
|
Posted: Tue Jan 31, 2023 1:28 am Post subject: |
|
|
I do have that line in my fstab, maybe it's not getting reading properly (it has the proper var_run_t label after booting, at least)? Anyway I found an interesting line in dmesg:
Code: | SELinux: unable to change security options during remount (dev tmpfs, type=tmpfs) |
_________________ Haters gonna hate,
Potatoes gonna potate. |
|
Back to top |
|
|
squidywan n00b
Joined: 17 Apr 2024 Posts: 4
|
Posted: Wed Apr 17, 2024 11:35 am Post subject: |
|
|
I got this error too. For 23.0 and 17.1 hardened profiles.
How you solve it? |
|
Back to top |
|
|
nicop Tux's lil' helper
Joined: 10 Apr 2014 Posts: 81
|
Posted: Wed Apr 17, 2024 11:52 am Post subject: |
|
|
Enable the service auditd and launch these commands after a reboot Code: | audit2allow --dmesg; audit2allow --boot | You'll get the policies to add.
Dr. Banana wrote: | I installed gentoo using the standard hardened openrc, non-selinux stage-3 and then switched to SELinux
|
The wiki suggests to not :
Quote: | SELinux stage3 tarballs are also available and supported - this is significantly easier than performing the steps below. The tarballs can be simply unpacked onto a target system, relabel the entire system, add the initial user to the administration SELinux user and reboot. |
|
|
Back to top |
|
|
squidywan n00b
Joined: 17 Apr 2024 Posts: 4
|
Posted: Wed Apr 17, 2024 12:14 pm Post subject: |
|
|
nicop, thank you
Code: |
hardened /home/user # audit2allow --dmesg; audit2allow --boot
#============= init_t ==============
allow init_t initrc_state_t:file { create getattr lock open write };
allow init_t setfiles_exec_t:file { execute execute_no_trans open read };
allow init_t tmpfs_t:fifo_file { create getattr open read write };
#============= initrc_t ==============
allow initrc_t var_lib_t:file { create open read rename unlink write };
#============= systemd_tmpfiles_t ==============
....
|
Long list....
Think this topic related to
https://forums.gentoo.org/viewtopic-t-1168067.html
And seems relabeling is broken. |
|
Back to top |
|
|
nicop Tux's lil' helper
Joined: 10 Apr 2014 Posts: 81
|
Posted: Wed Apr 17, 2024 12:24 pm Post subject: |
|
|
If possible, you really should start again from the selinux-stage3.
Relabeling a system when you start on selinux is the best way to get lost.
squidywan wrote: | Long list.... |
In any case, selinux requires a lot of settings before reaching the enforced status. Especially on desktop I imagine (my desktop is not gentooish)
You can use "automagic" commands to generate policies and apply them blindly but this is not necessarily the best way to understand. Resolution is often something other than a simple policy : permissions, owners, use directories defined in contexts. |
|
Back to top |
|
|
squidywan n00b
Joined: 17 Apr 2024 Posts: 4
|
Posted: Thu Apr 18, 2024 10:51 am Post subject: |
|
|
nicop wrote: | If possible, you really should start again from the selinux-stage3. | In this way a I got errors again. All on their places
Code: | [ 2.247835] audit: type=1403 audit(1713437091.650:2): auid=4294967295 ses=4294967295 lsm=selinux res=1
[ 2.253501] audit: type=1400 audit(1713437091.656:3): avc: denied { create } for pid=1 comm="init" name="initctl" scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file permissive=1
[ 2.254224] audit: type=1400 audit(1713437091.656:4): avc: denied { read write } for pid=1 comm="init" name="initctl" dev="tmpfs" ino=297 scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file permissive=1
[ 2.254227] audit: type=1400 audit(1713437091.656:5): avc: denied { open } for pid=1 comm="init" path="/run/initctl" dev="tmpfs" ino=297 scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file permissive=1
[ 2.254229] audit: type=1400 audit(1713437091.656:6): avc: denied { getattr } for pid=1 comm="init" path="/run/initctl" dev="tmpfs" ino=297 scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file permissive=1
[ 2.269204] audit: type=1400 audit(1713437091.673:7): avc: denied { write } for pid=1234 comm="loadkeys" path="/dev/null" dev="devtmpfs" ino=4 scontext=system_u:system_r:loadkeys_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 2.271096] audit: type=1400 audit(1713437091.673:8): avc: denied { search } for pid=1234 comm="loadkeys" name="console" dev="dm-1" ino=2097863 scontext=system_u:system_r:loadkeys_t tcontext=system_u:object_r:initrc_state_t tclass=dir permissive=1
[ 2.271554] audit: type=1400 audit(1713437091.673:9): avc: denied { getattr } for pid=1234 comm="loadkeys" path="/lib/rc/console/keymap" dev="dm-1" ino=2097873 scontext=system_u:system_r:loadkeys_t tcontext=system_u:object_r:initrc_state_t tclass=file permissive=1
[ 2.272101] audit: type=1400 audit(1713437091.673:10): avc: denied { read } for pid=1234 comm="loadkeys" name="keymap" dev="dm-1" ino=2097873 scontext=system_u:system_r:loadkeys_t tcontext=system_u:object_r:initrc_state_t tclass=file permissive=1
|
|
|
Back to top |
|
|
nicop Tux's lil' helper
Joined: 10 Apr 2014 Posts: 81
|
Posted: Thu Apr 18, 2024 11:51 am Post subject: |
|
|
Well, even if it's easier (no relabeling) to start with the stage3-selinux, Gentoo doesn't have SELinux ready out of the box at all.
As I said previously, you'll have to generate many policies by yourself. The positive aspect ( ) is that it assists in comprehending selinux.
To find your way later, create one file for policies/contexts (.te/.fc) per domain (init_t, loadkeys_t ...). And let's go !
Few precautions, proceed carefully with :
- wide access booleans (keep a history of changes somewhere.)
- execmem, _trans, relabelto
In addition to the gentoo wiki, red hat documentation is helpful too. |
|
Back to top |
|
|
|