Gentoo Forums
[ABORTED] SELinux: Switching from permissive to enforced
kgdrenefort
Guru

Joined: 19 Sep 2023
Posts: 314
Location: Somewhere in the 77

PostPosted: Thu May 30, 2024 6:11 am    Post subject: [ABORTED] SELinux: Switching from permissive to enforced

Hello,

Long story short: I had installed this Gentoo with the SELinux profile from the start, but since I had many troubles setting it up, I tried to revert back to the non-SELinux profile, clean up, go back to the SELinux profile and follow the migration process:
Code:
default/linux/amd64/23.0/hardened/selinux/systemd

Now I'm using a SELinux system, but in permissive mode; otherwise the AVC denials take away my ability to log in as root or as my user, or to have LightDM running at boot…

---

Context: A workstation using Xfce4 with LightDM, that needs a working SELinux with:
- The profile shown above
- Stable release
- Dist-kernel
- SEL policy: strict, but I would probably need to switch (later?) to mcs, which looks more like what I need (VMs running as servers, alongside a normal workstation)
- SEL features: unconfined domain for my own everyday user, which still needs to be able to log in as root from the command line using su - (not sudo or other)
- Auditd AVC logs enabled

Goals: Run the system in enforcing mode and have my GUIs back, with the ability to log in as in permissive mode. While my own user would be unconfined, other Unix users need to be confined. Some would run the VMs as a background task, which would be my servers, using KVM/Qemu. My own user needs, possibly, to run the virt-manager GUI utility and be allowed to use and manage the VMs; if that's not possible I will probably switch back to the command-line utilities and log in as the Unix users with the allowed privileges.

Problem(s): In /etc/default/grub, I set:
Code:

# Append parameters to the linux kernel command line
GRUB_CMDLINE_LINUX="enforcing=1 lsm=selinux"


Once it starts, I can see a lot of errors for running services that are usually not a problem, then I see the login shell alongside a lot of AVC errors.

More details and configurations:
/etc/selinux/config:
Code:
# This file controls the state of SELinux on the system on boot.

# SELINUX can take one of these three values:
#   enforcing - SELinux security policy is enforced.
#   permissive - SELinux prints warnings instead of enforcing.
#   disabled - No SELinux policy is loaded.
SELINUX=enforcing

# SELINUXTYPE can take one of these four values:
#   targeted - Only targeted network daemons are protected.
#   strict   - Full SELinux protection.
#   mls      - Full SELinux protection with Multi-Level Security
#   mcs      - Full SELinux protection with Multi-Category Security
#              (mls, but only one sensitivity level)
SELINUXTYPE=strict


sestatus (permissive):
Code:

Mephistopheles ~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             strict
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              disabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33


The recent SELinux AVC events, from ausearch -m avc -ts recent:
Code:

----
time->Thu May 30 07:51:32 2024
type=PROCTITLE msg=audit(1717048292.837:1513): proctitle=2F7573722F6C696236342F66697265666F782F66697265666F78002D636F6E74656E7470726F63002D6368696C644944003233002D6973466F7242726F77736572002D70726566734C656E003335363834002D707265664D617053697A6500323434313730002D6A73496E69744C656E00323332303634002D706172656E7442
type=PATH msg=audit(1717048292.837:1513): item=0 name="/sys/fs/cgroup/user.slice/user-1000.slice/session-3.scope/cpu.max" inode=4525 dev=00:1a mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1717048292.837:1513): cwd="/home/meself"
type=SYSCALL msg=audit(1717048292.837:1513): arch=c000003e syscall=257 success=yes exit=41 a0=ffffff9c a1=7ffe18ae8568 a2=80000 a3=0 items=1 ppid=1087 pid=53734 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm=57656220436F6E74656E74 exe="/usr/lib64/firefox/firefox" subj=staff_u:staff_r:mozilla_t key=(null)
type=AVC msg=audit(1717048292.837:1513): avc:  denied  { search } for  pid=53734 comm=57656220436F6E74656E74 name="/" dev="cgroup2" ino=1 scontext=staff_u:staff_r:mozilla_t tcontext=system_u:object_r:cgroup_t tclass=dir permissive=1
----
time->Thu May 30 07:53:01 2024
type=PROCTITLE msg=audit(1717048381.576:1514): proctitle=2F7573722F62696E2F646275732D6461656D6F6E002D2D73657373696F6E002D2D616464726573733D73797374656D643A002D2D6E6F666F726B002D2D6E6F70696466696C65002D2D73797374656D642D61637469766174696F6E002D2D7379736C6F672D6F6E6C79
type=PATH msg=audit(1717048381.576:1514): item=0 name="/run/user/1000/dbus-1/services" inode=41 dev=00:33 mode=040700 ouid=1000 ogid=1000 rdev=00:00 obj=system_u:object_r:user_runtime_t nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1717048381.576:1514): cwd="/home/meself"
type=SYSCALL msg=audit(1717048381.576:1514): arch=c000003e syscall=257 success=yes exit=28 a0=ffffff9c a1=557fe62374c0 a2=90800 a3=0 items=1 ppid=956 pid=974 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="dbus-daemon" exe="/usr/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t key=(null)
type=AVC msg=audit(1717048381.576:1514): avc:  denied  { search } for  pid=974 comm="dbus-daemon" name="user" dev="tmpfs" ino=84 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:user_runtime_root_t tclass=dir permissive=1
----
time->Thu May 30 07:56:19 2024
type=PROCTITLE msg=audit(1717048579.219:1515): proctitle=2F7573722F6C696236342F66697265666F782F66697265666F78002D636F6E74656E7470726F63002D6368696C644944003236002D6973466F7242726F77736572002D70726566734C656E003335363834002D707265664D617053697A6500323434313730002D6A73496E69744C656E00323332303634002D706172656E7442
type=SYSCALL msg=audit(1717048579.219:1515): arch=c000003e syscall=257 success=yes exit=40 a0=ffffff9c a1=7fffc706f568 a2=80000 a3=0 items=0 ppid=1087 pid=53986 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm=57656220436F6E74656E74 exe="/usr/lib64/firefox/firefox" subj=staff_u:staff_r:mozilla_t key=(null)
type=AVC msg=audit(1717048579.219:1515): avc:  denied  { open } for  pid=53986 comm=57656220436F6E74656E74 path="/sys/fs/cgroup/user.slice/user-1000.slice/session-3.scope/cpu.max" dev="cgroup2" ino=4525 scontext=staff_u:staff_r:mozilla_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=1
type=AVC msg=audit(1717048579.219:1515): avc:  denied  { read } for  pid=53986 comm=57656220436F6E74656E74 name="cpu.max" dev="cgroup2" ino=4525 scontext=staff_u:staff_r:mozilla_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=1
----
time->Thu May 30 07:56:19 2024
type=PROCTITLE msg=audit(1717048579.219:1516): proctitle=2F7573722F6C696236342F66697265666F782F66697265666F78002D636F6E74656E7470726F63002D6368696C644944003236002D6973466F7242726F77736572002D70726566734C656E003335363834002D707265664D617053697A6500323434313730002D6A73496E69744C656E00323332303634002D706172656E7442
type=SYSCALL msg=audit(1717048579.219:1516): arch=c000003e syscall=332 success=yes exit=0 a0=28 a1=7f359adc9183 a2=1000 a3=fff items=0 ppid=1087 pid=53986 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm=57656220436F6E74656E74 exe="/usr/lib64/firefox/firefox" subj=staff_u:staff_r:mozilla_t key=(null)
type=AVC msg=audit(1717048579.219:1516): avc:  denied  { getattr } for  pid=53986 comm=57656220436F6E74656E74 path="/sys/fs/cgroup/user.slice/user-1000.slice/session-3.scope/cpu.max" dev="cgroup2" ino=4525 scontext=staff_u:staff_r:mozilla_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=1
----
time->Thu May 30 07:56:55 2024
type=PROCTITLE msg=audit(1717048615.232:1517): proctitle=2F7573722F6C696236342F66697265666F782F66697265666F78002D636F6E74656E7470726F63002D706172656E744275696C644944003230323430353239303734323332002D70726566734C656E003338333135002D707265664D617053697A6500323434313730002D617070446972002F7573722F6C696236342F666972
type=SYSCALL msg=audit(1717048615.232:1517): arch=c000003e syscall=47 success=yes exit=12 a0=3e a1=7f6fa79fb490 a2=0 a3=7f6fa79fb528 items=0 ppid=1087 pid=1282 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="Renderer" exe="/usr/lib64/firefox/firefox" subj=staff_u:staff_r:mozilla_t key=(null)
type=AVC msg=audit(1717048615.232:1517): avc:  denied  { write } for  pid=1282 comm="Renderer" path=2F6D656D66643A2F2E6E76696469615F6472762E585858585858202864656C6574656429 dev="tmpfs" ino=2052 scontext=staff_u:staff_r:mozilla_t tcontext=system_u:object_r:xserver_tmpfs_t tclass=file permissive=1
----
time->Thu May 30 07:56:55 2024
type=PROCTITLE msg=audit(1717048615.232:1518): proctitle=2F7573722F6C696236342F66697265666F782F66697265666F78002D636F6E74656E7470726F63002D706172656E744275696C644944003230323430353239303734323332002D70726566734C656E003338333135002D707265664D617053697A6500323434313730002D617070446972002F7573722F6C696236342F666972
type=SYSCALL msg=audit(1717048615.232:1518): arch=c000003e syscall=9 success=yes exit=140117503418368 a0=0 a1=1000 a2=3 a3=1 items=0 ppid=1087 pid=1282 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="Renderer" exe="/usr/lib64/firefox/firefox" subj=staff_u:staff_r:mozilla_t key=(null)
type=AVC msg=audit(1717048615.232:1518): avc:  denied  { map } for  pid=1282 comm="Renderer" path=2F6D656D66643A2F2E6E76696469615F6472762E585858585858202864656C6574656429 dev="tmpfs" ino=2052 scontext=staff_u:staff_r:mozilla_t tcontext=system_u:object_r:xserver_tmpfs_t tclass=file permissive=1
----
time->Thu May 30 08:00:01 2024
type=PROCTITLE msg=audit(1717048801.124:1519): proctitle=6175736561726368002D6D00617663002D747300726563656E74
type=PATH msg=audit(1717048801.124:1519): item=0 name="/etc/audit/auditd.conf" inode=1611541866 dev=08:02 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_etc_t nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1717048801.124:1519): cwd="/root"
type=SYSCALL msg=audit(1717048801.124:1519): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=56383ada3c40 a2=20000 a3=0 items=1 ppid=3574 pid=54218 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ausearch" exe="/usr/bin/ausearch" subj=staff_u:staff_r:staff_t key=(null)
type=AVC msg=audit(1717048801.124:1519): avc:  denied  { open } for  pid=54218 comm="ausearch" path="/etc/audit/auditd.conf" dev="sda2" ino=1611541866 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:auditd_etc_t tclass=file permissive=1
type=AVC msg=audit(1717048801.124:1519): avc:  denied  { read } for  pid=54218 comm="ausearch" name="auditd.conf" dev="sda2" ino=1611541866 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:auditd_etc_t tclass=file permissive=1
type=AVC msg=audit(1717048801.124:1519): avc:  denied  { search } for  pid=54218 comm="ausearch" name="audit" dev="sda2" ino=1074695057 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:auditd_etc_t tclass=dir permissive=1
----
time->Thu May 30 08:00:01 2024
type=PROCTITLE msg=audit(1717048801.124:1520): proctitle=6175736561726368002D6D00617663002D747300726563656E74
type=SYSCALL msg=audit(1717048801.124:1520): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffe84f71bc0 a2=0 a3=0 items=0 ppid=3574 pid=54218 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ausearch" exe="/usr/bin/ausearch" subj=staff_u:staff_r:staff_t key=(null)
type=AVC msg=audit(1717048801.124:1520): avc:  denied  { getattr } for  pid=54218 comm="ausearch" path="/etc/audit/auditd.conf" dev="sda2" ino=1611541866 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:auditd_etc_t tclass=file permissive=1
----
time->Thu May 30 08:00:01 2024
type=PROCTITLE msg=audit(1717048801.124:1521): proctitle=6175736561726368002D6D00617663002D747300726563656E74
type=SYSCALL msg=audit(1717048801.124:1521): arch=c000003e syscall=9 success=yes exit=140446199967744 a0=0 a1=372 a2=1 a3=1 items=0 ppid=3574 pid=54218 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ausearch" exe="/usr/bin/ausearch" subj=staff_u:staff_r:staff_t key=(null)
type=AVC msg=audit(1717048801.124:1521): avc:  denied  { map } for  pid=54218 comm="ausearch" path="/etc/audit/auditd.conf" dev="sda2" ino=1611541866 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:auditd_etc_t tclass=file permissive=1
----
time->Thu May 30 08:00:01 2024
type=PROCTITLE msg=audit(1717048801.124:1522): proctitle=6175736561726368002D6D00617663002D747300726563656E74
type=SYSCALL msg=audit(1717048801.124:1522): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=56383ada3c60 a2=90800 a3=0 items=0 ppid=3574 pid=54218 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ausearch" exe="/usr/bin/ausearch" subj=staff_u:staff_r:staff_t key=(null)
type=AVC msg=audit(1717048801.124:1522): avc:  denied  { open } for  pid=54218 comm="ausearch" path="/var/log/audit" dev="sda2" ino=537918932 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:auditd_log_t tclass=dir permissive=1
type=AVC msg=audit(1717048801.124:1522): avc:  denied  { read } for  pid=54218 comm="ausearch" name="audit" dev="sda2" ino=537918932 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:auditd_log_t tclass=dir permissive=1
----
time->Thu May 30 08:00:01 2024
type=PROCTITLE msg=audit(1717048801.124:1523): proctitle=6175736561726368002D6D00617663002D747300726563656E74
type=SYSCALL msg=audit(1717048801.124:1523): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7ffe84f71a00 a2=0 a3=0 items=0 ppid=3574 pid=54218 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ausearch" exe="/usr/bin/ausearch" subj=staff_u:staff_r:staff_t key=(null)
type=AVC msg=audit(1717048801.124:1523): avc:  denied  { getattr } for  pid=54218 comm="ausearch" path="/var/log/audit" dev="sda2" ino=537918932 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:auditd_log_t tclass=dir permissive=1
----
time->Thu May 30 08:00:01 2024
type=PROCTITLE msg=audit(1717048801.124:1524): proctitle=6175736561726368002D6D00617663002D747300726563656E74
type=PATH msg=audit(1717048801.124:1524): item=0 name="/var/log/audit/audit.log" inode=537918917 dev=08:02 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_log_t nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1717048801.124:1524): cwd="/root"
type=SYSCALL msg=audit(1717048801.124:1524): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffe84f71c5b a2=0 a3=0 items=1 ppid=3574 pid=54218 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ausearch" exe="/usr/bin/ausearch" subj=staff_u:staff_r:staff_t key=(null)
type=AVC msg=audit(1717048801.124:1524): avc:  denied  { open } for  pid=54218 comm="ausearch" path="/var/log/audit/audit.log" dev="sda2" ino=537918917 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:auditd_log_t tclass=file permissive=1
type=AVC msg=audit(1717048801.124:1524): avc:  denied  { read } for  pid=54218 comm="ausearch" name="audit.log" dev="sda2" ino=537918917 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:auditd_log_t tclass=file permissive=1
type=AVC msg=audit(1717048801.124:1524): avc:  denied  { search } for  pid=54218 comm="ausearch" name="audit" dev="sda2" ino=537918932 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:auditd_log_t tclass=dir permissive=1
----
time->Thu May 30 08:00:01 2024
type=PROCTITLE msg=audit(1717048801.124:1525): proctitle=6175736561726368002D6D00617663002D747300726563656E74
type=SYSCALL msg=audit(1717048801.124:1525): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7ffe84f71ac0 a2=0 a3=0 items=0 ppid=3574 pid=54218 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ausearch" exe="/usr/bin/ausearch" subj=staff_u:staff_r:staff_t key=(null)
type=AVC msg=audit(1717048801.124:1525): avc:  denied  { getattr } for  pid=54218 comm="ausearch" path="/var/log/audit/audit.log" dev="sda2" ino=537918917 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:auditd_log_t tclass=file permissive=1
----
time->Thu May 30 08:00:01 2024
type=PROCTITLE msg=audit(1717048801.128:1526): proctitle=6175736561726368002D6D00617663002D747300726563656E74
type=SYSCALL msg=audit(1717048801.128:1526): arch=c000003e syscall=9 success=yes exit=140446185553920 a0=0 a1=5178e3 a2=1 a3=1 items=0 ppid=3574 pid=54218 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ausearch" exe="/usr/bin/ausearch" subj=staff_u:staff_r:staff_t key=(null)
type=AVC msg=audit(1717048801.128:1526): avc:  denied  { map } for  pid=54218 comm="ausearch" path="/var/log/audit/audit.log" dev="sda2" ino=537918917 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:auditd_log_t tclass=file permissive=1


From this page I read and tried to understand as much as I could of the user guides part. It gave me some knowledge and a better comprehension of SELinux, but still not enough to debug it myself.

---

My guess: I think my users (the meself and root Unix accounts) are not properly allowed to log in or to run some services, leading to the LightDM services not running by default, or even to being unable to log in with either account (if I try, it hangs then goes back to the login).

These are my users' permissions:

- meself:
Code:
staff_u:staff_r:staff_t


- root:
Code:
staff_u:staff_r:staff_t


By following the migration process page, I tried to add the permissions, contexts, labels, etc. as explained. My /home/meself, as well as /root and even /swapfile, are relabelled. The only directory added to the process was /mnt/, because at boot (from /etc/fstab) it mounts two hard drives, which are mounted right here, as shown in my current mount output below:

Code:
/dev/sda2 on / type xfs (rw,relatime,lazytime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
devtmpfs on /dev type devtmpfs (rw,nosuid,seclabel,size=4096k,nr_inodes=2031688,mode=755,inode64)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel,nsdelegate,memory_recursiveprot)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime,seclabel)
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,size=3259048k,nr_inodes=819200,mode=755,inode64)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,nosuid,noexec,relatime)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=32,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=673)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,nosuid,nodev,relatime,seclabel,pagesize=2M)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime,seclabel)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime,seclabel)
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime,seclabel)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,seclabel,nr_inodes=1048576,inode64)
/dev/sdb1 on /mnt/virtualmachines type xfs (rw,relatime,lazytime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/sdc1 on /mnt/data type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/sda1 on /efi type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=1629524k,nr_inodes=407381,mode=700,uid=1000,gid=1000,inode64)
portal on /run/user/1000/doc type fuse.portal (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)


---

I do not know if you need more information to help me out, so please ask if needed.

Regards,
GASPARD DE RENEFORT Kévin
_________________
Wiki translation, to participate.
Custom logos/biz card/website.


Last edited by kgdrenefort on Mon Jun 03, 2024 9:21 am; edited 1 time in total
xgivolari
Tux's lil' helper

Joined: 26 Jul 2021
Posts: 102

PostPosted: Thu May 30, 2024 11:21 am

If I read correctly, your main goal is confining VMs, right? In that case, SELinux with the "targeted" policy probably makes more sense. Getting strict SELinux to work on a normal workstation is a Sisyphean task. Things will break with every other update.
nicop
Tux's lil' helper

Joined: 10 Apr 2014
Posts: 104

PostPosted: Thu May 30, 2024 11:44 am

It is indeed more flexible to have an unconfined user-admin with sudo rights.

This reading may interest you: Strict Policy is not Stricter than Targeted
kgdrenefort
Guru

Joined: 19 Sep 2023
Posts: 314
Location: Somewhere in the 77

PostPosted: Thu May 30, 2024 12:56 pm

Hello, and sorry for not being clear; I was not fully.

This Gentoo is an AMD64 hardened profile, with systemd, 23.0, with no desktop profile because I mixed things up a little bit from hardened to get a fully working Xfce4/X.org config. This is my emerge --info:

Code:
Portage 3.0.63 (python 3.11.9-final-0, default/linux/amd64/23.0/hardened/selinux/systemd, gcc-13, glibc-2.39-r6, 6.6.30-gentoo-dist-hardened x86_64)
=================================================================
System uname: Linux-6.6.30-gentoo-dist-hardened-x86_64-AMD_Ryzen_5_2600_Six-Core_Processor-with-glibc2.39
KiB Mem:    16295240 total,   8560680 free
KiB Swap:   16777212 total,  16777212 free
Timestamp of repository gentoo: Thu, 30 May 2024 05:00:01 +0000
Head commit of repository gentoo: 108bff44cc84e22bb06798831b90ecdced07ab40
sh bash 5.1_p16-r6
ld GNU ld (Gentoo 2.42 p3) 2.42.0
app-misc/pax-utils:        1.3.7::gentoo
app-shells/bash:           5.1_p16-r6::gentoo
dev-build/autoconf:        2.13-r8::gentoo, 2.71-r7::gentoo
dev-build/automake:        1.16.5-r2::gentoo
dev-build/cmake:           3.28.5::gentoo
dev-build/libtool:         2.4.7-r4::gentoo
dev-build/make:            4.4.1-r1::gentoo
dev-build/meson:           1.4.0-r1::gentoo
dev-lang/perl:             5.38.2-r3::gentoo
dev-lang/python:           3.11.9::gentoo, 3.12.3::gentoo
dev-lang/rust-bin:         1.77.1::gentoo
sec-policy/selinux-base:   2.20240226-r1::gentoo
sys-apps/baselayout:       2.15::gentoo
sys-apps/sandbox:          2.38::gentoo
sys-apps/systemd:          255.4::gentoo
sys-devel/binutils:        2.42-r1::gentoo
sys-devel/binutils-config: 5.5::gentoo
sys-devel/clang:           17.0.6::gentoo
sys-devel/gcc:             13.2.1_p20240210::gentoo
sys-devel/gcc-config:      2.11::gentoo
sys-devel/lld:             17.0.6::gentoo
sys-devel/llvm:            17.0.6::gentoo
sys-kernel/linux-headers:  6.6-r1::gentoo (virtual/os-headers)
sys-libs/glibc:            2.39-r6::gentoo
sys-libs/libselinux:       3.6-r1::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    volatile: False
    sync-rsync-extra-opts:
    sync-rsync-verify-metamanifest: yes
    sync-rsync-verify-max-age: 3
    sync-rsync-verify-jobs: 1

Binary Repositories:

gentoobinhost
    priority: 1
    sync-uri: https://distfiles.gentoo.org/releases/amd64/binpackages/23.0/x86-64_hardened

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/var/cache/distfiles"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GDK_PIXBUF_MODULE_FILE GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR XDG_STATE_HOME"
FCFLAGS="-march=native -O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg-live config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync merge-wait multilib-strict network-sandbox news parallel-fetch pkgdir-index-trusted preserve-libs protect-owned qa-unresolved-soname-deps sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=native -O2 -pipe"
GENTOO_MIRRORS="https://mirrors.ircam.fr/pub/gentoo-distfiles/     https://gentoo.mirrors.ovh.net/gentoo-distfiles/     https://mirrors.soeasyto.com/distfiles.gentoo.org/"
LANG="fr_FR.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,-z,pack-relative-relocs"
LEX="flex"
MAKEOPTS="-j7"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
SHELL="/bin/bash"
USE="X a52 aac acl acpi alsa amd64 audit bluetooth branding bzip2 cairo caps cdda cdr cet clamav colord crypt css cups curl cxx dbus dist-kernel dri dts dvd dvdr encode exif fbcon ffmpeg flac fltk gdbm gif gpm gstreamer gtk gui hardened hddtemp iconv icu ipv6 jack jpeg lcms libnotify libtirpc lm-sensors lto lua mad man matroska mng modules modules-compress modules-sign mp3 mp4 mpeg mplayer multilib ncurses networkmanager nls ogg opengl openmp pam pango pcre pdf pic pie png policykit posix ppds profile pulseaudio qt5 readline scanner sdl seccomp selinux sound spell ssl ssp startup-notification svg symlink systemd test-rust tiff truetype udev udisks uefi unicode upower usb vcd vim-syntax vorbis vulkan wxwidgets x264 xattr xcb xft xml xtpax xv xvid zlib" ABI_X86="64" ADA_TARGET="gcc_12" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_anon authn_dbm authn_file authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter headers include info log_config logio mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2 aes avx avx2 f16c fma3 pclmul popcnt rdrand sha sse3 sse4_1 sse4_2 sse4a ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 ntrip navcom oceanserver oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 tsip tripmate tnt ublox" GRUB_PLATFORMS="efi-64" INPUT_DEVICES="libinput" KERNEL="linux" L10N="fr en" LCD_DEVICES="bayrad cfontz glk hd44780 lb216 lcdm001 mtxorb text" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php8-1" POSTGRES_TARGETS="postgres15" PYTHON_SINGLE_TARGET="python3_11" PYTHON_TARGETS="python3_11" 
RUBY_TARGETS="ruby31 ruby32" VIDEO_CARDS="nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipp2p iface geoip fuzzy condition tarpit sysrq proto logmark ipmark dhcpmac delude chaos account"
Unset:  ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EMERGE_DEFAULT_OPTS, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, INSTALL_MASK, LC_ALL, LD, LFLAGS, LIBTOOL, LINGUAS, MAKE, MAKEFLAGS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PYTHONPATH, RANLIB, READELF, RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS


So, it's a workstation. My goal is to have a separate user, let's say vmmanager. This user needs to be confined, unlike my everyday user, meself.

Since it's not exactly something you want to see, a workstation acting as a host for virtual machines providing services on the internet (mostly web hosting, alongside databases, PHP, etc.), I decided to set up SELinux to harden things a bit more.

This vmmanager Unix user would have no GUI; it'll be used to manage my virtual machines (KVM, Qemu, virt-manager as GUI). I do not want it to do anything else, only to take care of the VMs, with no accepted connection from outside or even from inside. To log in to it, I will use the root or meself Unix users.

It seemed that mcs was the best choice between security and usability (but I guess I could be wrong!). I keep strict, for now, because I was afraid to do anything not "per default" as seen on the wiki's documentation pages; I usually do that and it always (or almost always) leads me to several problems.

Before even considering switching to mcs, if it's not a silly idea, I wanted to be able to use my Gentoo with SELinux set to non-permissive, but if I do, as explained in the original post, I do not have the LightDM daemons running and I can't log in as root or meself.

Is it clearer like this?

About sudo, if I can, I do not use it. I always prefer to log in with:

Code:
su -


to get root permissions, and sometimes even to switch to another user. I do not think it's a security problem as it is, but I am open-minded about any best practices.

Thanks for the link, I'll take a look and see if it fits my need.

Thanks for your answers.

Regards,
GASPARD DE RENEFORT Kévin
_________________
Wiki translation, to participate.
Custom logos/biz card/website.
nicop
Tux's lil' helper

Joined: 10 Apr 2014
Posts: 104

PostPosted: Thu May 30, 2024 2:58 pm

kgdrenefort wrote:
But if I do, as explained in the original post, I do not have LightDM daemons running, I can't log to root or meself.

As I wrote previously in this thread, Gentoo doesn't have SELinux ready out of the box at all.
You'll have to generate many policies by yourself.
To find your way later, create one file for policies/contexts (.te/.fc) per domain (init_t, loadkeys_t ...). And let's go!

kgdrenefort wrote:
About sudo, if I can I do not use it. I always prefer to log with: su -

With SELinux, you'll have to switch to your new user (root) and your new role (https://wiki.gentoo.org/wiki/SELinux/Tutorials/The_purpose_of_SELinux_roles).
In short:
nicop wrote:
It is indeed more flexible to have an unconfined user-admin with sudo rights.
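The AVC records pasted in the first post and nicop's suggestion of one .te/.fc file per domain can be worked through with a small triage script. The following is an added example, not code from the thread or from Gentoo: it parses constructed sample lines copied from the poster's ausearch output, merges denials per (source domain, target type, object class) and drafts one refpolicy-style module skeleton per source domain, roughly what audit2allow does. The local_<domain> module names and the policy_module/gen_require layout are assumptions about a typical refpolicy module, not something the thread specifies.

```python
"""Triage SELinux AVC denials and draft one .te module stub per source domain.

Added example (not from the thread). Input is the AVC record format that
`ausearch -m avc` prints; the sample below is copied from the poster's log.
"""
import re
from collections import defaultdict

# Constructed sample: AVC lines taken from the thread's ausearch output.
SAMPLE_AVC = """\
type=AVC msg=audit(1717048292.837:1513): avc:  denied  { search } for  pid=53734 comm=57656220436F6E74656E74 name="/" dev="cgroup2" ino=1 scontext=staff_u:staff_r:mozilla_t tcontext=system_u:object_r:cgroup_t tclass=dir permissive=1
type=AVC msg=audit(1717048381.576:1514): avc:  denied  { search } for  pid=974 comm="dbus-daemon" name="user" dev="tmpfs" ino=84 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:user_runtime_root_t tclass=dir permissive=1
type=AVC msg=audit(1717048579.219:1515): avc:  denied  { open } for  pid=53986 comm=57656220436F6E74656E74 path="/sys/fs/cgroup/user.slice/user-1000.slice/session-3.scope/cpu.max" dev="cgroup2" ino=4525 scontext=staff_u:staff_r:mozilla_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=1
type=AVC msg=audit(1717048579.219:1515): avc:  denied  { read } for  pid=53986 comm=57656220436F6E74656E74 name="cpu.max" dev="cgroup2" ino=4525 scontext=staff_u:staff_r:mozilla_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=1
type=AVC msg=audit(1717048801.124:1519): avc:  denied  { open } for  pid=54218 comm="ausearch" path="/etc/audit/auditd.conf" dev="sda2" ino=1611541866 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:auditd_etc_t tclass=file permissive=1
"""

# Fields of interest in one AVC record; permissive= is absent on some kernels.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm=(?P<comm>"[^"]*"|\S+)'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
    r'(?:.*?\bpermissive=(?P<permissive>[01]))?'
)


def decode_comm(raw):
    """auditd hex-encodes comm when it contains spaces; turn it back into text."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw


def parse_avc(text):
    """Return one dict per AVC line: verdict, perms, comm, domain, target type, class, permissive."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "verdict": m.group("verdict"),
            "perms": set(m.group("perms").split()),
            "comm": decode_comm(m.group("comm")),
            # user:role:type[:range]; index 2 is the type on both strict and mcs
            "domain": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            # permissive=1 means the access was logged but still went through
            "permissive": m.group("permissive") == "1",
        })
    return records


def summarize(records):
    """Merge denials by (source domain, target type, class) into a union of permissions."""
    merged = defaultdict(set)
    for r in records:
        if r["verdict"] != "denied":
            continue
        merged[(r["domain"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(merged)


def draft_te_modules(summary):
    """Draft one refpolicy-style .te skeleton per source domain (assumed layout)."""
    per_domain = defaultdict(list)
    for (domain, ttype, tclass), perms in sorted(summary.items()):
        per_domain[domain].append((ttype, tclass, perms))
    modules = {}
    for domain, entries in per_domain.items():
        name = f"local_{domain}"  # hypothetical module name
        required = sorted({domain} | {t for t, _, _ in entries})
        lines = [f"policy_module({name}, 1.0)", "", "gen_require(`"]
        lines += [f"\ttype {t};" for t in required]
        lines += ["')", ""]
        lines += [f"allow {domain} {t}:{c} {{ {' '.join(sorted(p))} }};" for t, c, p in entries]
        modules[name] = "\n".join(lines) + "\n"
    return modules


if __name__ == "__main__":
    for name, text in draft_te_modules(summarize(parse_avc(SAMPLE_AVC))).items():
        print(f"# {name}.te\n{text}")
```

Treat the drafted modules as a review list rather than policy to load: a denial such as staff_t being refused auditd_etc_t while root runs ausearch usually points to the wrong role being used (nicop's point about switching roles) or a labeling problem, not a missing allow rule, and the permissive field tells you whether the access actually went through.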
kgdrenefort
Guru

Joined: 19 Sep 2023
Posts: 314
Location: Somewhere in the 77

PostPosted: Mon Jun 03, 2024 9:21 am

Hello,

After some talking with people used to it, and some thinking, I am postponing this SELinux idea of mine for now:

1/ I lost far too much time on this
2/ It broke some of my sanity
3/ I'll do it, despite the pain it would be for me to switch to it on a working system.

Apologies for the time I took.

Regards,
GASPARD DE RENEFORT Kévin
_________________
Wiki translation, to participate.
Custom logos/biz card/website.