Gentoo Forums
Failed profile change to add selinux to hardened/systemd
Gentoo Forums Forum Index :: Networking & Security
tithom
n00b
Joined: 19 Nov 2022
Posts: 24

Posted: Sun Jun 16, 2024 9:32 pm    Post subject: Failed profile change to add selinux to hardened/systemd

Hello all,

Perhaps a thread similar to this one. I have installed a system with the hardened systemd stage3. As there are no stage3 with all hardened + selinux + systemd, I thought switching to selinux is easier than changing init. I followed the installation guide though I had initially tried to go straight for mcs. After a number of trial and errors, I can narrow down the possible issue to modules not compiling.

In the portage output I have the following for all sec-policy modules:
WARN: postinst
SELinux module load failed. Trying full reload...
Failed to reload SELinux policies.
...
To reload, run the following command from within /usr/share/selinux/mcs:
semodule -i base.pp -i $(ls *.pp | grep -v base.pp)

Running the above command gives the following:
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/selinuxutil/cil:234
Failed to resolve AST
semodule: Failed!

And if I exclude selinuxutil, I have the same for acpi, apache, git, etc. Looking up what statements are at these lines, respectively:
selinuxutil: (typeattributeset cil_gen_require policykit_t)
acpi: (typeattributeset cil_gen_require selinux_config_t)
apache: (typeattributeset cil_gen_require selinux_config_t)
git: (booleanif (and (and (httpd_enable_cgi) (httpd_unified)) (httpd_builtin_scripting))

So I am not seeing any specific logic to it? Except that using seinfo -t policykit_t returns 0 (same for selinux_config_t). While I don't have the first 3 installed, I do have git so not seeing a logic there either (and tried to install acpi thinking that perhaps that'll sort out the issue).

Also, perhaps anecdotally, I noted the following weird things:
- first attempt did not work out, could not even mount mountpoints, I followed the installation guide to the letter so rebooted before relabelling. Perhaps this?
- currently, id -Z returns system_u:system_r:kernel_t... Also ps -eZ | grep systemd returns kernel_t. When I set to enforcing, selinux blocks the boot refusing all actions to systemd (which then has a kernel_t type)
- /etc/selinux/targeted/contexts does not have a file for systemd while my Fedora laptop has one, this and the above makes me think something is missing with regards to systemd...

Well, considering that the only semodule that seems to have installed is base.pp, perhaps that makes sense.

Let me know if anything from the system may be useful beyond emerge --info:
Code:

Portage 3.0.63 (python 3.12.3-final-0, default/linux/amd64/23.0/hardened/selinux/systemd, gcc-13, glibc-2.39-r6, 6.6.32-gentoo-dist x86_64)
=================================================================
System uname: Linux-6.6.32-gentoo-dist-x86_64-12th_Gen_Intel-R-_Core-TM-_i7-1250U-with-glibc2.39
KiB Mem:     8112992 total,   7489528 free
KiB Swap:    4056060 total,   4056060 free
Timestamp of repository gentoo: Sun, 16 Jun 2024 13:00:00 +0000
Head commit of repository gentoo: d5f9a655ee84529a0d6efe573322fef28c2cc351
sh bash 5.1_p16-r11
ld GNU ld (Gentoo 2.42 p3) 2.42.0
app-misc/pax-utils:        1.3.7::gentoo
app-shells/bash:           5.1_p16-r11::gentoo
dev-build/autoconf:        2.71-r7::gentoo
dev-build/automake:        1.16.5-r2::gentoo
dev-build/cmake:           3.28.5::gentoo
dev-build/libtool:         2.4.7-r4::gentoo
dev-build/make:            4.4.1-r1::gentoo
dev-build/meson:           1.4.0-r1::gentoo
dev-lang/perl:             5.38.2-r3::gentoo
dev-lang/python:           3.11.9-r1::gentoo, 3.12.3-r1::gentoo
dev-lang/rust-bin:         1.77.1::gentoo
sec-policy/selinux-base:   2.20240226-r2::gentoo
sys-apps/baselayout:       2.15::gentoo
sys-apps/sandbox:          2.38::gentoo
sys-apps/systemd:          255.7::gentoo
sys-devel/binutils:        2.42-r1::gentoo
sys-devel/binutils-config: 5.5::gentoo
sys-devel/gcc:             13.2.1_p20240210::gentoo
sys-devel/gcc-config:      2.11::gentoo
sys-kernel/linux-headers:  6.6-r1::gentoo (virtual/os-headers)
sys-libs/glibc:            2.39-r6::gentoo
sys-libs/libselinux:       3.6-r1::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    volatile: False
    sync-rsync-verify-max-age: 3
    sync-rsync-extra-opts:
    sync-rsync-verify-metamanifest: yes
    sync-rsync-verify-jobs: 1

Binary Repositories:

gentoobinhost
    priority: 1
    sync-uri: https://distfiles.gentoo.org/releases/amd64/binpackages/23.0/x86-64_hardened

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE @BINARY-REDISTRIBUTABLE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/var/cache/distfiles"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GDK_PIXBUF_MODULE_FILE GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR XDG_STATE_HOME"
FCFLAGS="-march=native -O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg-live config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync merge-wait multilib-strict network-sandbox news parallel-fetch pkgdir-index-trusted preserve-libs protect-owned qa-unresolved-soname-deps sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=native -O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,-z,pack-relative-relocs"
LEX="flex"
MAKEOPTS="-j4"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
SHELL="/bin/bash"
USE="acl amd64 audit bzip2 caps cet crypt gdbm hardened iconv ipv6 libtirpc multilib ncurses nls openmp pam pcre pic pie readline seccomp secureboot selinux ssl ssp systemd test-rust udev unicode xattr xtpax zlib" ABI_X86="64" ADA_TARGET="gcc_12" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_anon authn_dbm authn_file authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter headers include info log_config logio mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2 aes avx avx2 f16c fma3 pclmul popcnt rdrand sha sse3 sse4_1 sse4_2 ssse3 vpclmulqdq" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 ntrip navcom oceanserver oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 tsip tripmate tnt ublox" INPUT_DEVICES="libinput" KERNEL="linux" LCD_DEVICES="bayrad cfontz glk hd44780 lb216 lcdm001 mtxorb text" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php8-2" POSTGRES_TARGETS="postgres15" PYTHON_SINGLE_TARGET="python3_12" PYTHON_TARGETS="python3_12" RUBY_TARGETS="ruby31 ruby32" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipp2p iface geoip fuzzy condition tarpit sysrq proto logmark ipmark dhcpmac delude chaos account"
Unset:  ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EMERGE_DEFAULT_OPTS, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, INSTALL_MASK, LC_ALL, LD, LFLAGS, LIBTOOL, LINGUAS, MAKE, MAKEFLAGS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PYTHONPATH, RANLIB, READELF, RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS
BurningMemory
n00b
Joined: 17 Jan 2023
Posts: 54

Posted: Mon Jun 17, 2024 5:09 am    Post subject: Re: Failed profile change to add selinux to hardened/systemd

tithom wrote:
Hello all,

Perhaps a thread similar to this one. I have installed a system with the hardened systemd stage3. As there are no stage3 with all hardened + selinux + systemd, I thought switching to selinux is easier than changing init. I followed the installation guide though I had initially tried to go straight for mcs. After a number of trial and errors, I can narrow down the possible issue to modules not compiling.

Hello there. I've encountered a similar, though not exactly the same, issue. Here's what you can try:
disable the SELinux profile, do a depclean of selinux-base and selinux-base-policy if they
are emerged. Then it's a good idea to rm /etc/selinux and /usr/share/selinux.
Once all that is done, boot from a livecd, mount /sys, /dev, /run, /proc and chroot.
When chrooted, enable the selinux profile, emerge both packages normally,
then verify the /usr/share/selinux/<policytype> directories for the module files you need
(i.e. init.pp, base.pp, authlogin.pp, etc.). If they are there and, once you reboot into
permissive mode (which is important), the /etc/selinux/*policy/ directories are not empty
but contain policy files, you're good to go.

NOTE:
Fedora workstation uses the 'targeted' policy by default, which is the most suitable
policy for workstations with a graphical interface. If you use the strict
policy you will need to make a gigantic number of adjustments, leading the policy
to be less strict and more of a pain.
tithom
n00b
Joined: 19 Nov 2022
Posts: 24

Posted: Mon Jun 17, 2024 9:53 am

Hello, thanks for this.

I have tried, but that fails at the same points. So I did change the profile (eselect profile set ....) back to only hardened/systemd. I did emerge changed-use and then depclean; this did remove all selinux bits, including selinux-base and selinux-base-policy. Then, in a live CD / chroot, I switched the profile back. I am not sure what you meant by emerge both packages normally (the install manual speaks of using FEATURES=-selinux and -sesandbox, so I emerged without this bit).

I noticed the same issues as the initial install, e.g. portage failing to reload modules:
WARN: postinst
SELinux module load failed. Trying full reload...
Failed to reload SELinux policies.

I rebooted in permissive, this fails to boot at all with lsm=selinux. Removing it, booting it, and then running: semodule -i base.pp -i $(ls *.pp | grep -v base.pp) in /usr/share/selinux/strict gives the same error warning as before, e.g.:
Failed to resolve typeattributeset statement at /var/lib/selinux/strict/tmp/modules/400/selinuxutil/cil:234
Failed to resolve AST
semodule: Failed!

However, loading base.pp at least lets me reboot in permissive mode (lsm=selinux on the kernel cmdline). Then, same issues, a lot of my processes (incl systemd) are labelled "kernel_t" and things don't work.

Looking more into details, emerging selinux-base-policy gives the following issues:
Inserting the following modules, with base, into the strict module store: application authlogin bootloader clock consoletype cron dmesg fstools getty hostname init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg
Failed to resolve typeattributeset statement at /var/lib/selinux/strict/tmp/modules/400/authlogin/cil:134
Failed to resolve AST
semodule: Failed!

So still the same issues but perhaps earlier on than when I noticed. If that matters, I have not yet created users so running everything as root, though I don't see why that should give issues?

PS: on the comparison with Fedora, I believe they're running a heavily adapted version of targeted because running ls -Z on qemu images would give:
-rw-------+ 1 qemu qemu system_u:object_r:svirt_image_t:s0:c729,c872
So it seems like it has mcs to me...

Edit: continuing to dig, this seems very similar to the following 2023 bug: https://bugs.gentoo.org/show_bug.cgi?id=891771

Installing selinux policies fails to load modules and before running manually semodule -i base.pp (which succeeds although loading other modules fail), /etc/selinux/*/contexts/files/file_contexts were also all missing.
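The "Failed to resolve typeattributeset statement ... cil:NNN" errors quoted in the first post and again above come from a module's require block: a line such as `(typeattributeset cil_gen_require policykit_t)` says the module expects some other module to define that type, and semodule refuses the whole transaction when it does not. The script below is an added example (not code from this thread, from Gentoo or from the refpolicy tools) that automates the manual lookup done in the thread: it pulls every required type out of a module's CIL and diffs it against the list of types the loaded policy actually knows. It assumes `/usr/libexec/selinux/hll/pp` (the policycoreutils converter semodule itself uses) turns a `.pp` into CIL text, and that setools' `seinfo -t` with no argument lists all loaded types; the sample CIL fragment and type list in `demo` are constructed inputs modelled on the statements quoted in the thread, and `guess_module` is only a naming heuristic.

```shell
#!/bin/sh
# Added example, not code from the thread, from Gentoo or from refpolicy.
# Find which types a policy module requires that the loaded policy does not
# define, which is what semodule's "Failed to resolve typeattributeset
# statement ... cil:NNN" error is pointing at.
#
# Assumptions (not verified in the thread):
#   - /usr/libexec/selinux/hll/pp converts a .pp module to CIL text.
#   - `seinfo -t` (setools) with no argument lists every loaded type,
#     possibly with a header line and indentation.
# Real-world use would look like:
#   /usr/libexec/selinux/hll/pp < /usr/share/selinux/strict/selinuxutil.pp > /tmp/selinuxutil.cil
#   seinfo -t > /tmp/known.txt
#   missing_types /tmp/selinuxutil.cil /tmp/known.txt

# cil_required_types CIL_FILE
# Print, sorted and deduplicated, every type named in a
# "(typeattributeset cil_gen_require <type>)" line, i.e. the module's require block.
cil_required_types() {
    sed -n 's/^[[:space:]]*(typeattributeset cil_gen_require \([A-Za-z0-9_]*\)).*/\1/p' "$1" \
        | sort -u
}

# known_types LIST_FILE
# Normalise a type list such as `seinfo -t` output: strip indentation and
# drop anything that is not a bare identifier (header lines, blanks).
known_types() {
    sed 's/^[[:space:]]*//; /^[A-Za-z0-9_]\{1,\}$/!d' "$1" | sort -u
}

# missing_types CIL_FILE LIST_FILE
# Required types that are absent from the known-type list.
missing_types() {
    tmp=$(mktemp) || return 1
    known_types "$2" > "$tmp"
    cil_required_types "$1" | comm -23 - "$tmp"
    rm -f "$tmp"
}

# guess_module TYPE
# Heuristic only: refpolicy usually defines foo_t in module "foo", which
# Gentoo packages as sec-policy/selinux-foo. Types that live in the base
# policy (e.g. selinux_config_t) have no such separate package.
guess_module() {
    printf '%s\n' "$1" | sed 's/_t$//'
}

# Demo on a constructed CIL fragment and a constructed type list (sample
# inputs modelled on the thread's quoted statements, not real semodule output).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/selinuxutil.cil" <<'EOF'
(typeattributeset cil_gen_require policykit_t)
(typeattributeset cil_gen_require selinux_config_t)
(typeattributeset cil_gen_require init_t)
(allow selinux_config_t init_t (file (read)))
EOF
    cat > "$d/known.txt" <<'EOF'
Types: 3
   init_t
   kernel_t
   selinux_config_t
EOF
    echo "required: $(cil_required_types "$d/selinuxutil.cil" | tr '\n' ' ')"
    for t in $(missing_types "$d/selinuxutil.cil" "$d/known.txt"); do
        echo "missing: $t (try sec-policy/selinux-$(guess_module "$t"))"
    done
    rm -rf "$d"
}

demo
```

Running the demo reports `policykit_t` as the one required type that the constructed policy lacks, which matches the thread's eventual finding that installing selinux-policykit (and selinux-dbus) let the modules load. For a store that fails with several modules, loop the three commands over every `.pp` in `/usr/share/selinux/<type>/` and collect the union of missing types before installing anything.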
tithom
n00b
Joined: 19 Nov 2022
Posts: 24

Posted: Thu Jul 11, 2024 8:06 pm

As an update, after checking on IRC, I was advised to install selinux-dbus and selinux-policykit. I did so and then reinstalled selinux-base-policy.

Indeed that did (part of) the trick, now I can load modules without problems. I'm still not booting but that may be due to other issues or trying to get the system to work. I'll try with another clean install one of these days to see if I can get everything in order.