vaxbrat
Posted: Mon Jun 18, 2007 4:07 am    Post subject: selinux denials due to race conditions? [solved]
I just joined the hardened-gentoo mailing list but thought I might give this a shot here too. I'm on the 2006.1 unstable profile for selinux and think I may have a race condition that results in avc denials before selinux has finished labeling things like /dev. For example, the first denial below appears to be where /etc/hotplug.d/default/default.hotplug is peeking and poking around with /dev/null. The denial has it as a system_u:object_r:file_t, but when I look at it from a running system I see it as a system_u:object_r:null_device_t. Can the hardened folk chime in about whether I'm missing something blatantly obvious? Should I be messing around in /etc/runlevels/boot to put dependencies in various scripts (although selinux isn't a script so how would I make it a dependency?)
snippet from a dmesg:
Code:
security: 5 users, 5 roles, 1376 types, 81 bools
security: 59 classes, 61906 rules
security: class dccp_socket not defined in policy
security: permission dccp_recv in class node not defined in policy
security: permission dccp_send in class node not defined in policy
security: permission dccp_recv in class netif not defined in policy
security: permission dccp_send in class netif not defined in policy
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev sda5, type ext3), uses xattr
inode_doinit_with_dentry: context_to_sid(unlabeled) returned 22 for dev=sda5 ino=1938273
audit(1182137416.171:2): avc: denied { ioctl } for pid=884 comm="default.hotplug" name="null" dev=sda5 ino=733068 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.203:3): avc: denied { read } for pid=889 comm="env" name="urandom" dev=sda5 ino=732962 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.204:4): avc: denied { read } for pid=884 comm="default.hotplug" name="default.hotplug" dev=sda5 ino=1356280 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sbin_t tclass=file
audit(1182137416.206:5): avc: denied { search } for pid=884 comm="default.hotplug" name="var" dev=sda5 ino=1254177 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_t tclass=dir
audit(1182137416.221:6): avc: denied { search } for pid=884 comm="default.hotplug" name="log" dev=sda5 ino=1255669 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_log_t tclass=dir
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
audit(1182137416.259:7): policy loaded auid=4294967295
audit(1182137416.261:8): avc: denied { read write } for pid=1 comm="init" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.275:9): avc: denied { ioctl } for pid=1 comm="init" name="tty0" dev=sda5 ino=735467 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.277:10): avc: denied { read } for pid=891 comm="hotplug" name="urandom" dev=sda5 ino=732962 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.279:11): avc: denied { write } for pid=891 comm="hotplug" name="tty" dev=sda5 ino=734192 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.296:12): avc: denied { ioctl } for pid=893 comm="default.hotplug" name="null" dev=sda5 ino=733068 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.758:13): avc: denied { read write } for pid=970 comm="rc" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.033:14): avc: denied { read write } for pid=994 comm="consoletype" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.034:15): avc: denied { search } for pid=994 comm="consoletype" name="dev" dev=sda5 ino=732961 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=dir
audit(1182137417.034:16): avc: denied { getattr } for pid=994 comm="consoletype" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.035:17): avc: denied { ioctl } for pid=994 comm="consoletype" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.082:18): avc: denied { ioctl } for pid=997 comm="stty" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.172:19): avc: denied { getattr } for pid=970 comm="bash" name="null" dev=sda5 ino=733068 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.196:20): avc: denied { read write } for pid=1001 comm="dmesg" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.220:21): avc: denied { read write } for pid=1004 comm="mount" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t tclass=chr_file
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
audit(1182137417.478:22): avc: denied { read write } for pid=1038 comm="restorecon" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.716:23): avc: denied { write } for pid=1042 comm="bash" name="null" dev=tmpfs ino=2106 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1182137417.875:24): avc: denied { read write } for pid=1062 comm="udevd" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137418.770:25): avc: denied { read } for pid=1194 comm="modprobe" name="console" dev=tmpfs ino=2100 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1182137424.374:26): avc: denied { getattr } for pid=2059 comm="modprobe.sh" name="modprobe.conf" dev=sda5 ino=1515100 scontext=system_u:system_r:udev_t tcontext=root:object_r:modules_conf_t tclass=file
audit(1182137424.376:27): avc: denied { read } for pid=2112 comm="grep" name="modprobe.conf" dev=sda5 ino=1515100 scontext=system_u:system_r:udev_t tcontext=root:object_r:modules_conf_t tclass=file
vaxbrat
Posted: Thu Jun 21, 2007 3:00 am    Post subject: It is a race
Got confirmed that it is indeed a race condition. However, I noticed that udev really has taken over everything from hotplug, so that it's no longer needed. That got rid of a good number of denials, since udev doesn't get around to doing its thing until later and thus avoids the race.
vaxbrat
Posted: Fri Jun 22, 2007 3:20 am    Post subject: Need to label the static /dev
Here's the detailed story for the race condition. Until udev has finished doing its thing and mounted its own /dev, the system is using the primordial static /dev from your root's filesystem. Selinux gets /selinux up and running and is still at work doing the genfs context labeling of /dev, /tmp and company when the init process gets kicked. So init initially gets busy using the static nodes. Unfortunately these all have the default labeling of file_t and don't get picked up later by relabeling since udev now overlays the /dev directory with its own.
In order to relabel the static /dev you need to get a bit sneaky by "remounting" your root filesystem somewhere else. Let's say /mnt/rawroot
Code:
# mkdir /mnt/rawroot
# mount --bind / /mnt/rawroot
The --bind option remounts the filesystem at a different directory but doesn't apply all of the submounts. Thus the udev version of /dev is left behind to uncover the static /dev as /mnt/rawroot/dev. Now we can use setfilecon to manually relabel contexts. For example, the init process was getting denied access to /dev/console:
audit(1182137416.261:8): avc: denied { read write } for pid=1 comm="init" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
In a running system, the /dev/console device is labeled as system_u:object_r:console_device_t. To label the static console properly I did:
Code:
# cd /mnt/rawroot/dev
# setfilecon system_u:object_r:console_device_t console
Some of the other device nodes that were getting hit too early include /dev/tty0 (tty_device_t) and /dev/urandom (urandom_device_t).
vaxbrat
Posted: Mon Jun 25, 2007 12:52 am    Post subject: more for the pot
Can't seem to stay away from this thread for some reason
Here's a couple more things in the rawroot that need proper labeling:
Code:
# cd /mnt/rawroot2
# setfilecon system_u:object_r:device_t dev
# setfilecon system_u_object_r_security_t security
The label for security removes a mount denial warning when /selinux is mounted. Sort of a "chicken and egg" thing.
R. Bosch
Posted: Tue Jun 26, 2007 10:57 am    Post subject: Re: more for the pot
vaxbrat wrote:
    Can't seem to stay away from this thread for some reason
    Code:
    # cd /mnt/rawroot2
    # setfilecon system_u:object_r:device_t dev
    # setfilecon system_u_object_r_security_t security
    The label for security removes a mount denial warning when /selinux is mounted. Sort of a "chicken and egg" thing.
I'm not sure what you mean by the last line, nor by /mnt/rawroot2. For instance, I don't see the file /security.
vaxbrat
Posted: Tue Jun 26, 2007 11:37 pm    Post subject: whoops
This:
Code:
# cd /mnt/rawroot2
# setfilecon system_u:object_r:device_t dev
# setfilecon system_u_object_r_security_t security
Should be
Code:
# cd /mnt/rawroot
# setfilecon system_u:object_r:device_t dev
# setfilecon system_u_object_r_security_t selinux
That's what I get for not directly cutting and pasting from the server I was working on. The /mnt/rawroot refers to the remount that I had done in an earlier part of the thread.
R. Bosch
Posted: Wed Jun 27, 2007 8:59 am
Thought of that, but failed:
command:
setfilecon: setfilecon(selinux,system_u_object_r_security_t) failed
Even if I run it from another installation of selinux (my second try).
It did accept the device type.
When listed in root the context looks like it should, but not when I take a look under /mnt/rawroot.
This is how it is listed atm:
Code:
drwxr-xr-x root root system_u:object_r:device_t selinux
I also tried unmounting /selinux in case there was a lock. Then tried to change both of them (under / and /mnt/rawroot), to no effect.
I don't understand what would block the change of context. Even in a new build, it won't accept.
Also passing the context to mkdir doesn't help.
My status:
ReboliLaptop ~ # sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: strict
Thanks for sharing this thread
vaxbrat
Posted: Thu Jun 28, 2007 3:49 am    Post subject: device_t?
So if you do
Code:
# cd /mnt/rawroot
# ls -Z | grep security
You see device_t and not file_t or security_t? That's bizarre. What type of filesystem is root (ext3 I hope)?
Also realize that I'm working with the unstable 2006.1 profile and the 20070329 security policy (refpolicy). I haven't looked at the "example" policy and the 2005.1? stable profile in a while but may set up an example at work sometime soon.
One thing that bit me on another server I was playing with is reiserfs. Even though I thought from the kernel filesystem options that it would include extended attribute support, it turned out not to work right for selinux labeling. After my first attempt at labeling, everything came up as nfs_t or something like that after a reboot. Then when I looked at the dmesg log, I noticed selinux mentioning that it was labeling using genfscontexts instead of xattrs. I'm going to have to move that server's root to somewhere else and convert to ext3 I guess.
If I recall, only ext3 and xfs had selinux xattr labeling support.
R. Bosch
Posted: Thu Jun 28, 2007 8:16 am
Yes, but the thing is, I can't repeat this. I removed /selinux and ran mkdir /selinux to see if it would make any difference, but the system still refuses to set the context correctly.
Code:
ReboliLaptop ~ # ls -lZ /
drwxr-xr-x root root system_u:object_r:bin_t bin
drwxr-xr-x root root system_u:object_r:boot_t boot
drwxr-xr-x root root system_u:object_r:device_t dev
drwxr-xr-x root root system_u:object_r:etc_t etc
drwxr-xr-x root root system_u:object_r:home_root_t home
drwxr-xr-x root root system_u:object_r:lib_t lib
drwx------ root root system_u:object_r:lost_found_t lost+found
drwxr-xr-x root root system_u:object_r:mnt_t media
drwxr-xr-x root root system_u:object_r:mnt_t mnt
drwxr-xr-x root root system_u:object_r:usr_t opt
dr-xr-xr-x root root system_u:object_r:proc_t proc
drwx------ root root root:object_r:sysadm_home_dir_t root
drwxr-xr-x root root system_u:object_r:bin_t sbin
drwxr-xr-x root root user_u:object_r:root_t selinux
drwxr-xr-x root root system_u:object_r:sysfs_t sys
drwxrwxrwt root root system_u:object_r:tmp_t tmp
drwxr-xr-x root root system_u:object_r:usr_t usr
drwxr-xr-x root root system_u:object_r:var_t var
Even tried making such a directory in root's homedir:
Code:
ReboliLaptop ~ # mkdir -Z system_u_object_r_security_t selinux
Sorry, cannot set default context to system_u_object_r_security_t.
My system:
ReboliLaptop ~ # ls /etc/make.profile -ld
lrwxrwxrwx 1 root root 40 Jun 19 10:48 /etc/make.profile -> /usr/portage/profiles/selinux/x86/2006.1
software:
libselinux-1.34.0
libsemanage-1.10.0
libsepol-1.16.3
selinux-base-policy-20070329
checkpolicy-1.34.0
policycoreutils-1.34.1
ReboliLaptop ~ # sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: strict
ReboliLaptop ~ # mount
/dev/hda2 on / type ext3 (rw,noatime)
Linux version 2.6.21-suspend2-r6 (root@ReboliLaptop) (gcc version 4.1.2 (Gentoo 4.1.2)) #2 Sun Jun 24 23:05:35 CEST 2007
What could prevent me from setting the context in permissive mode?
vaxbrat
Posted: Fri Jun 29, 2007 5:19 am    Post subject: role?
What role are you in when you try to label? Even in permissive mode, I wonder if context labeling wants you to be a sysadm_t before doing its thing.
It's interesting that the security_t type may only be on the /selinux mount point and the security filesystem itself. I don't see a file labeling rule for security_t in /etc/selinux/strict/contexts/files/file_contexts. It must be hard coded somewhere.
R. Bosch
Posted: Sun Jul 22, 2007 11:50 am
Did not matter... root admin or root the user. Both incapable. A way around it is to compile the kernel with security labels but without selinux support. I use this kernel to install the base system before reboot.
Did any of this make it into any documentation yet?
seventhguardian
Posted: Wed Aug 22, 2007 6:29 pm
R. Bosch wrote:
    Even tried making such a directory in root's homedir:
    Code:
    ReboliLaptop ~ # mkdir -Z system_u_object_r_security_t selinux
    Sorry, cannot set default context to system_u_object_r_security_t.
    (...)
    What could prevent me from setting the context in permissive mode?
You are repeating vaxbrat's type errors! lol.. note what you are using:
Code:
system_u_object_r_security_t
It should be:
Code:
system_u:object_r:security_t
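An added example that scripts the procedure worked out in this thread; it is not code from vaxbrat, R. Bosch or any other poster. It does three things the posts above cover by hand: checks the "SELinux: initialized (dev ..., type ...), uses xattr" line from dmesg so you don't relabel a filesystem where labels won't persist (the reiserfs trap mentioned earlier), bind-mounts / so the on-disk static /dev is reachable beneath udev's tmpfs, and asks the loaded policy for each node's proper context with matchpathcon instead of typing it, refusing anything that is not user:role:type (the underscores-for-colons slip just corrected). Assumptions: the audit and kernel line formats shown in the first post, matchpathcon(1) and setfilecon(1) being installed, /mnt/rawroot as the bind-mount point, and the root device being the first field of the / entry in /proc/mounts. The sample lines are copied from the first post; only the parsing and validation functions run offline, relabel_static_dev needs root on a live SELinux system.

```shell
#!/bin/sh
# Added example for this thread; not code from any of the posters.
# Assumptions: kernel/audit lines in the 2.6-era format quoted above;
# matchpathcon(1) and setfilecon(1) from libselinux/policycoreutils are
# installed; RAWROOT is a free directory. Only the parsing and validation
# functions run offline; relabel_static_dev needs root on a live SELinux box.

RAWROOT=${RAWROOT:-/mnt/rawroot}

# Constructed sample input: lines copied from the dmesg in the first post.
SAMPLE_DMESG='SELinux: initialized (dev sda5, type ext3), uses xattr
SELinux: initialized (dev proc, type proc), uses genfs_contexts
audit(1182137416.171:2): avc: denied { ioctl } for pid=884 comm="default.hotplug" name="null" dev=sda5 ino=733068 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.203:3): avc: denied { read } for pid=889 comm="env" name="urandom" dev=sda5 ino=732962 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.261:8): avc: denied { read write } for pid=1 comm="init" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.275:9): avc: denied { ioctl } for pid=1 comm="init" name="tty0" dev=sda5 ino=735467 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.279:11): avc: denied { write } for pid=891 comm="hotplug" name="tty" dev=sda5 ino=734192 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.034:15): avc: denied { search } for pid=994 comm="consoletype" name="dev" dev=sda5 ino=732961 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=dir
audit(1182137417.716:23): avc: denied { write } for pid=1042 comm="bash" name="null" dev=tmpfs ino=2106 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file'

# How SELinux labels the given block device ("xattr", "genfs_contexts", ...),
# read from kernel messages on stdin. Anything but xattr on the root
# filesystem means setfilecon labels will not survive a reboot.
labeling_mode() {
    awk -v dev="$1" '
        /^SELinux: initialized \(dev / {
            d = $4; sub(/,$/, "", d)
            if (d == dev) { s = $0; sub(/.*uses /, "", s); print s; exit }
        }'
}

# Reject contexts that are not user:role:type[:range]; catches the
# underscores-for-colons slip (system_u_object_r_security_t) seen above.
valid_context() {
    case "$1" in
        ?*:*_r:?*_t|?*:*_r:?*_t:?*) return 0 ;;
        *) echo "malformed context '$1' (want user:role:type, e.g. system_u:object_r:security_t)" >&2
           return 1 ;;
    esac
}

# Unique names of character devices on the root disk (not udev's tmpfs)
# that were denied with the unlabeled-default tcontext file_t: these are
# the static /dev nodes init and friends touched before udev took over.
unlabeled_static_nodes() {
    awk '
        /avc: denied/ && /tclass=chr_file/ && /tcontext=[^ ]*:file_t/ && !/dev=tmpfs/ {
            if (match($0, /name="[^"]*"/)) print substr($0, RSTART + 6, RLENGTH - 7)
        }' | LC_ALL=C sort -u
}

# Bind-mount / so the on-disk /dev is reachable under $RAWROOT/dev (bind
# mounts do not carry submounts), then give the directory itself and each
# offending node the context the loaded policy expects. Reads dmesg output
# on stdin. Assumes the root device is the first field of / in /proc/mounts.
relabel_static_dev() {
    log=$(cat)
    rootdev=$(awk '$2 == "/" { sub("^/dev/", "", $1); print $1; exit }' /proc/mounts)
    mode=$(printf '%s\n' "$log" | labeling_mode "$rootdev")
    if [ "$mode" != xattr ]; then
        echo "root ($rootdev) is labeled via '${mode:-unknown}', not xattr; relabeling would not persist" >&2
        return 1
    fi
    mkdir -p "$RAWROOT" && mount --bind / "$RAWROOT" || return 1
    for p in "" $(printf '%s\n' "$log" | unlabeled_static_nodes); do
        path="$RAWROOT/dev${p:+/$p}"
        [ -e "$path" ] || continue
        ctx=$(matchpathcon -n "/dev${p:+/$p}") && valid_context "$ctx" || continue
        echo "setfilecon $ctx $path"
        setfilecon "$ctx" "$path"
    done
    umount "$RAWROOT"
}

case "${1:-}" in
    plan)  printf '%s\n' "$SAMPLE_DMESG" | unlabeled_static_nodes ;;
    apply) dmesg | relabel_static_dev ;;
esac
```

Run it with "plan" to see which static nodes the sample denials point at (console, null, tty, tty0, urandom); "apply" does the bind mount and relabel on a real box, and bails out first if the root filesystem is not xattr-labeled.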
DeathStar
Posted: Fri Jun 20, 2008 9:29 pm
An easier way to fix this along with all other labels is to boot into permissive mode, then do the following:
Code:
# mkdir -p /mnt/rawroot
# bind-mount / so the on-disk /dev (not udev's tmpfs) is what gets relabeled
# mount -o bind / /mnt/rawroot
# chroot /mnt/rawroot /bin/bash
# env-update && source /etc/profile
# rlpkg -avr
This will relabel all files on the system, including all dev devices, back to what they should be for SELinux.