Gentoo Forums
Selinux reports a lot of avc denied messages
droman
Joined: 30 Jan 2017
Posts: 1

PostPosted: Thu May 31, 2018 8:54 pm    Post subject: Selinux reports a lot of avc denied messages

Hi.

Yesterday I was configuring a server and wanted to try the hardened/selinux profile, so I switched to that profile, and after following the SELinux installation guide ( https://wiki.gentoo.org/wiki/SELinux/Installation ) and emerging all the needed packages I see a lot of denials. All needed selinux packages seem to be emerged. Of course I could try to use audit2allow, but I think that I have done something wrong, because I have denials for very basic programs that should be covered by default, like init or dmesg.
By the way, it's the first time that I have tried to use SELinux.


The following are some of the denials that I see:

Code:
[    5.794901] audit: type=1403 audit(1527797934.153:2): policy loaded auid=4294967295 ses=4294967295
[    6.100019] audit: type=1400 audit(1527797934.457:3): avc:  denied  { map } for  pid=245 comm="restorecon" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:setfiles_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    6.264110] audit: type=1400 audit(1527797934.621:4): avc:  denied  { map } for  pid=256 comm="mount" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:mount_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    6.394093] audit: type=1400 audit(1527797934.753:5): avc:  denied  { map } for  pid=264 comm="checkpath" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:tmpfiles_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    7.406777] audit: type=1400 audit(1527797935.765:6): avc:  denied  { getattr } for  pid=521 comm="restorecon" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:setfiles_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[    7.550513] audit: type=1400 audit(1527797935.909:7): avc:  denied  { map } for  pid=588 comm="cgroup-release-" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:openrc_cgroup_release_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    7.589767] audit: type=1400 audit(1527797935.949:8): avc:  denied  { read } for  pid=609 comm="dmesg" name="ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:dmesg_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    7.589887] audit: type=1400 audit(1527797935.949:9): avc:  denied  { open } for  pid=609 comm="dmesg" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:dmesg_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    7.590004] audit: type=1400 audit(1527797935.949:10): avc:  denied  { getattr } for  pid=609 comm="dmesg" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:dmesg_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    7.590121] audit: type=1400 audit(1527797935.949:11): avc:  denied  { map } for  pid=609 comm="dmesg" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:dmesg_t tcontext=root:object_r:etc_t tclass=file permissive=1
[   15.530863] audit: type=1400 audit(1527797943.915:28): avc:  denied  { map } for  pid=1681 comm="cgroup-release-" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:openrc_cgroup_release_t tcontext=root:object_r:etc_t tclass=file permissive=1
[   15.591436] audit: type=1400 audit(1527797943.975:29): avc:  denied  { map } for  pid=1704 comm="named-checkconf" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:named_t tcontext=root:object_r:etc_t tclass=file permissive=1
[   15.675894] audit: type=1400 audit(1527797944.059:30): avc:  denied  { map } for  pid=1706 comm="checkpath" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:tmpfiles_t tcontext=root:object_r:etc_t tclass=file permissive=1
[   15.854157] audit: type=1400 audit(1527797944.239:31): avc:  denied  { map } for  pid=1748 comm="mount" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:mount_t tcontext=root:object_r:etc_t tclass=file permissive=1
[   15.981069] audit: type=1400 audit(1527797944.367:32): avc:  denied  { map } for  pid=1780 comm="ssh-keygen" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:ssh_keygen_t tcontext=root:object_r:etc_t tclass=file permissive=1
[   15.982079] audit: type=1400 audit(1527797944.367:33): avc:  denied  { read } for  pid=1780 comm="ssh-keygen" name="locale-archive" dev="sda3" ino=4212902 scontext=system_u:system_r:ssh_keygen_t tcontext=root:object_r:locale_t tclass=file permissive=1
[   15.982081] audit: type=1400 audit(1527797944.367:34): avc:  denied  { open } for  pid=1780 comm="ssh-keygen" path="/usr/lib64/locale/locale-archive" dev="sda3" ino=4212902 scontext=system_u:system_r:ssh_keygen_t tcontext=root:object_r:locale_t tclass=file permissive=1
[   15.982082] audit: type=1400 audit(1527797944.367:35): avc:  denied  { getattr } for  pid=1780 comm="ssh-keygen" path="/usr/lib64/locale/locale-archive" dev="sda3" ino=4212902 scontext=system_u:system_r:ssh_keygen_t tcontext=root:object_r:locale_t tclass=file permissive=1
[   15.982083] audit: type=1400 audit(1527797944.367:36): avc:  denied  { map } for  pid=1780 comm="ssh-keygen" path="/usr/lib64/locale/locale-archive" dev="sda3" ino=4212902 scontext=system_u:system_r:ssh_keygen_t tcontext=root:object_r:locale_t tclass=file permissive=1
[   16.001305] audit: type=1400 audit(1527797944.387:37): avc:  denied  { map } for  pid=1781 comm="sshd" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:sshd_t tcontext=root:object_r:etc_t tclass=file permissive=1
[ 1684.529559] kauditd_printk_skb: 1 callbacks suppressed
[ 1684.529561] audit: type=1400 audit(1527799612.915:39): avc:  denied  { map } for  pid=1838 comm="unix_chkpwd" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:chkpwd_t tcontext=root:object_r:etc_t tclass=file permissive=1
[ 1685.104077] audit: type=1400 audit(1527799613.491:40): avc:  denied  { getattr } for  pid=1 comm="init" path="/run/initctl" dev="tmpfs" ino=5288 scontext=system_u:system_r:init_t tcontext=system_u:object_r:var_run_t tclass=fifo_file permissive=1
[ 1687.610857] audit: type=1400 audit(1527799615.995:41): avc:  denied  { read } for  pid=1843 comm="dmesg" name="kmsg" dev="devtmpfs" ino=1035 scontext=root:staff_r:staff_t tcontext=system_u:object_r:kmsg_device_t tclass=chr_file permissive=1
[ 1687.610861] audit: type=1400 audit(1527799615.995:42): avc:  denied  { open } for  pid=1843 comm="dmesg" path="/dev/kmsg" dev="devtmpfs" ino=1035 scontext=root:staff_r:staff_t tcontext=system_u:object_r:kmsg_device_t tclass=chr_file permissive=1


Thanks in advance
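As an added example (not code from either poster or from the Gentoo SELinux project), here is a small Python script that turns a flood of AVC denials like the ones above into a short summary keyed by source domain, target type, object class and requested permission. The sample lines are constructed from the denials quoted in the post; the script only needs the standard library.

```python
"""Triage SELinux AVC denials from dmesg/audit output.

Added example, not code from the thread: parses AVC denial lines and groups them
by source domain, target type, object class and the requested permission, so a
long list of denials collapses into a few patterns. The sample lines below are
constructed from the denials quoted in the post above.
"""
import re
from collections import Counter

# "avc:  denied  { map } for  pid=245 comm="restorecon" ... tclass=file permissive=1"
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be quoted strings
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one kernel/audit log line; return a dict, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # permissive=1 means the denial was only logged; the access still went ahead
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def summarize(lines):
    """Count denials keyed by (source domain, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm)
            counts[key] += 1
    return counts


def domains_denied(counts, perm):
    """Source domains that were denied a given permission.

    Many unrelated domains denied the same permission on the same target type
    points at a policy-wide gap (for example a permission the loaded policy
    does not define) rather than a misconfigured single service."""
    return sorted({sdom for (sdom, _, _, p) in counts if p == perm})


# Constructed sample: a subset of the lines quoted in the post, plus two non-AVC lines.
SAMPLE_LOG = """\
[    5.794901] audit: type=1403 audit(1527797934.153:2): policy loaded auid=4294967295 ses=4294967295
[    6.100019] audit: type=1400 audit(1527797934.457:3): avc:  denied  { map } for  pid=245 comm="restorecon" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:setfiles_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    6.264110] audit: type=1400 audit(1527797934.621:4): avc:  denied  { map } for  pid=256 comm="mount" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:mount_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    7.589767] audit: type=1400 audit(1527797935.949:8): avc:  denied  { read } for  pid=609 comm="dmesg" name="ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:dmesg_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    7.589887] audit: type=1400 audit(1527797935.949:9): avc:  denied  { open } for  pid=609 comm="dmesg" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:dmesg_t tcontext=root:object_r:etc_t tclass=file permissive=1
[    7.590121] audit: type=1400 audit(1527797935.949:11): avc:  denied  { map } for  pid=609 comm="dmesg" path="/etc/ld.so.cache" dev="sda3" ino=4231530 scontext=system_u:system_r:dmesg_t tcontext=root:object_r:etc_t tclass=file permissive=1
[   15.982079] audit: type=1400 audit(1527797944.367:33): avc:  denied  { read } for  pid=1780 comm="ssh-keygen" name="locale-archive" dev="sda3" ino=4212902 scontext=system_u:system_r:ssh_keygen_t tcontext=root:object_r:locale_t tclass=file permissive=1
[ 1684.529559] kauditd_printk_skb: 1 callbacks suppressed
[ 1685.104077] audit: type=1400 audit(1527799613.491:40): avc:  denied  { getattr } for  pid=1 comm="init" path="/run/initctl" dev="tmpfs" ino=5288 scontext=system_u:system_r:init_t tcontext=system_u:object_r:var_run_t tclass=fifo_file permissive=1
[ 1687.610857] audit: type=1400 audit(1527799615.995:41): avc:  denied  { read } for  pid=1843 comm="dmesg" name="kmsg" dev="devtmpfs" ino=1035 scontext=root:staff_r:staff_t tcontext=system_u:object_r:kmsg_device_t tclass=chr_file permissive=1
""".splitlines()

if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for (sdom, ttype, tclass, perm), n in counts.most_common():
        print(f"{n:3d}  {sdom:<14} -> {ttype:<16} {tclass:<10} {perm}")
    print("domains denied 'map':", ", ".join(domains_denied(counts, "map")))
```

On a real system, feed it the lines of `dmesg` or `ausearch -m avc` instead of the constructed sample. The grouped view is what to read before reaching for audit2allow: one permission denied to many unrelated domains on the same target (here `map` on `etc_t`) is a different problem from one service missing one rule, and `permissive=1` on every line confirms the denials were logged rather than enforced.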
Melunlina
Joined: 04 Jun 2018
Posts: 1

PostPosted: Mon Jun 04, 2018 4:40 am    Post subject:

Hello

Similar problem.
I have a system built on Sakaki's EFI Install Guide https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide with SELinux MCS on top.
I started to migrate from the old 4.8 hardened kernel to the newest 4.16 to confront CPU vulnerabilities and got SELinux not working. Unmasking the latest SELinux, 2.20180114-r2, didn't help.
The problem seems to be that some classes and permissions are not defined, according to the messages log:
Code:
kernel: SELinux: 8192 avtab hash slots, 32441 rules.
kernel: SELinux: 8192 avtab hash slots, 32441 rules.
kernel: SELinux:  7 users, 8 roles, 1972 types, 156 bools, 1 sens, 1024 cats
kernel: SELinux:  123 classes, 32441 rules
kernel: SELinux:  Permission getrlimit in class process not defined in policy.
kernel: SELinux:  Class process2 not defined in policy.
kernel: SELinux:  Permission map in class file not defined in policy.
kernel: SELinux:  Permission map in class dir not defined in policy.
kernel: SELinux:  Permission map in class lnk_file not defined in policy.
kernel: SELinux:  Permission map in class chr_file not defined in policy.
kernel: SELinux:  Permission map in class blk_file not defined in policy.
kernel: SELinux:  Permission map in class sock_file not defined in policy.
kernel: SELinux:  Permission map in class fifo_file not defined in policy.
kernel: SELinux:  Permission map in class socket not defined in policy.
kernel: SELinux:  Permission map in class tcp_socket not defined in policy.
kernel: SELinux:  Permission map in class udp_socket not defined in policy.
kernel: SELinux:  Permission map in class rawip_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_socket not defined in policy.
kernel: SELinux:  Permission map in class packet_socket not defined in policy.
kernel: SELinux:  Permission map in class key_socket not defined in policy.
kernel: SELinux:  Permission map in class unix_stream_socket not defined in policy.
kernel: SELinux:  Permission map in class unix_dgram_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_route_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_tcpdiag_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_nflog_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_xfrm_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_selinux_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_iscsi_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_audit_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_fib_lookup_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_connector_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_netfilter_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_dnrt_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_kobject_uevent_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_generic_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_scsitransport_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_rdma_socket not defined in policy.
kernel: SELinux:  Permission map in class netlink_crypto_socket not defined in policy.
kernel: SELinux:  Permission map in class appletalk_socket not defined in policy.
kernel: SELinux:  Permission map in class dccp_socket not defined in policy.
kernel: SELinux:  Permission map in class tun_socket not defined in policy.
kernel: SELinux:  Permission map in class sctp_socket not defined in policy.
kernel: SELinux:  Permission map in class icmp_socket not defined in policy.
kernel: SELinux:  Permission map in class ax25_socket not defined in policy.
kernel: SELinux:  Permission map in class ipx_socket not defined in policy.
kernel: SELinux:  Permission map in class netrom_socket not defined in policy.
kernel: SELinux:  Permission map in class atmpvc_socket not defined in policy.
kernel: SELinux:  Permission map in class x25_socket not defined in policy.
kernel: SELinux:  Permission map in class rose_socket not defined in policy.
kernel: SELinux:  Permission map in class decnet_socket not defined in policy.
kernel: SELinux:  Permission map in class atmsvc_socket not defined in policy.
kernel: SELinux:  Permission map in class rds_socket not defined in policy.
kernel: SELinux:  Permission map in class irda_socket not defined in policy.
kernel: SELinux:  Permission map in class pppox_socket not defined in policy.
kernel: SELinux:  Permission map in class llc_socket not defined in policy.
kernel: SELinux:  Permission map in class can_socket not defined in policy.
kernel: SELinux:  Permission map in class tipc_socket not defined in policy.
kernel: SELinux:  Permission map in class bluetooth_socket not defined in policy.
kernel: SELinux:  Permission map in class iucv_socket not defined in policy.
kernel: SELinux:  Permission map in class rxrpc_socket not defined in policy.
kernel: SELinux:  Permission map in class isdn_socket not defined in policy.
kernel: SELinux:  Permission map in class phonet_socket not defined in policy.
kernel: SELinux:  Permission map in class ieee802154_socket not defined in policy.
kernel: SELinux:  Permission map in class caif_socket not defined in policy.
kernel: SELinux:  Permission map in class alg_socket not defined in policy.
kernel: SELinux:  Permission map in class nfc_socket not defined in policy.
kernel: SELinux:  Permission map in class vsock_socket not defined in policy.
kernel: SELinux:  Permission map in class kcm_socket not defined in policy.
kernel: SELinux:  Permission map in class qipcrtr_socket not defined in policy.
kernel: SELinux:  Class smc_socket not defined in policy.
kernel: SELinux:  Class infiniband_pkey not defined in policy.
kernel: SELinux:  Class infiniband_endport not defined in policy.
kernel: SELinux:  Class bpf not defined in policy.
kernel: SELinux: the above unknown classes and permissions will be denied
kernel: SELinux:  policy capability network_peer_controls=1
kernel: SELinux:  policy capability open_perms=1
kernel: SELinux:  policy capability extended_socket_class=0
kernel: SELinux:  policy capability always_check_network=0
kernel: SELinux:  policy capability cgroup_seclabel=0
kernel: SELinux:  policy capability nnp_nosuid_transition=0
The audit2allow command says:
Code:
libsepol.sepol_string_to_av_perm: could not convert map to av bit

I tried to generate a .te policy on a Fedora 4.16.3 kernel, including `dontaudit` logs. audit2allow generates a .te policy which is compiled and inserted in Gentoo, but when SELinux is being enabled the problem remains.

Found this information in web https://android-review.googlesource.com/c/platform/system/sepolicy/+/432339
Quote:
sepolicy: Define and allow map permission

Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap")
added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation). The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying). The kernel commit is anticipated to
be included in Linux 4.13.

This change defines map permission for the Android policy. It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets. This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33);
on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.

This change also adds map permission to the global macro definitions for
file permissions, thereby allowing it in any allow rule that uses these
macros, and to specific rules allowing mapping of files from /system
and executable types. This should cover most cases where it is needed,
although it may still need to be added to specific allow rules when the
global macros are not used.

and https://lkml.org/lkml/2017/7/6/441
Quote:

The short version is that this is the expected behavior given your
SELinux policy configuration and isn't a regression; your SELinux
policy is configured to not be overly permissive when new access
control points are introduced and that is what it is doing.

The slightly longer version is that your SELinux policy is set to deny
access to any new object classes or permissions that are not defined
in the policy, and we can see from your boot output your SELinux
policy does not define the new "map" permission for a number of object
classes. The solution is to either update your SELinux policy to
include the SELinux policy, or to allow unknown object classes and
permissions.

So, I see the following options:

  • use kernel version <4.13
  • wait for new Gentoo Selinux policy version release
  • allow
    Quote:
    SELinux policy access to any new object classes or permissions that are not defined in the policy
    but how? I have not investigated it yet; I need the help of a SELinux master.
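As an added example (not from the poster, the kernel or the Gentoo policy project), the following Python script reads the kernel's policy-load warnings quoted above, lists which permissions and classes the loaded policy does not define, picks up the kernel's verdict line on how such accesses will be treated, and answers the question a practitioner asks next: is a given AVC denial explained by an undefined permission rather than by a missing allow rule? The sample lines are constructed from a subset of the messages in the post.

```python
"""Interpret SELinux policy-load warnings about undefined classes and permissions.

Added example, not code from the thread: when a policy compiled against an
older class/permission map is loaded on a newer kernel, the kernel prints one
"not defined in policy" line per missing item and then a verdict line saying
whether such accesses will be denied or allowed. The sample below is
constructed from the messages quoted in the post above.
"""
import re

UNDEFINED_PERM_RE = re.compile(r"SELinux:\s+Permission (\w+) in class (\w+) not defined in policy")
UNDEFINED_CLASS_RE = re.compile(r"SELinux:\s+Class (\w+) not defined in policy")
UNKNOWN_HANDLING_RE = re.compile(r"SELinux: the above unknown classes and permissions will be (\w+)")


def parse_policy_load(lines):
    """Return (undefined_perms, undefined_classes, handling).

    undefined_perms maps permission -> set of classes in which it is missing,
    undefined_classes is the set of classes the policy does not know at all,
    handling is 'denied', 'allowed', or None if no verdict line was seen.
    """
    perms, classes, handling = {}, set(), None
    for line in lines:
        m = UNDEFINED_PERM_RE.search(line)
        if m:
            perms.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = UNDEFINED_CLASS_RE.search(line)
        if m:
            classes.add(m.group(1))
            continue
        m = UNKNOWN_HANDLING_RE.search(line)
        if m:
            handling = m.group(1)
    return perms, classes, handling


def explains_denial(lines, perm, tclass):
    """True if a denial of `perm` on class `tclass` follows from the policy not
    defining that permission or class (and the kernel denying unknowns), so no
    audit2allow-generated allow rule could fix it; the policy itself must
    define the permission."""
    perms, classes, handling = parse_policy_load(lines)
    if handling != "denied":
        return False
    return tclass in classes or tclass in perms.get(perm, set())


def report(lines):
    """Human-readable summary, one line per finding."""
    perms, classes, handling = parse_policy_load(lines)
    out = ["unknown classes/permissions will be: " + (handling or "unknown (no verdict line found)")]
    for perm, cls in sorted(perms.items()):
        out.append(f"permission '{perm}' missing in {len(cls)} class(es): {', '.join(sorted(cls))}")
    if classes:
        out.append("classes missing entirely: " + ", ".join(sorted(classes)))
    return out


# Constructed sample: a subset of the kernel messages quoted in the post.
SAMPLE_KMSG = """\
kernel: SELinux:  7 users, 8 roles, 1972 types, 156 bools, 1 sens, 1024 cats
kernel: SELinux:  123 classes, 32441 rules
kernel: SELinux:  Permission getrlimit in class process not defined in policy.
kernel: SELinux:  Class process2 not defined in policy.
kernel: SELinux:  Permission map in class file not defined in policy.
kernel: SELinux:  Permission map in class dir not defined in policy.
kernel: SELinux:  Permission map in class chr_file not defined in policy.
kernel: SELinux:  Permission map in class socket not defined in policy.
kernel: SELinux:  Class bpf not defined in policy.
kernel: SELinux: the above unknown classes and permissions will be denied
kernel: SELinux:  policy capability open_perms=1
""".splitlines()

if __name__ == "__main__":
    for line in report(SAMPLE_KMSG):
        print(line)
    print("map on file explained by undefined permission:", explains_denial(SAMPLE_KMSG, "map", "file"))
    print("read on file explained by undefined permission:", explains_denial(SAMPLE_KMSG, "read", "file"))
```

The verdict line is what the LKML reply above is about: a policy built with unknown permissions set to deny (the reference policy's `UNK_PERMS` build setting; on a running system `cat /sys/fs/selinux/deny_unknown` prints 1 when unknowns are denied, and `sestatus` shows the same as "Policy deny_unknown status") will deny every `map` request until the policy itself defines the permission. That is why a `.te` module produced by audit2allow cannot help here and why `libsepol` refuses to convert `map` to an access-vector bit against the old policy. Of the options listed in the post, updating to a policy that defines `map` keeps the deny-unknown default and is the one that preserves the intended restriction; switching unknowns to allow removes a check for every future class and permission as well, not just this one.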