KintaroBC n00b
Joined: 15 Feb 2014 Posts: 63 Location: Australia
Posted: Sun Jul 18, 2021 7:19 pm Post subject: SELinux starts enforcing during install!
Edit: I tried loading a backup and trying the SELinux install again, and the problem is different than I describe in this OP. In this comment I discovered that SELinux is becoming enabled during part one of installing the SELinux utilities.
This topic was originally titled: SELinux boots into enforcing mode
I have been building an SELinux system which now boots, and clearly the policy works and is more secure. Yet despite what I have in /etc/selinux/config the system starts in enforcing mode. I also cannot put the system in permissive mode even though I am running in sysadm_r because of the restrictions.
seinfo...
Code: |
Statistics for policy file: /sys/fs/selinux/policy
Policy Version: 33 (MLS disabled)
Target Policy: selinux
Handle unknown classes: allow
Classes: 131 Permissions: 423
Sensitivities: 0 Categories: 0
Types: 1393 Attributes: 108
Users: 6 Roles: 8
Booleans: 71 Cond. Expr.: 64
Allow: 16137 Neverallow: 0
Auditallow: 1 Dontaudit: 3249
Type_trans: 857 Type_change: 9
Type_member: 6 Range_trans: 0
Role allow: 11 Role_trans: 0
Constraints: 133 Validatetrans: 0
MLS Constrain: 0 MLS Val. Tran: 0
Permissives: 0 Polcap: 5
Defaults: 0 Typebounds: 0
Allowxperm: 0 Neverallowxperm: 0
Auditallowxperm: 0 Dontauditxperm: 0
Ibendportcon: 0 Ibpkeycon: 0
Initial SIDs: 27 Fs_use: 27
Genfscon: 92 Portcon: 486
Netifcon: 0 Nodecon: 0
|
getenforce...
I have switched from staff_u to sysadm_r on the system, and it is working, according to id -Z...
Code: |
# id -Z
root:sysadm_r:sysadm_t
|
It gives this error when I try to 'setenforce 0'...
Code: |
setenforce: setenforce() failed
|
This is the /etc/selinux/config which clearly states permissive...
Code: |
# This file controls the state of SELinux on the system on boot.
# SELINUX can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE can take one of these four values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
# mls - Full SELinux protection with Multi-Level Security
# mcs - Full SELinux protection with Multi-Category Security
# (mls, but only one sensitivity level)
SELINUXTYPE=strict
|
The only other configuration I did myself is in /etc/default/grub
Code: |
GRUB_CMDLINE_LINUX="console=ttyS0,115200n8 security=selinux selinux=1"
|
The top of dmesg shows that the system is using those settings...
Code: |
[ 0.000000] Command line: BOOT_IMAGE=/vmlinuz-5.10.49-gentoo-r1-nextgen-004 root=/dev/vda4 ro console=ttyS0,115200n8 security=selinux selinux=0
|
This is not my first SELinux system and I have a few in production, though I have not installed SELinux on Gentoo in a couple of years. I think it might be possible that this is a bug of some kind. It seems to be ignoring /etc/selinux/config on my system.
Last edited by KintaroBC on Mon Jul 19, 2021 1:26 am; edited 3 times in total
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
Posted: Sun Jul 18, 2021 7:48 pm
Do you have these in your .config?
Code: |
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
|
If not, then please use a full binary kernel like gentoo-kernel-bin.
No, it doesn't boot with selinux enabled:
Quote: |
[ 0.000000] Command line: BOOT_IMAGE=/vmlinuz-5.10.49-gentoo-r1-nextgen-004 root=/dev/vda4 ro console=ttyS0,115200n8 security=selinux selinux=0
|
Why is that, I wonder...?
All security config I could grep:
Code: |
# CONFIG_NFIT_SECURITY_DEBUG is not set
CONFIG_IP_NF_SECURITY=m
CONFIG_IP6_NF_SECURITY=m
CONFIG_EXT4_FS_SECURITY=y
CONFIG_REISERFS_FS_SECURITY=y
CONFIG_JFS_SECURITY=y
CONFIG_F2FS_FS_SECURITY=y
CONFIG_JFFS2_FS_SECURITY=y
CONFIG_UBIFS_FS_SECURITY=y
CONFIG_EROFS_FS_SECURITY=y
CONFIG_NFS_V4_SECURITY_LABEL=y
CONFIG_NFSD_V4_SECURITY_LABEL=y
CONFIG_CEPH_FS_SECURITY_LABEL=y
CONFIG_9P_FS_SECURITY=y
# Security options
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_INFINIBAND=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
CONFIG_SECURITY_SMACK=y
CONFIG_SECURITY_SMACK_BRINGUP=y
CONFIG_SECURITY_SMACK_NETFILTER=y
CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y
CONFIG_SECURITY_TOMOYO=y
CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set
CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/usr/bin/tomoyo-init"
CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/usr/lib/systemd/systemd"
# CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING is not set
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
# CONFIG_SECURITY_APPARMOR_DEBUG is not set
CONFIG_SECURITY_LOADPIN=y
CONFIG_SECURITY_LOADPIN_ENFORCE=y
CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_SAFESETID=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set
CONFIG_SECURITY_LANDLOCK=y
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
# CONFIG_DEFAULT_SECURITY_SMACK is not set
# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
CONFIG_DEFAULT_SECURITY_DAC=y
|
Do you think some may be relevant and/or missing?
KintaroBC n00b
Joined: 15 Feb 2014 Posts: 63 Location: Australia
Posted: Sun Jul 18, 2021 8:18 pm
I actually made a mistake and pasted the line from dmesg in my OP, after a reboot where I disabled SELinux.
Here is the SELinux related stuff in my kernel config...
Code: |
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
|
I only have an ext4 file system and it has everything set right.
Code: |
CONFIG_EXT4_FS_SECURITY=y
|
Keep in mind the system is (mostly) working and is just stuck in enforcing mode.
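The posts above compare /etc/selinux/config against the kernel .config by eye. The following diagnostic script is an added example written for this page, not code from the thread, from Gentoo or from the SELinux project. It cross-checks the three inputs that decide the initial mode: the SELINUX= line that libselinux applies at policy load, whether the kernel was built with CONFIG_SECURITY_SELINUX_DEVELOP=y (without it the kernel has no permissive mode at all, so SELINUX=permissive is ignored and setenforce 0 fails), and an enforcing= kernel parameter, which libselinux honours over the config file. The file contents and paths it writes are constructed samples; on a live system point diagnose at /etc/selinux/config, the kernel's .config and the contents of /proc/cmdline.

```shell
#!/bin/sh
# Added diagnostic helper (constructed example, not code from the thread or Gentoo).
# Cross-checks the three places that decide the initial SELinux mode:
#   1. /etc/selinux/config    - SELINUX=... is what libselinux asks for at policy load
#   2. the kernel .config     - without CONFIG_SECURITY_SELINUX_DEVELOP=y the kernel
#                               cannot run permissive, so "SELINUX=permissive" is
#                               ignored and /sys/fs/selinux/enforce is not writable
#   3. the kernel command line - an "enforcing=" parameter takes precedence over
#                               the config file

# Print the SELINUX= value from a selinux config file (last assignment wins);
# prints nothing if the file is unreadable or has no such line.
selinux_config_mode() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*SELINUX=\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed (exit 0) only if permissive-mode support is compiled into the kernel.
kernel_has_permissive() {
    grep -q '^CONFIG_SECURITY_SELINUX_DEVELOP=y' "$1" 2>/dev/null
}

# Print the value of enforcing= from a kernel command line, or "unset".
cmdline_enforcing() {
    for tok in $1; do
        case "$tok" in
            enforcing=*) echo "${tok#enforcing=}"; return 0 ;;
        esac
    done
    echo unset
}

# diagnose SELINUX_CONFIG KERNEL_CONFIG "CMDLINE" -> one-line verdict on stdout
diagnose() {
    mode=$(selinux_config_mode "$1")
    enf=$(cmdline_enforcing "$3")
    if [ -z "$mode" ]; then
        # e.g. the config file never got installed, as in the emerge failure above
        echo "unknown: no SELINUX= setting found in $1"
    elif [ "$mode" = permissive ] && ! kernel_has_permissive "$2"; then
        echo "stuck-enforcing: kernel built without CONFIG_SECURITY_SELINUX_DEVELOP"
    elif [ "$mode" = permissive ] && [ "$enf" = 1 ]; then
        echo "stuck-enforcing: enforcing=1 on the kernel command line overrides SELINUX=permissive"
    else
        echo "consistent: config=$mode cmdline-enforcing=$enf"
    fi
}

# --- constructed sample inputs (not real system files) ---
SAMPLE_DIR=$(mktemp -d)

# Sample /etc/selinux/config asking for permissive mode.
printf '%s\n' '# constructed sample' 'SELINUX=permissive' 'SELINUXTYPE=strict' \
    > "$SAMPLE_DIR/selinux.config"
# Sample kernel .config with permissive support compiled out.
printf '%s\n' 'CONFIG_SECURITY_SELINUX=y' '# CONFIG_SECURITY_SELINUX_DEVELOP is not set' \
    > "$SAMPLE_DIR/kernel-nodevelop.config"
# Sample kernel .config with permissive support compiled in.
printf '%s\n' 'CONFIG_SECURITY_SELINUX=y' 'CONFIG_SECURITY_SELINUX_DEVELOP=y' \
    > "$SAMPLE_DIR/kernel-develop.config"
# Sample command line without an enforcing= parameter.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/vda4 ro security=selinux selinux=1'

diagnose "$SAMPLE_DIR/selinux.config" "$SAMPLE_DIR/kernel-nodevelop.config" "$SAMPLE_CMDLINE"
diagnose "$SAMPLE_DIR/selinux.config" "$SAMPLE_DIR/kernel-develop.config" "$SAMPLE_CMDLINE"
diagnose "$SAMPLE_DIR/selinux.config" "$SAMPLE_DIR/kernel-develop.config" "$SAMPLE_CMDLINE enforcing=1"
diagnose "$SAMPLE_DIR/missing.config" "$SAMPLE_DIR/kernel-develop.config" "$SAMPLE_CMDLINE"
```

The first call reproduces the symptom described in this thread (config says permissive, kernel cannot honour it); the second shows a consistent pair; the third shows the command-line override; the fourth covers the case where /etc/selinux/config was never written. On a real box, run `diagnose /etc/selinux/config /usr/src/linux/.config "$(cat /proc/cmdline)"` and compare the verdict with `getenforce`.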
KintaroBC n00b
Joined: 15 Feb 2014 Posts: 63 Location: Australia
Posted: Mon Jul 19, 2021 1:11 am
I decided to load a backup and try installing SELinux again.
It is failing on part two of installing policies and utilities in the installation guide on the wiki.
Code: |
# FEATURES="-selinux -sesandbox" emerge -1 selinux-base
...
>>> Installing (1 of 1) sec-policy/selinux-base-2.20200818-r2::gentoo
!!! Failed to move /var/tmp/portage/sec-policy/selinux-base-2.20200818-r2/image/etc/selinux/config to /etc/selinux/config
!!! [Errno 61] No data available
|
I think I missed this error when I wrote the OP and this is actually where things went wrong. I have created other SELinux Gentoo systems in the past and this behavior is quite bizarre.
While doing part one of the installing policies and utilities SELinux has somehow become enabled prematurely...
SELinux is going into enforcing mode during part one before this step, and the error above is because of that.
emerge --info
Code: |
Portage 3.0.20 (python 3.9.5-final-0, default/linux/amd64/17.1/no-multilib/hardened/selinux, gcc-10.3.0, glibc-2.33-r1, 5.10.49-gentoo-r1-nextgen-006 x86_64)
=================================================================
System uname: Linux-5.10.49-gentoo-r1-nextgen-006-x86_64-Intel_Core_Processor_-Skylake,_IBRS-with-glibc2.33
KiB Mem: 4042932 total, 2008360 free
KiB Swap: 7999484 total, 7999484 free
Timestamp of repository gentoo: Sun, 18 Jul 2021 20:30:01 +0000
Head commit of repository gentoo: 99e07544b3564a426c91f954e1ab7542e316563b
sh bash 5.1_p8
ld GNU ld (Gentoo 2.35.2 p1) 2.35.2
app-shells/bash: 5.1_p8::gentoo
dev-lang/perl: 5.32.1::gentoo
dev-lang/python: 3.9.5_p2::gentoo
dev-util/cmake: 3.18.5::gentoo
sys-apps/baselayout: 2.7::gentoo
sys-apps/openrc: 0.42.1-r1::gentoo
sys-apps/sandbox: 2.24::gentoo
sys-devel/autoconf: 2.69-r5::gentoo
sys-devel/automake: 1.16.3-r1::gentoo
sys-devel/binutils: 2.35.2::gentoo
sys-devel/gcc: 10.3.0-r2::gentoo
sys-devel/gcc-config: 2.4::gentoo
sys-devel/libtool: 2.4.6-r6::gentoo
sys-devel/make: 4.3::gentoo
sys-kernel/linux-headers: 5.10::gentoo (virtual/os-headers)
sys-libs/glibc: 2.33-r1::gentoo
Repositories:
gentoo
location: /var/db/repos/gentoo
sync-type: rsync
sync-uri: rsync://rsync.gentoo.org/gentoo-portage
priority: -1000
sync-rsync-extra-opts:
sync-rsync-verify-metamanifest: yes
sync-rsync-verify-max-age: 24
sync-rsync-verify-jobs: 1
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=native"
DISTDIR="/var/cache/distfiles"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe -march=native"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch preserve-libs protect-owned qa-unresolved-soname-deps sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe -march=native"
GENTOO_MIRRORS="https://gentoo.osuosl.org/"
LANG="C.UTF8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl amd64 audit bzip2 caps crypt hardened iconv ipv6 libglvnd libtirpc ncurses nls nptl openmp pam pcre pie python readline seccomp selinux split-usr ssl ssp unicode xattr xtpax zlib" ABI_X86="64" ADA_TARGET="gnat_2018" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-3 php7-4" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_9" PYTHON_TARGETS="python3_9" RUBY_TARGETS="ruby26" USERLAND="GNU" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RUSTFLAGS
|
lorenzoi n00b
Joined: 12 Dec 2018 Posts: 12
Posted: Wed Aug 11, 2021 3:44 am
Have you had any luck so far? I'm getting the same issue and it seems like this is the only thread which talks about it.
bedwardly-down n00b
Joined: 19 Dec 2021 Posts: 1
Posted: Sun Dec 19, 2021 2:38 pm Post subject: Found a possible workaround
I know this is a bit of a late reply here but I just ran into the same problem on a new server box. For some reason, setting your profile to an SELinux one (such as the hardened one recommended in the docs) seems to prematurely enforce it. To do the rest of the steps without changing the profile just yet, I've only found a small handful of things that need to be set up for it to work.
1) Manually add these to /etc/portage/package.use/sec-policy/selinux-base (for the correct python modules to get built)
sys-libs/libselinux python
sys-process/audit python
2) Follow the selinux-base installation steps
3) Install the selinux-base-policy (this sometimes kept disconnecting me from the server, though, mid compile; still figuring it out)
EDIT: The server disconnects seem to only be an issue when setting SELINUXTYPE="targeted" in /etc/selinux/config. Switching that to strict but leaving it as targeted in the /etc/portage/make.conf seems to be a workaround.
4) Switch profile over
5) Rebuild system as per instructions