| View previous topic :: View next topic |
| Author |
Message |
deagol
n00b
Joined: 12 Jul 2014
Posts: 61
|
 Posted: Mon Mar 25, 2024 8:33 am Post subject: merge-usr breaking selinux labeling |
 |
|
I relabled one of my selinux systems according to https://wiki.gentoo.org/wiki/SELinux/Labels#Relabeling_files.
This broke the system. After booting up no login possible and on the console even the hostname is unset.
The issue seems to be a time bomb: After merge-usr everything is ok. TILL you relabel the files....
Booting with "enforcing=0" and examining the systems shows, that multiple file labes are now wrong.
One of the more critical one is e.g. shown here:
| Code: | # ls -Z /usr/sbin/openrc
system_u:object_r:bin_t /usr/sbin/openrc |
Trying to restore only that file is not working: | Code: | # restorecon /usr/sbin/openrc
# ls -Z /usr/sbin/openrc
system_u:object_r:bin_t /usr/sbin/openrc
# ls -Z /usr/bin/openrc
system_u:object_r:bin_t /usr/bin/openrc
# ls -Z /usr/sbin/openrc
system_u:object_r:bin_t /usr/sbin/openrc |
Setfiles woks better and shows what's probably going on here: | Code: | # setfiles /etc/selinux/strict/contexts/files/file_contexts -dn /usr/sbin/openrc
/usr/sbin/openrc matched by system_u:object_r:rc_exec_t
# setfiles /etc/selinux/strict/contexts/files/file_contexts -dn /usr/bin/openrc
/usr/bin/openrc matched by system_u:object_r:bin_t
# setfiles /etc/selinux/strict/contexts/files/file_contexts /usr/sbin/openrc
# ls -Z /usr/sbin/openrc
system_u:object_r:rc_exec_t /usr/sbin/openrc
# setfiles /etc/selinux/strict/contexts/files/file_contexts /usr/bin/openrc
# ls -Z /usr/sbin/openrc
system_u:object_r:bin_t /usr/sbin/openrc |
--> Looks like the selinux file contexts are not written with the merged-usr and as a result we have now conflicting rules.
Restoring the /usr/sbin labels with setfiles fixes most issues. System boots up again and console login is possible. But ssh login was then failing. So for sure there are more label which must be merged.
Anyone aware of that and how to fix that? |
|
| Back to top |
|
 |
nicop
n00b
Joined: 10 Apr 2014
Posts: 41
|
| Posted: Tue Mar 26, 2024 9:21 am Post subject: |
|
|
Openrc don't use "split-usr" and label for it has not changed recently in policies.
Why relabel after merge-usr ? Procedure is AND
Portage sets labels with that last emerge.
Try the following procedure to relabel :
https://wiki.gentoo.org/wiki/SELinux/Installation#Relabel |
|
| Back to top |
|
|
deagol
n00b
Joined: 12 Jul 2014
Posts: 61
|
| Posted: Tue Mar 26, 2024 12:42 pm Post subject: |
|
|
| nicop wrote: | Openrc don't use "split-usr" and label for it has not changed recently in policies.
|
Openrc supports split-usr and merge-usr. And at least with the new 23.0 profiles merge-usr seems to be the new default. And thus I decided to also use merge-usr for my Openrc selinux systems.
| nicop wrote: |
Why relabel after merge-usr ? Procedure is AND
Portage sets labels with that last emerge. |
I agree. There is no need to relabel after merge-usr. The point is, it's no longer possible to do that after the mere-usr. Since this then causes severe labeling issues!
I did excatly that. And instead of fixing a minor labeling issue it broke the system!
So the next time you try to relablel - immediately after the merge-usr or years after - selinux will break. System won't even be able to boot up.
Or in other words: Anyone using selinux and has done the merge-usr is sitting on a time-bomb: The next (manual) relabeling will break the system. Also restorecon will set incorrect types for many files...
This seems to be caused by the fact, that the selinux policies don't differentiate between spit-usr and merge-usr.
Thus /usr/sbin/openrc gets the correct label. Unfortunately /usr/bin/openrc is the
*same* file after merge-usr and has no dedicated label. Thus the wildcard label sets it to bin_t.
restorecon and rlpk will set /usr/sbin/openrc to the incorrect type bin_t. Next to be sure these detect the symlink and thus follow the labeling instructions for /usr/bin...
A potential fix would be to update all selinux filecontext rules, making sure all directories put together with the symlinks are triggering the same rules.
But prior to going that way I would like to know if I missed something or if this is a known issue. Since for it it looks like there is no way to use selinux on gentoo with merge-usr at this time. (Short of rewriting many file rules yourself...) |
|
| Back to top |
|
|
nicop
n00b
Joined: 10 Apr 2014
Posts: 41
|
| Posted: Tue Mar 26, 2024 6:06 pm Post subject: |
|
|
| deagol wrote: | Openrc supports split-usr and merge-usr. And at least with the new 23.0 profiles merge-usr seems to be the new default. And thus I decided to also use merge-usr for my Openrc selinux systems.
|
Well, there's a bug :
https://github.com/OpenRC/openrc/commit/12e1e884750cc6cf592bbbdaef6f40ceee304b25
I have the same mess with selinux labels. I really don't know why /usr/bin/openrc exists. qfile /usr/bin/openrc returns nothing. |
|
| Back to top |
|
|
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21635
|
| Posted: Tue Mar 26, 2024 7:04 pm Post subject: |
|
|
| sys-apps/openrc installs /sbin/openrc. Under a merged-usr profile, everything that is installed in /sbin gets relocated to /usr/bin, hence you have /usr/bin/openrc. |
|
| Back to top |
|
|
nicop
n00b
Joined: 10 Apr 2014
Posts: 41
|
| Posted: Tue Mar 26, 2024 8:02 pm Post subject: |
|
|
Ok, I missed that point :
| Quote: | | In addition, the script applies the "sbin merge" at the same time where /sbin and /usr/sbin are both actually merged to /usr/bin. |
https://wiki.gentoo.org/wiki/Merge-usr
Some of essential programs that I have installed are without right policies (2.20240226-r1) :
| Quote: | /bin/halt
/bin/shutdown
/usr/bin/blkmapd
/usr/bin/dmeventd
/usr/bin/halt
/usr/bin/iftop
/usr/bin/kresd
/usr/bin/mkfs\.f2fs
/usr/bin/multipath
/usr/bin/nginx
/usr/bin/openrc
/usr/bin/openrc-init
/usr/bin/openrc-shutdown
/usr/bin/php-fpm[^/]+
/usr/bin/php.*-fpm
/usr/bin/pwhistory_helper
/usr/bin/rc
/usr/bin/semanage-python.*
/usr/bin/shutdown
/usr/bin/ss
/usr/bin/update-smart-drivedb |
This list is the result of that ugly diff :
| Code: | sudo semanage fcontext -l | grep -e "^/bin" -e "^/usr/bin" | awk -F " " '{print $1}' > bin
sudo semanage fcontext -l | grep -e "^/sbin" -e "^/usr/sbin" | awk -F " " '{print $1}' | sed 's/sbin/bin/g' > sbin
diff -uNr bin sbin | grep "^+" | cut -c2- |
|
|
| Back to top |
|
|
nicop
n00b
Joined: 10 Apr 2014
Posts: 41
|
| Posted: Wed Apr 10, 2024 9:40 am Post subject: |
|
|
Hi,
There's a PR to fix this : https://github.com/SELinuxProject/refpolicy/pull/768
It might be interesting for each to complete the list via this PR, in order to avoid working in step by step for 5 years.
It's quite easy to find files concerned :
| Code: | sudo semanage fcontext -l | grep -e "^/bin" -e "^/usr/bin" | awk -F " " '{print $1}' > bin
sudo semanage fcontext -l | grep -e "^/sbin" -e "^/usr/sbin" | awk -F " " '{print $1}' | sed 's/sbin/bin/g' > sbin
diff -uNr bin sbin | grep "^+" | cut -c2- |
|
|
| Back to top |
|
|
salam
Apprentice
Joined: 29 Sep 2005
Posts: 226
|
| Posted: Fri Apr 12, 2024 8:12 pm Post subject: |
|
|
The whole policy needs to be patched.
| Code: | selinux-base-2.20240226-r1/work # for i in `find . -name \*.fc`; do if grep -q -m 1 '^/usr/sbin' $i; then echo $i; fi; done | wc -l
252
|
But either /usr/sbin is replaced with /usr/bin in every fcontext - this will break the old layout, or added to it - this will make a lot of messy duplicates
I'd go with replacing and setting /usr/sbin to be equal to /usr/bin. In current policy, /bin is already set so, so only /sbin needs to be modified and /usr/sbin created |
|
| Back to top |
|
|
nicop
n00b
Joined: 10 Apr 2014
Posts: 41
|
| Posted: Fri Apr 12, 2024 8:53 pm Post subject: |
|
|
With a diff, the result is only 40 :
| Quote: | /usr/bin/unattended-upgrade
/usr/bin/update-apt-xapian-index
/usr/bin/fapolicyd
/usr/bin/fapolicyd-cli
/usr/bin/fagenrules
/usr/bin/iftop
/usr/bin/ss
/usr/bin/cpio
/bin/halt
/bin/shutdown
/usr/bin/halt
/usr/bin/shutdown
/usr/bin/ns-slapd
/usr/bin/ldap-agent-bin
/usr/bin/nginx
/usr/bin/resolvconf
/usr/bin/vde_tunctl
/usr/bin/php.*-fpm
/usr/bin/php-fpm[^/]+
/usr/bin/nginx
/usr/bin/apt-cacher.*
/usr/bin/jitterentropy-rngd
/usr/bin/pure-ftpd
/usr/bin/hypervkvpd
/usr/bin/hypervvssd
/usr/bin/memlockd
/usr/bin/postfwd.*
/usr/bin/mariadbd
/usr/bin/ntpctl
/usr/bin/rasdaemon
/usr/bin/smartd
/usr/bin/update-smart-drivedb
/usr/bin/pwhistory_helper
/usr/bin/rc
/usr/bin/openrc
/usr/bin/openrc-init
/usr/bin/openrc-shutdown
/usr/bin/charon-systemd
/usr/bin/dmeventd
/usr/bin/semanage-python.* |
EDIT : manual cutoff files with distro condition other than gentoo
https://bpa.st/DJOQ |
|
| Back to top |
|
|
|
Networking & Security
