Gentoo Forums
Switching from Grsecurity to SELinux
Belliash
Advocate


Joined: 24 Nov 2004
Posts: 2417
Location: Wroclaw, Poland

Posted: Mon Nov 20, 2017 7:18 pm    Post subject: Switching from Grsecurity to SELinux

Hello everyone,


I open this thread as a place to store all problems/solutions/discussion about switching from Grsecurity to SELinux, after Gentoo abandoned hardened-sources.
Today I got some time and I have switched to gentoo-sources and I have enabled SELinux by following https://wiki.gentoo.org/wiki/SELinux/Installation.
Afterwards I have also enabled the auditd service and actually I stick with permissive mode unfortunately, because there are a lot of avc denied errors in /var/log/audit/audit.log like:

Code:
type=AVC msg=audit(1511204723.215:549): avc:  denied  { getattr } for  pid=4257 comm="bash" path="/var/log/audit/.keep_sys-process_audit-0" dev="md2" ino=21247966 scontext=user_u:user_r:user_t tcontext=system_u:object_r:auditd_log_t tclass=file permissive=1


There are too many of them, to fix individually.
What is your experience with SELinux? Anyone else switched to it successfully from Grsecurity?
How did you resolve all avc-related problems?
_________________
Asio Software Technologies
Belliash IT Weblog
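
A triage sketch for the volume of denials described in the post above, added here as an example and not part of the original post: it collapses AVC records to one row per (source type, target type, class), so the log can be reviewed group by group instead of line by line. Only the first sample record comes from the post; the others, and all function names, are constructed for illustration.

```python
import re
from collections import defaultdict

# First record is the denial quoted in the post; the rest are constructed.
SAMPLE_LOG = """\
type=AVC msg=audit(1511204723.215:549): avc:  denied  { getattr } for  pid=4257 comm="bash" path="/var/log/audit/.keep_sys-process_audit-0" dev="md2" ino=21247966 scontext=user_u:user_r:user_t tcontext=system_u:object_r:auditd_log_t tclass=file permissive=1
type=AVC msg=audit(1511204723.300:550): avc:  denied  { read open } for  pid=4257 comm="bash" path="/var/log/audit/audit.log" dev="md2" ino=21247970 scontext=user_u:user_r:user_t tcontext=system_u:object_r:auditd_log_t tclass=file permissive=1
type=AVC msg=audit(1511204730.001:551): avc:  denied  { getattr } for  pid=4301 comm="ls" path="/var/log/audit/audit.log" dev="md2" ino=21247970 scontext=user_u:user_r:user_t tcontext=system_u:object_r:auditd_log_t tclass=file permissive=1
type=AVC msg=audit(1511204731.114:552): avc:  denied  { search } for  pid=4310 comm="cat" name="audit" dev="md2" ino=21247001 scontext=user_u:user_r:user_t tcontext=system_u:object_r:auditd_log_t tclass=dir permissive=1
type=SYSCALL msg=audit(1511204731.114:552): arch=c000003e syscall=257 success=yes exit=3
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for .*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:mls-range] context."""
    return context.split(":")[2]

def group_denials(log_text):
    """Collapse AVC denials to (source type, target type, class) keys."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. a SYSCALL record)
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        g = groups[key]
        g["perms"].update(m["perms"].split())
        g["comms"].add(m["comm"])
        g["count"] += 1
    return dict(groups)

def report(groups):
    """One line per group, most frequent first."""
    rows = sorted(groups.items(), key=lambda kv: -kv[1]["count"])
    return [
        f'{n["count"]:>4}  {s} -> {t}:{c} {{ {" ".join(sorted(n["perms"]))} }}'
        f'  via {",".join(sorted(n["comms"]))}'
        for (s, t, c), n in rows
    ]

if __name__ == "__main__":
    print("\n".join(report(group_denials(SAMPLE_LOG))))
```

Each row is a question to answer (wrong file label, wrong user role, or access that should stay denied), not a rule to allow automatically.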
rob_dot_p
n00b


Joined: 28 Jan 2017
Posts: 30

Posted: Mon Nov 20, 2017 8:39 pm

> There are too many of them, to fix individually.

> How did you resolve all avc-related problems?

To be honest, I'm too lazy to look up and fix every single complaint. I run SELinux in 'enforcing' mode on my desktop and only look up and fix AVCs when something actually doesn't work. But even though everything works fine I still got a bunch of alarms which I simply ignore. Of course by doing that you're not really taking full advantage of SELinux but it offers a lot of neat features and benefits anyway. I've had no major problems so far.
It's not the best idea to use the ~arch kernel (gentoo-sources), sometimes changes in the kernel can introduce some problems and the policy writers are -obviously- always a bit "behind" (no accusation, that's just in the nature of things).
For example the recent 4.12-4.14 kernels or so are a bit problematic.

Switching from grsecurity to SELinux sounds kind of confusing tbh since both concepts are pretty much orthogonal to each other, even though there's a certain overlap.
SELinux can't truly 'replace' grsecurity, unfortunately.
The Doctor
Moderator


Joined: 27 Jul 2010
Posts: 2340

Posted: Mon Nov 20, 2017 9:39 pm

For the record, grsecurity wasn't dropped from Gentoo by choice. Upstream disallowed any and all use that they didn't approve and they did it through a legal back door. Actually it was very nasty.

I played with SELinux once and I wasn't very impressed. I recommend playing with a virtual machine first to learn the finer points before trying it on a production machine. I've ended up with a genuinely unusable and practically unsalvageable install. Granted that is very difficult to do and requires botching quite a few operations.

If you have completed your setup you should set "enforcing" to see what actually breaks. "permissive" is basically false security.
_________________
First things first, but not necessarily in that order.
rob_dot_p
n00b


Joined: 28 Jan 2017
Posts: 30

Posted: Mon Nov 20, 2017 10:07 pm

The Doctor wrote:
> I've ended up with a genuinely unusable and practically unsalvageable install. Granted that is very difficult to do and requires botching quite a few operations.

How did you do that?
Usually you can always boot with selinux=0, change profile, emerge world and make some minor adjustments (fstab, etc.), no?
The Doctor
Moderator


Joined: 27 Jul 2010
Posts: 2340

Posted: Mon Nov 20, 2017 10:30 pm

I was actually trying to get rid of it, and failed. :oops:
_________________
First things first, but not necessarily in that order.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 39312
Location: 56N 3W

Posted: Tue Nov 21, 2017 12:02 am

Belliash,

Grsecurity and SELinux defend against two different threat models.
There is some overlap but are you sure that if Grsecurity addressed your perceived threats, SELinux will do likewise?

Gentoo hardened is a lot more than the Grsecurity patch set, which is now no longer available.

You should re-evaluate your perceived threat(s) and deploy suitable defences.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Belliash
Advocate


Joined: 24 Nov 2004
Posts: 2417
Location: Wroclaw, Poland

Posted: Mon Dec 04, 2017 9:52 am

I got a quick question after migration to SELinux.
Every time I try to emerge something I get the following message:

Code:
!!! Failed to set new SELinux execution context. Is your current SELinux context allowed to run Portage?


What do I miss?
_________________
Asio Software Technologies
Belliash IT Weblog