Belliash Advocate
Joined: 24 Nov 2004 Posts: 2503 Location: Wroclaw, Poland
Posted: Mon Nov 20, 2017 7:18 pm Post subject: Switching from Grsecurity to SELinux
Hello everyone,
I open this thread as a place to store all problems/solutions/discussion about switching from Grsecurity to SELinux, after Gentoo abandoned hardened-sources.
Today I got some time and I have switched to gentoo-sources and I have enabled SELinux by following https://wiki.gentoo.org/wiki/SELinux/Installation.
Afterwards I have also enabled the auditd service and actually I stick with permissive mode unfortunately, because there are a lot of avc denied errors in /var/log/audit/audit.log like:
Code:
type=AVC msg=audit(1511204723.215:549): avc: denied { getattr } for pid=4257 comm="bash" path="/var/log/audit/.keep_sys-process_audit-0" dev="md2" ino=21247966 scontext=user_u:user_r:user_t tcontext=system_u:object_r:auditd_log_t tclass=file permissive=1
There are too many of them, to fix individually.
What is your experience with SELinux? Anyone else switched to it successfully from Grsecurity?
How did you resolve all avc-related problems?
_________________
Asio Software Technologies
Belliash IT Weblog
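A triage sketch for the denial flood described in the post above, added here as an example and not part of the original thread: it collapses AVC records into one entry per (source type, target type, class) so that many log lines reduce to a few rules to review. The first sample line is the denial quoted in the post; the other lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# First line is the denial quoted in the post; the rest are constructed samples.
SAMPLE_LOG = """\
type=AVC msg=audit(1511204723.215:549): avc: denied { getattr } for pid=4257 comm="bash" path="/var/log/audit/.keep_sys-process_audit-0" dev="md2" ino=21247966 scontext=user_u:user_r:user_t tcontext=system_u:object_r:auditd_log_t tclass=file permissive=1
type=AVC msg=audit(1511204724.101:550): avc: denied { getattr } for pid=4260 comm="ls" path="/var/log/audit/audit.log" dev="md2" ino=21247970 scontext=user_u:user_r:user_t tcontext=system_u:object_r:auditd_log_t tclass=file permissive=1
type=AVC msg=audit(1511204725.300:551): avc: denied { read open } for pid=4261 comm="cat" path="/var/log/audit/audit.log" dev="md2" ino=21247970 scontext=user_u:user_r:user_t tcontext=system_u:object_r:auditd_log_t tclass=file permissive=1
type=AVC msg=audit(1511204730.000:552): avc: denied { search } for pid=4300 comm="bash" name="audit" dev="md2" ino=21247000 scontext=user_u:user_r:user_t tcontext=system_u:object_r:auditd_log_t tclass=dir permissive=1
type=SYSCALL msg=audit(1511204730.000:552): arch=c000003e syscall=4 success=yes exit=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'comm="([^"]*)"')

def selinux_type(context):
    # A context is user:role:type[:mls-range]; the type is the third field.
    return context.split(":")[2]

def summarize(log_text):
    """Group AVC denials by (source type, target type, class), most frequent first."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "comms": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if not m:
            continue  # skip SYSCALL and other record types
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        groups[key]["count"] += 1
        groups[key]["perms"].update(m["perms"].split())
        comm = COMM_RE.search(line)
        if comm:
            groups[key]["comms"].add(comm.group(1))
    return sorted(groups.items(), key=lambda kv: (-kv[1]["count"], kv[0]))

def as_rule(key, group):
    # Candidate rule text for human review, not something to load blindly.
    src, tgt, tclass = key
    return f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(group['perms']))} }};"

if __name__ == "__main__":
    for key, g in summarize(SAMPLE_LOG):
        print(f"{g['count']:3d}x  {as_rule(key, g)}  # comm: {', '.join(sorted(g['comms']))}")
```

Each grouped entry is a question to answer (should user_t be reading the audit log at all?), not a rule to accept as-is.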
rob_dot_p n00b
Joined: 28 Jan 2017 Posts: 30
Posted: Mon Nov 20, 2017 8:39 pm
> There are too many of them, to fix individually.
> How did you resolve all avc-related problems?
To be honest, I'm too lazy to look up and fix every single complaint. I run SELinux in 'enforcing' mode on my desktop and only look up and fix AVCs when something actually doesn't work. But even though everything works fine I still get a bunch of alarms which I simply ignore. Of course by doing that you're not really taking full advantage of SELinux but it offers a lot of neat features and benefits anyway. I've had no major problems so far.
It's not the best idea to use the ~arch kernel (gentoo-sources), sometimes changes in the kernel can introduce some problems and the policy writers are -obviously- always a bit "behind" (no accusation, that's just in the nature of things).
For example the recent 4.12-4.14 kernels or so are a bit problematic.
Switching from grsecurity to SELinux sounds kind of confusing tbh since both concepts are pretty much orthogonal to each other, even though there's a certain overlap.
SELinux can't truly 'replace' grsecurity, unfortunately.
The Doctor Moderator
Joined: 27 Jul 2010 Posts: 2678
Posted: Mon Nov 20, 2017 9:39 pm
For the record, grsecurity wasn't dropped from Gentoo by choice. Upstream disallowed any and all use that they didn't approve and they did it through a legal back door. Actually it was very nasty.
I played with SELinux once and I wasn't very impressed. I recommend playing with a virtual machine first to learn the finer points before trying it on a production machine. I've ended up with a genuinely unusable and practically unsalvageable install. Granted that is very difficult to do and requires botching quite a few operations.
If you have completed your setup you should set "enforcing" to see what actually breaks. "permissive" is basically false security.
_________________
First things first, but not necessarily in that order.
Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
rob_dot_p n00b
Joined: 28 Jan 2017 Posts: 30
Posted: Mon Nov 20, 2017 10:07 pm
The Doctor wrote:
> I've ended up with a genuinely unusable and practically unsalvageable install. Granted that is very difficult to do and requires botching quite a few operations.
How did you do that?
Usually you can always boot with selinux=0, change profile, emerge world and make some minor adjustments (fstab, etc.), no?
The Doctor Moderator
Joined: 27 Jul 2010 Posts: 2678
Posted: Mon Nov 20, 2017 10:30 pm
I was actually trying to get rid of it, and failed.
_________________
First things first, but not necessarily in that order.
Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54214 Location: 56N 3W
Posted: Tue Nov 21, 2017 12:02 am
Belliash,
Grsecurity and SELinux defend against two different threat models.
There is some overlap but are you sure that if Grsecurity addressed your perceived threats, SELinux will do likewise?
Gentoo hardened is a lot more than the Grsecurity patch set, which is now no longer available.
You should re-evaluate your perceived threat(s) and deploy suitable defences.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Belliash Advocate
Joined: 24 Nov 2004 Posts: 2503 Location: Wroclaw, Poland
Posted: Mon Dec 04, 2017 9:52 am
I have a quick question after migration to SELinux.
Every time I try to emerge something I get the following message:
Code:
!!! Failed to set new SELinux execution context. Is your current SELinux context allowed to run Portage?
What am I missing?
_________________
Asio Software Technologies
Belliash IT Weblog