Gentoo Forums
[selinux] security_bounded_transition denied run_init
llao (n00b)
Joined: 14 Jan 2018
Posts: 2

Posted: Sun Jan 14, 2018 11:30 pm    Post subject: [selinux] security_bounded_transition denied run_init

hey folks

I just installed a new Gentoo system and can't get SELinux to work. SELinux denies every security_bounded_transition I seem to try, e.g.:

run_init rc-service wpa_supplicant start:
Code:
Authenticating root.
execvp: Permission denied.


dmesg:
Code:
op=security_bounded_transition seresult=denied oldcontext=root:sysadm_r:sysadm_t newcontext=root:system_r:run_init_t
op=security_bounded_transition seresult=denied oldcontext=root:sysadm_r:sysadm_t newcontext=system_u:system_r:initrc_t (I think this error is normal, since run_init already failed before)


sesearch -s sysadm_t -t run_init_t -p transition -A
Code:
allow sysadm_t run_init_t:process transition

sesearch -t run_init_exec_t -p entrypoint -A
Code:
allow run_init_t run_init_exec_t:file { entrypoint ... }


------------------

emerge -1 swig:
Code:
[Errno 13] Permission denied: b'/usr/bin/sandbox'


dmesg:
Code:
op=security_bounded_transition seresult=denied oldcontext=root:sysadm_r:sysadm_t newcontext=root:system_r:portage_t
op=security_bounded_transition seresult=denied oldcontext=root:sysadm_r:sysadm_t newcontext=root:system_r:portage_sandbox_t
op=security_bounded_transition seresult=denied oldcontext=root:sysadm_r:sysadm_t newcontext=root:system_r:portage_t


sesearch -s system_t -t portage_t -c process -p transition -A:
Code:
allow sysadm_t portage_t:process transition

sesearch -t bin_t -c file -p entrypoint -A:
Code:
allow portage_t bin_t:file { entrypoint ...  }


This happens in both permissive mode and enforcing mode.

My guess is that perhaps my policy is not loaded correctly into the kernel, or perhaps there is an SELinux option that prevents process transitions (I saw something along these lines at https://danwalsh.livejournal.com/76220.html).

If you have any idea as to why it would do this, please tell

thanks for your assistance

EDIT:

more info:
- policycoreutils-2.7, selinux-base-2.20170805-r3 and selinux-base-policy-2.20170805-r3
- I logged in on console as root which is why my user is root
- semanage login -l:
Code:
Login Name    SELinux user
__default__    user_u
root               root

- semanage user -l
Code:
SELinux user   SELinux Roles
root                staff_r sysadm_r
staff_u            staff_r sysadm_r
sysadm_u       sysadm_r
system_u        system_r
unconfined_u   unconfined_r
user_u            user_r

- system_u:object_r:run_init_exec_t is the context for /usr/sbin/run_init
llao (n00b)
Joined: 14 Jan 2018
Posts: 2

Posted: Mon Jan 15, 2018 12:58 am

Thanks to @aranea (on #gentoo-hardened), we found the problem: nosuid prevents domain transitions on mount points:
https://danwalsh.livejournal.com/68723.html

To fix this, remove nosuid from your mount points in /etc/fstab
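Below is a small diagnostic, added here as an example and not code from the thread or from Gentoo: it parses security_bounded_transition lines of the form shown above, lists the mounts carrying nosuid, and resolves the entrypoint binary (here /usr/sbin/run_init, the path the original poster gives) to the mount it sits on, so the denied transition can be tied to the mount option that blocks it. The dmesg lines and /proc/mounts content are constructed samples, and the function names (parse_bounded_denials, nosuid_mounts, mount_for_path, blocked_by_nosuid) are this example's own.

```python
import re

# Constructed sample dmesg lines, modelled on the output quoted in the thread.
SAMPLE_DMESG = """\
op=security_bounded_transition seresult=denied oldcontext=root:sysadm_r:sysadm_t newcontext=root:system_r:run_init_t
op=security_bounded_transition seresult=denied oldcontext=root:sysadm_r:sysadm_t newcontext=system_u:system_r:initrc_t
usb 1-1: new high-speed USB device number 2 using ehci-pci
op=security_bounded_transition seresult=denied oldcontext=root:sysadm_r:sysadm_t newcontext=root:system_r:portage_t
"""

# Constructed /proc/mounts content (hypothetical layout, not the poster's system).
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /usr ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda4 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

BOUNDED_RE = re.compile(
    r"op=security_bounded_transition\s+seresult=(\w+)\s+"
    r"oldcontext=(\S+)\s+newcontext=(\S+)"
)


def parse_bounded_denials(dmesg_text):
    """Return (old_type, new_type) for every denied bounded transition.

    The type is the third field of a user:role:type[:mls] context."""
    pairs = []
    for line in dmesg_text.splitlines():
        m = BOUNDED_RE.search(line)
        if not m or m.group(1) != "denied":
            continue
        old_ctx, new_ctx = m.group(2), m.group(3)
        pairs.append((old_ctx.split(":")[2], new_ctx.split(":")[2]))
    return pairs


def nosuid_mounts(mounts_text):
    """Return the mount points whose option list contains nosuid."""
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, options = fields[1], fields[3].split(",")
        if "nosuid" in options:
            found.append(mountpoint)
    return found


def mount_for_path(path, mounts_text):
    """Longest-prefix match of a file path against the mount table."""
    best = "/"
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        mp = fields[1]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best


def blocked_by_nosuid(exec_path, mounts_text):
    """True when the entrypoint binary lives on a mount that carries nosuid,
    which is the condition the thread identifies as preventing the transition."""
    return mount_for_path(exec_path, mounts_text) in nosuid_mounts(mounts_text)


if __name__ == "__main__":
    for old, new in parse_bounded_denials(SAMPLE_DMESG):
        print(f"denied bounded transition {old} -> {new}")
    print("nosuid mounts:", nosuid_mounts(SAMPLE_MOUNTS))
    exe = "/usr/sbin/run_init"
    print(f"{exe} is on {mount_for_path(exe, SAMPLE_MOUNTS)}; "
          f"blocked by nosuid: {blocked_by_nosuid(exe, SAMPLE_MOUNTS)}")
```

On a live system, replace the two constructed strings with the output of dmesg and the contents of /proc/mounts; a denied transition whose entrypoint resolves to a nosuid mount is exactly the case the second post describes, and the only policy-side evidence (the sesearch results the poster quotes) will look normal.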