Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Gentoo hardened/selinux beginner question
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
lupusbytes
n00b
n00b


Joined: 08 Oct 2019
Posts: 2

PostPosted: Mon Oct 14, 2019 9:57 pm    Post subject: Gentoo hardened/selinux beginner question Reply with quote

Hello.

I'm in the process of setting up a Gentoo amd64 router, for my network.
I have chosen the profile 'default/linux/amd64/17.1/no-multilib/hardened/selinux' as I would like to learn about SELinux.

I followed the installation guides on the wiki and now have a running system with SELinux labels and SELinux mapped users.
I have not yet continued with setting up firewalls, NAT and so on, because SELinux spawns permission errors in audit.log.
The plan is to run this system in enforcing strict mode, but right now I'm in still in permissive mode.
I realize it is expected that I write my own policies, but I'm not sure if the AVC denied messages I see are expected or due to a deeper misconfiguration.
Because the system is so minimal at this point, I did not expect to see errors already.

Code:

# grep avc audit.log
type=AVC msg=audit(1571087491.044:62): avc:  denied  { read } for  pid=4765 comm="openrc-run.sh" name="rsyslog.conf" dev="md127p1" ino=2770080 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:syslog_conf_t tclass=file permissive=1
type=AVC msg=audit(1571087491.071:63): avc:  denied  { write } for  pid=4449 comm="rsyslogd" name="dev" dev="md127p1" ino=2770106 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=dir permissive=1
type=AVC msg=audit(1571087491.071:63): avc:  denied  { remove_name } for  pid=4449 comm="rsyslogd" name="log" dev="md127p1" ino=2752548 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=dir permissive=1
type=AVC msg=audit(1571087491.071:63): avc:  denied  { unlink } for  pid=4449 comm="rsyslogd" name="log" dev="md127p1" ino=2752548 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=sock_file permissive=1
type=AVC msg=audit(1571087491.636:64): avc:  denied  { use } for  pid=5231 comm="udevadm" path="/dev/console" dev="devtmpfs" ino=2055 scontext=system_u:system_r:udevadm_t tcontext=system_u:system_r:init_t tclass=fd permissive=1
type=AVC msg=audit(1571087491.636:64): avc:  denied  { read write } for  pid=5231 comm="udevadm" path="/dev/console" dev="devtmpfs" ino=2055 scontext=system_u:system_r:udevadm_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
type=AVC msg=audit(1571087492.583:68): avc:  denied  { getattr } for  pid=5460 comm="start-stop-daem" path="pid:[4026531836]" dev="nsfs" ino=4026531836 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
type=AVC msg=audit(1571087516.297:30): avc:  denied  { use } for  pid=4294 comm="dhcpcd-run-hook" path="/dev/console" dev="devtmpfs" ino=4108 scontext=system_u:system_r:dhcpc_script_t tcontext=system_u:system_r:init_t tclass=fd permissive=1
type=AVC msg=audit(1571087516.297:30): avc:  denied  { read write } for  pid=4294 comm="dhcpcd-run-hook" path="/dev/console" dev="devtmpfs" ino=4108 scontext=system_u:system_r:dhcpc_script_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
type=AVC msg=audit(1571087516.300:31): avc:  denied  { ioctl } for  pid=4294 comm="dhcpcd-run-hook" path="/dev/console" dev="devtmpfs" ino=4108 ioctlcmd=0x5401 scontext=system_u:system_r:dhcpc_script_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
type=AVC msg=audit(1571087516.300:31): avc:  denied  { sys_tty_config } for  pid=4294 comm="dhcpcd-run-hook" capability=26  scontext=system_u:system_r:dhcpc_script_t tcontext=system_u:system_r:dhcpc_script_t tclass=capability permissive=1
type=AVC msg=audit(1571087516.300:32): avc:  denied  { getattr } for  pid=4294 comm="dhcpcd-run-hook" path="/dev/console" dev="devtmpfs" ino=4108 scontext=system_u:system_r:dhcpc_script_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
type=AVC msg=audit(1571087516.300:33): avc:  denied  { open } for  pid=4294 comm="dhcpcd-run-hook" path="/dev/console" dev="devtmpfs" ino=4108 scontext=system_u:system_r:dhcpc_script_t tcontext=system_u:object_r:console_device_t tclass=chr_file permissive=1
type=AVC msg=audit(1571087527.803:34): avc:  denied  { read } for  pid=4437 comm="openrc-run.sh" name="rsyslog.conf" dev="md127p1" ino=2770080 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:syslog_conf_t tclass=file permissive=1
type=AVC msg=audit(1571087527.843:35): avc:  denied  { getattr } for  pid=4444 comm="start-stop-daem" path="pid:[4026531836]" dev="nsfs" ino=4026531836 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
type=AVC msg=audit(1571087527.857:36): avc:  denied  { write } for  pid=4446 comm="rsyslogd" name="dev" dev="md127p1" ino=2770106 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=dir permissive=1
type=AVC msg=audit(1571087527.857:36): avc:  denied  { add_name } for  pid=4446 comm="rsyslogd" name="log" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=dir permissive=1
type=AVC msg=audit(1571087527.857:36): avc:  denied  { create } for  pid=4446 comm="rsyslogd" name="log" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=sock_file permissive=1
type=AVC msg=audit(1571087527.857:37): avc:  denied  { setattr } for  pid=4446 comm="rsyslogd" name="log" dev="md127p1" ino=2752548 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=sock_file permissive=1
type=AVC msg=audit(1571087610.667:45): avc:  denied  { search } for  pid=4536 comm="sudo" name="4533" dev="proc" ino=2740 scontext=sysadm_u:sysadm_r:sysadm_sudo_t tcontext=sysadm_u:sysadm_r:sysadm_t tclass=dir permissive=1
type=AVC msg=audit(1571087610.667:45): avc:  denied  { read } for  pid=4536 comm="sudo" name="stat" dev="proc" ino=1642 scontext=sysadm_u:sysadm_r:sysadm_sudo_t tcontext=sysadm_u:sysadm_r:sysadm_t tclass=file permissive=1
type=AVC msg=audit(1571087610.667:45): avc:  denied  { open } for  pid=4536 comm="sudo" path="/proc/4533/stat" dev="proc" ino=1642 scontext=sysadm_u:sysadm_r:sysadm_sudo_t tcontext=sysadm_u:sysadm_r:sysadm_t tclass=file permissive=1


If i pull this into audit2allow, it will look like this:

Code:

# audit2allow < audit.log


#============= dhcpc_script_t ==============
allow dhcpc_script_t console_device_t:chr_file { getattr ioctl open read write };
allow dhcpc_script_t init_t:fd use;
allow dhcpc_script_t self:capability sys_tty_config;

#============= initrc_t ==============
allow initrc_t nsfs_t:file getattr;
allow initrc_t syslog_conf_t:file read;

#============= sysadm_sudo_t ==============
allow sysadm_sudo_t sysadm_t:dir search;
allow sysadm_sudo_t sysadm_t:file { open read };

#============= syslogd_t ==============
allow syslogd_t var_t:dir { add_name remove_name write };
allow syslogd_t var_t:sock_file { create setattr unlink };

#============= udevadm_t ==============
allow udevadm_t console_device_t:chr_file { read write };
allow udevadm_t init_t:fd use;


The dhcpc_script_t is getting triggered from /etc/conf.d/net config_eno1="dhcp".
Should we not be allowed to get a DHCP lease by default, on Gentoo SELinux ?
Does any of these permissions look suspicious to you ?
I'm tempted to just allow them all, but as i said, because the system is so minimal, I wonder if i forgot a step somewhere and seek your advice.

Thanks in advance !
/lupus
Back to top
View user's profile Send private message
e3k
Guru
Guru


Joined: 01 Oct 2007
Posts: 520
Location: Inner Space

PostPosted: Tue Oct 15, 2019 6:42 pm    Post subject: Reply with quote

not sure about gentoo but i worked with selinux on RHEL and if it is an unconfigured install then you have to permit a lot of stuff before it starts to work. also you are in permissive mode which means all is allowed and will be just logged. that means selinux is not protecting you in any way just logs events.
_________________
CLOSED|||||||||||LISTEN
SYN-SENT --> SYN-RECEIVED
ESTABLISHED <-- SYN-RECEIVED
ESTABLISHED --> ESTABLISHED
ESTABLISHED --> <DATA> --> ESTABLISHED
Back to top
View user's profile Send private message
lupusbytes
n00b
n00b


Joined: 08 Oct 2019
Posts: 2

PostPosted: Tue Oct 15, 2019 7:29 pm    Post subject: Reply with quote

e3k wrote:
not sure about gentoo but i worked with selinux on RHEL and if it is an unconfigured install then you have to permit a lot of stuff before it starts to work. also you are in permissive mode which means all is allowed and will be just logged. that means selinux is not protecting you in any way just logs events.


Thanks for the reply !
Yes, I do realize the implications of permissive mode :D
I was under the impresseion that the sec-policy/selinux-base-policy that is included in the Gentoo SELinux profile would cover my system at this early this stage.
To quote the package description:
Quote:
Gentoo SELinux base policy. This contains policy for a system at the end of system installation. There is no extra policy in this package.

My thread/questions are about wether or not the AVC errors that are logged in audit.log should be covered by a base policy.

If I'm supposed to write policies for these myself, I will simply do it, but first I wanted to check with someone experienced, if I'm supposed to :)


EDIT:
setting modules="dhclient", in /etc/conf.d/net, fixed the dhcp errors.
Back to top
View user's profile Send private message
e3k
Guru
Guru


Joined: 01 Oct 2007
Posts: 520
Location: Inner Space

PostPosted: Wed Oct 16, 2019 7:18 pm    Post subject: Reply with quote

in this case sorry i am not a SELinux expert. the only thumb rule for i would use for a freshly installed system is to allow all to make it work and then watch the logs to see if something unexpected comes.
_________________
CLOSED|||||||||||LISTEN
SYN-SENT --> SYN-RECEIVED
ESTABLISHED <-- SYN-RECEIVED
ESTABLISHED --> ESTABLISHED
ESTABLISHED --> <DATA> --> ESTABLISHED
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum