Gentoo Forums
[SOLVED] machine in hardened/selinux boots as disabled
Brane2 (n00b)
Joined: 03 Jul 2011
Posts: 40

Posted: Fri Oct 18, 2019 5:24 am    Post subject: [SOLVED] machine in hardened/selinux boots as disabled

I have a couple of AMD AM1 Kabini machines that I decided to switch from the hardened to the hardened/selinux profile.

All of them run systemd.

After the profile change, two of them work, but the third one always boots in selinux=disabled state.

Just as if SELinux support was not compiled into the kernel.
dmesg shows no error or special notice about an attempt or failure to load the policy etc.

And "cat /proc/filesystems" doesn't list selinuxfs as an option.

All three machines use the same profile, same kernel version (gentoo-sources-5.2.20), gcc version (gcc-9.2.0), essentially the same
kernel .config file, same glibc version, selinux-related package versions etc.

I thought that the selinux label of the root, the policy file itself or the systemd daemon might be the issue, so I wrote a script that would
relabel all the stuff (setfiles/restorecon on this box doesn't work), but the effect is the same.

Is there an explanation of the exact steps of policy load during the boot phase and the conditions that must be met?
_________________
On the journey of life I chose the psycho path...


Last edited by Brane2 on Sun Oct 20, 2019 9:27 pm; edited 1 time in total
Brane2
Posted: Sat Oct 19, 2019 9:24 am    Post subject: I seem to have cracked it

Since I haven't been able to google this out, I suspect the answer to that might be useful to others, too, and
so I'll leave this here for the search engine to pick it up...

The problem had a few facets:

- for some reason, at least with these 5.* kernels one has to select SMACK (simplified MAC) in order for SELINUX to be selected.
God knows why, but that's how it is.

- under the SELINUX selection there is the list of MAC systems which presents the order in which they are to be initialized.
If selinux is not listed there, it will not be initialized and the end result will be zilch, just as if you never selected it in the first place.
For some reason or other, while playing with other options, I managed to get the kernel infrastructure scripting system to drop
selinux from the list.
If you are not using that esoteric, less known stuff, you can delete it and just leave selinux.
Capabilities are set up by default, so they don't have to be listed.

Also, if for some reason your init fails to mount /proc/fs/selinux, your userland stuff will report selinux as being disabled.
( mount -t selinuxfs selinux /proc/fs/selinux )

It also helps to have securityfs mounted, at least for me; it just has an lsm pseudo file that has that previously mentioned lsm list
of the systems initialized ( mount -t securityfs security /proc/kernel/security )
For that to work, securityfs has to be selected in the kernel configuration (under the "Security" submenu, a few lines above the SELinux selection).


Also, if the state of your selinux is listed as "disabled", it seems that the tools for labeling (restorecon/setfiles) won't work correctly,
and if you want to relabel the system, it might be better to do it manually by scripting your own routine with getfattr/matchpathcon/setfattr...

Hope it helps someone...
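The checks the post above arrives at, collected into one POSIX shell script: the kernel options SELinux needs, whether selinux is present in the CONFIG_LSM initialisation list, whether selinuxfs and securityfs are registered in /proc/filesystems, and what the lsm file under securityfs reports. This is an added example, not the poster's script or any Gentoo tool. It assumes the required options for a 5.x kernel are CONFIG_SECURITY, CONFIG_SECURITY_NETWORK, CONFIG_AUDIT, CONFIG_SECURITYFS and CONFIG_SECURITY_SELINUX plus the CONFIG_LSM string, that the kernel config is read from a .config file you point it at (e.g. /usr/src/linux/.config), and that securityfs is mounted at /sys/kernel/security, where the lsm file normally lives. Every path is a parameter, so it can be pointed at a copied .config or at a chroot.

```shell
#!/bin/sh
# selinux_boot_diag.sh - added example (not from the forum post): check the things
# the post found responsible for "SELinux disabled" on a kernel that supposedly has
# it built in. Defaults are assumptions; every file path can be overridden.

# Boolean options assumed necessary for SELinux on a 5.x kernel. CONFIG_LSM is a
# string and is checked separately.
SELINUX_REQUIRED_OPTS="CONFIG_SECURITY CONFIG_SECURITY_NETWORK CONFIG_AUDIT CONFIG_SECURITYFS CONFIG_SECURITY_SELINUX"

# kconfig_missing <.config>: print each required option that is not "=y".
# Returns 0 when nothing is missing, 1 otherwise.
kconfig_missing() {
    cfg="$1"; rc=0
    for opt in $SELINUX_REQUIRED_OPTS; do
        if ! grep -q "^${opt}=y$" "$cfg"; then
            echo "$opt"; rc=1
        fi
    done
    return $rc
}

# lsm_list <.config>: print the CONFIG_LSM initialisation order, one LSM per line.
lsm_list() {
    sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p' "$1" | tr ',' '\n'
}

# lsm_has_selinux <.config>: 0 if "selinux" is in CONFIG_LSM. An LSM that is
# compiled in but absent from this list is never initialised.
lsm_has_selinux() {
    lsm_list "$1" | grep -qx selinux
}

# fs_registered <name> [filesystems file]: 0 if the kernel registered that
# pseudo-filesystem (default source: /proc/filesystems, lines like "nodev\tselinuxfs").
fs_registered() {
    name="$1"; fsfile="${2:-/proc/filesystems}"
    awk -v n="$name" '$NF == n { found = 1 } END { exit !found }' "$fsfile"
}

# active_lsm_has <name> [lsm file]: 0 if securityfs reports the LSM as initialised
# (default: /sys/kernel/security/lsm, one comma-separated line).
active_lsm_has() {
    name="$1"; lsmfile="${2:-/sys/kernel/security/lsm}"
    [ -r "$lsmfile" ] && tr ',' '\n' < "$lsmfile" | grep -qx "$name"
}

# selinux_boot_diag <.config> [filesystems file] [lsm file]: run every check,
# print what is wrong, return 0 only if all of them pass.
selinux_boot_diag() {
    cfg="$1"; fsfile="${2:-/proc/filesystems}"; lsmfile="${3:-/sys/kernel/security/lsm}"; ok=0
    missing=$(kconfig_missing "$cfg") || { echo "missing/disabled in $cfg:" $missing; ok=1; }
    lsm_has_selinux "$cfg" || { echo "CONFIG_LSM in $cfg does not list selinux:" $(lsm_list "$cfg"); ok=1; }
    fs_registered selinuxfs "$fsfile" || { echo "selinuxfs not registered in $fsfile"; ok=1; }
    fs_registered securityfs "$fsfile" || { echo "securityfs not registered in $fsfile"; ok=1; }
    active_lsm_has selinux "$lsmfile" || { echo "selinux not in $lsmfile (is securityfs mounted?)"; ok=1; }
    [ $ok -eq 0 ] && echo "kernel side looks fine; check that selinuxfs is mounted where your libselinux expects it"
    return $ok
}

# Usage: sh selinux_boot_diag.sh /usr/src/linux/.config
if [ $# -gt 0 ]; then selinux_boot_diag "$@"; fi
```

Run it on the working machines as well as the broken one and diff the output; with identical .config files the interesting difference will be in /proc/filesystems or the lsm file, which is exactly the "compiled in but never initialised" case the post describes.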
Brane2
Posted: Sat Oct 19, 2019 9:30 am

One more thing:

This changes some bits for chrooting, so that it won't surprise anyone:

if you want to chroot with such a system into some dir like "/mnt/gentoo", you have to either mount --rbind the existing /proc or mount the underlying selinuxfs manually.

Without that, you might be surprised to see selinux as working in the base system but disabled in the chroot...
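The chroot step from this post, as an added example rather than the poster's own commands: a helper that recursively binds /proc, /sys and /dev into the chroot, and a check that reads /proc/self/mountinfo to confirm a selinuxfs mount is actually visible below the target before you chroot. Binding both /proc and /sys recursively covers the /proc/fs/selinux mount point used in this thread as well as /sys/fs/selinux, where current libselinux looks. /mnt/gentoo is the thread's example target; DRY_RUN is a knob of this script (an assumption, not anything in the thread) so the mount sequence can be inspected without root.

```shell
#!/bin/sh
# selinux_chroot.sh - added example, not the poster's commands. Makes the host's
# selinuxfs visible inside a chroot and verifies that before entering it.

# run <cmd...>: execute, or just print the command when DRY_RUN=1 (assumed knob
# of this script; lets the sequence be reviewed without root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# chroot_prep <target>: recursively bind /proc, /sys and /dev into the chroot.
# --rbind carries nested mounts along, so /sys/fs/selinux (or /proc/fs/selinux,
# if that is where your init mounted it) appears inside the chroot without a
# separate "mount -t selinuxfs". --make-rslave stops mount events inside the
# chroot from propagating back to the host.
chroot_prep() {
    target="${1%/}"
    for d in proc sys dev; do
        run mount --rbind "/$d" "$target/$d"
        run mount --make-rslave "$target/$d"
    done
}

# chroot_has_selinuxfs <target> [mountinfo]: 0 if /proc/self/mountinfo shows a
# selinuxfs mount at or below <target>. mountinfo fields are:
#   id parent major:minor root mountpoint options [optional tags...] - fstype source superopts
# so the filesystem type is the field after the "-" separator.
chroot_has_selinuxfs() {
    target="${1%/}"; mi="${2:-/proc/self/mountinfo}"
    awk -v t="$target" '
        {
            for (i = 7; i <= NF; i++) if ($i == "-") break
            if ($(i + 1) == "selinuxfs" && index($5, t "/") == 1) found = 1
        }
        END { exit !found }' "$mi"
}

# chroot_enter <target>: prep, verify, then chroot.
# Usage: sh selinux_chroot.sh /mnt/gentoo
chroot_enter() {
    target="$1"
    chroot_prep "$target"
    if [ "${DRY_RUN:-0}" != 1 ] && ! chroot_has_selinuxfs "$target"; then
        echo "no selinuxfs visible under $target; getenforce inside would report disabled" >&2
        return 1
    fi
    run chroot "$target" /bin/bash
}

if [ $# -gt 0 ]; then chroot_enter "$@"; fi
```

The verification step is the part worth keeping even if you bind mounts by hand: a plain `mount --bind /proc` (no `r`) silently leaves the nested selinuxfs behind, and the only symptom is exactly the one the post describes, userland in the chroot reporting SELinux as disabled while the host is enforcing.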