Switching to Hardened SELinux : how to resolve denies?
Gentoo Forums Forum Index :: Networking & Security
Shiru
n00b
Joined: 20 Oct 2014
Posts: 63

Posted: Sun Sep 11, 2022 1:41 pm    Post subject: Switching to Hardened SELinux : how to resolve denies?

Hello guys,

I have read the Gentoo tutorials but still, I am not sure I understand how everything works. Should I make my own policy module? Should I change the context of a file? Should I toggle a boolean? I am lost, as I tried everything but nothing worked.

Note: the SELINUX variable is set to permissive... but I still encountered the issue explained below.

Objective: displaying a wallpaper. I have a bash script, run by cron, that downloads and displays an image.
Code:
#!/bin/sh
# Download today's Bing picture and set it as the wallpaper (run from cron).
imagepath="/home/shiru/Pictures/Bing/bing-wallpaper.jpg"
urlpath=$(
  sleep 2
  curl -fsS "https://www.bing.com/HPImageArchive.aspx?format=rss&idx=0&n=1&mkt=en-US" \
    | xmllint --xpath "/rss/channel/item/link/text()" - \
    | sed 's/1366x768/1920x1080/g'
)
# Stop if the feed gave no path, so the image is not overwritten with an error page.
[ -n "$urlpath" ] || exit 1
# -f makes curl fail on HTTP errors instead of saving the error body as a .jpg.
curl -fsS "https://www.bing.com$urlpath" -o "$imagepath"
feh --bg-fill "$imagepath"


This works perfectly on a NON Hardened SELinux system, but fails even in permissive mode.

Since it is my first, I have checked /var/log/audit/audit.log but found nothing. In fact, the audit logs were in /var/log/messages and I still do not understand why (if you have a clue, please tell me).
Then, I decided to make my own policy module (I really don't know if it is the best solution...), so here is the content of my localpolicy.te file:
Code:
policy_module(localpolicy, 1.0)

gen_require(`
  type staff_t;
  type xdm_t;
  type xdg_pictures_t;
  type xdg_config_t;
  type user_t;
  type crond_t;
  type user_home_t;
  type user_home_dir_t;
  type http_port_t;
  type gnome_xdg_config_t;
  type sysadm_t;
  type xserver_t;
  type xdg_data_t;
')

allow xdm_t xdg_pictures_t:file { read open getattr };
allow staff_t xdg_pictures_t:file { read open };
allow user_t xdg_pictures_t:file { read open };
allow crond_t user_home_t:dir { execute read open getattr ioctl search };
allow crond_t user_home_t:file { execute read open execute_no_trans getattr ioctl };
allow crond_t xdg_config_t:dir { search };
allow crond_t http_port_t:tcp_socket { name_connect };
allow crond_t xdg_pictures_t:file { write open getattr };
allow staff_t user_home_dir_t:dir { write add_name };
allow sysadm_t gnome_xdg_config_t:dir { watch };
allow sysadm_t xdg_pictures_t:dir { watch };
allow crond_t xserver_t:unix_stream_socket { connectto };
allow sysadm_t xdg_data_t:dir { watch };


As you can see, I did stupid things and tried everything to get it to work.
I noticed that if I run the bing.sh script, the file (the image) is downloaded but is not displayed, nor does it appear in the xfdesktop-settings window when choosing the file. If I try to open the downloaded image via ristretto, it fails (error: cannot open the image). I checked the file's properties and the Image tab is not there. So I launched Gimp to open it, which succeeded, but when trying to export the file with the same extension (.jpg), an error occurred: permission denied.
I also tried using the feh command to set the image as a wallpaper but nothing changed: black screen.
If I set a different image from the same folder or from a different one, it works! So it seems the issue comes from the script itself.

By the way, I tried to set the SELINUX variable to enforcing (just to see how things go). I was able to log in via sddm but when the desktop was displayed, I was unable to move the mouse, nor interact at all (freeze?), so I had to force a reboot.

Any help would be greatly appreciated. I really want to understand SELinux, I do not want to give up and switch to my previous profile.

Thanks,
Shiru
alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3875

Posted: Wed Sep 14, 2022 3:20 pm

Please try
Code:

mkdir /var/log/audit
touch  /var/log/audit/audit.log
rc-update add auditd default
rc-service auditd start
setenforce 0 # also in config set to permissive
#### THEN LET YOUR SYSTEM RUN FOR SOME TIME MAYBE A DAY OR TWO THEN
ausearch -m AVC | audit2allow -w ##see why
ausearch -m AVC | audit2allow -a ##see what needs to be done
ausearch -m AVC | audit2allow -a -M custom_pol01 # generate policy
semodule -i custom_pol01.pp # install policy

Before reaching the point of creating a policy:
FIRST use getsebool/setsebool ## the above commands will let you know if some denials can be resolved by flipping a boolean
SECOND use semanage
A piece of advice:
Code:

In /etc/selinux/semanage.conf set

expand-check=0

Not all desktops work well with SELinux.
Try lxde.
It works just fine.
Please avoid setting the policy to strict.
Start with targeted and work your way up.
If you do so, please modify the relabel command to
Code:

setfiles -r /mnt/gentoo /etc/selinux/targeted/contexts/files/file_contexts /mnt/gentoo/{dev,home,proc,run,sys,tmp}

Quote:

By the way, I tried to set the SELINUX variable to enforcing (just to see how things go). I was able to log in via sddm but when the desktop was displayed, I was unable to move the mouse, nor interact at all (freeze?), so I had to force a reboot.

Try
Code:

for i in $(getsebool -a | grep xserver | awk '{ print $1 }');do setsebool -P $i on;done

Do not force reboot. Enable "sysrq_always_enabled=1" in grub and use either that or ctrl+alt+f2 etc.
As for your script, first
Code:

truncate --size=0 /var/log/audit/audit.log

then run your script, then use the above ausearch commands to see what's going on.
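Added example, not code from either poster: a small Python parser for AVC denials in the kernel-log form the original poster found in /var/log/messages. It merges the denials into the allow rules and gen_require types a module like localpolicy.te would need, which is the essence of what the ausearch | audit2allow pipeline above does, so the generated rules can be reviewed (and compared against available booleans) before a module is installed. The log lines are constructed for the example, not real output.

```python
import re
from collections import defaultdict

# Matches the kernel/syslog form of an AVC record: "avc:  denied  { perms } for  key=value ...".
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample of what /var/log/messages could show for a cron job like bing.sh (not real logs).
SAMPLE_LOG = """\
Sep 11 13:41:02 gentoo kernel: audit: type=1400 audit(1662903662.101:301): avc:  denied  { name_connect } for  pid=4242 comm="curl" dest=443 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
Sep 11 13:41:04 gentoo kernel: audit: type=1400 audit(1662903664.215:302): avc:  denied  { write } for  pid=4242 comm="curl" path="/home/shiru/Pictures/Bing/bing-wallpaper.jpg" dev="sda3" ino=918 scontext=system_u:system_r:crond_t:s0 tcontext=staff_u:object_r:xdg_pictures_t:s0 tclass=file permissive=1
Sep 11 13:41:04 gentoo kernel: audit: type=1400 audit(1662903664.330:303): avc:  denied  { open } for  pid=4242 comm="curl" path="/home/shiru/Pictures/Bing/bing-wallpaper.jpg" dev="sda3" ino=918 scontext=system_u:system_r:crond_t:s0 tcontext=staff_u:object_r:xdg_pictures_t:s0 tclass=file permissive=1
Sep 11 13:41:05 gentoo kernel: eth0: link is up
"""

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    # A context is user:role:type[:level]; only the type matters for an allow rule.
    return {
        "perms": set(m.group("perms").split()),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        # permissive=1 means the access was logged but actually granted.
        "permissive": fields.get("permissive") == "1",
    }

def summarise(lines):
    """Merge denials into {(source type, target type, class): set of permissions}."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return rules

def render_te(rules):
    """Render the allow rules a policy module would need (the core of audit2allow -M output)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(rules.items())]

def required_types(rules):
    """Types that the module's gen_require block has to declare."""
    return sorted({t for key in rules for t in key[:2]})

if __name__ == "__main__":
    found = summarise(SAMPLE_LOG.splitlines())
    print("gen_require(`", *(f"  type {t};" for t in required_types(found)), "')", sep="\n")
    print(*render_te(found), sep="\n")
```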
Shiru
n00b
Joined: 20 Oct 2014
Posts: 63

Posted: Mon Sep 26, 2022 10:09 pm

Thanks alamahant!
Sorry for this late reply.
I will give it a try.