Shiru (n00b; joined 20 Oct 2014; 63 posts)
Posted: Sun Sep 11, 2022 1:41 pm
Post subject: Switching to Hardened SELinux: how to resolve denies?
Hello guys,
I have read the Gentoo tutorials but still I am not sure I understand how everything works. Should I make my own policy module? Should I change the context of a file? Should I toggle a boolean? I am lost, as I tried everything but nothing worked.
Note: the SELINUX variable is set to permissive, but I still encountered the issue explained below.
Objective: displaying a wallpaper. I have a bash script, run by cron, that downloads and displays an image.
Code:
#!/bin/sh
# Fetch the Bing image of the day and set it as the desktop wallpaper.
imagepath="/home/shiru/Pictures/Bing/bing-wallpaper.jpg"

# The RSS feed links to the 1366x768 image; rewrite the path to get 1920x1080.
urlpath=$(
    sleep 2
    curl -fsS "https://www.bing.com/HPImageArchive.aspx?format=rss&idx=0&n=1&mkt=en-US" \
        | xmllint --xpath "/rss/channel/item/link/text()" - \
        | sed 's/1366x768/1920x1080/g'
)

# -f makes curl fail on an HTTP error instead of saving the error page as the image.
curl -fsS "https://www.bing.com$urlpath" -o "$imagepath"
feh --bg-fill "$imagepath"
This works perfectly on a non-Hardened-SELinux system, but fails even in permissive mode.
Since it is my first time, I checked /var/log/audit/audit.log, but there was nothing. In fact, the audit logs were in /var/log/messages, and I still do not understand why (if you have a clue, please tell me).
Then I decided to make my own policy module (I really don't know if it is the best solution...), so here is the content of my localpolicy.te file:
Code:
policy_module(localpolicy, 1.0)

gen_require(`
	type staff_t;
	type xdm_t;
	type xdg_pictures_t;
	type xdg_config_t;
	type user_t;
	type crond_t;
	type user_home_t;
	type user_home_dir_t;
	type http_port_t;
	type gnome_xdg_config_t;
	type sysadm_t;
	type xserver_t;
	type xdg_data_t;
')

# let the display manager and the user domains read files in ~/Pictures
allow xdm_t xdg_pictures_t:file { read open getattr };
allow staff_t xdg_pictures_t:file { read open };
allow user_t xdg_pictures_t:file { read open };

# let the cron daemon traverse the home directory and execute the script there
allow crond_t user_home_t:dir { execute read open getattr ioctl search };
allow crond_t user_home_t:file { execute read open execute_no_trans getattr ioctl };
allow crond_t xdg_config_t:dir { search };

# let the cron job connect to the web server and write the downloaded image
allow crond_t http_port_t:tcp_socket { name_connect };
allow crond_t xdg_pictures_t:file { write open getattr };
allow staff_t user_home_dir_t:dir { write add_name };

# inotify watches and X server access from the desktop session / cron job
allow sysadm_t gnome_xdg_config_t:dir { watch };
allow sysadm_t xdg_pictures_t:dir { watch };
allow crond_t xserver_t:unix_stream_socket { connectto };
allow sysadm_t xdg_data_t:dir { watch };
As you can see, I did stupid things; I tried everything to get it to work.
I noticed that if I run the bing.sh script, the file (the image) is downloaded but is not displayed, nor does it appear in the xfdesktop-settings window when choosing the file. If I try to open the downloaded image via ristretto, it fails (error: cannot open the image). I checked the file's properties and the Image tab is not there. So I launched GIMP to open it; it succeeded, but when trying to export the file with the same extension (.jpg), an error occurred: permission denied.
I also tried using the feh command to set the image as the wallpaper, but nothing changed: black screen.
If I set a different image from the same folder or from a different one, it works! So it seems the issue comes from the script itself.
By the way, I tried setting the SELINUX variable to enforcing (just to see how things go). I was able to log in via sddm, but when the desktop was displayed I was unable to move the mouse or interact at all (freeze?), so I had to force a reboot.
Any help would be greatly appreciated. I really want to understand SELinux; I do not want to give up and switch to my previous profile.
Thanks,
Shiru
alamahant (Advocate; joined 23 Mar 2019; 3875 posts)
Posted: Wed Sep 14, 2022 3:20 pm
Please try:
Code:
mkdir -p /var/log/audit
touch /var/log/audit/audit.log
rc-update add auditd default
rc-service auditd start
setenforce 0   # also set SELINUX=permissive in the config file
#### THEN LET YOUR SYSTEM RUN FOR SOME TIME, MAYBE A DAY OR TWO, THEN
ausearch -m AVC | audit2allow -w                  # see why (and whether a boolean already covers a denial)
ausearch -m AVC | audit2allow -a                  # see what rules would be needed
ausearch -m AVC | audit2allow -a -M custom_pol01  # generate the policy module custom_pol01.pp
semodule -i custom_pol01.pp                       # install the module
Before reaching the point of creating policy:
FIRST use getsebool/setsebool (the above commands will let you know if some denials can be resolved by flipping a boolean).
SECOND use semanage.
A piece of advice:
Code:
# in /etc/selinux/semanage.conf set
expand-check=0
Not all desktops work well with SELinux.
Try LXDE; it works just fine.
Please avoid setting the policy to strict.
Start with targeted and work your way up.
If you do so, please modify the relabel command to:
Code:
# -r: treat /mnt/gentoo as the root when matching paths against file_contexts
setfiles -r /mnt/gentoo /etc/selinux/targeted/contexts/files/file_contexts /mnt/gentoo/{dev,home,proc,run,sys,tmp}
Quote:
By the way, I tried setting the SELINUX variable to enforcing (just to see how things go). I was able to log in via sddm, but when the desktop was displayed I was unable to move the mouse or interact at all (freeze?), so I had to force a reboot.
Try:
Code:
# persistently (-P) turn on every boolean whose name contains "xserver"
for i in $(getsebool -a | grep xserver | awk '{ print $1 }'); do setsebool -P "$i" on; done
Do not force a reboot. Enable "sysrq_always_enabled=1" in GRUB and use either that or Ctrl+Alt+F2 etc.
As for your script, first
Code:
truncate --size=0 /var/log/audit/audit.log
then run your script, then use the above ausearch commands to see what's going on.
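Added example (written for this edit; it is not code from either poster): the `ausearch -m AVC | audit2allow -M` step above, reproduced offline so the grouping it performs is visible. The function name avc_to_te and the module name bing_wallpaper are my own; the AVC lines are constructed to match what the bing.sh script from the first post would plausibly produce when run from cron, and are not real audit output. The rules it emits are the kind Shiru wrote by hand in localpolicy.te; as the advice above says, run audit2allow -w for booleans first and treat the draft as a starting point, not the final policy.

```shell
#!/bin/sh
# avc_to_te: group AVC denials by (source type, target type, class), merge the
# permission sets, and print a draft refpolicy .te module, which is what
# "ausearch -m AVC | audit2allow -M name" does. Hypothetical helper; real use
# would be:  ausearch -m AVC -ts recent | avc_to_te bing_wallpaper > bing_wallpaper.te

# CONSTRUCTED sample denials (not real audit output) for the bing.sh cron job:
# the daemon domain executing the script, curl reaching port 443, curl writing
# the image into ~/Pictures.
SAMPLE_AVC='type=AVC msg=audit(1662900000.100:201): avc:  denied  { execute } for  pid=1234 comm="sh" name="bing.sh" dev="sda3" ino=1 scontext=system_u:system_r:crond_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1662900000.100:202): avc:  denied  { read open } for  pid=1234 comm="sh" name="bing.sh" dev="sda3" ino=1 scontext=system_u:system_r:crond_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1662900000.200:203): avc:  denied  { name_connect } for  pid=1235 comm="curl" dest=443 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1662900000.300:204): avc:  denied  { write open } for  pid=1235 comm="curl" name="bing-wallpaper.jpg" dev="sda3" ino=2 scontext=system_u:system_r:crond_t:s0 tcontext=unconfined_u:object_r:xdg_pictures_t:s0 tclass=file permissive=1
'

avc_to_te() {
    awk -v mod="${1:-local_draft}" '
    /avc: *denied/ {
        # the permission set is the text between the braces: { write open }
        if (!match($0, /[{][^}]*[}]/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            # context is user:role:type[:level]; the type is the third field
            if (k == "scontext")      { split(v, c, ":"); src = c[3] }
            else if (k == "tcontext") { split(v, c, ":"); tgt = c[3] }
            else if (k == "tclass")   cls = v
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src SUBSEP tgt SUBSEP cls
        if (!(key in seen)) { seen[key] = 1; keys[++nkeys] = key }
        # merge permissions for the same (src, tgt, class) without duplicates
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++)
            if (index(" " permset[key] " ", " " p[j] " ") == 0)
                permset[key] = (permset[key] == "") ? p[j] : permset[key] " " p[j]
        # every type we reference must be declared in gen_require, in first-seen order
        if (!(src in tseen)) { tseen[src] = 1; types[++ntypes] = src }
        if (!(tgt in tseen)) { tseen[tgt] = 1; types[++ntypes] = tgt }
    }
    END {
        printf "policy_module(%s, 1.0)\n\n", mod
        print "gen_require(`"
        for (i = 1; i <= ntypes; i++) printf "\ttype %s;\n", types[i]
        print "\047)\n"
        for (i = 1; i <= nkeys; i++) {
            split(keys[i], f, SUBSEP)
            printf "allow %s %s:%s { %s };\n", f[1], f[2], f[3], permset[keys[i]]
        }
    }'
}

# Run on the constructed sample; prints a bing_wallpaper.te draft.
printf '%s' "$SAMPLE_AVC" | avc_to_te bing_wallpaper
```

On a real box the draft would go through audit2allow -M (or the reference policy Makefile) to become a .pp for semodule -i. Two things to check before installing anything it prints: a file that other tools open fine while the freshly downloaded one fails, as with the wallpaper in the first post, is usually a labelling difference (compare `ls -Z` on both files) that restorecon fixes without a new allow rule; and allow rules whose source is crond_t, the cron daemon's own domain, deserve a second look, because in the reference policy a cron job is meant to run in a separate job domain, so crond_t showing up as the source usually means the job never transitioned out of the daemon's domain.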
Shiru (n00b; joined 20 Oct 2014; 63 posts)
Posted: Mon Sep 26, 2022 10:09 pm
Thanks alamahant!
Sorry for this late reply.
I will give it a try.