Gentoo Forums :: Networking & Security
Problems with selinux setup
michaels70
Joined: 30 Jul 2013
Posts: 5
Posted: Mon Feb 10, 2014 2:37 pm    Post subject: Problems with selinux setup

I just installed selinux on the AMD64 hardened version of Gentoo and am seeing the following denials when booting in permissive mode. Am I missing a selinux module or is there something else I have to do? I relabeled the whole file-system after installing everything.

Code:
Jan  1 00:00:24 localhost dhcpcd[1811]: eth0: sending IPv6 Router Solicitation
Jan  1 00:00:24 localhost dhcpcd[1811]: eth1: sending IPv6 Router Solicitation
Jan  1 00:00:25 localhost dhcpcd[1811]: eth0: leased 192.168.2.160 for 86400 seconds
Jan  1 00:00:25 localhost kernel: [   17.808711] audit_printk_skb: 6 callbacks suppressed
Jan  1 00:00:25 localhost kernel: [   17.808714] type=1400 audit(1356998425.336:28): avc:  denied  { write } for  pid=1989 comm="dhcpcd-run-hook" name="ntp.conf" dev="sda3" ino=650700 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Jan  1 00:00:25 localhost kernel: [   17.813252] type=1400 audit(1356998425.341:29): avc:  denied  { execute } for  pid=1991 comm="rc-service" name="rc" dev="sda3" ino=456696 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:rc_exec_t tclass=file
Jan  1 00:00:25 localhost kernel: [   17.813264] type=1400 audit(1356998425.341:30): avc:  denied  { read open } for  pid=1991 comm="rc-service" path="/sbin/rc" dev="sda3" ino=456696 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:rc_exec_t tclass=file
Jan  1 00:00:25 localhost kernel: [   17.813312] type=1400 audit(1356998425.341:31): avc:  denied  { execute_no_trans } for  pid=1991 comm="rc-service" path="/sbin/rc" dev="sda3" ino=456696 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:rc_exec_t tclass=file
Jan  1 00:00:25 localhost dhcpcd[1811]: eth1: broadcasting for a lease
Jan  1 00:00:28 localhost dhcpcd[1811]: eth0: sending IPv6 Router Solicitation
Jan  1 00:00:28 localhost dhcpcd[1811]: eth0: no IPv6 Routers available
Jan  1 00:00:28 localhost dhcpcd[1811]: eth1: sending IPv6 Router Solicitation
Jan  1 00:00:28 localhost dhcpcd[1811]: eth1: no IPv6 Routers available
Jan  1 00:00:38 localhost kernel: [   31.005795] type=1400 audit(1356998438.523:32): avc:  denied  { read } for  pid=1995 comm="rc" name="profile.env" dev="sda3" ino=650786 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Jan  1 00:00:38 localhost kernel: [   31.005807] type=1400 audit(1356998438.523:33): avc:  denied  { open } for  pid=1995 comm="rc" path="/etc/profile.env" dev="sda3" ino=650786 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Jan  1 00:00:38 localhost kernel: [   31.005821] type=1400 audit(1356998438.523:34): avc:  denied  { getattr } for  pid=1995 comm="rc" path="/etc/profile.env" dev="sda3" ino=650786 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Jan  1 00:00:38 localhost kernel: [   31.007716] type=1400 audit(1356998438.525:35): avc:  denied  { search } for  pid=1995 comm="rc" name="1" dev="proc" ino=1154 scontext=root:sysadm_r:run_init_t tcontext=system_u:system_r:init_t tclass=dir
Jan  1 00:00:38 localhost kernel: [   31.007733] type=1400 audit(1356998438.525:36): avc:  denied  { read } for  pid=1995 comm="rc" name="environ" dev="proc" ino=1155 scontext=root:sysadm_r:run_init_t tcontext=system_u:system_r:init_t tclass=file
Jan  1 00:00:38 localhost kernel: [   31.007742] type=1400 audit(1356998438.525:37): avc:  denied  { open } for  pid=1995 comm="rc" path="/proc/1/environ" dev="proc" ino=1155 scontext=root:sysadm_r:run_init_t tcontext=system_u:system_r:init_t tclass=file
Jan  1 00:00:38 localhost kernel: [   31.007761] type=1400 audit(1356998438.525:38): avc:  denied  { getattr } for  pid=1995 comm="rc" path="/proc/1/environ" dev="proc" ino=1155 scontext=root:sysadm_r:run_init_t tcontext=system_u:system_r:init_t tclass=file
Jan  1 00:00:38 localhost kernel: [   31.007838] type=1400 audit(1356998438.525:39): avc:  denied  { read } for  pid=1995 comm="rc" name="softlevel" dev="tmpfs" ino=3105 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=file
Jan  1 00:00:38 localhost kernel: [   31.007848] type=1400 audit(1356998438.525:40): avc:  denied  { open } for  pid=1995 comm="rc" path="/run/openrc/softlevel" dev="tmpfs" ino=3105 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=file
Jan  1 00:00:38 localhost kernel: [   31.007859] type=1400 audit(1356998438.525:41): avc:  denied  { getattr } for  pid=1995 comm="rc" path="/run/openrc/softlevel" dev="tmpfs" ino=3105 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=file


Here's a list of the installed modules...
Code:
application   1.2.0   
authlogin   2.5.0   
automount   1.14.0   
bind   1.13.0   
bootloader   1.14.0   
clock   1.7.0   
consolekit   1.9.0   
consoletype   1.10.0   
cron   2.6.0   
dhcp   1.11.0   
dmesg   1.3.0   
fstools   1.16.0   
getty   1.10.0   
gpg   2.8.0   
hostname   1.8.0   
hotplug   1.16.0   
init   1.20.0   
ipsec   1.14.0   
iptables   1.14.0   
irqbalance   1.6.0   
libraries   2.10.0   
locallogin   1.12.0   
logging   1.20.0   
lvm   1.15.0   
mandb   1.1.0   
miscfiles   1.11.0   
modutils   1.14.0   
mount   1.16.0   
mta   2.7.0   
netutils   1.12.0   
nscd   1.11.0   
ntp   1.11.0   
openrc   0.1   
portage   1.14.0   
raid   1.13.0   
rpc   1.15.0   
rpcbind   1.6.0   
rsync   1.13.0   
screen   2.6.0   
selinuxutil   1.17.0   
setrans   1.8.0   
shutdown   1.2.0   
ssh   2.4.0   
staff   2.4.0   
storage   1.11.0   
su   1.12.0   
sudo   1.10.0   
sysadm   2.6.0   
sysnetwork   1.15.0   
udev   1.16.0   
unprivuser   2.4.0   
userdomain   4.9.0   
usermanage   1.19.0   
xdg   1.0.0


Here's a listings of the bools...
Code:
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> off
allow_gssd_read_tmp --> off
allow_mount_anyfile --> off
allow_nfsd_anon_write --> off
allow_polyinstantiation --> off
allow_ptrace --> off
allow_rsync_anon_write --> off
allow_ssh_keysign --> off
allow_user_mysql_connect --> off
allow_user_postgresql_connect --> off
allow_ypbind --> off
authlogin_nsswitch_use_ldap --> off
console_login --> on
cron_can_relabel --> off
cron_userdomain_transition --> off
dhcpd_use_ldap --> off
fcron_crond --> off
global_ssp --> on
gpg_agent_env_file --> off
init_upstart --> off
mail_read_content --> off
mmap_low_allowed --> off
named_tcp_bind_http_port --> off
named_write_master_zones --> off
nfs_export_all_ro --> off
nfs_export_all_rw --> off
nscd_use_shm --> off
portage_use_nfs --> off
racoon_read_shadow --> off
rsync_client --> off
rsync_export_all_ro --> off
rsync_use_cifs --> off
rsync_use_fusefs --> off
rsync_use_nfs --> off
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
ssh_sysadm_login --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
user_direct_mouse --> off
user_dmesg --> off
user_ping --> off
user_rw_noexattrfile --> off
user_tcp_server --> off
user_ttyfile_stat --> off


and selinux status...
Code:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             strict
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Max kernel policy version:      28

Process contexts:
Current context:                root:sysadm_r:sysadm_t
Init context:                   system_u:system_r:init_t
/sbin/agetty                    system_u:system_r:getty_t

File contexts:
Controlling terminal:           root:object_r:user_tty_device_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/bin/login                      system_u:object_r:login_exec_t
/sbin/rc                        system_u:object_r:rc_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd               system_u:object_r:chkpwd_exec_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash                       system_u:object_r:shell_exec_t
/usr/bin/newrole                system_u:object_r:newrole_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t


Any ideas?

Michael
spike88
Joined: 16 Oct 2012
Posts: 17
Posted: Mon Feb 17, 2014 10:53 pm

Your enforce mode is permissive?
_________________
Gentoo Rocks thanks!
michaels70
Joined: 30 Jul 2013
Posts: 5
Posted: Mon Feb 24, 2014 6:52 pm

Yeah, I wanted to see what would be denied by selinux. It seems to have a lot of denials with the default installation. It makes me think I must be missing a module or something.
spike88
Joined: 16 Oct 2012
Posts: 17
Posted: Fri Feb 28, 2014 2:49 am

By default the enforce setting denies everything; you have to set up access manually, I believe.
_________________
Gentoo Rocks thanks!
landdie
Joined: 10 Sep 2013
Posts: 26
Location: Southern Sweden
Posted: Fri Feb 28, 2014 11:57 am

OK, I'm far from an expert, but there are two things you can do here. The simplest/safest is
Code:
semodule -i /usr/share/selinux/strict/dhcp.pp

Which will insert the official dhcp policy module into your running policy. You can see a lot of the AVC denied lines you posted above are about dhcp. Not sure if this will get rid of the comm="rc" denials.

But, if you're feeling adventurous, you could also build your own policy for the whole problem. Make a directory to work in, then take your denied lines from above and put them in a file called avc_lines (or whatever name you like), and then do
Code:
cat avc_lines | audit2allow -m mymod > mymod.te

You will get an output to a file called mymod.te that looks like this.
Code:
module mymod 1.0;

require {
        type initrc_state_t;
        type init_t;
        type dhcpc_t;
        type rc_exec_t;
        type etc_runtime_t;
        type etc_t;
        type run_init_t;
        class dir search;
        class file { execute read execute_no_trans write getattr open };
}

#============= dhcpc_t ==============
allow dhcpc_t etc_t:file write;
allow dhcpc_t rc_exec_t:file { read execute open execute_no_trans };

#============= run_init_t ==============
allow run_init_t etc_runtime_t:file { read getattr open };
allow run_init_t init_t:dir search;
allow run_init_t init_t:file { read getattr open };
allow run_init_t initrc_state_t:file { read getattr open };

The mymod name could and probably should have been dhcpmod so you remember what it's for. It doesn't matter what you call it, just be consistent/descriptive from start to end here. Oh, and don't use numbers!

If you then do
Code:
checkmodule -m -o mymod.mod mymod.te

You will generate a file called mymod.mod. This is the base module for building your own selinux policy module for the denials you're getting.

Next you will need to do
Code:
semodule_package -o mymod.pp -m mymod.mod

This will generate an SELinux policy called mymod.pp.

Then you will need to insert it into your current running policy with
Code:
semodule -i mymod.pp

This will survive a reboot and become a permanent part of your system policy. You can remove it again with
Code:
semodule -r mymod

Note the .pp suffix is not used.

This is a simple way to get rid of AVC denials. The running policy won't allow you to make idiot additions to it, but be aware that the first thing to do when getting AVC denials is to check your file contexts, which I see you did, and have a look at the official policy modules in
Code:
/usr/share/selinux/strict/
Otherwise you might be in for a lot of work! ;)

Whatever you do, if you are going to be running SELinux you will need to get used to writing policy.pp's and fiddling with file contexts! :)

I'd recommend creating a working directory in which to build all your policy.pp's, and building each one in its own subdirectory. It's also not a silly idea to keep a record of the AVC denial lines you've used to build your policy.pp in the same directory, just for future reference!

If you are systematic with your module names you will be able to see them all in the future with a simple
Code:
semodule -l | grep yourmodending
which I promise will make you very happy at some point! :)

Hope this helps a bit!