selinux denials due to race conditions? [solved]

12 posts • Page 1 of 1
vaxbrat
l33t
Posts: 731
Joined: Wed Oct 05, 2005 3:59 am
Location: DC Burbs

selinux denials due to race conditions? [solved]

Post by vaxbrat » Mon Jun 18, 2007 4:07 am

I just joined the hardened-gentoo mailing list but thought I might give this a shot here too. I'm on the 2006.1 unstable profile for selinux and think I may have a race condition that results in avc denials before selinux has finished labeling things like /dev. For example, the first denial below appears to be where /etc/hotplug.d/default/default.hotplug is peeking and poking around with /dev/null. The denial has it as a system_u:object_r:file_t, but when I look at it from a running system I see it as a system_u:object_r:null_device_t. Can the hardened folk chime in about whether I'm missing something blatantly obvious? Should I be messing around in /etc/runlevels/boot to put dependencies in various scripts (although selinux isn't a script so how would I make it a dependency?)

snippet from a dmesg:

Code:

security:  5 users, 5 roles, 1376 types, 81 bools
security:  59 classes, 61906 rules
security:  class dccp_socket not defined in policy
security:  permission dccp_recv in class node not defined in policy
security:  permission dccp_send in class node not defined in policy
security:  permission dccp_recv in class netif not defined in policy
security:  permission dccp_send in class netif not defined in policy
SELinux:  Completing initialization.
SELinux:  Setting up existing superblocks.
SELinux: initialized (dev sda5, type ext3), uses xattr
inode_doinit_with_dentry:  context_to_sid(unlabeled) returned 22 for dev=sda5 ino=1938273
audit(1182137416.171:2): avc:  denied  { ioctl } for  pid=884 comm="default.hotplug" name="null" dev=sda5 ino=733068 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.203:3): avc:  denied  { read } for  pid=889 comm="env" name="urandom" dev=sda5 ino=732962 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.204:4): avc:  denied  { read } for  pid=884 comm="default.hotplug" name="default.hotplug" dev=sda5 ino=1356280 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sbin_t tclass=file
audit(1182137416.206:5): avc:  denied  { search } for  pid=884 comm="default.hotplug" name="var" dev=sda5 ino=1254177 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_t tclass=dir
audit(1182137416.221:6): avc:  denied  { search } for  pid=884 comm="default.hotplug" name="log" dev=sda5 ino=1255669 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_log_t tclass=dir
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
audit(1182137416.259:7): policy loaded auid=4294967295
audit(1182137416.261:8): avc:  denied  { read write } for  pid=1 comm="init" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.275:9): avc:  denied  { ioctl } for  pid=1 comm="init" name="tty0" dev=sda5 ino=735467 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.277:10): avc:  denied  { read } for  pid=891 comm="hotplug" name="urandom" dev=sda5 ino=732962 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.279:11): avc:  denied  { write } for  pid=891 comm="hotplug" name="tty" dev=sda5 ino=734192 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.296:12): avc:  denied  { ioctl } for  pid=893 comm="default.hotplug" name="null" dev=sda5 ino=733068 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.758:13): avc:  denied  { read write } for  pid=970 comm="rc" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.033:14): avc:  denied  { read write } for  pid=994 comm="consoletype" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.034:15): avc:  denied  { search } for  pid=994 comm="consoletype" name="dev" dev=sda5 ino=732961 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=dir
audit(1182137417.034:16): avc:  denied  { getattr } for  pid=994 comm="consoletype" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.035:17): avc:  denied  { ioctl } for  pid=994 comm="consoletype" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.082:18): avc:  denied  { ioctl } for  pid=997 comm="stty" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.172:19): avc:  denied  { getattr } for  pid=970 comm="bash" name="null" dev=sda5 ino=733068 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.196:20): avc:  denied  { read write } for  pid=1001 comm="dmesg" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.220:21): avc:  denied  { read write } for  pid=1004 comm="mount" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t tclass=chr_file
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
audit(1182137417.478:22): avc:  denied  { read write } for  pid=1038 comm="restorecon" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.716:23): avc:  denied  { write } for  pid=1042 comm="bash" name="null" dev=tmpfs ino=2106 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1182137417.875:24): avc:  denied  { read write } for  pid=1062 comm="udevd" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137418.770:25): avc:  denied  { read } for  pid=1194 comm="modprobe" name="console" dev=tmpfs ino=2100 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1182137424.374:26): avc:  denied  { getattr } for  pid=2059 comm="modprobe.sh" name="modprobe.conf" dev=sda5 ino=1515100 scontext=system_u:system_r:udev_t tcontext=root:object_r:modules_conf_t tclass=file
audit(1182137424.376:27): avc:  denied  { read } for  pid=2112 comm="grep" name="modprobe.conf" dev=sda5 ino=1515100 scontext=system_u:system_r:udev_t tcontext=root:object_r:modules_conf_t tclass=file
Last edited by vaxbrat on Fri Jun 22, 2007 3:21 am, edited 1 time in total.
vaxbrat
l33t
Posts: 731
Joined: Wed Oct 05, 2005 3:59 am
Location: DC Burbs

It is a race

Post by vaxbrat » Thu Jun 21, 2007 3:00 am

Got confirmed that it is indeed a race condition. However I noticed that udev really has taken over everything from hotplug so that it's no longer needed. That got rid of a good number of denials since udev doesn't get around to doing its thing until later and thus avoids the race.
vaxbrat
l33t
Posts: 731
Joined: Wed Oct 05, 2005 3:59 am
Location: DC Burbs

Need to label the static /dev

Post by vaxbrat » Fri Jun 22, 2007 3:20 am

Here's the detailed story for the race condition. Until udev has finished doing its thing and mounted its own /dev, the system is using the primordial static /dev from your root's filesystem. Selinux gets /selinux up and running and is still at work doing the genfs context labeling of /dev, /tmp and company when the init process gets kicked. So init initially gets busy using the static nodes. Unfortunately these all have the default labeling of file_t and don't get picked up later by relabeling since udev now overlays the /dev directory with its own.

In order to relabel the static /dev you need to get a bit sneaky by "remounting" your root filesystem somewhere else. Let's say /mnt/rawroot

Code:

# mkdir /mnt/rawroot
# mount --bind / /mnt/rawroot
The --bind option remounts the filesystem to a different directory but doesn't apply all of the submounts. Thus the udev version of /dev is left behind to uncover the static /dev as /mnt/rawroot/dev. Now we can use setfilecon to manually relabel contexts. For example, the init process was getting denied access to /dev/console:

audit(1182137416.261:8): avc: denied { read write } for pid=1 comm="init" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file

In a running system, the /dev/console device is labeled as system_u:object_r:console_device_t. To label the static console properly I did:

Code:

# cd /mnt/rawroot/dev
# setfilecon system_u:object_r:console_device_t console
Some of the other device nodes that were getting hit too early include /dev/tty0 (tty_device_t) and /dev/urandom (urandom_device_t)
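As an added example (not code from the thread, nor from the Gentoo or SELinux projects), here is a small Python triage script that does the bookkeeping behind the procedure above. It parses the AVC denial lines from the first post's dmesg snippet, keeps only the hits against file_t objects on the root filesystem (dev=sda5), which are the static /dev entries that udev's tmpfs later hides, and emits the setfilecon commands to run against the bind-mounted root. It also reads the "SELinux: initialized" lines and refuses to plan when the root filesystem is not labeled from xattrs, since setfilecon cannot persist a label on a filesystem labeled through genfs_contexts. The expected-label table holds only the types named in this thread (console_device_t, tty_device_t, urandom_device_t, null_device_t, and device_t for the /dev directory); anything else is reported, not guessed. The mount point /mnt/rawroot and the sample lines embedded in the script (copied from the first post) are assumptions.

```python
import re

# AVC denial lines in the format the thread's dmesg snippet uses.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+pid=(?P<pid>\d+)\s+'
    r'comm="(?P<comm>[^"]*)"\s+name="(?P<name>[^"]*)"\s+dev=(?P<dev>\S+)\s+'
    r'ino=(?P<ino>\d+)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)')
# "SELinux: initialized (dev X, type Y), uses Z": how each filesystem is labeled.
INIT_RE = re.compile(
    r'SELinux: initialized \(dev (?P<dev>\S+), type (?P<fstype>\S+)\), uses (?P<how>.+?)\s*$')

# Types the thread reports for these objects on a running system (assumed table;
# anything not listed is reported rather than guessed).
EXPECTED_LABEL = {
    ("chr_file", "console"): "console_device_t",
    ("chr_file", "tty0"): "tty_device_t",
    ("chr_file", "urandom"): "urandom_device_t",
    ("chr_file", "null"): "null_device_t",
    ("dir", "dev"): "device_t",
}

def parse_avc(lines):
    """One dict per AVC denial line; other kernel lines are ignored."""
    recs = []
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()
            recs.append(rec)
    return recs

def labeling_backends(lines):
    """Map device name -> (fstype, labeling method) from the init lines."""
    found = {}
    for line in lines:
        m = INIT_RE.search(line)
        if m:
            found[m.group("dev")] = (m.group("fstype"), m.group("how"))
    return found

def find_static_dev_mislabels(denials, root_dev):
    """Denials against file_t nodes/dirs on the root fs, i.e. the static /dev
    entries udev's tmpfs later hides (dev=tmpfs hits are udev's own /dev and
    are left out). Keyed by (tclass, name, ino); value = denied permissions."""
    hits = {}
    for d in denials:
        if d["dev"] != root_dev or d["tclass"] not in ("chr_file", "dir"):
            continue
        fields = d["tcontext"].split(":")  # user:role:type[:range]
        if len(fields) < 3 or fields[2] != "file_t":
            continue
        hits.setdefault((d["tclass"], d["name"], d["ino"]), set()).update(d["perms"])
    return hits

def plan_relabel(hits, mount_point="/mnt/rawroot"):
    """setfilecon commands to run against the bind-mounted root, one per hit."""
    cmds = []
    for (tclass, name, ino), perms in hits.items():
        path = f"{mount_point}/dev" if (tclass, name) == ("dir", "dev") else f"{mount_point}/dev/{name}"
        want = EXPECTED_LABEL.get((tclass, name))
        if want is None:
            cmds.append(f"# {path} (ino {ino}, denied {' '.join(sorted(perms))}): "
                        "type not in table, check ls -Z on the running system")
        else:
            cmds.append(f"setfilecon system_u:object_r:{want} {path}")
    return cmds

def triage(text, root_dev="sda5", mount_point="/mnt/rawroot"):
    """Full pass. Refuses to plan when the root fs is not xattr-labeled, since
    setfilecon cannot persist a label on a genfs_contexts filesystem."""
    lines = text.splitlines()
    fstype, how = labeling_backends(lines).get(root_dev, ("?", "unknown"))
    if how != "xattr":
        return [f"# {root_dev} ({fstype}) is labeled via {how}, not xattr: relabeling will not stick"]
    return plan_relabel(find_static_dev_mislabels(parse_avc(lines), root_dev), mount_point)

# Constructed sample: lines copied from the first post's dmesg snippet.
SAMPLE_DMESG = """\
SELinux: initialized (dev sda5, type ext3), uses xattr
audit(1182137416.171:2): avc:  denied  { ioctl } for  pid=884 comm="default.hotplug" name="null" dev=sda5 ino=733068 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.203:3): avc:  denied  { read } for  pid=889 comm="env" name="urandom" dev=sda5 ino=732962 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.204:4): avc:  denied  { read } for  pid=884 comm="default.hotplug" name="default.hotplug" dev=sda5 ino=1356280 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sbin_t tclass=file
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
audit(1182137416.261:8): avc:  denied  { read write } for  pid=1 comm="init" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.275:9): avc:  denied  { ioctl } for  pid=1 comm="init" name="tty0" dev=sda5 ino=735467 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.279:11): avc:  denied  { write } for  pid=891 comm="hotplug" name="tty" dev=sda5 ino=734192 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.296:12): avc:  denied  { ioctl } for  pid=893 comm="default.hotplug" name="null" dev=sda5 ino=733068 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.034:15): avc:  denied  { search } for  pid=994 comm="consoletype" name="dev" dev=sda5 ino=732961 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=dir
audit(1182137417.716:23): avc:  denied  { write } for  pid=1042 comm="bash" name="null" dev=tmpfs ino=2106 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
"""

if __name__ == "__main__":
    for cmd in triage(SAMPLE_DMESG):
        print(cmd)
```

Run it against a real dmesg by passing the file contents to triage() with the device name of the root filesystem. The script never touches the filesystem itself; it prints a plan, and the nodes it cannot map (here /dev/tty) come out as comments so nothing gets relabeled to a type that was never confirmed with ls -Z.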
vaxbrat
l33t
Posts: 731
Joined: Wed Oct 05, 2005 3:59 am
Location: DC Burbs

more for the pot

Post by vaxbrat » Mon Jun 25, 2007 12:52 am

Can't seem to stay away from this thread for some reason :P

Here's a couple more things in the rawroot that need proper labeling:

Code:

# cd /mnt/rawroot2
# setfilecon system_u:object_r:device_t dev
# setfilecon system_u_object_r_security_t security
The label for security removes a mount denial warning when /selinux is mounted. Sort of a "chicken and egg" thing.
R. Bosch
Apprentice
Posts: 184
Joined: Mon Jun 07, 2004 7:30 am
Location: NL

Re: more for the pot

Post by R. Bosch » Tue Jun 26, 2007 10:57 am

vaxbrat wrote: Can't seem to stay away from this thread for some reason :P

Code:

# cd /mnt/rawroot2
# setfilecon system_u:object_r:device_t dev
# setfilecon system_u_object_r_security_t security
The label for security removes a mount denial warning when /selinux is mounted. Sort of a "chicken and egg" thing.
I'm not sure what you mean by the last line, nor by /mnt/rawroot2. For instance, I don't see the file /security.
Greetings / Met vriendelijke groet,

R. Bosch
vaxbrat
l33t
Posts: 731
Joined: Wed Oct 05, 2005 3:59 am
Location: DC Burbs

whoops

Post by vaxbrat » Tue Jun 26, 2007 11:37 pm

This:

Code:

# cd /mnt/rawroot2
# setfilecon system_u:object_r:device_t dev 
# setfilecon system_u_object_r_security_t security
Should be

Code:

# cd /mnt/rawroot
# setfilecon system_u:object_r:device_t dev 
# setfilecon system_u_object_r_security_t selinux
That's what I get for not directly cutting and pasting from the server I was working on. The /mnt/rawroot refers to the remount that I had done in an earlier part of the thread.
R. Bosch
Apprentice
Posts: 184
Joined: Mon Jun 07, 2004 7:30 am
Location: NL

Post by R. Bosch » Wed Jun 27, 2007 8:59 am

Thought of that, but failed:

Code:

setfilecon:  setfilecon(selinux,system_u_object_r_security_t) failed
Even if I run it from another installation of selinux (my second try).
It did accept the device type 8O
When listed in root the context looks like it should, but not when I take a look under /mnt/rawroot.
This is how it is listed atm:

Code:

drwxr-xr-x  root root system_u:object_r:device_t       selinux
I also tried unmounting /selinux in case there was a lock. Then tried to change, both of them (under / and /mnt/rawroot), to no effect :(
I don't understand what would block the change of context. Even in a new build, it won't accept.
Also passing on the context to mkdir doesn't help.

Code:

ReboliLaptop ~ # sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        strict
Thanks for sharing this thread :)
Greetings / Met vriendelijke groet,

R. Bosch
vaxbrat
l33t
Posts: 731
Joined: Wed Oct 05, 2005 3:59 am
Location: DC Burbs

device_t?

Post by vaxbrat » Thu Jun 28, 2007 3:49 am

So if you do

Code:

# cd /mnt/rawroot
# ls -Z | grep security
You see device_t and not file_t or security_t? That's bizarre. What type of filesystem is root (ext3 I hope)?

Also realize that I'm working with the unstable 2006.1 profile and the 20070329 security policy (refpolicy). I haven't looked at the "example" policy and the 2005.1? stable profile in a while but may set up an example at work sometime soon.

One thing that bit me on another server I was playing with is reiserfs. Even though I thought from the kernel filesystem options that it would include extended attribute support, it turned out not to work right for selinux labeling. After my first attempt at labeling, everything came up as nfs_t or something like that after a reboot. Then when I looked at the dmesg log, I noticed selinux mentioning that it was labeling using genfscontexts instead of xattrs. I'm going to have to move that server's root to somewhere else and convert to ext3 I guess.

If I recall, only ext3 and xfs had selinux xattr labeling support.
R. Bosch
Apprentice
Posts: 184
Joined: Mon Jun 07, 2004 7:30 am
Location: NL

Post by R. Bosch » Thu Jun 28, 2007 8:16 am

Yes, but the thing is; I can't repeat this. I removed /selinux and ran mkdir /selinux to see if it would make any difference, but the system still refuses to set the context correctly.

Code:

ReboliLaptop ~ # ls -lZ /
drwxr-xr-x  root root system_u:object_r:bin_t          bin
drwxr-xr-x  root root system_u:object_r:boot_t         boot
drwxr-xr-x  root root system_u:object_r:device_t       dev
drwxr-xr-x  root root system_u:object_r:etc_t          etc
drwxr-xr-x  root root system_u:object_r:home_root_t    home
drwxr-xr-x  root root system_u:object_r:lib_t          lib
drwx------  root root system_u:object_r:lost_found_t   lost+found
drwxr-xr-x  root root system_u:object_r:mnt_t          media
drwxr-xr-x  root root system_u:object_r:mnt_t          mnt
drwxr-xr-x  root root system_u:object_r:usr_t          opt
dr-xr-xr-x  root root system_u:object_r:proc_t         proc
drwx------  root root root:object_r:sysadm_home_dir_t  root
drwxr-xr-x  root root system_u:object_r:bin_t          sbin
drwxr-xr-x  root root user_u:object_r:root_t           selinux
drwxr-xr-x  root root system_u:object_r:sysfs_t        sys
drwxrwxrwt  root root system_u:object_r:tmp_t          tmp
drwxr-xr-x  root root system_u:object_r:usr_t          usr
drwxr-xr-x  root root system_u:object_r:var_t          var
Even tried making such directory in root's homedir:

Code:

ReboliLaptop ~ # mkdir -Z system_u_object_r_security_t selinux
Sorry, cannot set default context to system_u_object_r_security_t.

Code:

ReboliLaptop ~ # ls /etc/make.profile -ld
lrwxrwxrwx 1 root root 40 Jun 19 10:48 /etc/make.profile -> /usr/portage/profiles/selinux/x86/2006.1

software:
libselinux-1.34.0
libsemanage-1.10.0
libsepol-1.16.3
selinux-base-policy-20070329
checkpolicy-1.34.0
policycoreutils-1.34.1

ReboliLaptop ~ # sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        strict

ReboliLaptop ~ # mount  
/dev/hda2 on / type ext3 (rw,noatime)

Linux version 2.6.21-suspend2-r6 (root@ReboliLaptop) (gcc version 4.1.2 (Gentoo 4.1.2)) #2 Sun Jun 24 23:05:35 CEST 2007
What could prevent me from setting the context in permissive mode? :?
Greetings / Met vriendelijke groet,

R. Bosch
vaxbrat
l33t
Posts: 731
Joined: Wed Oct 05, 2005 3:59 am
Location: DC Burbs

role?

Post by vaxbrat » Fri Jun 29, 2007 5:19 am

What role are you in when you try to label? Even in permissive mode, I wonder if context labeling wants you to be a sysadm_t before doing its thing.

It's interesting that the security_t type may only be on the /selinux mount point and the security filesystem itself. I don't see a file labeling rule for security_t in /etc/selinux/strict/contexts/files/file_contexts. It must be hard coded somewhere.
R. Bosch
Apprentice
Posts: 184
Joined: Mon Jun 07, 2004 7:30 am
Location: NL

Post by R. Bosch » Sun Jul 22, 2007 11:50 am

Did not matter... root admin or root the user. Both incapable. A way around it is to compile the kernel with security labels but without selinux support. I use this kernel to install the base system before reboot.

Did any of this make it into any documentation yet?
Greetings / Met vriendelijke groet,

R. Bosch
seventhguardian
Apprentice
Posts: 261
Joined: Mon May 10, 2004 7:14 pm
Location: Portugal

Post by seventhguardian » Wed Aug 22, 2007 6:29 pm

R. Bosch wrote: Even tried making such directory in root's homedir:

Code:

ReboliLaptop ~ # mkdir -Z system_u_object_r_security_t selinux
Sorry, cannot set default context to system_u_object_r_security_t.
(...)

What could prevent me from setting the context in permissive mode? :?
You are repeating vaxbrat's type errors! lol.. note what you are using:

Code:

system_u_object_r_security_t
It should be:

Code:

system_u:object_r:security_t
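An added example, not code from the thread: a preflight check for context strings that catches exactly this mistake before setfilecon is ever called, which is cheaper than reading "setfilecon(selinux,system_u_object_r_security_t) failed" or "Sorry, cannot set default context" after the fact. validate_context splits a context into user:role:type[:range] and, for an all-underscore string that still follows the _u/_r/_t naming convention, suggests the colon-separated form; lint_script runs that check over every setfilecon or chcon line in a pasted snippet. Accepting an MLS/MCS range goes beyond the strict policy used in this thread and is there so the checker also works on MLS systems. The sample snippet is the corrected block from earlier in the thread with the typo left in; the function names and the FLAT_RE heuristic are this example's own.

```python
import re

# One identifier per field; refpolicy names use letters, digits, '_', '.', '-'.
_IDENT = r'[A-Za-z0-9_.-]+'
# Optional MLS/MCS level or range such as s0 or s0-s0:c0.c1023. The strict
# policy in this thread has none; accepted so the checker also works on MLS boxes.
_LEVEL = r's\d+(?::c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*)?'
CONTEXT_RE = re.compile(
    rf'^(?P<user>{_IDENT}):(?P<role>{_IDENT}):(?P<type>{_IDENT})'
    rf'(?::(?P<range>{_LEVEL}(?:-{_LEVEL})?))?$')
# The thread's mistake: fields glued with '_' but still carrying the _u/_r/_t
# suffixes, so the intended colon positions can be recovered for the hint
# (heuristic assumed here, not an SELinux rule).
FLAT_RE = re.compile(
    r'^(?P<user>[A-Za-z0-9.-]+_u)_(?P<role>[A-Za-z0-9.-]+_r)_(?P<type>[A-Za-z0-9_.-]+_t)$')

def validate_context(ctx):
    """Return (True, fields) or (False, reason) without touching the filesystem."""
    m = CONTEXT_RE.match(ctx)
    if m:
        return True, m.groupdict()
    flat = FLAT_RE.match(ctx)
    if flat:
        fixed = "{user}:{role}:{type}".format(**flat.groupdict())
        return False, f"fields joined with '_' instead of ':'; did you mean {fixed}?"
    return False, f"expected user:role:type[:range], got {ctx!r}"

# "setfilecon CONTEXT FILE..." and "chcon CONTEXT FILE..."; a leading '#'
# prompt (as in the thread's pasted sessions) is tolerated, and option-style
# forms such as "chcon -t type file" are skipped rather than misread.
CMD_RE = re.compile(r'^\s*(?:#\s*)?(?:setfilecon|chcon)\s+(?!-)(\S+)\s+\S')

def lint_script(text):
    """Check every setfilecon/chcon context in a snippet before it is run.
    Returns [(line_no, context, reason)] for the lines that would fail."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        m = CMD_RE.match(line)
        if m:
            ok, detail = validate_context(m.group(1))
            if not ok:
                problems.append((n, m.group(1), detail))
    return problems

# Constructed sample: the corrected snippet from earlier in the thread, typo kept.
SAMPLE_SCRIPT = """\
# cd /mnt/rawroot
# setfilecon system_u:object_r:device_t dev
# setfilecon system_u_object_r_security_t selinux
"""

if __name__ == "__main__":
    for n, ctx, why in lint_script(SAMPLE_SCRIPT):
        print(f"line {n}: {ctx}: {why}")
```

A syntactically valid context can still be rejected by the kernel if the type does not exist in the loaded policy, so this check only rules out the malformed-string case; whether security_t may be applied to /selinux at all is a policy question the validator does not answer.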