Hi Nick,

Thanks for the report, but would you be so kind as to open up bug reports for each of the issues at https://bugs.gentoo.org/?

--Tony

On 07/23/2011 04:46 PM, Nick Kossifidis wrote:
> Hello all and thanks a lot for your work on hardened gentoo ;-)
>
> Last time I tried setting up a default hardened gentoo + SElinux setup
> was in 2009 so I gave it a shot again a few weeks ago and it seems
> there are still some bugs that result in denials in avc logs etc (sorry
> for the long mail :-( ):
>
> 1) For a start, check out /lib/rc/sh/init.sh: in svcdir_restorecon() it
> tries to run /usr/sbin/selinuxenabled but in case /usr is on a
> different partition it won't work (and rc_svcdir will remain
> mis-labeled, resulting in extra avc denials) because it gets called
> before mount. It seems weird that packages like
> sys-apps/policycoreutils, sys-libs/libselinux etc are located under
> /usr, after all they are linked with libraries under /lib not /usr/lib
> and are system tools, not user-related. In my case I solved this one
> by just checking if /sbin/restorecon exists (it's what udev-mount also
> does), I don't know if it's the correct solution but it works so far.
>
> 2) In order for restorecon to relabel rc_svcdir the following rule is needed:
> allow setfiles_t initrc_t:dir relabelto;
> or else I get this:
> avc: denied { relabelto } for pid=979 comm="restorecon" name="/" dev=tmpfs ino=2054 scontext=system_u:system_r:setfiles_t tcontext=system_u:object_r:initrc_t tclass=dir
>
> 3) Even with the correct labels I still got denials for rc operations
> on rc_svcdir:
> can't mount tmpfs under rc_svcdir...
> avc: denied { associate } for pid=979 comm="restorecon" name="/" dev=tmpfs ino=2054 scontext=system_u:object_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
> avc: denied { associate } for pid=13300 comm="rc" name="krunlevel" scontext=system_u:object_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
>
> and various other operations under rc_svcdir (removed duplicates)...
> avc: denied { write } for pid=980 comm="cp" name="/" dev=tmpfs ino=2054 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=dir
> avc: denied { add_name } for pid=980 comm="cp" name="depconfig" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=dir
> avc: denied { create } for pid=980 comm="cp" name="depconfig" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=file
> avc: denied { setattr } for pid=980 comm="cp" name="depconfig" dev=tmpfs ino=2066 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=file
> avc: denied { create } for pid=960 comm="rc" name="starting" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=dir
> avc: denied { remove_name } for pid=960 comm="rc" name="rc.stopping" dev=tmpfs ino=42 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=dir
> avc: denied { unlink } for pid=2129 comm="rc" name="local" dev=tmpfs ino=4514 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=file
> avc: denied { rmdir } for pid=1935 comm="rc" name="rc.starting" dev=tmpfs ino=3842 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=dir
> avc: denied { unlink } for pid=13455 comm="rc" name="local" dev=tmpfs ino=4077 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=lnk_file
>
> the following rules should fix that:
> allow initrc_t tmpfs_t:filesystem associate;
> allow initrc_t self:dir { write remove_name create add_name rmdir };
> allow initrc_t self:file { create unlink setattr };
> allow initrc_t self:lnk_file { create unlink };
>
> 4) More rc stuff under /tmp /var/lib /var/log /var/run...
> avc: denied { setattr } for pid=1538 comm="chmod" name="/" dev=sda5 ino=2 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmp_t tclass=dir
> avc: denied { create } for pid=1550 comm="mkdir" name=".test.1403" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_log_t tclass=dir
> avc: denied { rmdir } for pid=1551 comm="rmdir" name=".test.1403" dev=sda6 ino=210166 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_log_t tclass=dir
> avc: denied { add_name } for pid=1556 comm="runscript.sh" name="unicode" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir
> avc: denied { create } for pid=1556 comm="runscript.sh" name="unicode" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file
> avc: denied { write } for pid=1556 comm="runscript.sh" name="unicode" dev=sda2 ino=80888 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file
> avc: denied { write } for pid=1424 comm="rm" name="console" dev=sda2 ino=80915 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir
> avc: denied { remove_name } for pid=1424 comm="rm" name="default8x16.psfu.gz" dev=sda2 ino=80899 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir
> avc: denied { unlink } for pid=1424 comm="rm" name="default8x16.psfu.gz" dev=sda2 ino=80899 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file
> avc: denied { create } for pid=1425 comm="mkdir" name=".test.1418" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_run_t tclass=dir
> avc: denied { unlink } for pid=1534 comm="rm" name="syslog-ng.ctl" dev=sda6 ino=80809 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:devlog_t tclass=sock_file
>
> the following rules should be ok:
> allow initrc_t tmp_t:dir setattr;
> allow initrc_t lib_t:dir { write remove_name add_name };
> allow initrc_t lib_t:file { write create unlink };
> allow initrc_t var_log_t:dir { create rmdir };
> allow initrc_t var_run_t:dir create;
> allow initrc_t devlog_t:sock_file unlink;
>
> 5) Fuser-related (run by bootmisc and rc-mount.sh), I don't know why
> this runs under initrc_t but getattr is not a big deal I guess, I'm
> not sure however about the execmod:
> avc: denied { execmod } for pid=1433 comm="fuser" path="/bin/fuser" dev=sda2 ino=185930 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:bin_t tclass=file
> avc: denied { getattr } for pid=1492 comm="fuser" path="socket:[2273]" dev=sockfs ino=2273 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t tclass=unix_stream_socket
> avc: denied { getattr } for pid=1493 comm="fuser" path="socket:[2274]" dev=sockfs ino=2274 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t tclass=netlink_kobject_uevent_socket
> avc: denied { getattr } for pid=1526 comm="fuser" path="/sys/kernel/debug" dev=debugfs ino=1 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:debugfs_t tclass=dir
>
> the following rules hide this but I'm not sure if it's the correct
> approach, maybe we should modify bootmisc/rc-mount.sh:
> allow initrc_t bin_t:file execmod;
> allow initrc_t debugfs_t:dir getattr;
> allow initrc_t udev_t:netlink_kobject_uevent_socket getattr;
> allow initrc_t udev_t:unix_stream_socket getattr;
>
> 6) Udhcp-related (run by udhcpc-hook.sh and net), again I'm not sure
> what's the right thing to do here, I think the dhcp client shouldn't run
> under initrc_t:
> avc: denied { create } for pid=1844 comm="busybox" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
> avc: denied { ioctl } for pid=1844 comm="busybox" path="socket:[33897]" dev=sockfs ino=33897 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
> avc: denied { name_bind } for pid=1844 comm="busybox" src=68 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:dhcpc_port_t tclass=udp_socket
> avc: denied { node_bind } for pid=1844 comm="busybox" src=68 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:node_t tclass=udp_socket
>
> the following rules clean it up:
> allow initrc_t self:rawip_socket { create ioctl };
> allow initrc_t dhcpc_port_t:udp_socket name_bind;
> allow initrc_t node_t:udp_socket node_bind;
>
> switching to dhclient instead results in these denials:
> avc: denied { name_bind } for pid=1825 comm="dhclient" src=65059 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:port_t tclass=udp_socket
> avc: denied { read write } for pid=1827 comm="ifconfig" path="socket:[3855]" dev=sockfs ino=3855 scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:dhcpc_t tclass=udp_socket
> avc: denied { read write } for pid=1845 comm="hostname" path="socket:[3767]" dev=sockfs ino=3767 scontext=system_u:system_r:hostname_t tcontext=system_u:system_r:dhcpc_t tclass=udp_socket
>
> this runs under dhcpc_t so the first one seems ok and ifconfig /
> hostname are meant to tweak network settings (instead of initrc_t) so
> I stayed with dhclient and here are the rules to hide the above and
> get a working dhcp:
> allow dhcpc_t port_t:udp_socket name_bind;
> allow ifconfig_t dhcpc_t:udp_socket { read write };
> allow hostname_t dhcpc_t:udp_socket { read write };
>
> 7) Udev-related
> avc: denied { read } for pid=1056 comm="udevd" name="30" dev=tmpfs ino=2727 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file
> avc: denied { unlink } for pid=1309 comm="udevd" name="30" dev=tmpfs ino=2727 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file
> avc: denied { open } for pid=1309 comm="udevd" name="root" dev=tmpfs ino=2707 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { relabelto } for pid=1055 comm="udevd" name=".udev" dev=tmpfs ino=2077 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { search } for pid=1055 comm="udevd" name=".udev" dev=tmpfs ino=2077 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { write } for pid=1055 comm="udevd" name=".udev" dev=tmpfs ino=2077 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { add_name } for pid=1055 comm="udevd" name="queue.tmp" scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { remove_name } for pid=1055 comm="udevd" name="queue.tmp" dev=tmpfs ino=2231 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { getattr } for pid=1056 comm="udevd" path="/dev/.udev" dev=tmpfs ino=2077 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { create } for pid=1056 comm="udevd" name="data" scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { read } for pid=1089 comm="udevadm" name=".udev" dev=tmpfs ino=158 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
> avc: denied { create } for pid=1103 comm="udevd" name="4" scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file
>
> these seem ok since they are marked as udev_tbl_t so these rules should be ok:
> allow udev_t udev_tbl_t:dir { search read create write getattr relabelto remove_name open add_name };
> allow udev_t udev_tbl_t:lnk_file { read create unlink };
>
> 8) Cron-related, these come from logrotate.cron and makewhatis
> avc: denied { read } for pid=7385 comm="syslog-ng" path="pipe:[21161]" dev=pipefs ino=21161 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:crond_t tclass=fifo_file
> avc: denied { use } for pid=7385 comm="syslog-ng" path="/dev/null" dev=tmpfs ino=154 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:logrotate_t tclass=fd
> avc: denied { create } for pid=11730 comm="mkdir" name="whatis.tmp.dir.11727" scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:tmp_t tclass=dir
> avc: denied { rmdir } for pid=11778 comm="rm" name="whatis.tmp.dir.11727" dev=sda5 ino=7825 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:tmp_t tclass=dir
>
> makewhatis looks ok since it works on tmp_t and it seems ok I think
> for syslogd_t to have read access to cron's fifo_file but I'm not sure
> about the logrotate_t file descriptor, anyway here are the rules for this:
> allow system_cronjob_t tmp_t:dir { create rmdir };
> allow syslogd_t crond_t:fifo_file read;
> allow syslogd_t logrotate_t:fd use;
>
> 9) Sendmail-related, these come from sendmail when trying to put mail
> in the user's home folder
> avc: denied { append } for pid=5240 comm="sendmail" name="dead.letter" dev=sda2 ino=161795 scontext=system_u:system_r:system_mail_t tcontext=root:object_r:user_home_t tclass=file
> avc: denied { open } for pid=5240 comm="sendmail" name="dead.letter" dev=sda2 ino=161795 scontext=system_u:system_r:system_mail_t tcontext=root:object_r:user_home_t tclass=file
> avc: denied { getattr } for pid=5240 comm="sendmail" path="/root/dead.letter" dev=sda2 ino=161795 scontext=system_u:system_r:system_mail_t tcontext=root:object_r:user_home_t tclass=file
>
> I think open, getattr and append are ok (no create/write) so this
> rule should do it:
> allow system_mail_t user_home_t:file { getattr open append };
>
> 10) Apache2 tries to open a tcp port to communicate with the client
> and this is what happens:
> avc: denied { name_connect } for pid=5279 comm="apache2" dest=18083 ipaddr=x.x.x.x scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
>
> the following should be ok:
> allow httpd_t port_t:tcp_socket name_connect;
>
> 11) Finally I get denials similar to this one from syslog:
> avc: denied { syslog } for pid=1948 comm="syslog-ng" capability=34 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability2
>
> and this rule should fix them:
> allow syslogd_t self:capability2 syslog;
>
> but I get an error when I try to load it using semodule -i...
>
> I also got a few more denials related to su and newrole and I'm trying
> to figure out if it's my mistake or bad policies, I'll let you know.
>
> Again thanks a lot for your work and if there is anything I can do to
> help let me know ;-)

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : bluen...@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID  : D0455535
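Worked example, added here and not part of either message or of Gentoo's tooling: the mapping from AVC denial to allow rule that Nick did by hand above (and that audit2allow automates), aggregating permissions per source type, target type and object class, writing `self` when both types match, and marking permissions such as execmod that a denial alone does not justify. The sample lines are denials copied from the quoted message; `AVC_RE`, `REVIEW_PERMS`, `parse_avc` and `denials_to_rules` are names chosen for this example.

```python
import re
from collections import defaultdict

# Kernel AVC denial line as seen in dmesg / audit.log; only these fields feed the rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
REVIEW_PERMS = {"execmod"}  # a denial alone does not justify these; Nick hesitated over execmod too

def parse_avc(line):
    """Return (source_type, target_type, tclass, [perms]) or None if not an AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type[:level]; allow rules name only the type field.
    src_type, tgt_type = (m.group(g).split(":")[2] for g in ("scontext", "tcontext"))
    return src_type, tgt_type, m.group("tclass"), m.group("perms").split()

def denials_to_rules(lines):
    """Aggregate denials per (source, target, class) into one allow rule each."""
    grouped = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, tclass, perms = parsed
        if src == tgt:  # same type on both sides is written as 'self', as in the rules above
            tgt = "self"
        grouped[(src, tgt, tclass)].update(perms)
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rule = f"allow {src} {tgt}:{tclass} {perm_str};"
        if perms & REVIEW_PERMS:
            rule += "  # review before loading"
        rules.append(rule)
    return rules

# Sample input: denials copied from the message above, each rejoined onto one line.
SAMPLE_DENIALS = [
    'avc: denied { write } for pid=980 comm="cp" name="/" dev=tmpfs ino=2054 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=dir',
    'avc: denied { add_name } for pid=980 comm="cp" name="depconfig" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=dir',
    'avc: denied { read write } for pid=1827 comm="ifconfig" path="socket:[3855]" dev=sockfs ino=3855 scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:dhcpc_t tclass=udp_socket',
    'avc: denied { execmod } for pid=1433 comm="fuser" path="/bin/fuser" dev=sda2 ino=185930 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:bin_t tclass=file',
    'avc: denied { syslog } for pid=1948 comm="syslog-ng" capability=34 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability2',
]
```

The marked execmod rule is the point Nick raises under 5): a rule that only silences a denial is not necessarily the right policy, and changing the script that triggers it may be the better fix.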