Hi,

I tried it on an armsr virtual machine today and got a few errors. I set the selinux mode to permissive to just watch the audit log. This was the first bootup after sysupgrade; the error on moving sysupgrade.tgz is gone on further startups:

Sun Jan 12 17:58:25 2025 user.info kernel: init: - preinit -
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400 audit(1736704697.530:3): avc:  denied  { search } for  pid=910 comm="board_detect" name="class" dev="sysfs" ino=10 scontext=sys.id:sys.role:boarddetect.subj tcontext=sys.id:sys.role:class.sysfile tclass=dir permissive=1
Sun Jan 12 17:58:25 2025 kern.info kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Sun Jan 12 17:58:25 2025 kern.info kernel: loop0: detected capacity change from 0 to 110592
Sun Jan 12 17:58:25 2025 kern.info kernel: loop0: detected capacity change from 110592 to 94336
Sun Jan 12 17:58:25 2025 user.info kernel: mount_root: overlay filesystem in /dev/loop0 has not been formatted yet
Sun Jan 12 17:58:25 2025 kern.info kernel: EXT4-fs (loop0): mounted filesystem c2e4255e-3024-4256-995d-5c341856b279 r/w with ordered data mode. Quota mode: disabled.
Sun Jan 12 17:58:25 2025 user.info kernel: mount_root: overlay filesystem has not been fully initialized yet
Sun Jan 12 17:58:25 2025 user.info kernel: mount_root: switching to ext4 overlay
Sun Jan 12 17:58:25 2025 kern.warn kernel: overlayfs: null uuid detected in lower fs '/', falling back to xino=off,index=off,nfs_export=off.
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400 audit(1736704702.290:4): avc:  denied  { associate } for  pid=1010 comm="mv" name="sysupgrade.tgz" scontext=sys.id:sys.role:dos.fs tcontext=sys.id:sys.role:xattr.fs tclass=filesystem permissive=1
Sun Jan 12 17:58:25 2025 user.warn kernel: urandom-seed: Seed file not found (/etc/urandom.seed)
Sun Jan 12 17:58:25 2025 user.info kernel: procd: - early -
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400 audit(1736704702.590:5): avc:  denied  { write } for  pid=1166 comm="mkdir" name="/" dev="tmpfs" ino=1 scontext=sys.id:sys.role:hotplug.call.subj tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400 audit(1736704702.590:6): avc:  denied  { add_name } for  pid=1166 comm="mkdir" name="virtio-ports" scontext=sys.id:sys.role:hotplug.call.subj tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400 audit(1736704702.590:7): avc:  denied  { create } for  pid=1166 comm="mkdir" name="virtio-ports" scontext=sys.id:sys.role:hotplug.call.subj tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400 audit(1736704702.590:8): avc:  denied  { create } for  pid=1167 comm="ln" name="org.qemu.guest_agent.0" scontext=sys.id:sys.role:hotplug.call.subj tcontext=sys.id:sys.role:tmp.fs tclass=lnk_file permissive=1
Sun Jan 12 17:58:25 2025 user.info kernel: procd: - ubus -
Sun Jan 12 17:58:25 2025 user.info kernel: procd: - init -

[....]

I think the last errors are from qemu-guest-agent; this is expected.

But on login:

Sun Jan 12 18:01:29 2025 kern.notice kernel: audit: type=1400 audit(1736704889.290:69): avc:  denied  { read write } for pid=3384 comm="uci" path="/dev/ttyAMA0" dev="tmpfs" ino=81 scontext=sys.id:sys.role:uci.subj tcontext=sys.id:sys.role:tmp.fs tclass=chr_file permissive=1

Maybe you can have a look and fix a few rules.

Regards,
Stefan Hellermann

Am 12.01.25 um 15:23 schrieb Dominick Grift:
Rebased onto dssp5-base. Baseline is:
ss, tc, stubby, irqbalance, usbutils, ethtool, tcpdump, mtr,
bmon, zram-swap, parted, e2fsprogs, gdisk, block-mount,
kmod-fs-ext4, kmod-fs-f2fs, kmod-usb-storage, f2fs-tools-selinux,
kmod-usb-storage-uas, kmod-usb3, wireguard-tools,
openssh-sftp-server, luci-light, resolveip, blockd

Run-tested: ilogic-openwrt_one, ipq40xx-generic-linksys_mr8300

Signed-off-by: Dominick Grift <dominick.gr...@defensec.nl>
---
  package/system/selinux-policy/Makefile | 12 ++++++++----
  1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/package/system/selinux-policy/Makefile 
b/package/system/selinux-policy/Makefile
index 2834e94cc5..7d5176e043 100644
--- a/package/system/selinux-policy/Makefile
+++ b/package/system/selinux-policy/Makefile
@@ -8,8 +8,8 @@ include $(TOPDIR)/rules.mk
  PKG_NAME:=selinux-policy
  PKG_SOURCE_PROTO:=git
  PKG_SOURCE_URL:=https://git.defensec.nl/selinux-policy.git
-PKG_VERSION:=1.2.5
-PKG_MIRROR_HASH:=0b485aefed7ecc1ba3c5f5843cb3b10e9d7c55c09b361cd56933081c0dbdc223
+PKG_VERSION:=2.0
+PKG_MIRROR_HASH:=f0da2933bac4df6e147d419fe98528faf6f6d141502924a3551155ef0c896eb5
  PKG_SOURCE_VERSION:=v$(PKG_VERSION)
  PKG_BUILD_DEPENDS:=secilc/host policycoreutils/host
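Review bot: The commit message should state what policy 2.0 changes relative to 1.2.5 beyond "Rebased onto dssp5-base": a major version bump of the SELinux policy changes which domains and file types exist, and the run-test on two boards (ilogic-openwrt_one, ipq40xx-generic-linksys_mr8300) does not cover other targets, as the armsr denials for board_detect, hotplug.call and uci reported in the reply above show. Since PKG_SOURCE_VERSION is derived as v$(PKG_VERSION), please also confirm that the new PKG_MIRROR_HASH was computed from the tarball for the v2.0 tag and not from a working-tree snapshot.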
@@ -44,10 +44,14 @@ endef
  define Package/selinux-policy/install
        $(INSTALL_DIR) $(1)/etc/selinux/$(PKG_NAME)/contexts/files/
        $(INSTALL_DIR) $(1)/etc/selinux/$(PKG_NAME)/policy/
+       $(INSTALL_CONF) $(PKG_BUILD_DIR)/policy.* 
$(1)/etc/selinux/$(PKG_NAME)/policy/
        $(INSTALL_DATA) $(PKG_BUILD_DIR)/customizable_types 
$(1)/etc/selinux/$(PKG_NAME)/contexts/
-       $(INSTALL_DATA) $(PKG_BUILD_DIR)/file_contexts.subs_dist 
$(1)/etc/selinux/$(PKG_NAME)/contexts/files/
+       $(INSTALL_DATA) $(PKG_BUILD_DIR)/default_contexts 
$(1)/etc/selinux/$(PKG_NAME)/contexts/
+       $(INSTALL_DATA) $(PKG_BUILD_DIR)/default_type 
$(1)/etc/selinux/$(PKG_NAME)/contexts/
+       $(INSTALL_DATA) $(PKG_BUILD_DIR)/failsafe_context 
$(1)/etc/selinux/$(PKG_NAME)/contexts/
        $(INSTALL_DATA) $(PKG_BUILD_DIR)/file_contexts 
$(1)/etc/selinux/$(PKG_NAME)/contexts/files/
-       $(INSTALL_CONF) $(PKG_BUILD_DIR)/policy.* 
$(1)/etc/selinux/$(PKG_NAME)/policy/
+       $(INSTALL_DATA) $(PKG_BUILD_DIR)/file_contexts.subs_dist 
$(1)/etc/selinux/$(PKG_NAME)/contexts/files/
+       $(INSTALL_DATA) $(PKG_BUILD_DIR)/seusers $(1)/etc/selinux/$(PKG_NAME)/
        $(INSTALL_DATA) ./files/selinux-config $(1)/etc/selinux/config
  endef
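Review bot: The four newly installed files (default_contexts, default_type, failsafe_context and seusers) must be present in $(PKG_BUILD_DIR) on every build or the install recipe aborts, and nothing in this hunk shows where they come from; the commit message should say that policy 2.0 ships them (PKG_BUILD_DEPENDS is unchanged, so they are not generated here). Separately, the `$(INSTALL_CONF) $(PKG_BUILD_DIR)/policy.*` and `$(INSTALL_DATA) $(PKG_BUILD_DIR)/file_contexts.subs_dist` lines are only moved, not changed, which doubles the hunk for no functional gain; keeping them in their original positions would leave a hunk that shows just the four added install lines and is easier to review.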

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel