Hi! Thank you for your really fast changes!

With your last commit f86def7e there are 3 new errors for /dev/urandom:

[...]
[    1.749370] init: - preinit -
[    2.437887] audit: type=1400 audit(1736810585.360:3): avc: denied  { getattr } for  pid=886 comm="jshn" path="/dev/urandom" dev="tmpfs" ino=31 scontext=sys.id:sys.role:jshn.subj tcontext=sys.id:sys.role:random.nodedev tclass=chr_file permissive=1
[    2.438371] audit: type=1400 audit(1736810585.360:4): avc: denied  { read } for  pid=886 comm="jshn" name="urandom" dev="tmpfs" ino=31 scontext=sys.id:sys.role:jshn.subj tcontext=sys.id:sys.role:random.nodedev tclass=chr_file permissive=1
[    2.439138] audit: type=1400 audit(1736810585.360:5): avc: denied  { open } for  pid=886 comm="jshn" path="/dev/urandom" dev="tmpfs" ino=31 scontext=sys.id:sys.role:jshn.subj tcontext=sys.id:sys.role:random.nodedev tclass=chr_file permissive=1
[    4.994969] random: crng init done
[...]

And I cannot login on ttyAMA0:

Please press Enter to activate this console.

login: can't get SID for root


Login with ssh is ok. There is already a bug report for this, it's working fine without selinux:
https://github.com/openwrt/openwrt/issues/17038


After sysupgrade the "sysupgrade.tgz" error remains the same:

[   12.155085] audit: type=1400 audit(1736811933.100:6): avc: denied  { associate } for  pid=1006 comm="mv" name="sysupgrade.tgz" scontext=sys.id:sys.role:dos.fs tcontext=sys.id:sys.role:xattr.fs tclass=filesystem permissive=1


And while doing sysupgrade from a local file in /tmp I get a bunch more (no luci here, just scp file to /tmp and start sysupgrade from ssh):

[   74.345700] audit: type=1400 audit(1736811834.460:6): avc: denied  { read write } for  pid=2854 comm="fwtool" name="openwrt-armsr-armv8-generic-squashfs-combined.img.gz" dev="tmpfs" ino=93 scontext=sys.id:sys.role:fwtool.subj tcontext=sys.id:sys.role:ssh.server.hostkey.file tclass=file permissive=1
[   74.347589] audit: type=1400 audit(1736811834.460:7): avc: denied  { open } for  pid=2854 comm="fwtool" path="/tmp/openwrt-armsr-armv8-generic-squashfs-combined.img.gz" dev="tmpfs" ino=93 scontext=sys.id:sys.role:fwtool.subj tcontext=sys.id:sys.role:ssh.server.hostkey.file tclass=file permissive=1
[   74.349106] audit: type=1400 audit(1736811834.460:8): avc: denied  { ioctl } for  pid=2854 comm="fwtool" path="/tmp/openwrt-armsr-armv8-generic-squashfs-combined.img.gz" dev="tmpfs" ino=93 ioctlcmd=0x5413 scontext=sys.id:sys.role:fwtool.subj tcontext=sys.id:sys.role:ssh.server.hostkey.file tclass=file permissive=1
[   74.770422] audit: type=1400 audit(1736811834.890:9): avc: denied  { read } for  pid=2864 comm="cat" name="cmdline" dev="proc" ino=4026531972 scontext=sys.id:sys.role:validatefirmwareimage.subj tcontext=sys.id:sys.role:cmdline.procfile tclass=file permissive=1
[   74.771728] audit: type=1400 audit(1736811834.890:10): avc: denied  { open } for  pid=2864 comm="cat" path="/proc/cmdline" dev="proc" ino=4026531972 scontext=sys.id:sys.role:validatefirmwareimage.subj tcontext=sys.id:sys.role:cmdline.procfile tclass=file permissive=1
[   74.800695] audit: type=1400 audit(1736811834.920:11): avc: denied  { read } for  pid=2865 comm="find" name="/" dev="tmpfs" ino=1 scontext=sys.id:sys.role:validatefirmwareimage.subj tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
[   74.801449] audit: type=1400 audit(1736811834.920:12): avc: denied  { open } for  pid=2865 comm="find" path="/dev" dev="tmpfs" ino=1 scontext=sys.id:sys.role:validatefirmwareimage.subj tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
[   74.807108] audit: type=1400 audit(1736811834.930:13): avc: denied  { getattr } for  pid=2865 comm="find" path="/dev/pts" dev="devpts" ino=1 scontext=sys.id:sys.role:validatefirmwareimage.subj tcontext=sys.id:sys.role:devpts.fs tclass=dir permissive=1
[   74.807988] audit: type=1400 audit(1736811834.930:14): avc: denied  { read } for  pid=2865 comm="find" name="/" dev="devpts" ino=1 scontext=sys.id:sys.role:validatefirmwareimage.subj tcontext=sys.id:sys.role:devpts.fs tclass=dir permissive=1
[   74.808726] audit: type=1400 audit(1736811834.930:15): avc: denied  { open } for  pid=2865 comm="find" path="/dev/pts" dev="devpts" ino=1 scontext=sys.id:sys.role:validatefirmwareimage.subj tcontext=sys.id:sys.role:devpts.fs tclass=dir permissive=1
[   80.140951] kauditd_printk_skb: 35 callbacks suppressed
[   80.140985] audit: type=1400 audit(1736811840.260:51): avc: denied  { remove_name } for  pid=3459 comm="rm" name="image.bs" dev="tmpfs" ino=96 scontext=sys.id:sys.role:validatefirmwareimage.subj tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
[   80.141666] audit: type=1400 audit(1736811840.260:52): avc: denied  { unlink } for  pid=3459 comm="rm" name="image.bs" dev="tmpfs" ino=96 scontext=sys.id:sys.role:validatefirmwareimage.subj tcontext=sys.id:sys.role:tmp.fs tclass=file permissive=1
[   87.255570] audit: type=1400 audit(1736811847.370:53): avc: denied  { getattr } for  pid=3955 comm="find" path="/dev/hwrng" dev="tmpfs" ino=14 scontext=sys.id:sys.role:validatefirmwareimage.subj tcontext=sys.id:sys.role:hwrng.nodedev tclass=chr_file permissive=1

This is all done on a fresh openwrt checkout, I added your selinux updates and built the image with this config:

CONFIG_TARGET_armsr=y
CONFIG_TARGET_armsr_armv8=y
CONFIG_TARGET_armsr_armv8_DEVICE_generic=y
CONFIG_PACKAGE_qemu-ga=y
CONFIG_SELINUX=y

I can send you the compressed image file, if you want to try it yourself with qemu/virt-manager.

Regards,
Stefan Hellermann

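As an added example (not from this thread or from the selinux-policy project), a small Python triage helper for AVC denials in the kernel log format quoted above: it parses each event, groups denials by source context, target context and class the way a policy author does before deciding on a rule, and flags events like the fwtool one where the target label does not fit the path (the rule "paths under /tmp/ should carry a tmp.* label" is an assumption made for the example):

```python
import re
from collections import defaultdict

# Kernel audit AVC denial format as it appears in this thread: permissions sit in
# braces after "denied"; everything after "for" is key=value pairs, values may be quoted.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: four events copied from the logs above plus one non-AVC line.
SAMPLE = [
    '[    2.437887] audit: type=1400 audit(1736810585.360:3): avc: denied  { getattr } for  pid=886 comm="jshn" path="/dev/urandom" dev="tmpfs" ino=31 scontext=sys.id:sys.role:jshn.subj tcontext=sys.id:sys.role:random.nodedev tclass=chr_file permissive=1',
    '[    2.438371] audit: type=1400 audit(1736810585.360:4): avc: denied  { read } for  pid=886 comm="jshn" name="urandom" dev="tmpfs" ino=31 scontext=sys.id:sys.role:jshn.subj tcontext=sys.id:sys.role:random.nodedev tclass=chr_file permissive=1',
    '[    2.439138] audit: type=1400 audit(1736810585.360:5): avc: denied  { open } for  pid=886 comm="jshn" path="/dev/urandom" dev="tmpfs" ino=31 scontext=sys.id:sys.role:jshn.subj tcontext=sys.id:sys.role:random.nodedev tclass=chr_file permissive=1',
    '[   74.347589] audit: type=1400 audit(1736811834.460:7): avc: denied  { open } for  pid=2854 comm="fwtool" path="/tmp/openwrt-armsr-armv8-generic-squashfs-combined.img.gz" dev="tmpfs" ino=93 scontext=sys.id:sys.role:fwtool.subj tcontext=sys.id:sys.role:ssh.server.hostkey.file tclass=file permissive=1',
    '[    4.994969] random: crng init done',
]

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    ev = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    ev['perms'] = set(m.group('perms').split())
    return ev

def summarize(lines):
    """Group denials by (scontext, tcontext, tclass) and union their permissions."""
    groups = defaultdict(set)
    for ev in filter(None, map(parse_avc, lines)):
        groups[(ev['scontext'], ev['tcontext'], ev['tclass'])] |= ev['perms']
    return dict(groups)

def suspicious_labels(lines, expected):
    """Flag denials whose target label does not fit the path (e.g. a firmware image
    under /tmp carrying an SSH host key label): those point to a labelling problem,
    not a missing rule. `expected` maps a path prefix to a fragment the label should contain."""
    hits = []
    for ev in filter(None, map(parse_avc, lines)):
        path = ev.get('path', '')
        for prefix, frag in expected.items():
            if path.startswith(prefix) and frag not in ev['tcontext']:
                hits.append((ev['comm'], path, ev['tcontext']))
    return hits

if __name__ == '__main__':
    for (s, t, c), perms in summarize(SAMPLE).items():
        print(f'{s} -> {t} ({c}): {sorted(perms)}')
    for comm, path, tcontext in suspicious_labels(SAMPLE, {'/tmp/': 'tmp.'}):
        print(f'check label: {comm} touched {path} labelled {tcontext}')
```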

On 13.01.25 at 18:52, Dominick Grift wrote:
Dominick Grift <dominick.gr...@defensec.nl> writes:

Dominick Grift <dominick.gr...@defensec.nl> writes:

Hi, Thank you for feedback. Comments inline below:

Stefan Hellermann <ste...@the2masters.de> writes:

<snip>

audit(1736704702.290:4): avc:  denied  { associate } for  pid=1010
comm="mv" name="sysupgrade.tgz" scontext=sys.id:sys.role:dos.fs
tcontext=sys.id:sys.role:xattr.fs tclass=filesystem permissive=1
This is caused by mv'ing the file from a fat filesystem (fat does not
support extended attributes) to an extended attribute file system. When
you mv a file you also mv its associated context with it.

This should not be allowed. Instead you should use cp. mv does not make
much sense anyway cross filesystem.

This bothered me so I would like to explain why I object to this.

mv and cp are more complicated than some think. I see this all the time
where people for example use `cp -a` without realizing the consequences.

But regardless of this, coreutils has extensive support for SELinux and
`mv -Z` would have addressed the above challenge. The issue is that
busybox' `mv` does not support -Z and so eventually I will have to draw
the line somewhere anyway. This seems like a good place to start.

Sun Jan 12 17:58:25 2025 user.warn kernel: urandom-seed: Seed file not
found (/etc/urandom.seed)
Sun Jan 12 17:58:25 2025 user.info kernel: procd: - early -
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400
audit(1736704702.590:5): avc:  denied  { write } for  pid=1166
comm="mkdir" name="/" dev="tmpfs" ino=1
scontext=sys.id:sys.role:hotplug.call.subj
tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400
audit(1736704702.590:6): avc:  denied  { add_name } for  pid=1166
comm="mkdir" name="virtio-ports"
scontext=sys.id:sys.role:hotplug.call.subj
tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400
audit(1736704702.590:7): avc:  denied  { create } for  pid=1166
comm="mkdir" name="virtio-ports"
scontext=sys.id:sys.role:hotplug.call.subj
tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400
audit(1736704702.590:8): avc:  denied  { create } for  pid=1167
comm="ln" name="org.qemu.guest_agent.0"
scontext=sys.id:sys.role:hotplug.call.subj
tcontext=sys.id:sys.role:tmp.fs tclass=lnk_file permissive=1
Sun Jan 12 17:58:25 2025 user.info kernel: procd: - ubus -
Sun Jan 12 17:58:25 2025 user.info kernel: procd: - init -
I added support for this. We'll see where this leads. I might end up
reverting it later.

https://git.defensec.nl/?p=selinux-policy.git;a=commitdiff;h=32c0cc897f679b6d2b204bc2935d9de3b7006944

This seems like an 'exotic hotplug script'. I have an accommodation for
this. See if this comment helps:
https://git.defensec.nl/?p=selinux-policy.git;a=blob;f=src/agent/sysagent/hotplugsysagent.cil;h=3987b8540ae537d174a74cceb2c89ce26ef3c813;hb=HEAD#l115
We'll have to see how this will work out practically. I am open to
suggestions for alternative approaches but this seems like a fair
approach.

There are also challenges here. For example in the above event, the
script is trying to create a dir and symlink in /dev. In OpenWrt there
is no (easy) way to make a distinction between devtmpfs and a common
tmpfs. If I were to allow this then that would later potentially
present challenges when another script wants to create a dir or symlink in /tmp.

Again, eventually I would have to draw the line somewhere as to what
should be allowed by default and what is to be considered exotic. This
looks like a good place.

Just trying to explain some of the rationale because I am open to better
alternatives. I just don't see any.

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel