selinux novice
hello,

I have just installed SELinux on my Gentoo box and am having difficulties in
permissive mode. If someone could have a look at this and point me
somewhere...

Emerge doesn't work if I run it from a terminal in X11 - it call-traces,
can't merge anything. In dmesg I can find:

----------------
type=1400 audit(1342877962.365:424): avc: denied { read write } for
pid=15719 comm="sh" name="1" dev="devpts" ino=4
scontext=system_u:system_r:portage_fetch_t
tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342877962.367:425): avc: denied { search } for
pid=15719 comm="sh" name="ivan" dev="dm-3" ino=20709377
scontext=system_u:system_r:portage_fetch_t
tcontext=staff_u:object_r:user_home_dir_t tclass=dir
type=1400 audit(1342877962.394:426): avc: denied { search } for
pid=15720 comm="id" name="/" dev="sysfs" ino=1
scontext=system_u:system_r:portage_fetch_t
tcontext=system_u:object_r:sysfs_t tclass=dir
type=1400 audit(1342878036.496:428): avc: denied { read write } for
pid=15894 comm="emerge" name="1" dev="devpts" ino=4
scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t
tclass=chr_file
type=1400 audit(1342878036.500:429): avc: denied { ioctl } for pid=15894
comm="emerge" path="/dev/pts/1" dev="devpts" ino=4
scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t
tclass=chr_file
type=1400 audit(1342878036.505:430): avc: denied { getattr } for
pid=15894 comm="emerge" path="/dev/pts/1" dev="devpts" ino=4
scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t
tclass=chr_file
type=1400 audit(1342878083.667:431): avc: denied { read write } for
pid=16890 comm="sh" name="1" dev="devpts" ino=4
scontext=system_u:system_r:portage_fetch_t
tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342878083.671:432): avc: denied { search } for
pid=16892 comm="id" name="/" dev="sysfs" ino=1
scontext=system_u:system_r:portage_fetch_t
tcontext=system_u:object_r:sysfs_t tclass=dir
----------------
I'm running xdm - gdm3 to be more accurate - and as a normal user in a terminal
I switch to root and then do newrole -t sysadm_t - after that I'm trying to
emerge something.
Of course from a raw console, a.k.a. a non-X env, emerging works.

Additional info:
----------------
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: disabled
Policy deny_unknown status: denied
Max kernel policy version: 26
----------------
# id -Z // after switching to root and changing newrole
system_u:system_r:sysadm_t
----------------
all installed sec-policy packages are from hardened-devel overlay =
2.20120215-r14
----------------
I did rlpkg -a -r so many times.. :-)

thanks in advance

Ivan Gooten
Re: selinux novice

On 21.07.2012 15:51, Ivan Gooten wrote:
> hello,
>
> I have just installed selinux on my gentoo box, and getting
> difficulties in permissive mode. If someone can have a look at this
> and point me somewhere...
>
> Emerge doesn't work If i run it from terminal in X11 - it call
> traces, cant merge anything. In dmesg I can find:
[...]

Hi,

the first few things I notice are that it's "newrole -r sysadm_r" -
"newrole -t" just switches the type.
You shouldn't be in system_u, either, but in staff_u.
Since you are using a targeted policy you actually would have more
rights if you removed the SELinux user mapping for your user altogether,
because you would be in "unconfined_r:unconfined_t", which means that
there aren't really any restrictions for your user except those
stated explicitly.

WKR

Hinnerk

Re: selinux novice
On Sat, Jul 21, 2012 at 03:51:52PM +0200, Ivan Gooten wrote:
> I have just installed selinux on my gentoo box, and getting difficulties in
> permissive mode. If someone can have a look at this and point me
> somewhere...
>
> Emerge doesn't work If i run it from terminal in X11 - it call traces,
> cant merge anything. In dmesg I can find:
>
> ----------------
> type=1400 audit(1342877962.365:424): avc: denied { read write } for
> pid=15719 comm="sh" name="1" dev="devpts" ino=4
> scontext=system_u:system_r:portage_fetch_t
> tcontext=system_u:object_r:devpts_t tclass=chr_file

Looking at this first message already shows something weird: it says that
the source context is "system_u:system_r:portage_fetch_t", whereas this
should be either "staff_u:sysadm_r:portage_fetch_t" or
"root:sysadm_r:portage_fetch_t".

[...]
> I switch to root and then do newrole -t sysadm_t - after that I'm trying to
> emerge something.
> Ofcourse from raw console a.k.a. non X env, emerging works.
[...]
> # id -Z // after switching to root and changing newrole
> system_u:system_r:sysadm_t

It looks like there is no proper transitioning after logon.

First, make sure you ran "dispatch-conf" or "etc-update" to make sure
changes are made to your PAM configuration files.

Next, for the graphical logon (including GDM), you might need to manually
update to add in pam_selinux.so (see
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=2#doc_chap5_sect3)

Make sure that, when logged on, your "id -Z" shows you as being staff_u (or
user_u, but then you won't be able to administer the system), or if you log
on as root, probably the "root" SELinux user.

Only then can we go further. And as already mentioned, it's "newrole -r
sysadm_r" as we need to change our (operational) role towards the system
administration role.

Wkr,
Sven Vermeulen
Re: selinux novice
On Sat, Jul 21, 2012 at 7:14 PM, Sven Vermeulen <swift@gentoo.org> wrote:

[...]

Thank you all for your replies :-)

So after messing with semanage/pam I have:
--------------------
#semanage login -l

Login Name SELinux User

__default__ user_u
root root
system_u system_u
ivan staff_u
--------------------

which results in a console context for user root like
"root:sysadm_r:sysadm_t",
whereas in an X11 terminal (after switching from user ivan to root by su -)
-> "staff_u:staff_r:staff_t".
I understand that in an X11 term I'll have to "newrole -r sysadm_r" for root
every time I want to administrate the system?
And what about the difference in context between root (root:...) logged in from
the console and root (staff_u:...) logged in via an X11 terminal - is that wrong?

Ivan
Re: selinux novice
On Sun, Jul 22, 2012 at 01:55:08PM +0200, Ivan Gooten wrote:
[...]
> which results in console for user root context like
> "root:sysadm_r:sysadm_t",

That's good.

> whereas in X11 terminal, (after switching from ivan user to root by su -)
> -> "staff_u:staff_r:staff_t".

That's almost good ;-)

> I understand that in X11 term I'll have to "newrole -r sysadm_r" for root
> everytime, when I will want to administrate the system?

Yes, you need to switch roles (first switch roles, then use su(do)) every
time you need to do administrative changes (or queries) on the system. The
staff_r role is for regular operations (user) whereas sysadm_r is for system
administration.

> And what about the context's difference between root (root:...) logged from
> console and root (staff_u:...) logged via x11 terminal - is that wrong?

No, that's not wrong. If you log on directly as root, then your SELinux user
(the first part in the context) is "root". If you log on as someone else,
you get that SELinux user (such as "staff_u") which remains throughout your
session (SELinux users don't change, even when you do "su").

Wkr,
Sven Vermeulen
Re: selinux novice
OK, so now I get it a bit, but SELinux is still misconfigured here.
I've created a pastebin with my current denials, if you could look at it:
http://pastebin.com/uNRcaeUT

and semodule -l prints out:
------
alsa 1.11.0
application 1.2.0
arpwatch 1.10.0
authlogin 2.3.0
automount 1.13.0
bootloader 1.13.0
cgroup 1.1.0
clock 1.6.0
consolekit 1.8.0
consoletype 1.10.0
courier 1.12.0
cpufreqselector 1.3.0
cron 2.4.0
daemontools 1.2.0
dbus 1.16.0
dhcp 1.9.0
dmesg 1.3.0
dnsmasq 1.9.0
fstools 1.15.0
getty 1.9.0
gnome 2.2.0
gpg 2.5.0
gpm 1.8.0
hostname 1.7.0
hotplug 1.15.0
init 1.18.0
iptables 1.13.0
java 2.5.0
libraries 2.8.0
locallogin 1.11.0
logging 1.18.0
logrotate 1.14.0
lvm 1.13.0
miscfiles 1.9.0
modutils 1.12.0
mono 1.8.0
mount 1.14.0
mozilla 2.5.0
mplayer 2.4.0
mta 2.4.0
netutils 1.11.0
networkmanager 1.14.0
nscd 1.10.0
openvpn 1.11.0
policykit 1.2.0
portage 1.12.0
privoxy 1.11.0
psad 1.0.0
qemu 1.6.0
qmail 1.5.0
raid 1.11.0
rsync 1.11.0
samba 1.14.0
screen 2.5.0
selinuxutil 1.16.0
ssh 2.3.0
staff 2.3.0
storage 1.10.0
su 1.12.0
sudo 1.9.0
sysadm 2.4.0
sysnetwork 1.13.0
thunderbird 2.3.0
tor 1.8.0
ucspitcp 1.3.0
udev 1.14.0
ulogd 1.2.0
unconfined 3.4.0
unprivuser 2.3.0
userdomain 4.7.0
usermanage 1.17.0
virt 1.4.0
wine 1.10.0
wireshark 2.3.0
xdg 1.0.0
xfs 1.6.0
xscreensaver 1.1.0
xserver 3.7.0
------

thanks

Ivan
Re: selinux novice
On Fri, Jul 27, 2012 at 11:59:14AM +0200, Ivan Gooten wrote:
> ok so now I get it a bit, anyway selinux is still misconfigured here.
> I've created a pastebin with my current denials, if could you look at it:
> http://pastebin.com/uNRcaeUT

Can you please take a look at
http://www.gentoo.org/proj/en/hardened/selinux-bugreporting.xml ? It
describes the information we need in order to structurally solve problems
you might be facing.

With denials alone we can't do much - there is no proof that the denials are
actually interfering with something (which is why we also need the errors you
get from the applications), and they're not filtered, so we don't know what to
look for first (which is why we suggest structuring issues one at a time).

Wkr,
Sven Vermeulen
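As an added illustration, not code from this thread or from Gentoo's own tooling: a small Python script that does the two pieces of triage the replies ask for. It re-joins the mail-wrapped AVC records from the first post, groups the denials by source context, target context, object class and permission set (the filtering Sven says is missing), and flags records whose source SELinux user is neither staff_u nor root, which is the oddity Sven pointed out in the first denial. The "type=" line-start heuristic for re-joining wrapped records and the expected-user set are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample: the AVC records quoted in the original post, exactly as
# the mail client wrapped them. dmesg itself prints one record per line.
AVC_SAMPLE = """\
type=1400 audit(1342877962.365:424): avc: denied { read write } for
pid=15719 comm="sh" name="1" dev="devpts" ino=4
scontext=system_u:system_r:portage_fetch_t
tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342877962.367:425): avc: denied { search } for
pid=15719 comm="sh" name="ivan" dev="dm-3" ino=20709377
scontext=system_u:system_r:portage_fetch_t
tcontext=staff_u:object_r:user_home_dir_t tclass=dir
type=1400 audit(1342877962.394:426): avc: denied { search } for
pid=15720 comm="id" name="/" dev="sysfs" ino=1
scontext=system_u:system_r:portage_fetch_t
tcontext=system_u:object_r:sysfs_t tclass=dir
type=1400 audit(1342878036.496:428): avc: denied { read write } for
pid=15894 comm="emerge" name="1" dev="devpts" ino=4
scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t
tclass=chr_file
type=1400 audit(1342878036.500:429): avc: denied { ioctl } for pid=15894
comm="emerge" path="/dev/pts/1" dev="devpts" ino=4
scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t
tclass=chr_file
type=1400 audit(1342878036.505:430): avc: denied { getattr } for
pid=15894 comm="emerge" path="/dev/pts/1" dev="devpts" ino=4
scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t
tclass=chr_file
type=1400 audit(1342878083.667:431): avc: denied { read write } for
pid=16890 comm="sh" name="1" dev="devpts" ino=4
scontext=system_u:system_r:portage_fetch_t
tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342878083.671:432): avc: denied { search } for
pid=16892 comm="id" name="/" dev="sysfs" ino=1
scontext=system_u:system_r:portage_fetch_t
tcontext=system_u:object_r:sysfs_t tclass=dir
"""

AVC_RE = re.compile(r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\).*?avc:\s+denied"
                    r"\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def join_wrapped(text):
    """Assumed heuristic: a line starting with 'type=' begins a record,
    any other non-empty line continues the previous one."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("type="):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def split_context(ctx):
    """user:role:type[:level] -> dict; level is None on a non-MLS policy."""
    parts = ctx.split(":", 3)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) > 3 else None}


def parse_avc(record):
    """Parse one 'avc: denied' record; return None for any other audit line."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["serial"] = int(m.group("serial"))
    fields["perms"] = tuple(m.group("perms").split())
    return fields


def summarize(records):
    """Count denials per (scontext, tcontext, tclass, perms): the most
    frequent pattern is usually the one to investigate first."""
    groups = Counter()
    for rec in records:
        d = parse_avc(rec)
        if d is not None:
            groups[(d["scontext"], d["tcontext"], d["tclass"], d["perms"])] += 1
    return groups


def flag_unexpected_user(records, expected_users=("staff_u", "root")):
    """Flag denials whose source SELinux user is not one an interactive admin
    session should carry (staff_u or root, per this thread). system_u is
    normal for init-started daemons, so apply this only to login sessions."""
    flagged = []
    for rec in records:
        d = parse_avc(rec)
        if d is None:
            continue
        src = split_context(d["scontext"])
        if src["user"] not in expected_users:
            flagged.append((d["serial"], d["comm"], src["user"], src["role"], src["type"]))
    return flagged


if __name__ == "__main__":
    recs = join_wrapped(AVC_SAMPLE)
    for (sctx, tctx, tclass, perms), n in summarize(recs).most_common():
        print(f"{n:3d}  {sctx} -> {tctx} {tclass} {{{' '.join(perms)}}}")
    for serial, comm, user, role, typ in flag_unexpected_user(recs):
        print(f"serial {serial}: {comm} ran as {user}:{role}:{typ}, expected staff_u or root")
```

Run against a real box, feed it the output of `dmesg` or the audit log instead of AVC_SAMPLE; the grouping tells you which access pattern to report first, and the user check reproduces Sven's observation that every denial in the post was raised from system_u rather than from a properly transitioned login session.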