Bug 458876 - sec-policy/selinux-base-policy "unconfined" USE flag should be set by default
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy r12
Reported: 2013-02-23 17:11 UTC by Maciej S. Szmigiero
Modified: 2013-03-29 10:54 UTC


Description Maciej S. Szmigiero 2013-02-23 17:11:43 UTC
sec-policy/selinux-base-policy "unconfined" USE flag should be set by default,
because otherwise in targeted policy users logging in (who by default land in unconfined_u:unconfined_r) have no allowed domains.

This is because unconfined_r allowed domains are only provided with the sec-policy/selinux-unconfined module, beginning with selinux-base-policy-2.20120725-r9.

Relevant pam_selinux debug output when logging in via SSH:
Feb 22 21:38:31 server sshd[24551]: pam_selinux(sshd:session): Open Session
Feb 22 21:38:31 server sshd[24551]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 22 21:38:31 server sshd[24551]: pam_selinux(sshd:session): Open Session
Feb 22 21:38:31 server sshd[24551]: pam_selinux(sshd:session): Username= root SELinux User= unconfined_u Level= (null)
Feb 22 21:38:31 server sshd[24551]: pam_selinux(sshd:session): conversation failed
Feb 22 21:38:31 server sshd[24551]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N] 
Feb 22 21:38:31 server sshd[24551]: pam_selinux(sshd:session): Unable to get valid context for root
Feb 22 21:38:31 server sshd[24551]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for root
Feb 22 21:38:31 server sshd[24551]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
Feb 22 21:38:31 server sshd[24566]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for root

Even when SELinux is in permissive mode, this results in the well-known portage "selinux.setexeccon(ctx)" error and SSH sessions staying in the system_u:system_r:sshd_t context.

I think that the policy should work "out-of-the-box" on default settings.
If that is not possible, then at least this information should be added to
the SELinux Handbook - Troubleshooting chapter.


Reproducible: Always
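
A log check for the failure signature quoted in the description above, added here as an example; it is not part of the original report or of Gentoo's tooling. The function name is an assumption of this example, and the sample input is a constructed subset of the log lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the sshd/pam_selinux lines quoted in the report.
SAMPLE_LOG = """\
Feb 22 21:38:31 server sshd[24551]: pam_selinux(sshd:session): Open Session
Feb 22 21:38:31 server sshd[24551]: pam_selinux(sshd:session): Username= root SELinux User= unconfined_u Level= (null)
Feb 22 21:38:31 server sshd[24551]: pam_selinux(sshd:session): Unable to get valid context for root
Feb 22 21:38:31 server sshd[24551]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for root
Feb 22 21:38:31 server sshd[24566]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for root
"""

LINE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+\S+\s+sshd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
MAPPING = re.compile(r"Username=\s*(?P<user>\S+)\s+SELinux User=\s*(?P<seuser>\S+)\s+Level=\s*(?P<level>.*)$")
FAILURES = (
    re.compile(r"Unable to get valid context for (?P<user>\S+)"),
    re.compile(r"Failed to get default SELinux security context for (?P<user>\S+)"),
)

def find_context_failures(log_text):
    """Return {login: {"seuser", "pids", "failures"}} for logins that got no SELinux context."""
    seuser_for = {}  # login name -> SELinux user reported by pam_selinux debug output
    report = defaultdict(lambda: {"seuser": None, "pids": set(), "failures": 0})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an sshd syslog line
        msg = m["msg"]
        mapped = MAPPING.search(msg)
        if mapped:
            seuser_for[mapped["user"]] = mapped["seuser"]
            continue
        for pattern in FAILURES:
            hit = pattern.search(msg)
            if hit:
                # Key on the login name: the privsep child logs under another PID.
                entry = report[hit["user"]]
                entry["pids"].add(int(m["pid"]))
                entry["failures"] += 1
    for user, entry in report.items():
        entry["seuser"] = seuser_for.get(user)
    return dict(report)

if __name__ == "__main__":
    for user, e in find_context_failures(SAMPLE_LOG).items():
        print(f"{user}: SELinux user {e['seuser']} got no default context "
              f"({e['failures']} failures, sshd pids {sorted(e['pids'])})")
```

The "Username= ... SELinux User= ..." line only appears when pam_selinux runs with its debug option, so without it the reported SELinux user stays empty while the failures are still counted.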
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2013-02-23 17:28:09 UTC
Enabling by default makes many users lose a lot of SELinux protections (I'd have a similar bug report, asking not to set it by default). You're right, however, that setting the targeted policy and not using USE="unconfined" breaks a system.

I'm going to check if USE="unconfined" is set if one of the selected policies is "targeted", while making sure it isn't included in the "strict" build.
Comment 2 Maciej S. Szmigiero 2013-02-23 19:50:14 UTC
Hmm, I see that on sec-policy/selinux-base-policy the "unconfined" USE flag only pulls in sec-policy/selinux-unconfined.

Do you mean sec-policy/selinux-base, where the "unconfined" USE flag seems to change
the default user to unconfined_u on non-targeted and non-strict policies?
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2013-02-23 20:03:53 UTC
Once it pulls in selinux-unconfined, it means that the unconfined module is loaded in /all/ policy stores, including strict, mcs or mls, even if the user wants to use strict policies rather than the more lax "targeted" one.

Hence I need to make sure that, if we pull it in, it only installs it into the targeted, mls and mcs stores, and that it stays out of the strict one. Also, only if the selected store is "targeted" should we make USE="unconfined" mandatory; for mcs/mls it is optional (hence updates to the documentation are needed as well).
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2013-03-09 12:27:42 UTC
I've updated the selinux eclass to not load unconfined when the policy store is "strict", and I'll have USE="unconfined" marked as a default for the packages (IUSE="+unconfined") since we also have targeted as a default policy type.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2013-03-09 13:54:04 UTC
Ok, selinux-base-policy now checks for USE=unconfined if POLICY_TYPES=targeted is set. If it isn't, it fails the build (during dependency check, so early on - not in the middle of a build).

Fixed in selinux-base-policy-2.20120725-r12
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2013-03-29 10:54:50 UTC
stabilized