| Field | Value |
|---|---|
| Summary | sys-apps/openrc: add direct SELinux support |
| Product | Gentoo Hosted Projects |
| Reporter | Sven Vermeulen (RETIRED) <swift> |
| Component | OpenRC |
| Assignee | OpenRC Team <openrc> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | perfinion, selinux |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=517450 |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 481182 |
| Attachments | patch for tmpfiles.sh; tmpfiles patch; 0002-Fix-SELinux-contexts-in-dev-after-it-is-mounted.patch; 0003-checkpath-restore-the-SELinux-context.patch; 0001-Add-SELinux-support-to-the-build-system.patch |
Description
Sven Vermeulen (RETIRED)
2014-07-12 15:15:52 UTC
So tmpfiles is used to initialize various directories. The following cats out all the rules that are used:

cat /usr/lib/tmpfiles.d/* /etc/tmpfiles.d/* /run/tmpfiles.d/*

It looks like anything that is set in /run gets labelled initrc_var_run_t which is almost certainly wrong. We will need to use init_daemon_pid_file to set the labels for all the dirs that are wrong.

Here is the output on my system:

# cat /usr/lib/tmpfiles.d/* /etc/tmpfiles.d/* /run/tmpfiles.d/*
d /run/lock/lvm 0700 root root -
d /run/lvm 0700 root root -
d /var/run/mysqld 0755 mysql mysql -
d /var/lib/nfs/rpc_pipefs
d /var/lib/nfs/v4recovery
d /var/lib/nfs/v4root
# openldap runtime directory for slapd.arg and slapd.pid
d /var/run/openldap 0755 ldap ldap -
d /run/sepermit 0755 root root
D /run/vpnc 0755 root root -
cat: /etc/tmpfiles.d/*: No such file or directory
d /dev/net 0755 - - -
c /dev/net/tun 0600 - - - 10:200
d /dev/mapper 0755 - - -
c /dev/mapper/control 0600 - - - 10:236
c /dev/vhost-net 0600 - - - 10:238

# ls -alZ /run/
total 68
drwxr-xr-x. 21 root root system_u:object_r:var_run_t 800 Jul 12 21:36 ./
drwxr-xr-x. 1 root root system_u:object_r:root_t 148 Jul 7 13:44 ../
drwxr-xr-x. 2 root root system_u:object_r:consolekit_var_run_t 80 Jul 12 21:36 ConsoleKit/
drwxr-xr-x. 2 root root system_u:object_r:NetworkManager_var_run_t 60 Jul 12 21:35 NetworkManager/
-rw-r--r--. 1 root root system_u:object_r:apmd_var_run_t 5 Jul 12 21:35 acpid.pid
srw-rw-rw-. 1 root root system_u:object_r:apmd_var_run_t 0 Jul 12 21:35 acpid.socket=
-rw-r--r--. 1 root root system_u:object_r:auditd_var_run_t 5 Jul 12 21:35 auditd.pid
-rw-r--r--. 1 root root system_u:object_r:cachefilesd_var_run_t 5 Jul 12 21:35 cachefilesd.pid
drwxr-xr-x. 2 root root system_u:object_r:pam_var_console_t 60 Jul 12 21:36 console/
-rw-r--r--. 1 root root system_u:object_r:crond_var_run_t 5 Jul 12 21:35 cron.pid
drwxr-xr-x. 2 root root system_u:object_r:system_dbusd_var_run_t 60 Jul 12 21:35 dbus/
-rw-r--r--. 1 root root system_u:object_r:system_dbusd_var_run_t 5 Jul 12 21:35 dbus.pid
-rw-r--r--. 1 root root system_u:object_r:dhcpc_var_run_t 5 Jul 12 21:36 dhcpcd-wlp3s0.pid
drwx--x--x. 3 root root system_u:object_r:xdm_var_run_t 60 Jul 12 21:35 lightdm/
-rw-r--r--. 1 root root system_u:object_r:xdm_var_run_t 5 Jul 12 21:35 lightdm.pid
drwxrwxr-x. 3 root uucp system_u:object_r:var_lock_t 60 Jul 12 21:35 lock/
drwx------. 2 root root system_u:object_r:initrc_var_run_t 40 Jul 12 21:35 lvm/
drwxr-xr-x. 2 root root system_u:object_r:mount_var_run_t 60 Jul 12 21:35 mount/
drwxr-xr-x. 2 mysql mysql system_u:object_r:mysqld_var_run_t 40 Jul 12 21:35 mysqld/
-rw-r--r--. 1 root root system_u:object_r:ntpd_var_run_t 4 Jul 12 21:35 ntpd.pid
drwxr-xr-x. 2 ldap ldap system_u:object_r:slapd_var_run_t 40 Jul 12 21:35 openldap/
drwxrwxr-x. 14 root root system_u:object_r:initrc_state_t 380 Jul 12 21:35 openrc/
drwxr-xr-x. 4 root root system_u:object_r:devicekit_var_run_t 80 Jul 12 21:35 pm-utils/
-rw-r--r--. 1 root root system_u:object_r:privoxy_var_run_t 5 Jul 12 21:36 privoxy.pid
drwxr-xr-x. 4 root root system_u:object_r:initrc_var_run_t 80 Jul 12 21:35 resolvconf/
-rw-r--r--. 1 root root system_u:object_r:restorecond_var_run_t 5 Jul 12 21:35 restorecond.pid
-rw-r--r--. 1 root root system_u:object_r:rpcd_var_run_t 5 Jul 12 21:35 rpc.statd.pid
-r--r--r--. 1 root root system_u:object_r:rpcbind_var_run_t 0 Jul 12 21:35 rpcbind.lock
srw-rw-rw-. 1 root root system_u:object_r:rpcbind_var_run_t 0 Jul 12 21:35 rpcbind.sock=
drwxr-xr-x. 2 root root system_u:object_r:pam_var_run_t 40 Jul 12 21:35 sepermit/
-rw-------. 1 root root system_u:object_r:rpcd_var_run_t 5 Jul 12 21:35 sm-notify.pid
-rw-r--r--. 1 root root system_u:object_r:sshd_var_run_t 5 Jul 12 21:35 sshd.pid
srwxr-xr-x. 1 root root system_u:object_r:devlog_t 0 Jul 12 21:35 syslog-ng.ctl=
-rw-r--r--. 1 root root system_u:object_r:syslogd_var_run_t 5 Jul 12 21:35 syslog-ng.pid
drwxrwxr-x. 2 root root system_u:object_r:initrc_var_run_t 60 Jul 12 21:35 tmpfiles.d/
drwxr-xr-x. 2 tor tor system_u:object_r:tor_var_run_t 60 Jul 12 21:36 tor/
drwxr-xr-x. 7 root root system_u:object_r:udev_var_run_t 180 Jul 12 22:38 udev/
drwx------. 2 root root system_u:object_r:devicekit_var_run_t 40 Jul 12 21:36 udisks2/
-rw-rw-r--. 1 root utmp system_u:object_r:initrc_var_run_t 4224 Jul 12 21:36 utmp
drwxr-xr-x. 2 root root system_u:object_r:initrc_var_run_t 40 Jul 12 21:35 vpnc/

For reference, here is similar output from feandil on #gentoo-hardened. openvpn / openvpn.pid are good examples of where the label is wrong.

# cat /usr/lib/tmpfiles.d/*
d /var/lib/dhcp/ 0755 dhcp dhcp
f /var/lib/dhcp/dhcpd.leases 0644 dhcp dhcp
d /run/lock/lvm 0700 root root -
d /run/lvm 0700 root root -
d /run/mdadm 0710 root root -
d /run/named 0755 named root -
D /var/run/openvpn 0710 root openvpn -
d /run/php-fpm 755 root root
d /run/postgresql 0775 postgres postgres -
D /var/run/samba 0755 root root
# openldap runtime directory for slapd.arg and slapd.pid
d /var/run/openldap 0755 ldap ldap -
d /run/sepermit 0755 root root

Fea ~ # ls -alZ /run/
total 80K
drwxr-xr-x. 21 root root system_u:object_r:var_run_t 760 2014-07-09 12:29 ./
drwxr-xr-x. 22 root root system_u:object_r:root_t 4.0K 2014-07-06 13:15 ../
-rw-r--r--. 1 root root system_u:object_r:auditd_var_run_t 5 2014-06-06 22:23 auditd.pid
drwxr-xr-x. 2 bitlbee bitlbee system_u:object_r:initrc_var_run_t 60 2014-06-06 22:23 bitlbee/
drwxr-xr-x. 2 root root system_u:object_r:var_run_t 80 2014-06-06 22:23 blkid/
-rw-r--r--. 1 root collectd system_u:object_r:collectd_var_run_t 6 2014-07-05 15:26 collectd.pid
-rw-r--r--. 1 root root system_u:object_r:crond_var_run_t 5 2014-06-06 22:23 cron.pid
drwxr-xr-x. 4 root root system_u:object_r:dhcpc_var_run_t 80 2014-07-12 20:36 dhcpcd/
-rw-r--r--. 1 root root system_u:object_r:dhcpc_var_run_t 5 2014-06-06 22:23 dhcpcd-enp0s25.pid
drwxr-xr-x. 5 root root system_u:object_r:dovecot_var_run_t 680 2014-06-06 22:28 dovecot/
drwxrwxr-x. 3 root uucp system_u:object_r:var_lock_t 60 2014-06-06 22:23 lock/
drwx------. 2 root root system_u:object_r:initrc_var_run_t 40 2014-06-06 22:23 lvm/
drwxr-xr-x. 2 root root system_u:object_r:mdadm_var_run_t 120 2014-06-06 22:23 mdadm/
-rw-r--r--. 1 root root system_u:object_r:mdadm_var_run_t 5 2014-06-06 22:23 mdadm.pid
drwxr-xr-x. 2 root root system_u:object_r:mount_var_run_t 60 2014-06-06 22:23 mount/
drwxrwx---. 2 root named system_u:object_r:named_var_run_t 80 2014-06-22 08:42 named/
-rw-r--r--. 1 root root system_u:object_r:nginx_var_run_t 6 2014-07-09 12:29 nginx.pid
-rw-r--r--. 1 root root system_u:object_r:ntpd_var_run_t 4 2014-06-06 22:23 ntpd.pid
drwxr-xr-x. 2 milter milter system_u:object_r:dkim_milter_data_t 80 2014-06-06 22:23 opendkim/
drwxr-xr-x. 2 ldap ldap system_u:object_r:slapd_var_run_t 40 2014-06-06 22:23 openldap/
drwxrwxr-x. 14 root root system_u:object_r:initrc_state_t 360 2014-06-06 22:23 openrc/
drwx--x---. 2 root openvpn system_u:object_r:initrc_var_run_t 40 2014-06-06 22:23 openvpn/
-rw-r--r--. 1 root root system_u:object_r:openvpn_var_run_t 5 2014-06-06 22:23 openvpn.pid
drwxr-xr-x. 2 root root system_u:object_r:initrc_var_run_t 40 2014-06-06 22:23 php-fpm/
-rw-r--r--. 1 root root system_u:object_r:phpfpm_var_run_t 5 2014-07-09 08:34 php-fpm.pid
drwxr-xr-x. 2 root root system_u:object_r:var_run_t 60 2014-07-09 08:34 php5-fpm/
drwxrwxr-x. 2 postgres postgres system_u:object_r:postgresql_var_run_t 80 2014-06-06 22:23 postgresql/
-rw-r--r--. 1 root root system_u:object_r:rsync_var_run_t 5 2014-06-06 22:23 rsyncd.pid
-rw-r--r--. 1 root root system_u:object_r:syslogd_var_run_t 5 2014-06-06 22:23 rsyslogd-remote.pid
-rw-r--r--. 1 root root system_u:object_r:syslogd_var_run_t 5 2014-06-06 22:23 rsyslogd.pid
drwxr-xr-x. 2 root root system_u:object_r:initrc_var_run_t 80 2014-06-06 22:25 samba/
-rw-r--r--. 1 root root system_u:object_r:initrc_var_run_t 5 2014-06-06 22:23 sensord.pid
drwxr-xr-x. 2 root root system_u:object_r:pam_var_run_t 40 2014-06-06 22:23 sepermit/
-rw-------. 1 root root system_u:object_r:fsdaemon_var_run_t 5 2014-06-06 22:23 smartd.pid
-rw-r--r--. 1 root root system_u:object_r:sshd_var_run_t 5 2014-06-06 22:23 sshd.pid
drwxr-xr-x. 6 root root system_u:object_r:udev_var_run_t 160 2014-07-11 09:06 udev/
-rw-r--r--. 1 root root system_u:object_r:nut_var_run_t 5 2014-06-29 10:28 upsmon.pid
-rw-rw-r--. 1 root utmp system_u:object_r:initrc_var_run_t 11K 2014-07-12 20:34 utmp

root@lerya /home/feandil # cat /usr/lib/tmpfiles.d/*
d /run/clamav 0710 clamav clamav
d /var/lock/ejabberdctl 0750 jabber jabber
D /run/fail2ban 0755 root root -
d /run/lock/lvm 0700 root root -
d /run/lvm 0700 root root -
d /var/run/mysqld 0755 mysql mysql -
d /run/named 0755 named root -
D /var/run/openvpn 0710 root openvpn -
d /run/php-fpm 755 root root
d /run/postgresql 0775 postgres postgres -
d /run/sepermit 0755 root root

root@lerya /home/feandil # ls -alZ /run/
total 56K
drwxr-xr-x. 18 root root system_u:object_r:var_run_t 620 2014-07-08 23:56 ./
drwxr-xr-x. 23 root root system_u:object_r:root_t 4.0K 2014-06-07 12:32 ../
drwxr-xr-x. 2 asterisk root system_u:object_r:asterisk_var_run_t 40 2014-06-07 17:16 asterisk/
-rw-r--r--. 1 root root system_u:object_r:auditd_var_run_t 5 2014-07-08 22:48 auditd.pid
drwx--x---. 2 clamav clamav system_u:object_r:initrc_var_run_t 40 2014-06-07 17:15 clamav/
drwxr-xr-x. 2 root root system_u:object_r:var_run_t 60 2014-07-12 17:59 collectd/
-rw-r--r--. 1 root root system_u:object_r:crond_var_run_t 6 2014-07-08 23:56 cron.pid
drwxr-xr-x. 5 root root system_u:object_r:dovecot_var_run_t 680 2014-06-07 17:15 dovecot/
drwxrwxr-x. 4 root uucp system_u:object_r:var_lock_t 80 2014-06-07 17:15 lock/
drwx------. 2 root root system_u:object_r:initrc_var_run_t 40 2014-06-07 17:15 lvm/
srwxr-xr-x. 1 root root system_u:object_r:mcelog_var_run_t 0 2014-06-07 17:15 mcelog-client=
-rw-r--r--. 1 root root system_u:object_r:mcelog_var_run_t 4 2014-06-07 17:15 mcelog.pid
drwxr-xr-x. 2 root root system_u:object_r:mount_var_run_t 60 2014-06-07 17:15 mount/
drwxr-xr-x. 2 mysql mysql system_u:object_r:mysqld_var_run_t 40 2014-06-07 17:15 mysqld/
drwxrwx---. 2 root named system_u:object_r:named_var_run_t 80 2014-06-07 17:15 named/
-rw-r--r--. 1 root root system_u:object_r:nginx_var_run_t 6 2014-07-08 23:44 nginx.pid
-rw-r--r--. 1 root root system_u:object_r:ntpd_var_run_t 4 2014-06-07 17:15 ntpd.pid
drwxrwxr-x. 14 root root system_u:object_r:initrc_state_t 360 2014-06-07 17:15 openrc/
drwx--x---. 2 root openvpn system_u:object_r:initrc_var_run_t 40 2014-06-07 17:15 openvpn/
-rw-r--r--. 1 root root system_u:object_r:openvpn_var_run_t 5 2014-07-08 22:48 openvpn.pid
drwxr-xr-x. 2 root root system_u:object_r:initrc_var_run_t 40 2014-06-07 17:15 php-fpm/
-rw-r--r--. 1 root root system_u:object_r:phpfpm_var_run_t 4 2014-07-08 22:59 php-fpm.pid
drwxr-xr-x. 2 root root system_u:object_r:var_run_t 60 2014-07-08 22:59 php5-fpm/
drwxrwxr-x. 2 postgres postgres system_u:object_r:postgresql_var_run_t 80 2014-07-08 23:55 postgresql/
drwxr-xr-x. 2 root root system_u:object_r:pam_var_run_t 40 2014-06-07 17:15 sepermit/
-rw-------. 1 root root system_u:object_r:fsdaemon_var_run_t 6 2014-07-08 23:56 smartd.pid
-rw-r--r--. 1 root root system_u:object_r:sshd_var_run_t 5 2014-06-07 17:15 sshd.pid
srwxr-xr-x. 1 root root system_u:object_r:devlog_t 0 2014-07-08 23:56 syslog-ng.ctl=
-rw-r--r--. 1 root root system_u:object_r:syslogd_var_run_t 6 2014-07-08 23:56 syslog-ng.pid
drwxr-xr-x. 6 root root system_u:object_r:udev_var_run_t 160 2014-07-08 22:48 udev/
-rw-rw-r--. 1 root utmp system_u:object_r:initrc_var_run_t 9.0K 2014-07-12 20:41 utmp

root@lerya /home/feandil # llaZ /run/clamav
total 0
root@lerya /home/feandil # llaZ /run/openvpn
total 0
root@lerya /home/feandil # llaZ /run/php-fpm
total 0
root@lerya /home/feandil # llaZ /run/php5-fpm
total 0
srw-rw----. 1 phpfpm phpfpm system_u:object_r:phpfpm_var_run_t 0 2014-07-08 22:59 php-fpm.sock=

Okay, I have narrowed this down to two sort of separate problems.

One is /lib64/rc/sh/tmpfiles.sh (run from tmpfiles.setup, tmpfiles.dev) to parse and create the dirs. It runs in the initrc_t domain so everything gets created based on that, which is incorrect. tmpfiles.sh needs to restorecon the dir after it is created. I have verified that from the systemd source and have a patch for tmpfiles.sh that needs a little more testing.

The second problem is in checkpath which is used from many init scripts. It also needs to set the label when it creates the dir, otherwise it ends up in initrc_t. This requires patching openrc's src/rc/checkpath.c.

Does this seem sane?

If the patch can make sure that restorecon is called after creating the resources and before applications are using it further (i.e. no chance that the small period between creation and restorecon where the label will be "incorrect" will be causing application troubles) then I can agree with calling restorecon in tmpfiles.sh.

From the looks of it, it is indeed quite configurable and thus could be difficult to track policy-wise if we want to include file transitions for everything.

I'll look into the checkpath.c code.

Created attachment 380714 [details, diff]
patch for tmpfiles.sh
This is the patch to fix tmpfiles. It basically just calls restorecon when it creates anything. I used a function to wrap restorecon so that it first checks if it exists on the system. My system boots fine with the patch applied manually to /lib64/rc/sh/tmpfiles.sh.
Comments?
The restorecon application might be installed but SELinux can still be disabled. You might want to check for SELinux being enabled (run selinuxenabled, check the return code: RC=0 means SELinux is enabled, RC=1 means disabled). The command is part of libselinux (so yes, need to check for selinuxenabled existence as well).

I'm wondering if the restorecon command shouldn't use recursive either (will tmpfiles.sh always create just a single file/path).

Also, what if restorecon fails when the $path no longer exists (there's a find $path ... rm -rf {} + )?

(In reply to Sven Vermeulen from comment #6)
> The restorecon application might be installed but SELinux can still be
> disabled. You might want to check for SELinux being enabled (run
> selinuxenabled, check returncode - RC=0 is SELinux is enabled, RC=1 is
> disabled). The command is part of libselinux (so yes, need to check for
> selinuxenabled existence as well).

Good point. I will fix the patch.

> I'm wondering if the restorecon command shouldn't use recursive either (will
> tmpfiles.sh always create just a single file/path).

http://0pointer.de/public/systemd-man/tmpfiles.d.html
The definitions of each of the types are at this link. I only made it restorecon on: b c f F d D L p. (x and X already called restorecon.)
The only ones recursing would apply to are d and D, but those are for empty dirs so it should not be required.

> Also, what if restorecon fails when the $path no longer exists (there's a
> find $path ... rm -rf {} + )?

The find one is "D", which is to empty out a directory but leave the dir itself there, so that one is fine. "R" and "r" are to rm -rf the whole thing, so I do not call restorecon for those.

Created attachment 380732 [details, diff]
tmpfiles patch
This replaces the old tmpfiles patch.
I booted without selinux enabled and running restorecon is a no-op so checking /sys/fs/selinux is not required.
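The tmpfiles.sh behaviour discussed in the comments above, as an added shell example that is not part of this thread and not OpenRC's own tmpfiles.sh: a restorecon wrapper that first checks that selinuxenabled exists and reports SELinux as enabled (the check suggested in comment #6), skips a path that a cleanup has already removed, and is applied only to the entry types listed by perfinion (b c f F d D L p), never to r/R. The entry handler is a deliberately reduced stand-in that covers only d/D, f/F and r/R. Two assumptions are mine: the ROOT prefix, added so the rules can be applied under a scratch directory rather than the live /run, and treating "-" for uid/gid as "leave ownership alone" (real tmpfiles.d treats it as root) so the example runs unprivileged. The sample rules are constructed from the ones quoted in the bug.

```sh
#!/bin/sh
# Added example, not OpenRC's tmpfiles.sh. ROOT is an assumed prefix so the
# entries can be applied to a scratch directory instead of the live system.

# Entry types whose result should get its SELinux label restored once created.
# b c f F d D L p get restorecon; x/X are already handled by tmpfiles.sh, and
# r/R remove the path, so there is nothing left to label afterwards.
tmpfiles_needs_restorecon() {
	case "$1" in
		b|c|f|F|d|D|L|p) return 0 ;;
		*) return 1 ;;
	esac
}

# True only when libselinux's selinuxenabled is present and exits 0.
# restorecon can be installed on a box with SELinux disabled, so the mere
# presence of the tool is not enough.
selinux_active() {
	command -v selinuxenabled >/dev/null 2>&1 || return 1
	selinuxenabled >/dev/null 2>&1
}

# restorecon wrapper: a no-op without SELinux, and it never fails on a path
# that an earlier r/R entry (or the D cleanup) has already removed.
_restorecon() {
	selinux_active || return 0
	[ -e "$1" ] || return 0
	restorecon "$1"
}

# Apply one tmpfiles.d line. Fields: type path mode uid gid age [argument].
# Only d/D, f/F and r/R are handled here; "-" means "leave that field alone"
# (assumption for this example; real tmpfiles.d uses root for "-" uid/gid).
tmpfiles_apply() {
	set -- $1
	entry_type=$1
	path="${ROOT:-}$2"
	mode=${3:--}
	uid=${4:--}
	gid=${5:--}
	case "$entry_type" in
		d|D) [ -d "$path" ] || mkdir -p "$path" ;;
		f|F) [ -e "$path" ] || : > "$path" ;;
		r|R) rm -rf "$path"; return 0 ;;   # removed, nothing to label
		*)   return 0 ;;                    # not covered by this example
	esac
	[ "$mode" = "-" ] || chmod "$mode" "$path"
	[ "$uid" = "-" ] || chown "$uid" "$path"
	[ "$gid" = "-" ] || chgrp "$gid" "$path"
	# Label right after creation, before any service can open the path, so
	# the window in which it carries the initrc_t-derived label is minimal.
	if tmpfiles_needs_restorecon "$entry_type"; then
		_restorecon "$path"
	fi
}

# Constructed sample rules, modelled on the ones quoted in the bug report.
sample_rules() {
	printf '%s\n' \
		'd /run/lvm 0700 - - -' \
		'D /var/run/openvpn 0710 - - -' \
		'f /run/openvpn.pid 0644 - - -'
}

# Apply every rule from sample_rules under ROOT, skipping blanks and comments.
apply_sample_rules() {
	sample_rules | while IFS= read -r rule; do
		[ -z "$rule" ] && continue
		case "$rule" in '#'*) continue ;; esac
		tmpfiles_apply "$rule"
	done
}
```

Running it as `ROOT=$(mktemp -d) sh tmpfiles-example.sh` with a call to apply_sample_rules appended creates the three entries under the scratch root; on a machine without SELinux every _restorecon call returns 0 without touching anything, which is the behaviour the comment above relies on.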
Created attachment 380734 [details, diff]
0002-Fix-SELinux-contexts-in-dev-after-it-is-mounted.patch
The labels on /dev are all device_t on boot, which is wrong, so we must restorecon immediately after mounting /dev.
Created attachment 380736 [details, diff]
0003-checkpath-restore-the-SELinux-context.patch
This patch sets the labels on the dirs right after checkpath has created them. It builds fine and I have tested it manually with a few test cases, but I have not booted my system with it yet. It checks if SELinux is enabled before doing anything and only exits with errors if SELinux is in enforcing mode. I have left some printf debug lines in this version still; will clean them up before the final patch.
Any comments on this patch series?
Currently OpenRc depends on a Gentoo-specific package for SELinux support. The Gentoo SELinux team is working with me to add SELinux support directly to OpenRc and remove that dependency.

Created attachment 380762 [details, diff]
0001-Add-SELinux-support-to-the-build-system.patch
This is the first patch we will need for SELinux support.
This patch defines the HAVE_SELINUX pre-processor macro and adds
-lselinux to the libraries when MKSELINUX=yes is passed to make.
The patches that perfinion sent apply against openrc-9999. A full SELinux-enforcing system with openrc-9999 + patches works as expected (service stop/start, etc.). I do get a massive amount of "runscript is deprecated; please use openrc-run instead", but except for the messages the init scripts work.

All of the below commits add SELinux support. Now OpenRc links directly to libselinux if SELinux support is needed. This will all be included in OpenRc-0.13. I would like to thank Jason Zaman for the patches.

4a1afa69
4f784bd4
525d7140
9c689542
99939b98