Bug 528674 - [TRACKER] Support systemd with SELinux
Summary: [TRACKER] Support systemd with SELinux
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
Importance: Normal normal (6 votes)
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords: PullRequest, Tracker
Depends on: 508390 568754 801217
Blocks:
Reported: 2014-11-08 17:18 UTC by Sven Vermeulen (RETIRED)
Modified: 2022-10-25 19:22 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info (emerge.info, 4.71 KB, application/octet-stream), 2015-12-15 04:56 UTC, Naftuli Tzvi Kay
systemd-231-selinux-encorcing-1.patch (systemd-231-selinux-encorcing-1.patch, 2.37 KB, patch), 2017-02-16 20:44 UTC, Krzysztof Nowicki

Description Sven Vermeulen (RETIRED) gentoo-dev 2014-11-08 17:18:37 UTC
This tracker is to keep track of all bugs for systemd and SELinux support.

Reproducible: Always
Comment 1 Jason Zaman gentoo-dev 2014-12-04 15:24:58 UTC
for reference: 
http://oss.tresys.com/pipermail/refpolicy/2014-October/007430.html
Comment 2 Naftuli Tzvi Kay 2015-12-15 04:56:32 UTC
Created attachment 419244
emerge --info
Comment 3 Naftuli Tzvi Kay 2015-12-15 04:57:24 UTC
I'm unable to install SystemD on hardened/linux/amd64/selinux. My emerge info is above.
Comment 4 Naftuli Tzvi Kay 2015-12-15 22:21:33 UTC
SystemD is still blocked by all SELinux profiles: http://bit.ly/1MfIcoN

According to the wiki, it should be possible to install SystemD on a SELinux profile: https://wiki.gentoo.org/wiki/SELinux/FAQ#Can_I_use_SELinux_with_systemd.3F

Can we get the SELinux package.mask updated to remove SystemD or at least update the wiki detailing _why_ it can't be installed?
Comment 5 Dainius Masiliūnas 2015-12-15 22:59:38 UTC
Huh, looks like an incorrect statement on the wiki to me (blame: https://wiki.gentoo.org/index.php?title=SELinux/FAQ&diff=prev&oldid=361810 ), likely an edit without actually testing it. Last time I tested it, the system didn't boot in enforce mode due to missing policy. For it to work, the policy mentioned in Comment 1 would have to be integrated, and I'd expect this very bug entry to be updated once that is done (or, indeed, if the change was in progress).
Comment 6 Naftuli Tzvi Kay 2015-12-16 03:41:50 UTC
I'm happy to help test with that if any assistance is required. Sooner it gets merged, the sooner I can start using Gentoo :)
Comment 7 Jason Zaman gentoo-dev 2015-12-19 03:36:58 UTC
The systemd policies have been merged in to 2.20141203-r10 which I just stabilized. I am not going to lift the mask yet because I have not had the time to fully test it.

(In reply to Dainius Masiliūnas from comment #5)
> Huh, looks like an incorrect statement on the wiki to me
Weird, I have no idea who edited that. I did not intend to change that till it was fully tested to be working.

(In reply to Naftuli Tzvi Kay from comment #6)
> I'm happy to help test with that if any assistance is required.
I'd love for as many people to help testing as possible. You can negate the mask locally on your machine in /etc/portage/profile/package.use.mask (put a - in front) and /etc/portage/package.unmask (just put the packages in here).

It *should* install and all work, our gentoo policy is fairly close to upstream and they tested it but I don't want to lift it until I am sure. I had too many reports of people failing to boot and getting locked out so I'm going to err on the side of caution.

If you test it and there are any issues, please open new bugs and make them block this one.
Comment 8 Xake 2015-12-19 11:44:13 UTC
Wanted to try this out, but got hit by #568754.
Comment 9 Nils Freydank 2016-09-29 21:21:04 UTC
Mea culpa! Sorry to everyone for possible inconvenience, non booting machines etc.! :-(

I wrote that wiki FAQ section primarily as a fix for the "systemd" writing and with only a small glimpse onto this bug (with two RESOLVED deps). After I stumbled onto this bug here some minutes ago I rewrote the FAQ entry again:
https://wiki.gentoo.org/index.php?title=SELinux/FAQ&diff=546388&oldid=361824&rcid=&curid=2169.

SELinux + systemd tests will follow.
Comment 10 Nelson 2016-10-15 15:51:06 UTC
What are the exact steps to unmask systemd (and dbus and policy) with selinux under the hardened amd64 profile (sorry, but I'm not that familiar with all the portage details), so I can test systemd+selinux?
Comment 11 Nils Freydank 2016-10-17 18:17:46 UTC
(In reply to Nelson from comment #10)
> What are the exact steps to unmask systemd (and dbus and policy) with
> selinux under the hardened amd64 profile? (sorry but not that familiar with
> all the portage details), so I can test systemd+selinux?

I went through the steps the SELinux installation article (on wiki.gentoo.org) suggests and looked for everything I had to unmask at each small step.

Currently I have

<path to tree>/profiles/features/selinux/package.mask (symlinked or copied to /etc/portage/package.unmask)

The -systemd masks via the profile's package.use.mask are a bit more ugly (there is only this 'negative syntax'):

$ cat /etc/portage/profile/package.use.mask/SELinux-systemd
# negate the USE masking.
# see https://bugs.gentoo.org/show_bug.cgi?id=528674
app-admin/elektra -systemd
dev-db/mariadb -systemd
dev-qt/qtcore -systemd
...

As of 2016-10-17, 8:15 pm UTC+2, I *can't* boot systemd with selinux in enforcing mode and the strict policy module (systemd-udev and -logind and some others fail to start).
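The local unmasking that Comment 7 describes and Comment 11 shows by hand (a `-flag` entry in /etc/portage/profile/package.use.mask negates the profile's USE mask; package.unmask takes the same atoms as the profile's package.mask) can be generated from the profile files. This is an added example, not from the bug or from Gentoo's tree; both input files below are constructed samples.

```python
"""Generate the local negation files described in Comment 7 and Comment 11.

Added example, not from the bug or from Gentoo's tree. Assumes a profile-style
package.use.mask ("atom flag [flag...]" lines, '#' comments) and a profile
package.mask (one atom per line), both constructed below."""

SAMPLE_USE_MASK = """\
# constructed sample resembling profiles/features/selinux/package.use.mask
app-admin/elektra systemd
dev-db/mariadb systemd
dev-qt/qtcore systemd dbus
"""

SAMPLE_PACKAGE_MASK = """\
# constructed sample resembling profiles/features/selinux/package.mask
sys-apps/systemd
sys-apps/dbus
"""

def _entries(text):
    """Yield (atom, [flags]) for every non-comment, non-blank line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            atom, *flags = line.split()
            yield atom, flags

def negate_use_mask(text, flag="systemd"):
    """Lines for /etc/portage/profile/package.use.mask that re-enable `flag`
    (a leading '-' negates the profile's mask) on every atom masking it."""
    return [f"{atom} -{flag}" for atom, flags in _entries(text) if flag in flags]

def unmask_lines(text):
    """package.unmask takes the same atoms as package.mask, so keep only those."""
    return [atom for atom, _ in _entries(text)]

def render(lines):
    """Write the file with the header Comment 11 used."""
    header = ["# negate the USE masking.",
              "# see https://bugs.gentoo.org/show_bug.cgi?id=528674"]
    return "\n".join(header + lines) + "\n"

if __name__ == "__main__":
    print(render(negate_use_mask(SAMPLE_USE_MASK)))
    print("\n".join(unmask_lines(SAMPLE_PACKAGE_MASK)))
```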
Comment 12 Nils Freydank 2017-01-10 23:46:20 UTC
Yeay, works for me! (pun intended ;)

I can boot into enforcing and strict SELinux now (and start X, play music and use my GPU). However, I had to put these domains into permissive mode:

#-----------------------
NetworkManager_t
alsa_t
devicekit_disk_t
devicekit_power_t
gpg_agent_t
init_t
initrc_t
mplayer_t
policykit_t
sysadm_dbusd_t
sysadm_ssh_agent_t
sysadm_t
syslogd_t
system_dbusd_t
systemd_coredump_t
systemd_hostnamed_t
systemd_logind_t
systemd_resolved_t
systemd_sessions_t
udev_t
xauth_t
xserver_t
#-----------------------
That was more or less copy'n'pasted from audit2allow; there might be some domains I will be able to remove from this list, too.

I hope this will help some other testers.
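The permissive list in the comment above came from audit2allow output; the step behind it is grouping AVC denials by source domain and seeing which domains block the boot. The following is an added example, not from the bug report: it parses constructed audit records (the kernel's real AVC field layout, with made-up pids, paths and contexts), skips records from domains that are already permissive, and emits the CIL `typepermissive` statements for the rest.

```python
"""Summarise AVC denials per source domain, the step behind the permissive list
in Comment 12. Added example, not from the bug report: the audit records below
are constructed (real kernel AVC field layout, made-up pids, paths and contexts)."""
import re
from collections import defaultdict

SAMPLE_AUDIT = """\
type=AVC msg=audit(1484090000.101:42): avc:  denied  { write } for  pid=1 comm="systemd" name="hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1484090000.102:43): avc:  denied  { read open } for  pid=311 comm="systemd-logind" path="/run/systemd/seats" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1484090000.103:44): avc:  denied  { setattr } for  pid=1 comm="systemd" name="cgroup" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1484090000.104:45): avc:  denied  { connectto } for  pid=900 comm="mplayer" scontext=user_u:user_r:mplayer_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=unix_stream_socket permissive=1
type=SYSCALL msg=audit(1484090000.104:45): arch=c000003e syscall=42 success=yes exit=0
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?"
)

def type_of(context):
    """user:role:type[:mls] -> type"""
    return context.split(":")[2]

def parse_denials(log):
    """One dict per AVC record; SYSCALL and other record types are skipped."""
    out = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            out.append({"sdomain": type_of(m["scontext"]),
                        "ttype": type_of(m["tcontext"]),
                        "tclass": m["tclass"],
                        "perms": set(m["perms"].split()),
                        "enforced": m["permissive"] != "1"})
    return out

def denials_by_domain(log):
    """Map each source domain to the 'ttype:tclass:perm' triples it was denied
    while enforcing; records from domains already permissive are left out."""
    table = defaultdict(set)
    for d in parse_denials(log):
        if d["enforced"]:
            for p in d["perms"]:
                table[d["sdomain"]].add(f"{d['ttype']}:{d['tclass']}:{p}")
    return dict(table)

def permissive_module(log):
    """CIL statements marking the blocking domains permissive: the blunt
    workaround Comment 12 used to get a bootable system while policy is fixed."""
    return "\n".join(f"(typepermissive {d})" for d in sorted(denials_by_domain(log)))
```

The per-domain table is the part worth reading before reaching for permissive mode: a handful of specific denials usually means a missing policy rule or a mislabelled file rather than a domain that needs to be turned off.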
Comment 13 Krzysztof Nowicki 2017-02-16 20:44:27 UTC
Created attachment 464016
systemd-231-selinux-encorcing-1.patch

I have managed to get systemd up in enforced mode. Of course several changes to the policy were needed including adding some more types. I've committed all changes into Git. The repository is available on GitHub (https://github.com/KrissN/hardened-refpolicy).

In addition to policy changes some minor tweaks were needed to systemd itself:
 - The systemd-tmpfiles service tries to forcibly update contexts of files that already exist and have the right context. The patch makes systemd-tmpfiles check if the existing file has the proper context already and avoid changing it in such case.
 - There is a chicken-and-egg problem with the root cgroup filesystem. It is mounted early during boot in rw mode. Next, subsequent cgroup filesystems are mounted and finally the root of the cgroup filesystem is remounted read-only. At this stage the policy is not loaded so it's impossible to set proper contexts. Once the policy is loaded later it is impossible to reset the contexts as the filesystem is now read-only. The patch adds a workaround: once the SELinux policy is loaded the cgroup root filesystem is temporarily remounted read-write only to set proper contexts and then remounted back in read-only mode.

The patch introducing the changes is attached.

The changes work on my pretty minimal installation and I'm sure there are more changes to be done depending on individually enabled set of services. I hope however that they can be used as a baseline for further improvements.
Comment 14 Jason Zaman gentoo-dev 2017-02-24 16:24:34 UTC
(In reply to Krzysztof Nowicki from comment #13)
> I have managed to get systemd up in enforced mode. Of course several changes
> to the policy were needed including adding some more types. I've committed
> all changes into Git. The repository is available on GitHub
> (https://github.com/KrissN/hardened-refpolicy).

Hey! This is pretty awesome! Would you be up for sending these patches upstream to refpolicy? (The mailing list is http://oss.tresys.com/mailman/listinfo/refpolicy)

Russell Coker from Debian has also been adding a ton of stuff lately for systemd, so it'd be great if you could coordinate a bit so the best stuff gets merged in :).
Comment 15 Krzysztof Nowicki 2017-11-30 12:41:54 UTC
Got this in today to fix some more denials related to cgroups - should be out in 263: https://github.com/systemd/systemd/pull/7496

Of course the above needs an accompanying patch to the policy in order to work.

Overall there is progress - systemd is able to start to a local shell with current reference policy. There are some errors related to systemd-tmpfiles for Gentoo-specific files. I would also not expect shutdown/reboot to work in enforcing mode.

More patches to both upstream and Gentoo policy are underway.
Comment 16 maxmodulo 2018-07-06 19:10:18 UTC
I want to test this also, but how do I remove the mask for:  
- sec-policy/selinux-base-policy-9999::gentoo (masked by: missing keyword)

Adding an unmask for `sec-policy/selinux-base-policy` didn't help.

I'm new to Gentoo, but not new to systemd or selinux.
Comment 17 Nils Freydank 2018-07-06 19:47:16 UTC
(In reply to maxmodulo from comment #16)
> I want to test this also, but how do I remove the mask for:  
> - sec-policy/selinux-base-policy-9999::gentoo (masked by: missing keyword)
> 
> Adding an unmask for `sec-policy/selinux-base-policy` didn't help.
> 
> I'm new to Gentoo, but not new to systemd or selinux.

This is actually a keyword (see "missing keyword" in the error message you pasted), so an entry to package.accept_keywords is necessary instead:

echo "=sec-policy/selinux-base-policy-9999 **" >> /etc/portage/package.accept_keywords

For more details see https://wiki.gentoo.org/wiki/Knowledge_Base:Accepting_a_keyword_for_a_single_package.

By the way: for future questions about portage configuration, the forum, the many IRC channels on freenode (#gentoo-hardened), and the mailing lists might be better places than bug reports. :)

Best regards,
Nils
Comment 18 maxmodulo 2018-07-06 19:58:20 UTC
(In reply to Nils Freydank from comment #17)
> (In reply to maxmodulo from comment #16)
> > I want to test this also, but how do I remove the mask for:  
> > - sec-policy/selinux-base-policy-9999::gentoo (masked by: missing keyword)
> > 
> > Adding an unmask for `sec-policy/selinux-base-policy` didn't help.
> > 
> > I'm new to Gentoo, but not new to systemd or selinux.
> 
> This is actually a keyword (see "missing keyword" in the error message you
> pasted), so an entry to package.accept_keywords is necessary instead:
> 
> echo "=sec-policy/selinux-base-policy-9999 **" >>
> /etc/portage/package.accept_keywords
> 
> For more details see
> https://wiki.gentoo.org/wiki/Knowledge_Base:
> Accepting_a_keyword_for_a_single_package.
> 
> By the way: for future questions about portage configuration, the forum, the
> many IRC channels on freenode (#gentoo-hardened), and the mailing lists
> might be better places than bug reports. :)
> 
> Best regards,
> Nils

Understood, Nils.  Many thanks for your kind reply. :)
Comment 19 Amel Hodzic 2019-12-11 12:34:07 UTC
With planned upstream changes in gnome-3.34 using systemd --user for session management, stabilizing SELinux + systemd becomes more urgent.  

Links to relevant updates and upstream bugs:

* https://blogs.gnome.org/benzea/2019/10/01/gnome-3-34-is-now-managed-using-systemd/ 
* https://github.com/systemd/systemd/issues/1941 [systemd --user + selinux discussion]
Comment 20 dan 2020-09-05 06:26:01 UTC
As another interested user, I'm wondering what the progress is in ensuring that systemd and SELinux can play well together. It's disheartening to see the last comment on this bug is nearly NINE MONTHS old
Comment 21 Krzysztof Nowicki 2020-09-07 14:11:21 UTC
Have no fear - I haven't forgotten about the topic. Due to family commitments the progress has gone very slow.

Recently - after a long time - I came back to the subject. Unfortunately I have noticed that the Gentoo SELinux policy development has stopped. Luckily I was able to switch to upstream reference policy and after doing some minor tweaks to the ebuilds I was able to install it.

Surprisingly there were not too many problems. The system did not start in enforcing mode, but after doing some patching I was able to get it to work. This work is of course not finished, but I'm happy with the progress so far.

Patches will be heading upstream soon.

My only concern is lack of development on Gentoo SELinux policy, but regardless of what happens, upstream changes will be merged to it eventually.
Comment 22 dan 2020-09-18 09:39:47 UTC
Any time estimates? I know that other distros have SELinux running fine with Systemd. And on my Gentoo box (my PREFERRED Distro!) I really miss having Systemd.
Comment 23 Krzysztof Nowicki 2021-02-12 19:48:08 UTC
Fixes keep coming:

https://github.com/SELinuxProject/refpolicy/pull/353

With this I'm able to boot the system in enforcing mode with systemd 246 and set up the network with systemd-networkd.
Comment 24 dan 2021-02-13 05:37:28 UTC
Extremely glad to hear it. I'll be watching for a portage profile that puts systemd and SELinux together. I'm one of the security paranoid folks and while SELinux may not be a miracle cure to security, it sure helps more than any other method I've used.
Comment 25 Larry the Git Cow gentoo-dev 2021-11-22 01:19:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=efc1c320336a1e0eb46c1faff68c3f797a101f18

commit efc1c320336a1e0eb46c1faff68c3f797a101f18
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-11-22 01:18:40 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-22 01:19:39 +0000

    profiles: add arm64 SELinux + systemd profiles too (exp)
    
    Bug: https://bugs.gentoo.org/528674
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/default/linux/arm64/17.0/systemd/selinux/eapi   | 1 +
 profiles/default/linux/arm64/17.0/systemd/selinux/parent | 2 ++
 profiles/profiles.desc                                   | 1 +
 3 files changed, 4 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d1e89f43018c8f341752d4869e35b29b19ea80f2

commit d1e89f43018c8f341752d4869e35b29b19ea80f2
Author:     Jonathan Davies <jpds@protonmail.com>
AuthorDate: 2021-08-30 11:40:09 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-22 01:19:35 +0000

    profiles/profiles.desc: Marked systemd/selinux profiles as experimental.
    
    Bug: https://bugs.gentoo.org/528674
    Signed-off-by: Jonathan Davies <jpds@protonmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/22152
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/profiles.desc | 2 ++
 1 file changed, 2 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2d79035ada08bd4024bcba359e65d3e7976e7c1

commit e2d79035ada08bd4024bcba359e65d3e7976e7c1
Author:     Jonathan Davies <jpds@protonmail.com>
AuthorDate: 2021-08-30 11:38:17 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-22 01:19:31 +0000

    profiles: amd64/17.1: Defined selinux profiles for systemd and no-multilib/systemd.
    
    Bug: https://bugs.gentoo.org/528674
    Signed-off-by: Jonathan Davies <jpds@protonmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/default/linux/amd64/17.1/no-multilib/systemd/selinux/eapi   | 1 +
 profiles/default/linux/amd64/17.1/no-multilib/systemd/selinux/parent | 2 ++
 profiles/default/linux/amd64/17.1/systemd/selinux/eapi               | 1 +
 profiles/default/linux/amd64/17.1/systemd/selinux/parent             | 2 ++
 4 files changed, 6 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=70dad6cc2e4cf98714601f97e88b777cd7209991

commit 70dad6cc2e4cf98714601f97e88b777cd7209991
Author:     Jonathan Davies <jpds@protonmail.com>
AuthorDate: 2021-08-29 22:56:17 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-22 01:19:26 +0000

    selinux: use.mask: Removed blocker on systemd USE flag.
    
    Bug: https://bugs.gentoo.org/528674
    Signed-off-by: Jonathan Davies <jpds@protonmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/features/selinux/use.mask | 1 -
 1 file changed, 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d787a1ad45a7911f61a2a3099f958eb5c003a63f

commit d787a1ad45a7911f61a2a3099f958eb5c003a63f
Author:     Jonathan Davies <jpds@protonmail.com>
AuthorDate: 2021-08-29 22:55:54 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-22 01:19:14 +0000

    selinux: package.mask: Removed file for systemd enablement.
    
    Bug: https://bugs.gentoo.org/528674
    Signed-off-by: Jonathan Davies <jpds@protonmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/features/selinux/package.mask | 38 ----------------------------------
 1 file changed, 38 deletions(-)
Comment 26 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-10-25 19:19:30 UTC
Just to give an update: obviously the profiles exist (see above) but there's been a huge amount of policy work by concord et al to make things work.