| Field | Value |
|---|---|
| Summary | initramfs (dracut) fails to boot up a SELinux system in enforcing/strict mode |
| Product | Gentoo Linux |
| Reporter | Sven Vermeulen (RETIRED) <swift> |
| Component | Hardened |
| Assignee | SE Linux Bugs <selinux> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | h.v.bruinehsen |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
Description

Sven Vermeulen (RETIRED)

Booting with enforcing=0 and then later switching (setenforce 1) works fine. But SELinux kernels without this (development) support still fail.

Current issue seems to be that the /init in the initramfs runs in kernel_t but does too many things before it calls load_policy (which is needed to have knowledge about other domains than kernel_t), so labels are all wrong. But calling load_policy earlier might require that policy.26 is part of the initramfs as well (which is again an issue since the policy file is updated many times compared to the initramfs).

Current advice: if you need initramfs support, boot with enforcing=0 (so enable SELinux development in the kernel) and then switch to enforcing afterwards (for instance in an initscript).

Also, grsec users who configure chroot restrictions will need to /unset/ CONFIG_GRKERNSEC_SYSCTL_ON since an initramfs uses chroot extensively (and grsec would deny most of them). You can set them later (through sysctl.conf) and then lock (grsec_lock) the sysctls.

Need to check https://bugs.gentoo.org/attachment.cgi?id=302829 as well here (see if tar needs to be updated).

Use of "permissive" boot solution documented in hardened-docs overlay and on the Gentoo wiki (http://wiki.gentoo.org/wiki/Knowledge_Base:Booting_SELinux_with_an_initramfs).

Seems recently initramfs systems might boot pretty far even without the enforcing=0 at the beginning. As long as the initramfs doesn't load the policy itself, it is pretty much running unconfined (the initramfs is treated as a trusted resource), and when Gentoo's init is called, the policy is loaded.

Marking this as fixed. I've been able to boot in enforcing mode immediately using genkernel, where the initramfs is responsible for the LVM (root is on LVM, and separate /usr as well).
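The workaround described in the bug (boot with enforcing=0 so the initramfs runs effectively unconfined, switch to enforcing from an initscript once the policy is loaded, and only then enable and lock the grsecurity chroot sysctls) can be written as a small OpenRC-style start step. The script below is an added example, not code from the bug report, Gentoo or genkernel. It assumes a Gentoo-style /etc/selinux/config with a SELINUX= line, the selinuxfs enforce flag under /sys/fs/selinux, and the usual kernel.grsecurity.* sysctl names for chroot restrictions (adjust the list to your kernel); the paths are overridable so the logic can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the bug report): switch SELinux to enforcing after the
# policy has been loaded, then apply and lock grsec chroot restrictions that had
# to stay off while the initramfs was using chroot.
#
# Paths are overridable so the logic can be tested against a scratch directory.
SELINUXFS="${SELINUXFS:-/sys/fs/selinux}"
SELINUX_CONFIG="${SELINUX_CONFIG:-/etc/selinux/config}"
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Print the SELINUX= mode requested in the config file
# (enforcing|permissive|disabled); print "unknown" if unset or unreadable.
selinux_config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' \
        "$SELINUX_CONFIG" 2>/dev/null | tail -n 1)
    printf '%s\n' "${mode:-unknown}"
}

# Print the live enforce flag (0 or 1). Fails when selinuxfs is not mounted,
# which is what you see when SELinux is disabled or no policy is loaded yet.
selinux_current_enforce() {
    [ -r "$SELINUXFS/enforce" ] || return 1
    cat "$SELINUXFS/enforce"
}

# Switch to enforcing when the config asks for it and we are still permissive.
# Returns 0 when the configured mode is in effect, 1 when selinuxfs is missing,
# 2 when the switch did not take (for example a kernel built without the
# development option, where the enforce flag cannot be changed at run time).
selinux_apply_mode() {
    want=$(selinux_config_mode)
    cur=$(selinux_current_enforce) || return 1
    case "$want" in
        enforcing)
            if [ "$cur" != 1 ]; then
                # Same effect as "setenforce 1"
                printf '1' > "$SELINUXFS/enforce" 2>/dev/null || return 2
            fi
            # Never trust the write; read the flag back
            [ "$(selinux_current_enforce)" = 1 ] || return 2
            ;;
        *)
            # permissive, disabled or unknown: do not tighten unasked
            ;;
    esac
    return 0
}

# Chroot restrictions that cannot be active while the initramfs uses chroot.
# Assumed sysctl names; adjust to the grsec options enabled in your kernel.
GRSEC_CHROOT_SYSCTLS="kernel.grsecurity.chroot_deny_chroot \
kernel.grsecurity.chroot_deny_mount kernel.grsecurity.chroot_deny_pivot \
kernel.grsecurity.chroot_deny_chmod kernel.grsecurity.chroot_caps"

# Write one sysctl by key (dots become path separators under /proc/sys).
sysctl_set() {
    path="$SYSCTL_ROOT/$(printf '%s' "$1" | tr . /)"
    [ -w "$path" ] || return 1
    printf '%s' "$2" > "$path"
}

# Enable the chroot restrictions, then lock. grsec_lock must be the last write:
# once it is 1 the kernel refuses further changes to kernel.grsecurity.*.
# Return value is the number of keys that could not be set (0 = all applied).
grsec_apply_and_lock() {
    failed=0
    for key in $GRSEC_CHROOT_SYSCTLS; do
        sysctl_set "$key" 1 || failed=$((failed + 1))
    done
    sysctl_set kernel.grsecurity.grsec_lock 1 || failed=$((failed + 1))
    return "$failed"
}

# What an initscript "start" step would run, in this order.
initscript_start() {
    if selinux_apply_mode; then
        echo "selinux: configured mode '$(selinux_config_mode)' is in effect"
    else
        echo "selinux: could not apply configured mode (status $?)" >&2
    fi
    if grsec_apply_and_lock; then
        echo "grsec: chroot restrictions applied and locked"
    else
        echo "grsec: $? sysctl(s) could not be set" >&2
    fi
}

# Run the real thing only when asked; sourcing the file just defines functions.
if [ "${RUN_SELINUX_INIT_EXAMPLE:-0}" = 1 ]; then
    initscript_start
fi
```

The ordering matters: the SELinux switch comes first, because once grsec_lock is set nothing under kernel.grsecurity.* can be changed again, and the readback after writing the enforce flag is what tells you whether the kernel actually honoured the switch rather than silently ignoring it.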