Comment 1 Sven Vermeulen (RETIRED) 2012-06-30 10:29:53 UTC

We will need to make this a bit more granular.

For each directory, we need to find out which tool or script creates it. Then we need to figure out how we can adapt the policy to automatically assign the right label for it.

Stuff that is statically defined (i.e. through an ebuild package) should have the right label, since /var/run is var_run_t and so is /run (even more, all file contexts for /run are translated to /var/run).

Comment 2 Sven Vermeulen (RETIRED) 2012-07-01 11:39:27 UTC

Allow me to use this bug as a tracker so I can make the different actions more manageable (like identified issues).

Comment 3 Sven Vermeulen (RETIRED) 2012-07-10 19:39:39 UTC

Ok, the udev stuff (needed to get Xorg working mainly) is in rev 14.

Please, for the other stuff you noticed, can you file new bug reports (depending on this one) for each case, also mention the error(s) you get if you don't relabel the files (if something doesn't start, give the denials and error message, etc.) Without that information, it's impossible to rectify the situation as we don't know what the proper resolution is.

I think there is a lot more that needs fixing for lables in /run.

I have a fairly bare image that I can't even get to the bash prompt when trying to boot with enforced turned on, and a lot of the audit messages are tied to stuff found in /run. Especially /run/utmp.

This is my first real attempt at implementing SELinux, so I may need direction on how to sort through all this to file individual bugs. But I'm not sure how to even start that when even udev fails to load.

In permissive mode here is what the labels in /run look like:

# ls -lZ /run
total 32
-rw-r--r--.  1 root      root  system_u:object_r:tmpfs_t           5 Sep 26 15:54 atd.pid
drwxr-xr-x.  2 avahi     avahi system_u:object_r:tmpfs_t          80 Sep 26 15:54 avahi-daemon
-rw-r--r--.  1 root      root  system_u:object_r:tmpfs_t           5 Sep 26 15:54 cron.pid
drwxr-xr-x.  2 root      root  system_u:object_r:initrc_state_t   60 Sep 26 15:54 dbus
-rw-r--r--.  1 root      root  system_u:object_r:tmpfs_t           5 Sep 26 15:54 dbus.pid
-rw-r--r--.  1 root      root  system_u:object_r:tmpfs_t           5 Sep 26 15:54 gpm.pid
drwxr-xr-x.  2 root      root  system_u:object_r:tmpfs_t          60 Sep 26 15:54 initramfs
drwxrwxr-x.  2 root      uucp  system_u:object_r:tmpfs_t          40 Sep 20 19:35 lock
drwxr-xr-x.  2 memcached root  system_u:object_r:initrc_state_t   60 Sep 26 15:54 memcached
drwxr-xr-x.  2 root      root  system_u:object_r:tmpfs_t          60 Sep 26 15:54 mount
drwxrwxr-x. 14 root      root  system_u:object_r:initrc_state_t  360 Sep 26 15:54 openrc
-rw-r--r--.  1 root      root  system_u:object_r:sshd_tmpfs_t      5 Sep 26 15:54 sshd.pid
srwxr-xr-x.  1 root      root  system_u:object_r:tmpfs_t           0 Sep 26 15:54 syslog-ng.ctl
-rw-r--r--.  1 root      root  system_u:object_r:tmpfs_t           5 Sep 26 15:54 syslog-ng.pid
drwxr-xr-x.  6 root      root  system_u:object_r:tmpfs_t         160 Sep 26 15:54 udev
-rw-rw-r--.  1 root      utmp  system_u:object_r:tmpfs_t        4608 Sep 26 15:55 utmp

and after restorcon:

# ls -lZ /run
total 32
-rw-r--r--.  1 root      root  system_u:object_r:crond_var_run_t           5 Sep 26 15:54 atd.pid
drwxr-xr-x.  2 avahi     avahi system_u:object_r:avahi_var_run_t          80 Sep 26 15:54 avahi-daemon
-rw-r--r--.  1 root      root  system_u:object_r:crond_var_run_t           5 Sep 26 15:54 cron.pid
drwxr-xr-x.  2 root      root  system_u:object_r:system_dbusd_var_run_t   60 Sep 26 15:54 dbus
-rw-r--r--.  1 root      root  system_u:object_r:tmpfs_t                   5 Sep 26 15:54 dbus.pid
-rw-r--r--.  1 root      root  system_u:object_r:tmpfs_t                   5 Sep 26 15:54 gpm.pid
drwxr-xr-x.  2 root      root  system_u:object_r:var_run_t                60 Sep 26 15:54 initramfs
drwxrwxr-x.  2 root      uucp  system_u:object_r:var_lock_t               40 Sep 20 19:35 lock
drwxr-xr-x.  2 memcached root  system_u:object_r:var_run_t                60 Sep 26 15:54 memcached
drwxr-xr-x.  2 root      root  system_u:object_r:var_run_t                60 Sep 26 15:54 mount
drwxrwxr-x. 14 root      root  system_u:object_r:initrc_state_t          360 Sep 26 15:54 openrc
-rw-r--r--.  1 root      root  system_u:object_r:sshd_tmpfs_t              5 Sep 26 15:54 sshd.pid
srwxr-xr-x.  1 root      root  system_u:object_r:var_run_t                 0 Sep 26 15:54 syslog-ng.ctl
-rw-r--r--.  1 root      root  system_u:object_r:tmpfs_t                   5 Sep 26 15:54 syslog-ng.pid
drwxr-xr-x.  6 root      root  system_u:object_r:udev_var_run_t          160 Sep 26 15:54 udev
-rw-rw-r--.  1 root      utmp  system_u:object_r:initrc_var_run_t       4608 Sep 26 15:55 utmp



# emerge --info
Portage 2.1.11.21 (hardened/linux/amd64/no-multilib/selinux, gcc-4.6.3, glibc-2.15-r3, 3.5.4-hardened-r1 x86_64)
=================================================================
System uname: Linux-3.5.4-hardened-r1-x86_64-QEMU_Virtual_CPU_version_1.1.1-with-gentoo-2.2
Timestamp of tree: Wed, 26 Sep 2012 04:30:01 +0000
app-shells/bash:          4.2_p37
dev-lang/python:          2.7.3-r2, 3.2.3-r1
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.10.5
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.69
sys-devel/automake:       1.11.6, 1.12.4
sys-devel/binutils:       2.22.90
sys-devel/gcc:            4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.5 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -mtune=generic -mfpmath=sse -ftree-vectorize -fomit-frame-pointer -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -mtune=generic -mfpmath=sse -ftree-vectorize -fomit-frame-pointer -pipe -fvisibility-inlines-hidden"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--sort-common"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl acpi aio amd64 avahi berkdb bzip2 caps cli cracklib crypt cups cxx dbus dri gdbm git gntls gpm hardened iconv icu ipv6 justify kerberos mbox memcached mmap mmx modules mudflap ncurses nls nptl open_perms openmp pam pax_kernel pcre posix postgres pppd python readline ruby samba sasl selinux session smp snmp sockets sqlite sqlite3 sse sse2 ssl subversion svg syslog sysvipc tcpd threads udev unicode urandom vhosts xattr xml zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" DRACUT_MODULES="dmraid iscsi lvm mdraid net" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" GRUB_PLATFORMS="efi-64 pc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" NGINX_MODULES_HTTP="access auth_basic autoindex browser charset empty_gif geo gzip limit_conn limit_req map memcached proxy push referer rewrite split_clients ssi upstream_ip_hash userid upload upload_progress xslt" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" RUBY_TARGETS="ruby19" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON



# dmesg | grep audit
[    0.394088] audit: initializing netlink socket (disabled)
[    0.394400] type=2000 audit(1348692876.390:1): initialized
[    1.071193] type=1403 audit(1348692876.070:2): policy loaded auid=4294967295 ses=4294967295
[    1.074823] type=1400 audit(1348692876.070:3): avc:  denied  { search } for  pid=1 comm="init" name="/" dev="tmpfs" ino=3091 scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[    1.075638] type=1400 audit(1348692876.070:4): avc:  denied  { write } for  pid=1 comm="init" name="/" dev="tmpfs" ino=3091 scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[    1.076492] type=1400 audit(1348692876.070:5): avc:  denied  { add_name } for  pid=1 comm="init" name="utmp" scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[    1.077324] type=1400 audit(1348692876.070:6): avc:  denied  { create } for  pid=1 comm="init" name="utmp" scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t tclass=file
[    1.078177] type=1400 audit(1348692876.070:7): avc:  denied  { write open } for  pid=1 comm="init" path="/run/utmp" dev="tmpfs" ino=125 scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t tclass=file
[    1.080112] type=1400 audit(1348692876.079:8): avc:  denied  { read } for  pid=1146 comm="init" name="utmp" dev="tmpfs" ino=125 scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t tclass=file
[    1.081097] type=1400 audit(1348692876.079:9): avc:  denied  { lock } for  pid=1146 comm="init" path="/run/utmp" dev="tmpfs" ino=125 scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t tclass=file
[    1.195354] type=1400 audit(1348692876.190:10): avc:  denied  { setattr } for  pid=1160 comm="rc" name="lock" dev="tmpfs" ino=16 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[    5.439183] audit_printk_skb: 138 callbacks suppressed
[    5.439185] type=1400 audit(1348692880.140:57): avc:  denied  { setcap } for  pid=1793 comm="syslog-ng" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process
[    5.468130] type=1400 audit(1348692880.169:58): avc:  denied  { search } for  pid=1798 comm="syslog-ng" name="/" dev="tmpfs" ino=3091 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[    5.475590] type=1400 audit(1348692880.179:59): avc:  denied  { getcap } for  pid=1798 comm="syslog-ng" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process
[    5.475890] type=1400 audit(1348692880.179:60): avc:  denied  { write } for  pid=1798 comm="syslog-ng" name="/" dev="tmpfs" ino=3091 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[    5.475896] type=1400 audit(1348692880.179:61): avc:  denied  { add_name } for  pid=1798 comm="syslog-ng" name="syslog-ng.pid" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[    5.475909] type=1400 audit(1348692880.179:62): avc:  denied  { create } for  pid=1798 comm="syslog-ng" name="syslog-ng.pid" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file
[    5.475917] type=1400 audit(1348692880.179:63): avc:  denied  { write open } for  pid=1798 comm="syslog-ng" path="/run/syslog-ng.pid" dev="tmpfs" ino=629 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file
[    5.475924] type=1400 audit(1348692880.179:64): avc:  denied  { getattr } for  pid=1798 comm="syslog-ng" path="/run/syslog-ng.pid" dev="tmpfs" ino=629 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file
[    5.476080] type=1400 audit(1348692880.179:65): avc:  denied  { create } for  pid=1798 comm="syslog-ng" name="syslog-ng.ctl" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file
[    5.631939] type=1400 audit(1348692880.340:66): avc:  denied  { search } for  pid=1815 comm="atd" name="/" dev="tmpfs" ino=3091 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[   48.526468] audit_printk_skb: 195 callbacks suppressed
[   48.526471] type=1400 audit(1348692923.239:132): avc:  denied  { search } for  pid=2173 comm="unix_chkpwd" name="/" dev="tmpfs" ino=3091 scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[   48.590515] type=1400 audit(1348692923.300:133): avc:  denied  { read } for  pid=2169 comm="sshd" name="utmp" dev="tmpfs" ino=125 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:tmpfs_t tclass=file
[   48.590523] type=1400 audit(1348692923.300:134): avc:  denied  { open } for  pid=2169 comm="sshd" path="/run/utmp" dev="tmpfs" ino=125 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:tmpfs_t tclass=file
[   48.590540] type=1400 audit(1348692923.300:135): avc:  denied  { lock } for  pid=2169 comm="sshd" path="/run/utmp" dev="tmpfs" ino=125 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:tmpfs_t tclass=file
[   48.595129] type=1400 audit(1348692923.300:136): avc:  denied  { write } for  pid=2175 comm="sshd" name="utmp" dev="tmpfs" ino=125 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:tmpfs_t tclass=file
[   55.914977] type=1400 audit(1348692930.630:137): avc:  denied  { read } for  pid=2179 comm="dmesg" name="kmsg" dev="devtmpfs" ino=1032 scontext=root:staff_r:staff_t tcontext=system_u:object_r:kmsg_device_t tclass=chr_file
[   55.914985] type=1400 audit(1348692930.630:138): avc:  denied  { open } for  pid=2179 comm="dmesg" path="/dev/kmsg" dev="devtmpfs" ino=1032 scontext=root:staff_r:staff_t tcontext=system_u:object_r:kmsg_device_t tclass=chr_file

Comment 5 Sven Vermeulen (RETIRED) 2012-09-29 07:28:19 UTC

(In reply to comment #4)
> I think there is a lot more that needs fixing for lables in /run.
[...]

We'll need to make separate reports for this to make this manageable. Like for the avahi, atd, cron, ...

Ok, I've been able to work through a lot of this and make more sense of it.

First, I was using a dracut initramfs when booting (needed to be able to mount using UUIDs), so the info in the wiki about /etc/init.d/selinux_enforce helped me work out several issues.

The next big item causing a lot of issues is that the newer openrc mounts /run as a tmpfs now. What happens is that all the files in /run now get assigned tmpfs_t.

I tried adding rootcontext=system_u:object_r:var_run_t mount options to /etc/fstab.sys for /run that dracut is supposed to use when mounting things in initramfs, but that does not seem to have any effect on what happens when openrc takes over. Neither does putting it in /etc/fstab

So, I added the following to the selinux_enforce file:

        mkdir -p /run/lock/subsys
        restorecon -R /run

That fixes some things _after_ that script is run, but there are still quite a few audit warning comming from early on in the openrc process. I created the following module to get around the rest of the issues dealing with tmpfs_r access:

policy_module(tmpfs, 1.0.0)

require {
  type init_t;
  type initrc_t;
  type mount_t;
  type kernel_t;
  type tmpfs_t;

  class file { read write open getattr setattr create lock };
  class dir { read write search open getattr setattr add_name };
}

allow init_t tmpfs_t:file { read write open getattr setattr create lock };
allow init_t tmpfs_t:dir { read write search open getattr setattr add_name };
allow initrc_t tmpfs_t:file { read write open getattr setattr create lock };
allow initrc_t tmpfs_t:dir { read write search open getattr setattr add_name };
allow mount_t tmpfs_t:file { read write open getattr setattr create lock };
allow mount_t tmpfs_t:dir { read write search open getattr setattr add_name };
allow kernel_t tmpfs_t:file { read write open getattr setattr create lock };
allow kernel_t tmpfs_t:dir { read write search open getattr setattr add_name };



However I don't think this is a propper fix. Openrc should be setting those file lables correctly to start with.

After fixing this /run tmpfs_t issue, most of the remaining issues look like they can be fixed with boolean switches and some other small changes.

typo- should read:

I created the following module to get around the rest of the issues dealing with ** tmpfs_t ** access:

after more fixes, I've added more to the tmpfs module I'm using:

policy_module(tmpfs, 1.0.0)

require {
  type init_t;
  type initrc_t;
  type mount_t;
  type kernel_t;
  type udev_t;
  type tmpfs_t;

  class file { read write open getattr setattr create lock rename unlink };
  class dir { read write search open create getattr setattr add_name rename remove_name rmdir };
}

allow init_t tmpfs_t:file { read write open getattr setattr create lock };
allow init_t tmpfs_t:dir { read write search open getattr setattr add_name };
allow initrc_t tmpfs_t:file { read write open getattr setattr create lock };
allow initrc_t tmpfs_t:dir { read write search open getattr setattr add_name };
allow mount_t tmpfs_t:file { read write open getattr setattr create lock };
allow mount_t tmpfs_t:dir { read write search open getattr setattr add_name };
allow kernel_t tmpfs_t:file { read write open getattr setattr create lock };
allow kernel_t tmpfs_t:dir { read write search open getattr setattr add_name };
allow udev_t tmpfs_t:file { read write open getattr setattr create lock rename unlink };
allow udev_t tmpfs_t:dir { read write search open create getattr setattr add_name rename remove_name rmdir };
allow udev_t tmpfs_t:sock_file { create write };
allow udev_t tmpfs_t:lnk_file { create read unlink link };



I also created a few small one or two liner fixes for dmesg, initrc, kernel, syslog, and udev.

That has eliminated all but one audit message I can't quite figure out:

[    1.789720] type=1400 audit(1349116826.780:3): avc:  denied  { rename } for  pid=1229 comm="systemd-udevd" name="watch" dev="tmpfs" ino=1153 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir


The tempfs module above doesn't fix it, and I assume it's because the role is different between the two, however I'm not sure how to get around that. Most of the documentation I'm finding is about using selinux, not writing modules.

Comment 9 Sven Vermeulen (RETIRED) 2012-10-19 17:12:19 UTC

Hi Reuben,

This bug is a tracker bug, which means it is used to keep track of bugs related to a specific topic (in this case, /run support). However, each issue found should be matched with its own bug. These bugs will then block this tracker bug and we can see how much work is still needed for the /run support.

For instance, the fact that you use a dracut initramfs and it mounts /run without the proper rootcontext, that's one bug.

(In reply to comment #9)
> Hi Reuben,
> 
> This bug is a tracker bug, which means it is used to keep track of bugs
> related to a specific topic (in this case, /run support). However, each
> issue found should be matched with its own bug. 

Hi Sven,

Yes, I'm aware of that. ;) I was just having such a big mess of avcs that I wasn't able to scope it out into specific bugs yet.

I've since worked through a lot of it. Maybe not "correctly" per se, but at least I'm able to start sorting in out into bugs elsewhere. (as I'm sure you're well aware since you are the one who had to deal with them)

Thanks for your patience with me. If any of the bugs I'm creating relate to directly to /run, I'll be sure to set them as a blocker for this bug.

Comment 11 Sven Vermeulen (RETIRED) 2012-11-18 08:33:04 UTC

No /run related bugs have been made anymore since. Closing tracker. If you notice new ones, just open bugs for them - no need to block this one.