public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] SELinux policy and openrc
@ 2011-05-13 20:06 Sven Vermeulen
  2011-05-14 16:59 ` Chris Richards
  0 siblings, 1 reply; 5+ messages in thread
From: Sven Vermeulen @ 2011-05-13 20:06 UTC
  To: gentoo-hardened

Hi all,

I've put selinux-base-policy-2.20101213-r14 in the hardened-dev.git overlay.
Its main addition is support for openrc (which is now stable and was hunting
for my patience the last few days) which is done by a few labelling
statements (especially for /lib(64)?/rc/... stuff) as well as to "allow
run_init_t initrc_exec_t:file execute_no_trans", this because
/sbin/runscript was previously a binary and is now a wrapper (hence the
additional rule).

In the further future, we might want to relabel runscript to bin_t (as
run_init_t already has execute_no_trans on those) but for those systems that
have not migrated to openrc yet, such a change would mean disaster.

I've added a reminder for myself around August to make this switch /if/
other architectures have also migrated to openrc (ok, I know we do not
support SELinux on those, but (1.) that doesn't mean no-one uses it, and
(2.) there are a few people waiting for openrc migration until things cool
down).

Sadly, to support openrc, SELinux users will also need to add the following
line to their /etc/fstab (wrapped):
  rc-svcdir	/lib64/rc/init.d	tmpfs	\
  rw,rootcontext=system_u:object_r:initrc_state_t,seclabel,\
  nosuid,nodev,noexec,relatime,size=1024k,mode=755	0 0

I tried labelling /lib64/rc to initrc_state_t, but then I had to put a lot
of other allow rules for less related domains towards initrc_state_t.
Mounting the init.d as initrc_state_t requires no additional updates on the
policy (well, perhaps a few cosmetic ones to hide denials that are seemingly
not needed). Perhaps we could have the openrc people update the
/lib64/rc/sh/init.sh file to do this automatically on SELinux systems, but
let us first see how things turn out.

Anyway, this addition to the /etc/fstab has been put in the SELinux handbook
in hardened-doc.git overlay.

Wkr,
	Sven Vermeulen




* Re: [gentoo-hardened] SELinux policy and openrc
  2011-05-13 20:06 [gentoo-hardened] SELinux policy and openrc Sven Vermeulen
@ 2011-05-14 16:59 ` Chris Richards
  2011-05-14 21:41   ` Sven Vermeulen
  2011-05-14 22:25   ` Sven Vermeulen
  0 siblings, 2 replies; 5+ messages in thread
From: Chris Richards @ 2011-05-14 16:59 UTC
  To: gentoo-hardened

On 05/13/2011 03:06 PM, Sven Vermeulen wrote:
> Hi all,
>
> I've put selinux-base-policy-2.20101213-r14 in the hardened-dev.git overlay.
> Its main addition is support for openrc (which is now stable and was hunting
> for my patience the last few days) which is done by a few labelling
> statements (especially for /lib(64)?/rc/... stuff) as well as to "allow
> run_init_t initrc_exec_t:file execute_no_trans", this because
> /sbin/runscript was previously a binary and is now a wrapper (hence the
> additional rule).
>
> In the further future, we might want to relabel runscript to bin_t (as
> run_init_t already has execute_no_trans on those) but for those systems that
> have not migrated to openrc yet, such a change would mean disaster.
>
> I've added a reminder for myself around August to make this switch /if/
> other architectures have also migrated to openrc (ok, I know we do not
> support SELinux on those, but (1.) that doesn't mean no-one uses it, and
> (2.) there are a few people waiting for openrc migration until things cool
> down).
>
> Sadly, to support openrc, SELinux users will also need to add the following
> line to their /etc/fstab (wrapped):
>    rc-svcdir	/lib64/rc/init.d	tmpfs	\
>    rw,rootcontext=system_u:object_r:initrc_state_t,seclabel,\
>    nosuid,nodev,noexec,relatime,size=1024k,mode=755	0 0
>
> I tried labelling /lib64/rc to initrc_state_t, but then I had to put a lot
> of other allow rules for less related domains towards initrc_state_t.
> Mounting the init.d as initrc_state_t requires no additional updates on the
> policy (well, perhaps a few cosmetic ones to hide denials that are seemingly
> not needed). Perhaps we could have the openrc people update the
> /lib64/rc/sh/init.sh file to do this automatically on SELinux systems, but
> let us first see how things turn out.
>

Just posting this so that others will know about it.  We determined that
/lib64/rc/init.d needs to be relabeled to initrc_state_t on the file
system using the same relabel that we do for /dev.  I believe the manual
is being updated to add this information.  In addition, a rule has to be
added to init.fc and init.te to relabel this directory
(/lib64/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0),
or something similar), as well as add the mounton privilege using
files_mountpoint(initrc_state_t).  Once that is done, there is no longer
a need for the fstab stuff.

> Anyway, this addition to the /etc/fstab has been put in the SELinux handbook
> in hardened-doc.git overlay.
>
> Wkr,
> 	Sven Vermeulen
>
>
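As an added illustration (not code from this thread or from the hardened-dev.git overlay), the three policy pieces discussed so far written out as one small stand-alone module: Sven's execute_no_trans rule for run_init_t on the runscript wrapper, Chris's file-context entry that labels /lib64/rc/init.d as initrc_state_t, and the files_mountpoint() call that grants the mounton permission. The module name and the choice of a separate local module instead of editing init.te and init.fc are my assumptions; the types and interfaces are the ones named in the messages above.

```selinux
# --- gentoo_openrc_local.fc (assumed module name; illustrative only) ---
#
# Label the OpenRC service state directory initrc_state_t on disk, which is
# the relabel Chris describes instead of the rootcontext= tmpfs line in fstab.
/lib64/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)

# --- gentoo_openrc_local.te ---
policy_module(gentoo_openrc_local, 0.1)

gen_require(`
	type run_init_t, initrc_exec_t, initrc_state_t;
')

# /sbin/runscript is now a wrapper script rather than a binary, so run_init_t
# has to be able to execute the initrc_exec_t file in its own domain
# (execute_no_trans) instead of only transitioning through it.
allow run_init_t initrc_exec_t:file execute_no_trans;

# Let OpenRC mount its tmpfs on top of the initrc_state_t directory: this is
# the "mounton privilege" from the message above.
files_mountpoint(initrc_state_t)
```

Build and load it the usual refpolicy way (make -f /usr/share/selinux/strict/include/Makefile gentoo_openrc_local.pp; semodule -i gentoo_openrc_local.pp), then relabel the directory with restorecon -Rv /lib64/rc/init.d and check the result with ls -dZ /lib64/rc/init.d. Keep the rule set this narrow on purpose: execute_no_trans on initrc_exec_t is the only new permission run_init_t receives, and nothing here widens what initrc_state_t can be reached by from other domains, which is exactly the sprawl Sven ran into when he tried to label all of /lib64/rc.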





* Re: [gentoo-hardened] SELinux policy and openrc
  2011-05-14 16:59 ` Chris Richards
@ 2011-05-14 21:41   ` Sven Vermeulen
  2011-05-14 22:25   ` Sven Vermeulen
  1 sibling, 0 replies; 5+ messages in thread
From: Sven Vermeulen @ 2011-05-14 21:41 UTC
  To: gentoo-hardened

On Sat, May 14, 2011 at 11:59:54AM -0500, Chris Richards wrote:
> Just posting this so that others will know about it.  We determined that
> /lib64/rc/init.d needs to be relabeled to initrc_state_t on the file
> system using the same relabel that we do for /dev.  I believe the manual
> is being updated to add this information.  In addition, a rule has to be
> added to init.fc and init.te to relabel this directory
> (/lib64/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0),
> or something similar), as well as add the mounton privilege using
> files_mountpoint(initrc_state_t).  Once that is done, there is no longer
> a need for the fstab stuff.

Still not there yet.

One major pita is that the various management scripts (rc-update &
rc-status) are now wrappers over /sbin/rc. As a result, when you execute the
scripts, they are all transitioning to the run_init_t domain.

As a result, we have to add several permissions to run_init_t which
were previously managed by sysadm_t. For instance, rc-update needs write
privileges in /etc/runlevels (etc_t). Changing the type isn't that easy,
because the files are also used (read) by various other domains, which would
then also need to be patched, and all that just for Gentoo.

The moment I notice that I'm deviating too much from things because of a
single reason (having wrappers over /sbin/rc) I tend to look for other
answers. I have a few ones up my sleeve, but need to test them out :-(

Wkr,
	Sven Vermeulen




* Re: [gentoo-hardened] SELinux policy and openrc
  2011-05-14 16:59 ` Chris Richards
  2011-05-14 21:41   ` Sven Vermeulen
@ 2011-05-14 22:25   ` Sven Vermeulen
  2011-05-15 13:16     ` Sven Vermeulen
  1 sibling, 1 reply; 5+ messages in thread
From: Sven Vermeulen @ 2011-05-14 22:25 UTC
  To: gentoo-hardened

On Sat, May 14, 2011 at 11:59:54AM -0500, Chris Richards wrote:
> Just posting this so that others will know about it.  We determined that
> /lib64/rc/init.d needs to be relabeled to initrc_state_t on the file
> system using the same relabel that we do for /dev.  I believe the manual
> is being updated to add this information.  In addition, a rule has to be
> added to init.fc and init.te to relabel this directory
> (/lib64/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0),
> or something similar), as well as add the mounton privilege using
> files_mountpoint(initrc_state_t).  Once that is done, there is no longer
> a need for the fstab stuff.

I just pushed selinux-base-policy-2.20101213-r15 to hardened-dev.git
overlay. It does not resolve all problems, but at least Gentoo Hardened with
SELinux now boots up properly with OpenRC (and the Gentoo SELinux handbook
has been updated with what Chris R. said).

But there is still some work ahead.
- rc-update currently *does* *not* *work*. Not good. I know. 
  The problem is that rc-update (bin_t) calls /sbin/rc (initrc_exec_t) so
  transitions to run_init_t which does not have the rights to write in
  /etc/runlevels (etc_t). Calling rc-update with run_init doesn't help
  either (transitions to initrc_t which also has no rights to write to
  etc_t)
- rc-service works
- rc-status works if you use "run_init rc-status". Allowing rc-status to
  work without run_init is possible as well (-r15 offers the
  gentoo_init_manage_script_status_files interface for this which we can
  apply to run_init_t, but you'll also need to add in a
  term_use_unallocated_ttys(run_init_t)) but I left it out as I find it to
  be an ugly situation then
- rc works if you use "run_init rc". 

Now, this mixed usage of "with run_init" and "without run_init" is a pain,
especially as Gentoo tried hard not to require run_init in the first place
(well, it uses it, but in the background). This can be fixed by using
run_init in the wrappers where needed, but that requires an update on
openrc. Yet this still looks to me like the sanest approach. 

Some methods can be used to work around this, like labelling the wrappers so
that they transition before /sbin/rc is called, but that looks like an ugly
situation too to me.

To fix the rc-update issue, we need to be able to run /sbin/rc without
transitioning. I'm thinking about having a copy of /sbin/rc to
/lib64/rc/sbin and have the rc-update wrapper point to that one. I can then
also do the same for rc-status (no need for run_init then, sysadm_t has the
same privileges). It seems to work fairly well on my systems, but that's
again another change just for SELinux-enabled Gentoo systems :-(

Chris R.: in https://bugs.gentoo.org/351712 the use of the wrappers was
suggested instead of symlinks (which would've caused the same problems here
I think) just for the reason that I'm writing out now. How did you resolve
the problem on your system?

Wkr,
	Sven Vermeulen




* Re: [gentoo-hardened] SELinux policy and openrc
  2011-05-14 22:25   ` Sven Vermeulen
@ 2011-05-15 13:16     ` Sven Vermeulen
  0 siblings, 0 replies; 5+ messages in thread
From: Sven Vermeulen @ 2011-05-15 13:16 UTC
  To: gentoo-hardened

On Sun, May 15, 2011 at 12:25:32AM +0200, Sven Vermeulen wrote:
> I just pushed selinux-base-policy-2.20101213-r15 to hardened-dev.git
> overlay. It does not resolve all problems, but at least Gentoo Hardened with
> SELinux now boots up properly with OpenRC (and the Gentoo SELinux handbook
> has been updated with what Chris R. said).

Small update. I'm going to push out -r16 after the regression tests finish.

> But there is still some work ahead.
> - rc-update currently *does* *not* *work*. Not good. I know. 
>   The problem is that rc-update (bin_t) calls /sbin/rc (initrc_exec_t) so
>   transitions to run_init_t which does not have the rights to write in
>   /etc/runlevels (etc_t). Calling rc-update with run_init doesn't help
>   either (transitions to initrc_t which also has no rights to write to
>   etc_t)

This is fixed; from -r16, my proposal would be to use an intermediate domain
(sysadm_initrc_notrans_t) which, when executing an initrc_exec_t file (like
/sbin/rc) transitions back to sysadm_t.

The intermediate domain can be entered through an initrc_notrans_exec_t
file.

> - rc-status works if you use "run_init rc-status". Allowing rc-status to
>   work without run_init is possible as well (-r15 offers the
>   gentoo_init_manage_script_status_files interface for this which we can
>   apply to run_init_t, but you'll also need to add in a
>   term_use_unallocated_ttys(run_init_t)) but I left it out as I find it to
>   be an ugly situation then

This is fixed as well using the same method.

When installing -r16, you want to relabel the /sbin/rc-* and /bin/rc-* files
to make use of this though.

Wkr,
	Sven Vermeulen
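To make the transition chain concrete, here is an added sketch of the intermediate-domain approach from the message above, which addresses the problem from the previous message (rc-update, as bin_t, executing /sbin/rc and landing in run_init_t, a domain without write access to etc_t). It is not the actual selinux-base-policy-2.20101213-r16 code, only what Sven's description states, filled out with standard refpolicy interfaces. The module name, the interfaces used to flesh it out (domain_entry_file, domtrans_pattern, corecmd_exec_shell, userdom_use_user_terminals) and the wrapper paths in the .fc fragment are my assumptions; the domain and type names are the ones Sven gives.

```selinux
# --- gentoo_initrc_notrans.te (assumed name; added sketch, not the -r16 sources) ---
policy_module(gentoo_initrc_notrans, 0.1)

gen_require(`
	type sysadm_t, initrc_exec_t;
	role sysadm_r;
')

# The intermediate domain and the entry-point type for the OpenRC wrappers.
type sysadm_initrc_notrans_t;
type initrc_notrans_exec_t;
domain_type(sysadm_initrc_notrans_t)
domain_entry_file(sysadm_initrc_notrans_t, initrc_notrans_exec_t)
corecmd_executable_file(initrc_notrans_exec_t)
role sysadm_r types sysadm_initrc_notrans_t;

# Step 1: sysadm_t runs an initrc_notrans_exec_t wrapper (rc-update,
# rc-status) and lands in the intermediate domain rather than run_init_t.
domtrans_pattern(sysadm_t, initrc_notrans_exec_t, sysadm_initrc_notrans_t)

# Step 2: when that wrapper executes /sbin/rc (initrc_exec_t) the process
# transitions back to sysadm_t, which can already write /etc/runlevels
# (etc_t).  Nothing is granted to run_init_t or initrc_t, and no domain
# gains new write access to etc_t.
# Assumption: sysadm_t needs entrypoint on initrc_exec_t for this to work.
domain_entry_file(sysadm_t, initrc_exec_t)
domtrans_pattern(sysadm_initrc_notrans_t, initrc_exec_t, sysadm_t)

# The wrappers are shell scripts and talk to the admin's terminal.
corecmd_exec_shell(sysadm_initrc_notrans_t)
userdom_use_user_terminals(sysadm_initrc_notrans_t)

# --- gentoo_initrc_notrans.fc ---
# Only the wrappers get the new type; /sbin/rc itself stays initrc_exec_t.
# Paths are assumed from "/sbin/rc-* and /bin/rc-*" in the message above.
/sbin/rc-update		--	gen_context(system_u:object_r:initrc_notrans_exec_t,s0)
/bin/rc-status		--	gen_context(system_u:object_r:initrc_notrans_exec_t,s0)
```

After loading the module, relabel the wrappers as Sven says (restorecon -v /sbin/rc-* /bin/rc-*), otherwise they keep bin_t and the old detour through run_init_t remains. Two checks with setools confirm the design: sesearch -T -s sysadm_t -t initrc_notrans_exec_t and sesearch -T -s sysadm_initrc_notrans_t -t initrc_exec_t should each show exactly one type_transition, and sesearch -A -s run_init_t -t etc_t -c file -p write should show that nothing was added for run_init_t. The whole point of the intermediate domain is that rc-update's write to /etc/runlevels happens in sysadm_t, which already has that right, so the init domains do not need to be widened.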



