* [gentoo-hardened] SELinux (targeted policy) and invalid context
From: luc nac @ 2010-11-15 0:44 UTC
To: gentoo-hardened
Thanks to all of you who have been interested in my previous message.
I'm encountering many more problems than expected and I can't find a
forum where I can discuss SELinux in Gentoo. I didn't find much
help in this one http://forums.gentoo.org/viewforum-f-18.html . If
this is not the right place to ask for help, please tell me!
Now I'm trying to install the targeted policy but I can't succeed.
When I try to relabel the filesystem I get an error:
localhost ~ # rlpkg -a -r
Relabeling filesystem types: ext2 ext3 jfs xfs
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 21
has invalid context user_u:object_r:user_tmp_t
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 32
has invalid context root:object_r:user_tmp_t
Scanning for shared libraries with text relocations...
0 libraries with text relocations, 0 not relabeled.
Scanning for PIE binaries with text relocations...
0 binaries with text relocations detected.
The same error appears when trying to emerge any package.
If I comment out this line:
/tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
in /etc/selinux/targeted/contexts/files/homedir_template
and then run the genhomedircon command, subsequent rlpkg (and
emerge) runs succeed until the next reboot.
I think that this is a bad solution!
In the SELinux FAQ http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=3
(section 3.f. Setfiles error messages) it says that "If /selinux
is mounted, then most likely there is new policy that has not yet been
loaded; therefore, the contexts have not yet become valid."
I emerged a lot of modules, many more than needed considering that
this is a Gentoo stage 3 system.
localhost ~ # equery list selinux-
[ Searching for package 'selinux-' in all categories among: ]
* installed packages
[I--] [ ] sec-policy/selinux-apache-20070928 (0)
[I--] [ ] sec-policy/selinux-arpwatch-20070928 (0)
[I--] [ ] sec-policy/selinux-base-policy-20070928 (0)
[I--] [ ] sec-policy/selinux-bind-20070928 (0)
[I--] [ ] sec-policy/selinux-dbus-20070928 (0)
[I--] [ ] sec-policy/selinux-desktop-20070928 (0)
[I--] [ ] sec-policy/selinux-dhcp-20070928 (0)
[I--] [ ] sec-policy/selinux-dnsmasq-20070928 (0)
[I--] [ ] sec-policy/selinux-games-20070928 (0)
[I--] [ ] sec-policy/selinux-gnupg-20070928 (0)
[I--] [ ] sec-policy/selinux-gpm-20070928 (0)
[I--] [ ] sec-policy/selinux-logrotate-20070928 (0)
[I--] [ ] sec-policy/selinux-nfs-20070928 (0)
[I--] [ ] sec-policy/selinux-openldap-20070928 (0)
[I--] [ ] sec-policy/selinux-portmap-20070928 (0)
[I--] [ ] sec-policy/selinux-samba-20070928 (0)
[I--] [ ] sec-policy/selinux-sudo-20070928 (0)
[I--] [ ] sec-policy/selinux-tcpd-20070928 (0)
[I--] [ ] sec-policy/selinux-tftpd-20070928 (0)
localhost ~ # semodule -l
apache 1.8.0
arpwatch 1.4.0
bind 1.5.0
dbus 1.7.0
dhcp 1.4.0
dnsmasq 1.4.0
games 1.4.0
gpg 1.4.0
gpm 1.3.0
java 1.6.0
ldap 1.5.0
logrotate 1.6.0
mono 1.3.0
mozilla 1.4.0
mplayer 1.3.0
portmap 1.5.0
rpc 1.6.0
samba 1.6.0
sudo 1.2.0
tftp 1.5.0
wine 1.4.0
xfs 1.2.0
xserver 1.6.0
localhost ~ # cat /etc/selinux/targeted/contexts/files/homedir_template
HOME_DIR/.+ system_u:object_r:ROLE_home_t
HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t
HOME_ROOT/lost\+found/.* <<none>>
HOME_DIR -d system_u:object_r:ROLE_home_dir_t
HOME_ROOT -d system_u:object_r:home_root_t
/tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
HOME_ROOT/\.journal <<none>>
HOME_ROOT/lost\+found -d system_u:object_r:lost_found_t
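To show where the two invalid contexts come from, here is an added example (not code from the thread or from policycoreutils) that expands a homedir_template the way genhomedircon does, then checks each resulting context the way setfiles does. The template, users and loaded types are constructed; on a real system you would pass context_valid_on_host, which asks the kernel through selinuxfs, instead of the offline type_is_loaded check.

```python
import os

# Constructed homedir_template excerpt in the format shown in the thread
# (not the policy's own file), and the users genhomedircon would expand it
# for, as (linux user, seuser, role prefix, home dir regex). Root gets the
# "user" prefix on purpose: that is what the thread's second error shows.
TEMPLATE = """\
HOME_DIR/.+ system_u:object_r:ROLE_home_t
HOME_DIR -d system_u:object_r:ROLE_home_dir_t
/tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
"""
USERS = [("luc", "user_u", "user", "/home/[^/]*"),
         ("root", "root", "user", "/root")]

# Types the (constructed) loaded policy defines. user_tmp_t is absent, as it
# is when no loaded module declares it, so every ROLE_tmp_t line is invalid.
LOADED_TYPES = {"user_home_t", "user_home_dir_t"}


def expand_template(template, users):
    """genhomedircon-style expansion: one copy of each line per user, with
    HOME_DIR/USER/ROLE filled in and system_u replaced by the seuser."""
    out = []
    for linux_user, seuser, prefix, home in users:
        for line in template.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            out.append(line.replace("HOME_DIR", home).replace("USER", linux_user)
                       .replace("ROLE", prefix).replace("system_u:", seuser + ":"))
    return out


def context_valid_on_host(context, selinuxfs="/selinux"):
    """Ask the running kernel, as setfiles does via libselinux: writing a
    context to <selinuxfs>/context fails unless the loaded policy knows it."""
    try:
        path = os.path.join(selinuxfs, "context")
        with os.fdopen(os.open(path, os.O_WRONLY), "wb", buffering=0) as f:
            f.write(context.encode())
        return True
    except OSError:
        return False


def type_is_loaded(loaded_types):
    """Offline stand-in for the kernel check: the type field must be known."""
    return lambda context: context.split(":")[2] in loaded_types


def invalid_contexts(lines, is_valid):
    """setfiles' report as (line number, context); <<none>> has no context."""
    bad = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if fields and fields[-1] != "<<none>>" and not is_valid(fields[-1]):
            bad.append((n, fields[-1]))
    return bad
```

With the constructed inputs the report is exactly the two lines rlpkg printed above, one user_u and one root context, both rejected only because user_tmp_t is not in the loaded policy.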
* Re: [gentoo-hardened] SELinux (targeted policy) and invalid context
From: Chris Richards @ 2010-11-15 1:14 UTC
To: gentoo-hardened
Ok, first and foremost, I haven't tested targeted policy (I'm still
sorting strict policy).
Second, the handbook states that you should use v2refpolicy. You are
running the 20070928 policy, which is v1 policy and is very very old.
I'm guessing you are working with an old system that hasn't been
converted to v2refpolicy.
Third, even with v2refpolicy, the current version in the tree is now
almost a year old and has issues (which is part of what I'm working to
sort out). TBH, I'm not entirely certain it will boot in enforcing
mode, although targeted policy will stand a better chance of working
than strict policy.
I'm working as fast as I can. Unfortunately, my spare time is pretty,
well, 'spare' and has been for some time. If you want to make your own
ebuild, you can find where to pull the latest release policy from
http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease, or get
the current development policy from the git repository at
http://oss.tresys.com/git/refpolicy.git.
Later,
Gizmo
* Re: [gentoo-hardened] SELinux (targeted policy) and invalid context
From: Sven Vermeulen @ 2010-11-17 20:07 UTC
To: gentoo-hardened
On Sun, Nov 14, 2010 at 07:14:49PM -0600, Chris Richards wrote:
> I'm working as fast as I can. Unfortunately, my spare time is pretty,
> well, 'spare' and has been for some time. If you want to make your own
> ebuild, you can find where to pull the latest release policy from
> http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease, or get
> the current development policy from the git repository at
> http://oss.tresys.com/git/refpolicy.git.
If you're really adventurous, you can try using the ebuilds available on
https://github.com/sjvermeu/gentoo.overlay/. With those, together with the
changes as mentioned in
http://blog.siphos.be/2010/10/selinux-enforcing-for-console-activity/ I am
able to boot in enforcing mode, strict policy.
To use the ebuilds (apart from setting
http://github.com/sjvermeu/gentoo.overlay/raw/master/overlay.xml in your
/etc/layman/layman.cfg file to be able to select sjvermeu), install
sec-policy/selinux-policy (you'll need to unmask sec-policy/*) and you're
almost ready to use ;-)
I currently also have a few fixes that are not in the overlay yet (one for
dhcpcd, one for gcc-config and one for portage) but am planning on
integrating those as well.
True, the current state in hardened is not easy to work with, and because
not even the unstable packages are working, it's also hardly possible to
create any documentation on it. However, I am planning on starting with
documentation (even if based upon overlay ebuilds) soon - right after I get
X working properly :p
Wkr,
Sven Vermeulen
* Re: [gentoo-hardened] SELinux (targeted policy) and invalid context
From: luc nac @ 2010-11-17 20:41 UTC
To: gentoo-hardened
Now I am trying to use SELinux (targeted policy) in a brand new Gentoo
stage3 (kernel 2.6.32-hardened-r9). I tried all versions of
selinux-base-policy available, but relabeling the file system always
fails with the same error: "filespec_add: Conflicting specifications
for ...".
Am I still doing something wrong? Is the only thing I can do to run
SELinux in Gentoo to try to make my own ebuild?
# rlpkg -a -r
Relabeling filesystem types: ext2 ext3 jfs xfs
filespec_add: conflicting specifications for /usr/bin/getconf and
/usr/lib/misc/glibc/getconf/POSIX_V6_ILP32_OFFBIG, using
system_u:object_r:lib_t.
filespec_eval: hash table stats: 251923 elements, 63077/65536 buckets
used, longest chain length 8
Scanning for shared libraries with text relocations...
0 libraries with text relocations, 0 not relabeled.
Scanning for PIE binaries with text relocations...
0 binaries with text relocations detected.
# sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Process contexts:
Current context: unconfined_u:unconfined_r:unconfined_t
Init context: system_u:system_r:init_t
/sbin/agetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:sshd_t
File contexts:
Controlling term: unconfined_u:object_r:user_devpts_t
/sbin/init system_u:object_r:init_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/bin/login system_u:object_r:login_exec_t
/sbin/rc system_u:object_r:initrc_exec_t
/sbin/runscript.sh system_u:object_r:initrc_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/sh system_u:object_r:bin_t ->
system_u:object_r:shell_exec_t
/bin/bash system_u:object_r:shell_exec_t
/usr/bin/newrole system_u:object_r:newrole_exec_t
/lib/libc.so.6 system_u:object_r:lib_t ->
system_u:object_r:lib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t ->
system_u:object_r:ld_so_t
# eselect profile list
Available profile symlink targets:
[1] default/linux/x86/10.0
[2] default/linux/x86/10.0/desktop
[3] default/linux/x86/10.0/desktop/gnome
[4] default/linux/x86/10.0/desktop/kde
[5] default/linux/x86/10.0/developer
[6] default/linux/x86/10.0/server
[7] hardened/linux/x86/10.0
[8] selinux/2007.0/x86
[9] selinux/2007.0/x86/hardened
[10] selinux/v2refpolicy/x86
[11] selinux/v2refpolicy/x86/desktop
[12] selinux/v2refpolicy/x86/developer
[13] selinux/v2refpolicy/x86/hardened *
[14] selinux/v2refpolicy/x86/server
# equery list -p selinux-base-policy
[ Searching for package 'selinux-base-policy' in all categories among: ]
* installed packages
[I--] [ ~] sec-policy/selinux-base-policy-2.20091215 (0)
* Portage tree (/usr/portage)
[-P-] [ ~] sec-policy/selinux-base-policy-2.20090730 (0)
[-P-] [ ~] sec-policy/selinux-base-policy-2.20090814 (0)
[-P-] [M ] sec-policy/selinux-base-policy-20080525 (0)
[-P-] [ ~] sec-policy/selinux-base-policy-20080525-r1 (0)
# semodule -l
apache 2.1.0
bind 1.10.0
gpg 2.2.1
java 2.2.0
local 1.0
mono 1.6.0
mozilla 2.1.1
mplayer 2.1.0
wine 1.6.0
xfs 1.6.0
xserver 3.3.1
* Re: [gentoo-hardened] SELinux (targeted policy) and invalid context
From: Sven Vermeulen @ 2010-11-17 21:30 UTC
To: gentoo-hardened
On Wed, Nov 17, 2010 at 09:41:49PM +0100, luc nac wrote:
> Now I am trying to use SELinux (targeted policy) in a brand new Gentoo
> stage3 (Kernel 2.6.32-hardened-r9), I tried all versions of
> selinux-base-policy available, but relabeling the file system always
> fails with the same error: "filespec_add: Conflicting specifications
> for ...".
> Am I still doing something wrong? The only thing that I can do to run
> SELinux in Gentoo is try to make my own ebuild?
This is a cosmetic error and shouldn't really be an issue (though I don't
have it myself with a more recent policy snapshot). It means that there are
multiple rules that match the given file, and that the rules might apply a
different label to the inode.
You can see the matching rule(s) using matchpathcon I think:
~# matchpathcon /usr/lib/misc/glibc/getconf
/usr/lib/misc/glibc/getconf system_u:object_r:lib_t
> # rlpkg -a -r
> Relabeling filesystem types: ext2 ext3 jfs xfs
> filespec_add: conflicting specifications for /usr/bin/getconf and
> /usr/lib/misc/glibc/getconf/POSIX_V6_ILP32_OFFBIG, using
> system_u:object_r:lib_t.
Looks like it got the right one (unless I'm also running the wrong one ;-)
Wkr,
Sven Vermeulen
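The filespec_add message comes from setfiles' per-inode bookkeeping, so the two paths it names are two names for one file whose specifications disagree. As an added example (not from the thread, setfiles or libselinux), the following models that check in Python on constructed file_contexts lines, a constructed traversal order and constructed inode numbers: matchpath resolves a path as matchpathcon does, with the last matching entry winning, and hardlink_conflicts reports the disagreement and keeps the first label seen, which is the behaviour this model assumes for setfiles.

```python
import re

# Constructed file_contexts excerpt (not from the thread or from refpolicy):
# two patterns that each cover one of the names of getconf, which setfiles
# saw as a single inode reachable under both /usr/bin and /usr/lib/misc.
SAMPLE_SPECS = """\
/usr/bin(/.*)?  system_u:object_r:bin_t
/usr/lib(/.*)?  system_u:object_r:lib_t
"""
# Constructed: a later, more specific entry gives both names one label.
RESOLVED_SPECS = SAMPLE_SPECS + "/usr/lib/misc/glibc/getconf(/.*)?  system_u:object_r:bin_t\n"

# Constructed walk order and inode numbers; the two getconf names share 4711.
SAMPLE_WALK = [
    ("/usr/lib/misc/glibc/getconf/POSIX_V6_ILP32_OFFBIG", 4711),
    ("/usr/bin/getconf", 4711),
    ("/usr/bin/ls", 4712),
]

SPEC_RE = re.compile(r"^(\S+)(?:\s+(-[bcdlps-]))?\s+(\S+)$")


def parse_specs(text):
    """file_contexts lines -> [(compiled regex, file-type flag, context)]."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        m = SPEC_RE.match(line) if line and not line.startswith("#") else None
        if m:
            specs.append((re.compile(m.group(1)), m.group(2), m.group(3)))
    return specs


def matchpath(specs, path):
    """Label a path as matchpathcon does: patterns are anchored at both ends
    and the last matching specification in the file wins."""
    context = None
    for rx, _ftype, ctx in specs:
        if rx.fullmatch(path):
            context = ctx
    return context


def hardlink_conflicts(specs, walk):
    """Model of setfiles' filespec_add check: the first name seen for an inode
    fixes its label; a later name that would get a different label is
    reported as (new_path, earlier_path, label_kept)."""
    seen, conflicts = {}, []
    for path, inode in walk:
        ctx = matchpath(specs, path)
        if ctx is None or ctx == "<<none>>":
            continue
        if inode not in seen:
            seen[inode] = (path, ctx)
        elif seen[inode][1] != ctx:
            conflicts.append((path, seen[inode][0], seen[inode][1]))
    return conflicts
```

With SAMPLE_SPECS the model reproduces the thread's message (getconf under /usr/bin would get bin_t, the earlier-seen lib name already holds lib_t, lib_t is kept); with RESOLVED_SPECS both names resolve to bin_t and nothing is reported.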