[PATCH] selinux-policy: update to version v2.0
Stefan Hellermann
stefan at the2masters.de
Sun Jan 12 10:21:04 PST 2025
Hi,
I tried it on an armsr virtual machine today and got a few errors. I set
the selinux mode to permissive to just watch the audit log. This was the
first bootup after sysupgrade; the error on moving sysupgrade.tgz is
gone on further startups:
Sun Jan 12 17:58:25 2025 user.info kernel: init: - preinit -
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400
audit(1736704697.530:3): avc: denied { search } for pid=910
comm="board_detect" name="class" dev="sysfs" ino=10
scontext=sys.id:sys.role:boarddetect.subj
tcontext=sys.id:sys.role:class.sysfile tclass=dir permissive=1
Sun Jan 12 17:58:25 2025 kern.info kernel: 8021q: adding VLAN 0 to HW
filter on device eth0
Sun Jan 12 17:58:25 2025 kern.info kernel: loop0: detected capacity
change from 0 to 110592
Sun Jan 12 17:58:25 2025 kern.info kernel: loop0: detected capacity
change from 110592 to 94336
Sun Jan 12 17:58:25 2025 user.info kernel: mount_root: overlay
filesystem in /dev/loop0 has not been formatted yet
Sun Jan 12 17:58:25 2025 kern.info kernel: EXT4-fs (loop0): mounted
filesystem c2e4255e-3024-4256-995d-5c341856b279 r/w with ordered data
mode. Quota mode: disabled.
Sun Jan 12 17:58:25 2025 user.info kernel: mount_root: overlay
filesystem has not been fully initialized yet
Sun Jan 12 17:58:25 2025 user.info kernel: mount_root: switching to ext4
overlay
Sun Jan 12 17:58:25 2025 kern.warn kernel: overlayfs: null uuid detected
in lower fs '/', falling back to xino=off,index=off,nfs_export=off.
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400
audit(1736704702.290:4): avc: denied { associate } for pid=1010
comm="mv" name="sysupgrade.tgz" scontext=sys.id:sys.role:dos.fs
tcontext=sys.id:sys.role:xattr.fs tclass=filesystem permissive=1
Sun Jan 12 17:58:25 2025 user.warn kernel: urandom-seed: Seed file not
found (/etc/urandom.seed)
Sun Jan 12 17:58:25 2025 user.info kernel: procd: - early -
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400
audit(1736704702.590:5): avc: denied { write } for pid=1166
comm="mkdir" name="/" dev="tmpfs" ino=1
scontext=sys.id:sys.role:hotplug.call.subj
tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400
audit(1736704702.590:6): avc: denied { add_name } for pid=1166
comm="mkdir" name="virtio-ports"
scontext=sys.id:sys.role:hotplug.call.subj
tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400
audit(1736704702.590:7): avc: denied { create } for pid=1166
comm="mkdir" name="virtio-ports"
scontext=sys.id:sys.role:hotplug.call.subj
tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400
audit(1736704702.590:8): avc: denied { create } for pid=1167
comm="ln" name="org.qemu.guest_agent.0"
scontext=sys.id:sys.role:hotplug.call.subj
tcontext=sys.id:sys.role:tmp.fs tclass=lnk_file permissive=1
Sun Jan 12 17:58:25 2025 user.info kernel: procd: - ubus -
Sun Jan 12 17:58:25 2025 user.info kernel: procd: - init -
[....]
I think the last errors are from qemu-guest-agent, this is expected.
But on login:
Sun Jan 12 18:01:29 2025 kern.notice kernel: audit: type=1400
audit(1736704889.290:69): avc: denied { read write } for pid=3384
comm="uci" path="/dev/ttyAMA0" dev="tmpfs" ino=81
scontext=sys.id:sys.role:uci.subj tcontext=sys.id:sys.role:tmp.fs
tclass=chr_file permissive=1
Maybe you can have a look and fix a few rules.
Regards,
Stefan Hellermann
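The denials quoted above are the raw material for the rules the reporter is asking for. As an added example (not code from the original mail or from the selinux-policy project), the following Python script parses syslog-wrapped AVC records into (source type, target type, class, permissions) groups and prints audit2allow-style CIL allow-rule candidates. The sample input is a constructed copy of the reporter's own lines re-joined onto single lines; the `.fs` naming heuristic in `labeling_suspects` and the idea of skipping the hotplug source domain as "known expected" are assumptions made for the example, not something the policy documents.

```python
"""Turn AVC denials from OpenWrt syslog into candidate CIL allow rules.

Added example; not part of the selinux-policy project. The log lines
below are a constructed copy of the denials quoted in the report above,
each re-joined onto a single line as the kernel emits them.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400 audit(1736704697.530:3): avc: denied { search } for pid=910 comm="board_detect" name="class" dev="sysfs" ino=10 scontext=sys.id:sys.role:boarddetect.subj tcontext=sys.id:sys.role:class.sysfile tclass=dir permissive=1
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400 audit(1736704702.290:4): avc: denied { associate } for pid=1010 comm="mv" name="sysupgrade.tgz" scontext=sys.id:sys.role:dos.fs tcontext=sys.id:sys.role:xattr.fs tclass=filesystem permissive=1
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400 audit(1736704702.590:5): avc: denied { write } for pid=1166 comm="mkdir" name="/" dev="tmpfs" ino=1 scontext=sys.id:sys.role:hotplug.call.subj tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400 audit(1736704702.590:6): avc: denied { add_name } for pid=1166 comm="mkdir" name="virtio-ports" scontext=sys.id:sys.role:hotplug.call.subj tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400 audit(1736704702.590:7): avc: denied { create } for pid=1166 comm="mkdir" name="virtio-ports" scontext=sys.id:sys.role:hotplug.call.subj tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400 audit(1736704702.590:8): avc: denied { create } for pid=1167 comm="ln" name="org.qemu.guest_agent.0" scontext=sys.id:sys.role:hotplug.call.subj tcontext=sys.id:sys.role:tmp.fs tclass=lnk_file permissive=1
Sun Jan 12 18:01:29 2025 kern.notice kernel: audit: type=1400 audit(1736704889.290:69): avc: denied { read write } for pid=3384 comm="uci" path="/dev/ttyAMA0" dev="tmpfs" ino=81 scontext=sys.id:sys.role:uci.subj tcontext=sys.id:sys.role:tmp.fs tclass=chr_file permissive=1
"""

# 'avc: denied { read write } for key=value key="quoted value" ...'
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: (q if q else u) for k, q, u in KV_RE.findall(m.group("kv"))}
    # Contexts are user:role:type[:range]; the type is the third field.
    return {
        "perms": m.group("perms").split(),
        "stype": kv["scontext"].split(":")[2],
        "ttype": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
        "comm": kv.get("comm", ""),
        "name": kv.get("name") or kv.get("path", ""),
        # permissive=1 means the full chain of denials was logged; in
        # enforcing mode only the first denial of an operation appears.
        "permissive": kv.get("permissive") == "1",
    }


def group_denials(lines, skip_stypes=()):
    """Merge denials into {(stype, ttype, tclass): set(perms)}.

    skip_stypes drops source domains the caller already accounts for
    (e.g. the hotplug ones the report attributes to qemu-guest-agent).
    """
    groups = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None or d["stype"] in skip_stypes:
            continue
        groups[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return dict(groups)


def to_cil(groups):
    """Render each group as a CIL allow rule, sorted for stable diffs."""
    return sorted(
        f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
        for (s, t, c), p in groups.items()
    )


def labeling_suspects(groups):
    """Heuristic (an assumption of this example): a device node that is
    merely read/written yet still carries the filesystem's own type
    (here tmp.fs on a tmpfs /dev) was probably never labeled, so the fix
    belongs in file_contexts or hotplug relabeling, not in an allow rule.
    """
    return sorted(
        key for key, perms in groups.items()
        if key[2] in {"chr_file", "blk_file"} and "create" not in perms
    )


if __name__ == "__main__":
    g = group_denials(SAMPLE_LOG.splitlines(), skip_stypes={"hotplug.call.subj"})
    for rule in to_cil(g):
        print(rule)
    for key in labeling_suspects(g):
        print("check labeling before allowing:", key)
```

Run it against `logread` output on the device (or the pasted lines above) and treat the printed rules as review candidates, the way audit2allow output is treated: the `uci.subj` access to a `tmp.fs` chr_file is the kind of result that should be fixed by labeling the tty rather than by widening `uci.subj`. Because the reporter ran in permissive mode, every denial of each operation is present, so the grouped permission sets are complete; a log from an enforcing system would show only the first denial per operation.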
On 12.01.25 at 15:23, Dominick Grift wrote:
> Rebased onto dssp5-base. Baseline is:
> ss, tc, stubby, irqbalance, usbutils, ethtool, tcpdump, mtr,
> bmon, zram-swap, parted, e2fsprogs, gdisk, block-mount,
> kmod-fs-ext4, kmod-fs-f2fs, kmod-usb-storage, f2fs-tools-selinux,
> kmod-usb-storage-uas, kmod-usb3, wireguard-tools,
> openssh-sftp-server, luci-light, resolveip, blockd
>
> Run-tested: ilogic-openwrt_one, ipq40xx-generic-linksys_mr8300
>
> Signed-off-by: Dominick Grift <dominick.grift at defensec.nl>
> ---
> package/system/selinux-policy/Makefile | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/package/system/selinux-policy/Makefile b/package/system/selinux-policy/Makefile
> index 2834e94cc5..7d5176e043 100644
> --- a/package/system/selinux-policy/Makefile
> +++ b/package/system/selinux-policy/Makefile
> @@ -8,8 +8,8 @@ include $(TOPDIR)/rules.mk
> PKG_NAME:=selinux-policy
> PKG_SOURCE_PROTO:=git
> PKG_SOURCE_URL:=https://git.defensec.nl/selinux-policy.git
> -PKG_VERSION:=1.2.5
> -PKG_MIRROR_HASH:=0b485aefed7ecc1ba3c5f5843cb3b10e9d7c55c09b361cd56933081c0dbdc223
> +PKG_VERSION:=2.0
> +PKG_MIRROR_HASH:=f0da2933bac4df6e147d419fe98528faf6f6d141502924a3551155ef0c896eb5
> PKG_SOURCE_VERSION:=v$(PKG_VERSION)
> PKG_BUILD_DEPENDS:=secilc/host policycoreutils/host
>
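Review bot: the bump from 1.2.5 to 2.0 is a major version change, yet the hunk only swaps PKG_VERSION and PKG_MIRROR_HASH and the commit message ("Rebased onto dssp5-base") gives no pointer to what changed in the policy or whether a system upgraded from 1.2.5 needs a relabel after sysupgrade. Suggest adding that to the commit message, and, if this Makefile carries a PKG_RELEASE, resetting it to 1 with the version bump as is usual for OpenWrt packages.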
> @@ -44,10 +44,14 @@ endef
> define Package/selinux-policy/install
> $(INSTALL_DIR) $(1)/etc/selinux/$(PKG_NAME)/contexts/files/
> $(INSTALL_DIR) $(1)/etc/selinux/$(PKG_NAME)/policy/
> + $(INSTALL_CONF) $(PKG_BUILD_DIR)/policy.* $(1)/etc/selinux/$(PKG_NAME)/policy/
> $(INSTALL_DATA) $(PKG_BUILD_DIR)/customizable_types $(1)/etc/selinux/$(PKG_NAME)/contexts/
> - $(INSTALL_DATA) $(PKG_BUILD_DIR)/file_contexts.subs_dist $(1)/etc/selinux/$(PKG_NAME)/contexts/files/
> + $(INSTALL_DATA) $(PKG_BUILD_DIR)/default_contexts $(1)/etc/selinux/$(PKG_NAME)/contexts/
> + $(INSTALL_DATA) $(PKG_BUILD_DIR)/default_type $(1)/etc/selinux/$(PKG_NAME)/contexts/
> + $(INSTALL_DATA) $(PKG_BUILD_DIR)/failsafe_context $(1)/etc/selinux/$(PKG_NAME)/contexts/
> $(INSTALL_DATA) $(PKG_BUILD_DIR)/file_contexts $(1)/etc/selinux/$(PKG_NAME)/contexts/files/
> - $(INSTALL_CONF) $(PKG_BUILD_DIR)/policy.* $(1)/etc/selinux/$(PKG_NAME)/policy/
> + $(INSTALL_DATA) $(PKG_BUILD_DIR)/file_contexts.subs_dist $(1)/etc/selinux/$(PKG_NAME)/contexts/files/
> + $(INSTALL_DATA) $(PKG_BUILD_DIR)/seusers $(1)/etc/selinux/$(PKG_NAME)/
> $(INSTALL_DATA) ./files/selinux-config $(1)/etc/selinux/config
> endef
>
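Review bot: the four newly installed files (default_contexts, default_type, failsafe_context, seusers) are login-context inputs consumed by libselinux rather than policy, and neither the commit message nor the hunk says why the 2.0 policy needs them on OpenWrt or which login path (console via procd, dropbear, openssh) reads them; a sentence on that belongs in the commit message. The moves of the `$(INSTALL_CONF) $(PKG_BUILD_DIR)/policy.*` and `file_contexts.subs_dist` lines are pure reordering and could be split out so the functional change stands alone. Also confirm that the v2.0 file_contexts labels the new files under /etc/selinux/$(PKG_NAME)/ and /etc/selinux/$(PKG_NAME)/contexts/, so an image built from this package does not ship them carrying the directory's default label.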