[PATCH] selinux-policy: update to version v2.0
Dominick Grift
dominick.grift at defensec.nl
Sun Jan 12 10:41:31 PST 2025
Hi, thank you for the feedback. Comments inline below:
Stefan Hellermann <stefan at the2masters.de> writes:
> Hi,
>
> I tried it on an armsr virtual machine today and got a few errors. I
> set the selinux mode to permissive to just watch the audit log, this
> was the first bootup after sysupgrade, the error on moving
> sysupgrade.tgz is gone on further startups:
>
> Sun Jan 12 17:58:25 2025 user.info kernel: init: - preinit -
> Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400
> audit(1736704697.530:3): avc: denied { search } for pid=910
> comm="board_detect" name="class" dev="sysfs" ino=10
> scontext=sys.id:sys.role:boarddetect.subj
> tcontext=sys.id:sys.role:class.sysfile tclass=dir permissive=1
I will allow this event but it looks incomplete.
> Sun Jan 12 17:58:25 2025 kern.info kernel: 8021q: adding VLAN 0 to HW
> filter on device eth0
> Sun Jan 12 17:58:25 2025 kern.info kernel: loop0: detected capacity
> change from 0 to 110592
> Sun Jan 12 17:58:25 2025 kern.info kernel: loop0: detected capacity
> change from 110592 to 94336
> Sun Jan 12 17:58:25 2025 user.info kernel: mount_root: overlay
> filesystem in /dev/loop0 has not been formatted yet
> Sun Jan 12 17:58:25 2025 kern.info kernel: EXT4-fs (loop0): mounted
> filesystem c2e4255e-3024-4256-995d-5c341856b279 r/w with ordered data
> mode. Quota mode: disabled.
> Sun Jan 12 17:58:25 2025 user.info kernel: mount_root: overlay
> filesystem has not been fully initialized yet
> Sun Jan 12 17:58:25 2025 user.info kernel: mount_root: switching to
> ext4 overlay
> Sun Jan 12 17:58:25 2025 kern.warn kernel: overlayfs: null uuid
> detected in lower fs '/', falling back to
> xino=off,index=off,nfs_export=off.
> Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400
> audit(1736704702.290:4): avc: denied { associate } for pid=1010
> comm="mv" name="sysupgrade.tgz" scontext=sys.id:sys.role:dos.fs
> tcontext=sys.id:sys.role:xattr.fs tclass=filesystem permissive=1
This is caused by mv'ing the file from a FAT filesystem (FAT does not
support extended attributes) to an extended-attribute filesystem. When
you mv a file you also mv its associated context with it.
This should not be allowed. Instead you should use cp. mv does not make
much sense across filesystems anyway.
> Sun Jan 12 17:58:25 2025 user.warn kernel: urandom-seed: Seed file not
> found (/etc/urandom.seed)
> Sun Jan 12 17:58:25 2025 user.info kernel: procd: - early -
> Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400
> audit(1736704702.590:5): avc: denied { write } for pid=1166
> comm="mkdir" name="/" dev="tmpfs" ino=1
> scontext=sys.id:sys.role:hotplug.call.subj
> tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
> Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400
> audit(1736704702.590:6): avc: denied { add_name } for pid=1166
> comm="mkdir" name="virtio-ports"
> scontext=sys.id:sys.role:hotplug.call.subj
> tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
> Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400
> audit(1736704702.590:7): avc: denied { create } for pid=1166
> comm="mkdir" name="virtio-ports"
> scontext=sys.id:sys.role:hotplug.call.subj
> tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
> Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400
> audit(1736704702.590:8): avc: denied { create } for pid=1167
> comm="ln" name="org.qemu.guest_agent.0"
> scontext=sys.id:sys.role:hotplug.call.subj
> tcontext=sys.id:sys.role:tmp.fs tclass=lnk_file permissive=1
> Sun Jan 12 17:58:25 2025 user.info kernel: procd: - ubus -
> Sun Jan 12 17:58:25 2025 user.info kernel: procd: - init -
This seems like an 'exotic hotplug script'. I have an accommodation for
this. See if this comment helps: https://git.defensec.nl/?p=selinux-policy.git;a=blob;f=src/agent/sysagent/hotplugsysagent.cil;h=3987b8540ae537d174a74cceb2c89ce26ef3c813;hb=HEAD#l115
>
> [....]
>
> I think the last errors are from qemu-guest-agent, this is expected.
>
> But on login:
>
> Sun Jan 12 18:01:29 2025 kern.notice kernel: audit: type=1400
> audit(1736704889.290:69): avc: denied { read write } for pid=3384
> comm="uci" path="/dev/ttyAMA0" dev="tmpfs" ino=81
> scontext=sys.id:sys.role:uci.subj tcontext=sys.id:sys.role:tmp.fs
> tclass=chr_file permissive=1
I will add support for /dev/ttyAMA0
>
> Maybe you can have a look and fix a few rules.
Absolutely. See:
https://git.defensec.nl/?p=selinux-policy.git;a=commitdiff;h=2821746844669ab2f5cce94fd42eb3d158f16e5c
See if you can make that hotplug script work with the info provided
above. If you have any questions, let me know. As for moving files from one
filesystem to another: probably best to just cp instead of mv. I am not
going to allow files associated with a FAT fs to associate with an
extended-attribute filesystem because that does not make sense.
Hth,
>
> Regards,
> Stefan Hellermann
>
> On 12.01.25 at 15:23, Dominick Grift wrote:
>> Rebased onto dssp5-base. Baseline is:
>> ss, tc, stubby, irqbalance, usbutils, ethtool, tcpdump, mtr,
>> bmon, zram-swap, parted, e2fsprogs, gdisk, block-mount,
>> kmod-fs-ext4, kmod-fs-f2fs, kmod-usb-storage, f2fs-tools-selinux,
>> kmod-usb-storage-uas, kmod-usb3, wireguard-tools,
>> openssh-sftp-server, luci-light, resolveip, blockd
>>
>> Run-tested: ilogic-openwrt_one, ipq40xx-generic-linksys_mr8300
>>
>> Signed-off-by: Dominick Grift <dominick.grift at defensec.nl>
>> ---
>> package/system/selinux-policy/Makefile | 12 ++++++++----
>> 1 file changed, 8 insertions(+), 4 deletions(-)
>>
>> diff --git a/package/system/selinux-policy/Makefile b/package/system/selinux-policy/Makefile
>> index 2834e94cc5..7d5176e043 100644
>> --- a/package/system/selinux-policy/Makefile
>> +++ b/package/system/selinux-policy/Makefile
>> @@ -8,8 +8,8 @@ include $(TOPDIR)/rules.mk
>> PKG_NAME:=selinux-policy
>> PKG_SOURCE_PROTO:=git
>> PKG_SOURCE_URL:=https://git.defensec.nl/selinux-policy.git
>> -PKG_VERSION:=1.2.5
>> -PKG_MIRROR_HASH:=0b485aefed7ecc1ba3c5f5843cb3b10e9d7c55c09b361cd56933081c0dbdc223
>> +PKG_VERSION:=2.0
>> +PKG_MIRROR_HASH:=f0da2933bac4df6e147d419fe98528faf6f6d141502924a3551155ef0c896eb5
>> PKG_SOURCE_VERSION:=v$(PKG_VERSION)
>> PKG_BUILD_DEPENDS:=secilc/host policycoreutils/host
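Review bot: the new value on the `+PKG_MIRROR_HASH:=` line cannot be verified from the diff alone; the commit message should say that it was regenerated for the v2.0 tag, which the unchanged `PKG_SOURCE_VERSION:=v$(PKG_VERSION)` line requires to exist upstream. Since the message says the policy was rebased onto dssp5-base, it should also state whether existing installs need a filesystem relabel after upgrading from 1.2.5.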
>> @@ -44,10 +44,14 @@ endef
>> define Package/selinux-policy/install
>> $(INSTALL_DIR) $(1)/etc/selinux/$(PKG_NAME)/contexts/files/
>> $(INSTALL_DIR) $(1)/etc/selinux/$(PKG_NAME)/policy/
>> + $(INSTALL_CONF) $(PKG_BUILD_DIR)/policy.* $(1)/etc/selinux/$(PKG_NAME)/policy/
>> $(INSTALL_DATA) $(PKG_BUILD_DIR)/customizable_types $(1)/etc/selinux/$(PKG_NAME)/contexts/
>> - $(INSTALL_DATA) $(PKG_BUILD_DIR)/file_contexts.subs_dist $(1)/etc/selinux/$(PKG_NAME)/contexts/files/
>> + $(INSTALL_DATA) $(PKG_BUILD_DIR)/default_contexts $(1)/etc/selinux/$(PKG_NAME)/contexts/
>> + $(INSTALL_DATA) $(PKG_BUILD_DIR)/default_type $(1)/etc/selinux/$(PKG_NAME)/contexts/
>> + $(INSTALL_DATA) $(PKG_BUILD_DIR)/failsafe_context $(1)/etc/selinux/$(PKG_NAME)/contexts/
>> $(INSTALL_DATA) $(PKG_BUILD_DIR)/file_contexts $(1)/etc/selinux/$(PKG_NAME)/contexts/files/
>> - $(INSTALL_CONF) $(PKG_BUILD_DIR)/policy.* $(1)/etc/selinux/$(PKG_NAME)/policy/
>> + $(INSTALL_DATA) $(PKG_BUILD_DIR)/file_contexts.subs_dist $(1)/etc/selinux/$(PKG_NAME)/contexts/files/
>> + $(INSTALL_DATA) $(PKG_BUILD_DIR)/seusers $(1)/etc/selinux/$(PKG_NAME)/
>> $(INSTALL_DATA) ./files/selinux-config $(1)/etc/selinux/config
>> endef
>>
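Review bot: the `$(INSTALL_CONF) $(PKG_BUILD_DIR)/policy.*` line is only moved (removed below `file_contexts`, re-added above `customizable_types`), which is diff noise with no functional effect; either drop the move or mention it in the commit message. The substantive change is the four files newly installed with `$(INSTALL_DATA)` (`default_contexts`, `default_type`, `failsafe_context`, `seusers`), which libselinux consults when choosing a login session's context; the commit message should list them, and a reviewer should confirm that the v2.0 tree actually ships all four, because `install` on a missing source file fails the package build.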
>
--
gpg --locate-keys dominick.grift at defensec.nl (wkd)
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
Mastodon: @kcinimod at defensec.nl
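Added illustration, not code from the thread or from the selinux-policy project: a small Python triage of the AVC records quoted above that parses each denial, prints the CIL allow rule that would silence it, and flags the `associate` denial on class `filesystem` as a label mismatch to fix by relabeling or cp rather than by an allow rule, as the reply explains. The regex, function names and the one-line re-joined sample records are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Regex for the kernel's AVC denial record (constructed here; field order follows the quoted lines).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

@dataclass(frozen=True)
class Denial:
    perms: tuple
    comm: str
    stype: str   # type field of scontext (the file's label in an associate check)
    ttype: str   # type field of tcontext (the filesystem's label in an associate check)
    tclass: str

def context_type(ctx: str) -> str:
    # A context is user:role:type[:range]; the type is the third field.
    return ctx.split(":")[2]

def parse_avc(line: str) -> Optional[Denial]:
    m = AVC_RE.search(line)
    if m is None:
        return None  # not an AVC record (an ordinary kernel message)
    return Denial(tuple(m["perms"].split()), m["comm"], context_type(m["scontext"]),
                  context_type(m["tcontext"]), m["tclass"])

def cil_allow(d: Denial) -> str:
    # The CIL rule that would silence the denial, audit2allow style.
    return f"(allow {d.stype} {d.ttype} ({d.tclass} ({' '.join(d.perms)})))"

def triage(d: Denial) -> str:
    # 'associate' on class filesystem means the file carries a label foreign to the
    # target filesystem (here mv kept the FAT volume's label): relabel or cp, do not allow.
    if d.tclass == "filesystem" and "associate" in d.perms:
        return "relabel"
    return "allow"

def report(lines):
    # (verdict, candidate rule) for every AVC record in the input, in order.
    return [(triage(d), cil_allow(d)) for d in map(parse_avc, lines) if d]
# Constructed sample: three denials from the thread, each re-joined onto one line.
SAMPLE = [
    'audit(1736704697.530:3): avc: denied { search } for pid=910 comm="board_detect" name="class" dev="sysfs" ino=10 scontext=sys.id:sys.role:boarddetect.subj tcontext=sys.id:sys.role:class.sysfile tclass=dir permissive=1',
    'audit(1736704702.290:4): avc: denied { associate } for pid=1010 comm="mv" name="sysupgrade.tgz" scontext=sys.id:sys.role:dos.fs tcontext=sys.id:sys.role:xattr.fs tclass=filesystem permissive=1',
    'audit(1736704889.290:69): avc: denied { read write } for pid=3384 comm="uci" path="/dev/ttyAMA0" dev="tmpfs" ino=81 scontext=sys.id:sys.role:uci.subj tcontext=sys.id:sys.role:tmp.fs tclass=chr_file permissive=1',
]
```

Running `report(SAMPLE)` yields two candidate allow rules and one "relabel" verdict for the mv denial, which is the distinction the reply draws between rules worth adding and a mislabeled file.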