[PATCH] selinux-policy: update to version v2.0
Dominick Grift
dominick.grift at defensec.nl
Tue Jan 14 02:53:38 PST 2025
Stefan Hellermann <stefan at the2masters.de> writes:
> Hi! Thank you for your really fast changes!
>
> With your last commit f86def7e there are 3 new errors for /dev/urandom:
>
> [...]
> [ 1.749370] init: - preinit -
> [ 2.437887] audit: type=1400 audit(1736810585.360:3): avc: denied
> { getattr } for pid=886 comm="jshn" path="/dev/urandom" dev="tmpfs"
> ino=31 scontext=sys.id:sys.role:jshn.subj
> tcontext=sys.id:sys.role:random.nodedev tclass=chr_file permissive=1
> [ 2.438371] audit: type=1400 audit(1736810585.360:4): avc: denied
> { read } for pid=886 comm="jshn" name="urandom" dev="tmpfs" ino=31
> scontext=sys.id:sys.role:jshn.subj
> tcontext=sys.id:sys.role:random.nodedev tclass=chr_file permissive=1
> [ 2.439138] audit: type=1400 audit(1736810585.360:5): avc: denied
> { open } for pid=886 comm="jshn" path="/dev/urandom" dev="tmpfs"
> ino=31 scontext=sys.id:sys.role:jshn.subj
> tcontext=sys.id:sys.role:random.nodedev tclass=chr_file permissive=1
> [ 4.994969] random: crng init done
> [...]
>
> And I cannot login on ttyAMA0:
>
> Please press Enter to activate this console.
>
> login: can't get SID for root
>
>
> Login with ssh is ok. There is already a bug report for this, it's
> working fine without selinux:
> https://github.com/openwrt/openwrt/issues/17038
>
>
> After sysupgrade the "sysupgrade.tgz" error remains the same:
>
> [ 12.155085] audit: type=1400 audit(1736811933.100:6): avc: denied
> { associate } for pid=1006 comm="mv" name="sysupgrade.tgz"
> scontext=sys.id:sys.role:dos.fs tcontext=sys.id:sys.role:xattr.fs
> tclass=filesystem permissive=1
>
>
> And while doing sysupgrade from a local file in /tmp I get a bunch
> more (no luci here, just scp file to /tmp and start sysupgrade from
> ssh):
>
> [ 74.345700] audit: type=1400 audit(1736811834.460:6): avc: denied
> { read write } for pid=2854 comm="fwtool"
> name="openwrt-armsr-armv8-generic-squashfs-combined.img.gz"
> dev="tmpfs" ino=93 scontext=sys.id:sys.role:fwtool.subj
> tcontext=sys.id:sys.role:ssh.server.hostkey.file tclass=file
> permissive=1
> [ 74.347589] audit: type=1400 audit(1736811834.460:7): avc: denied
> { open } for pid=2854 comm="fwtool"
> path="/tmp/openwrt-armsr-armv8-generic-squashfs-combined.img.gz"
> dev="tmpfs" ino=93 scontext=sys.id:sys.role:fwtool.subj
> tcontext=sys.id:sys.role:ssh.server.hostkey.file tclass=file
> permissive=1
> [ 74.349106] audit: type=1400 audit(1736811834.460:8): avc: denied
> { ioctl } for pid=2854 comm="fwtool"
> path="/tmp/openwrt-armsr-armv8-generic-squashfs-combined.img.gz"
> dev="tmpfs" ino=93 ioctlcmd=0x5413
> scontext=sys.id:sys.role:fwtool.subj
> tcontext=sys.id:sys.role:ssh.server.hostkey.file tclass=file
> permissive=1
> [ 74.770422] audit: type=1400 audit(1736811834.890:9): avc: denied
> { read } for pid=2864 comm="cat" name="cmdline" dev="proc"
> ino=4026531972 scontext=sys.id:sys.role:validatefirmwareimage.subj
> tcontext=sys.id:sys.role:cmdline.procfile tclass=file permissive=1
> [ 74.771728] audit: type=1400 audit(1736811834.890:10): avc: denied
> { open } for pid=2864 comm="cat" path="/proc/cmdline" dev="proc"
> ino=4026531972 scontext=sys.id:sys.role:validatefirmwareimage.subj
> tcontext=sys.id:sys.role:cmdline.procfile tclass=file permissive=1
> [ 74.800695] audit: type=1400 audit(1736811834.920:11): avc: denied
> { read } for pid=2865 comm="find" name="/" dev="tmpfs" ino=1
> scontext=sys.id:sys.role:validatefirmwareimage.subj
> tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
> [ 74.801449] audit: type=1400 audit(1736811834.920:12): avc: denied
> { open } for pid=2865 comm="find" path="/dev" dev="tmpfs" ino=1
> scontext=sys.id:sys.role:validatefirmwareimage.subj
> tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
> [ 74.807108] audit: type=1400 audit(1736811834.930:13): avc: denied
> { getattr } for pid=2865 comm="find" path="/dev/pts" dev="devpts"
> ino=1 scontext=sys.id:sys.role:validatefirmwareimage.subj
> tcontext=sys.id:sys.role:devpts.fs tclass=dir permissive=1
> [ 74.807988] audit: type=1400 audit(1736811834.930:14): avc: denied
> { read } for pid=2865 comm="find" name="/" dev="devpts" ino=1
> scontext=sys.id:sys.role:validatefirmwareimage.subj
> tcontext=sys.id:sys.role:devpts.fs tclass=dir permissive=1
> [ 74.808726] audit: type=1400 audit(1736811834.930:15): avc: denied
> { open } for pid=2865 comm="find" path="/dev/pts" dev="devpts" ino=1
> scontext=sys.id:sys.role:validatefirmwareimage.subj
> tcontext=sys.id:sys.role:devpts.fs tclass=dir permissive=1
> [ 80.140951] kauditd_printk_skb: 35 callbacks suppressed
> [ 80.140985] audit: type=1400 audit(1736811840.260:51): avc: denied
> { remove_name } for pid=3459 comm="rm" name="image.bs" dev="tmpfs"
> ino=96 scontext=sys.id:sys.role:validatefirmwareimage.subj
> tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
> [ 80.141666] audit: type=1400 audit(1736811840.260:52): avc: denied
> { unlink } for pid=3459 comm="rm" name="image.bs" dev="tmpfs" ino=96
> scontext=sys.id:sys.role:validatefirmwareimage.subj
> tcontext=sys.id:sys.role:tmp.fs tclass=file permissive=1
> [ 87.255570] audit: type=1400 audit(1736811847.370:53): avc: denied
> { getattr } for pid=3955 comm="find" path="/dev/hwrng" dev="tmpfs"
> ino=14 scontext=sys.id:sys.role:validatefirmwareimage.subj
> tcontext=sys.id:sys.role:hwrng.nodedev tclass=chr_file permissive=1
Will need to look into this (open up another can of worms):
https://github.com/openwrt/openwrt/blob/main/target/linux/armsr/base-files/lib/upgrade/platform.sh
>
> This is all done on a fresh openwrt checkout, I added your selinux
> updates and build the image with this config:
>
> CONFIG_TARGET_armsr=y
> CONFIG_TARGET_armsr_armv8=y
> CONFIG_TARGET_armsr_armv8_DEVICE_generic=y
> CONFIG_PACKAGE_qemu-ga=y
> CONFIG_SELINUX=y
>
> I can send you the compressed image file, if you want to try it
> yourself with qemu/virt-manager.
>
> Regards,
> Stefan Hellermann
>
>
> Am 13.01.25 um 18:52 schrieb Dominick Grift:
>> Dominick Grift <dominick.grift at defensec.nl> writes:
>>
>>> Dominick Grift <dominick.grift at defensec.nl> writes:
>>>
>>>> Hi, Thank you for feedback. Comments inline below:
>>>>
>>>> Stefan Hellermann <stefan at the2masters.de> writes:
>>>>
>>> <snip>
>>>
>>>>> audit(1736704702.290:4): avc: denied { associate } for pid=1010
>>>>> comm="mv" name="sysupgrade.tgz" scontext=sys.id:sys.role:dos.fs
>>>>> tcontext=sys.id:sys.role:xattr.fs tclass=filesystem permissive=1
>>>> This is caused by mv'ing the file from a fat filesystem (fat does not
>>>> support extended attributes) to an extended attribute file system. When
>>>> you mv a file you also mv its associated context with it.
>>>>
>>>> This should not be allowed. Instead you should use cp. mv does not make
>>>> much sense anyway cross filesystem.
>>>>
>>> This bothered me so I would like to explain why I object to this.
>>>
>>> mv and cp are more complicated than some think. I see this all the time
>>> where people for example use `cp -a` without realizing the consequences.
>>>
>>> But regardless of this, coreutils has extensive support for SELinux and
>>> `mv -Z` would have addressed the above challenge. The issue is that
>>> busybox' `mv` does not support -Z and so eventually I will have to draw
>>> the line somewhere anyway. This seems like a good place to start.
>>>
>>>>> Sun Jan 12 17:58:25 2025 user.warn kernel: urandom-seed: Seed file not
>>>>> found (/etc/urandom.seed)
>>>>> Sun Jan 12 17:58:25 2025 user.info kernel: procd: - early -
>>>>> Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400
>>>>> audit(1736704702.590:5): avc: denied { write } for pid=1166
>>>>> comm="mkdir" name="/" dev="tmpfs" ino=1
>>>>> scontext=sys.id:sys.role:hotplug.call.subj
>>>>> tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
>>>>> Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400
>>>>> audit(1736704702.590:6): avc: denied { add_name } for pid=1166
>>>>> comm="mkdir" name="virtio-ports"
>>>>> scontext=sys.id:sys.role:hotplug.call.subj
>>>>> tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
>>>>> Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400
>>>>> audit(1736704702.590:7): avc: denied { create } for pid=1166
>>>>> comm="mkdir" name="virtio-ports"
>>>>> scontext=sys.id:sys.role:hotplug.call.subj
>>>>> tcontext=sys.id:sys.role:tmp.fs tclass=dir permissive=1
>>>>> Sun Jan 12 17:58:25 2025 kern.notice kernel: audit: type=1400
>>>>> audit(1736704702.590:8): avc: denied { create } for pid=1167
>>>>> comm="ln" name="org.qemu.guest_agent.0"
>>>>> scontext=sys.id:sys.role:hotplug.call.subj
>>>>> tcontext=sys.id:sys.role:tmp.fs tclass=lnk_file permissive=1
>>>>> Sun Jan 12 17:58:25 2025 user.info kernel: procd: - ubus -
>>>>> Sun Jan 12 17:58:25 2025 user.info kernel: procd: - init -
>> I added support for this. We'll see where this leads. I might end up
>> reverting it later.
>>
>> https://git.defensec.nl/?p=selinux-policy.git;a=commitdiff;h=32c0cc897f679b6d2b204bc2935d9de3b7006944
>>
>>>> This seems like an 'exotic hotplug script'. I have an accomodation for
>>>> this. see if this comment helps:
>>>> https://git.defensec.nl/?p=selinux-policy.git;a=blob;f=src/agent/sysagent/hotplugsysagent.cil;h=3987b8540ae537d174a74cceb2c89ce26ef3c813;hb=HEAD#l115
>>> We'll have to see how this will work out practically. I am open to
>>> suggestions for alternative approaches but this seems like a fair
>>> approach.
>>>
>>> There are also challenges here. For example in the above event, the
>>> script is trying to create a dir and symlink in /dev. In OpenWrt there
>>> is no (easy) way to make a distinction between devtmpfs and and a common
>>> tmpfs. If I we're to allow this then that would later potentially
>>> present challenges when another script wants to create a dir or symlink in /tmp.
>>>
>>> Again, eventually I would have to draw the line somewhere as to what
>>> should be allowed by default and what is to be considered exotic. This
>>> looks like a good place.
>>>
>>> Just trying to explain some of the rationale because I am open to better
>>> alternatives. I just don't see any.
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
>
--
gpg --locate-keys dominick.grift at defensec.nl (wkd)
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
Mastodon: @kcinimod at defensec.nl
More information about the openwrt-devel
mailing list