Experiences with selinux enabled targetted on Fedora Core 3

Russell Coker russell at coker.com.au
Mon Apr 25 04:09:04 UTC 2005 

On Sunday 24 April 2005 18:40, Valdis.Kletnieks at vt.edu wrote:
> > The alternatives are as follows:
> >
> > 1)  Have the users manually relabel.  But this requires that they have
> > the skill needed to use mount --bind or single user mode.
>
> Relabelling the /dev mountpoint is  quite non-trivial, because booting to
> single-user in Fedora still gets udev started and a tmpfs mounted over
> /dev. I ended up having to boot from the rescue disk and having to do
> something like:

Here you are just proving my point about the operation being overly difficult.
mount --bind / /mnt ; chcon /mnt ...

But there's lots of potential for things to go spectacularly wrong when you do 
a bind mount (think about what would happen if you ran "fixfiles relabel").

> chroot /mnt/sysimage
> mount -t selinux /selinux
> restorecon /dev

We could of course have the rescue disk contain scripts to manage such things, 
but again it's really painful, it would require changing code in several 
packages.

> > 2)  Have more error messages in the logs.  This leads to users ignoring
> > the more important AVC messages which is a security issue.
>
> Quite right - my concern was that we're trying to silence a few msgs at
> boot and thus *forcing* the user to ignore the same message during normal
> operations, when it *would* be a "more important" message...

dontaudit pam_console_t file_t:dir search;
dontaudit dmesg_t file_t:dir search;
dontaudit hostname_t file_t:dir search;
dontaudit hotplug_t file_t:dir { search getattr };
dontaudit hwclock_t file_t:dir search;
dontaudit kudzu_t file_t:dir search;
dontaudit lvm_t file_t:dir search;
dontaudit insmod_t file_t:dir search;
dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr;
dontaudit sulogin_t file_t:dir search;
dontaudit syslogd_t file_t:dir search;
dontaudit udev_t file_t:dir search;

According to a quick grep the above are the domains that have such dontaudit 
rules.  Note that for some it doesn't matter at all, the system is in 
permissive mode for sulogin_t, mrtg does an operation equivalent to
"ls -l /" without any good cause, etc.

> > 3)  Have more complex code in rc.sysinit for relabeling file systems
> > (which is therefore more error prone) and also remove the possibility of
> > running "fixfiles relabel" as administrator and forcing a reboot with
> > /.autorelabel .
>
> Unfortunately, the /.autorelabel trick happens too late - it's done right
> *after* we've mounted all the filesystems and enabled disk quotas.  The
> checking would need to be *really* early in rc.sysinit - like before
> start_udev gets called.  Remember - what got me started on this was the
> 'mount -t tmpfs /dev' issuing a message because it was trying to mount onto
> a mislabeled /dev...

We could change the .autorelabel code to be more complex, use bind mounts, 
etc.  But that also means more failure conditions.

Note that there is an opportunity cost to everything we do.  There are lots of 
features that I would like to get in that require more work from the 
maintainers of such packages.  Is it worth delaying work on SE-X, 
crypto-root, and other security features to remove a few dontaudit rules?

> 4) Add code to 'anaconda' (or whatever your distro uses) to do the
> appropriate 'restorecon' for the mount points for file systems created
> during system install.  It knows (or can be taught) what directories in /
> (/dev, /proc, /sys, and /selinux) will have pseudo file systems mounted on
> them, and what directories will have file systems mounted over them (/var,
> /tmp, /usr/local, / usr/share, /home, /opt, and so on).
>
> After the install, if /usr was a single filesystem, and the admin decides
> that they want /usr/local and /usr/share to be 2 new file systems, that's
> OK, because the first 'fixfiles relabel' will have set the right settings
> on the 'local' and 'share' directories that will now be mount points...
>
> That still has issues with an admin creating a /foo filesystem, mounting
> it, and later on we decide to add a special context for /foo - but as long
> as /foo doesn't become required to get to multiuser mode, the admin can
> just 'umount /foo; restorecon /foo; mount /foo; restorecon -R foo' and be
> done.

That also has issues related to fsck removing xattrs on corrupted filesystems, 
administrators converting non-SE systems to SE Linux, administrators booting 
machines with selinux=0 while they repartition disks, and all manner of other 
potential problems.

The /.autorelabel file MUST do everything that we require in terms of fixing 
file labels.  We can't rely on anaconda or anything else to fix things up.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

More information about the fedora-selinux-list mailing list