[yocto] SELinux with Busybox on morty

Marco Ostini marco at ostini.org
Mon Jul 24 00:45:04 PDT 2017


Hi Joe & Shrikant,

Many thanks for your response. It was good to know that busybox can
function with SELinux enforcing enabled.

Sorry for not mentioning the policy we're currently using. It's:
   refpolicy-targeted

||/ Name                            Version              Architecture         Description
+++-===============================-====================-====================-====================================================================
ii  refpolicy-targeted              git-r0               amd64                SELinux targeted policy

We'll build policy based on 2.20151208 and give it a try to see how it
behaves.

It appears to me that the policy itself is responsible for semanage not
functioning. When I try:

   semanage -v port -l

I see errors like this:

1088. 07/24/17 07:29:46 semanage unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 2 dir write system_u:object_r:lib_t:s0 denied 1095
1089. 07/24/17 07:29:46 semanage unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 2 dir write system_u:object_r:lib_t:s0 denied 1096

or

time->Mon Jul 24 07:29:46 2017
type=PROCTITLE msg=audit(1500881386.907:1101): proctitle=2F7573722F62696E2F707974686F6E002D4573002F7573722F7362696E2F73656D616E616765002D7600706F7274002D6C
type=SYSCALL msg=audit(1500881386.907:1101): arch=c000003e syscall=2 success=no exit=-13 a0=7ddf20 a1=2c1 a2=81a4 a3=5640003640100 items=0 ppid=496 pid=1201 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="semanage" exe="/usr/bin/python2.7" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1500881386.907:1101): avc:  denied  { write } for  pid=1201 comm="semanage" name="sepolgen" dev="vda" ino=6091 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0

The majority of the errors however are related to start_getty:

142. 07/24/17 06:14:04 start_getty system_u:system_r:getty_t:s0 4 dir search system_u:object_r:default_t:s0 denied 149

time->Mon Jul 24 07:34:21 2017
type=PROCTITLE msg=audit(1500881661.906:1160): proctitle=2F62696E2F7368002F62696E2F73746172745F676574747900313135323030007474795330
type=SYSCALL msg=audit(1500881661.906:1160): arch=c000003e syscall=59 success=no exit=-13 a0=6fca60 a1=6fcc40 a2=6faf90 a3=59a items=0 ppid=1244 pid=1246 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="start_getty" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1500881661.906:1160): avc:  denied  { search } for  pid=1246 comm="start_getty" name="sbin" dev="vda" ino=7236 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0

I've applied an appropriate context to start_getty, but that didn't prevent
the errors:

ls -alZ /bin/start_getty
-rwxr-xr-x. 1 root root system_u:object_r:getty_exec_t:s0 99 Jul 21 02:55 /bin/start_getty

start_getty is a shell script that points back to /sbin/getty, which is a
symlink to /usr/lib/busybox/sbin/getty.

So I applied a context to /usr/lib/busybox/sbin/getty as well, without it
preventing the above-mentioned errors:

ls -alZ /usr/lib/busybox/sbin/getty
-rwxr-xr-x. 1 root root system_u:object_r:getty_exec_t:s0 21 Jun  9 03:39 /usr/lib/busybox/sbin/getty

I'm keen to see how policy based on 2.20151208 will look.

In addition to trying 2.20151208, if you have any suggestions or advice, I'd
be grateful to hear them.

Cheers,
Marco



On 22 July 2017 at 05:46, Joe MacDonald <Joe_MacDonald at mentor.com> wrote:

> Hi Justin / Marco,
>
> [Re: SELinux with Busybox on morty] On 17.07.19 (Wed 16:05) Justin
> Clacherty wrote:
>
> > Hi Joe,
> >
> > Is this something you or one of the other meta-selinux devs are able
> > to help out with or is it more of an upstream question?
>
> I'll see if I can give this a shot.  :-)
>
> >
> > Cheers,
> > Justin.
> >
> >
> > > On 17 Jul 2017, at 4:57 pm, Marco Ostini <marco at ostini.org> wrote:
> > >
> > >
> > > Hi All,
> > >
> > > At the moment I'm attempting to prepare a VM of morty with SELinux
> > > running well in enforcing mode. Once bedded down this will be
> > > running on an embedded system.
> > >
> > > We use Busybox to keep the environment slim.
> > >
> > > As you may be aware the file contexts of
> > > /etc/selinux/targeted/contexts/files/file_contexts don't include
> > > appropriate paths (/sbin + /usr/lib/busybox/sbin/) and relative file
> > > contexts for commands provided by Busybox. The /sbin files provided
> > > by Busybox are symlinks to their counterparts in
> > > /usr/lib/busybox/sbin/.
> > >
> > > I've attempted to use semanage to apply file contexts and look up
> > > login contexts. Any time I use semanage I receive this message:
> > >
> > >    Error: Failed to read //etc/selinux/targeted/policy/policy.30 policy file
> > >
> > > In an attempt to mitigate this error I ran semodule --build and
> > > while it did rebuild the policy file, it didn't mitigate the error
> > > message generated by semanage. At the moment I'm applying temporary
> > > file contexts with chcon.
> > >
> > > My questions are:
> > >
> > > 1. Is it possible to run Busybox (providing init, getty, syslog ...)
> > > in SELinux enforcing? If so, where are the policy files?
>
> You haven't mentioned which policy you're currently using so I'm
> guessing it is the default you get from meta-selinux, that is
> refpolicy-git.  I've been debugging some (I think) unrelated issues with
> refpolicy-git this week, so my advice would be to first try out
> 2.20151208, the current release version we have in tree.  That's
> obviously also out of date, but it is currently better tested than the
> git recipe.
>
> All that said, yes, we have been, in the past, able to use busybox with
> SELinux enforcing enabled, though as you can see from the layer, we've
> had to tweak refpolicy to make it work well.  I'm adding a colleague of
> mine here, Shrikant, who has done a fair bit of recent work with
> meta-selinux as well, he might have some additional insight into the
> current status of busybox-based systems.
>
> > > 2. Is there some documentation somewhere on reference builds of
> > > Morty with SELinux enforcing?
>
> There is not at the moment, as far as I know.  It's possible that
> someone else currently using that combination can help out with some
> guidance, but we haven't done any Morty+SELinux specific documentation.
> Since I'm investigating some other issues right now in a slightly
> different area, though, I may get some time next week to write up
> something quick for this for you. If I do, I'll be sure to share it
> here.
>
> --
> -Joe MacDonald.
> :wq
>
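The AVC records quoted in this thread have the usual ausearch shape: the PROCTITLE record carries argv hex-encoded with NUL separators, and the AVC record names the source type, the target type, the object class and the permission. The parser below is an added example (not code from this thread or from meta-selinux) that joins the records of one event by audit serial, decodes the proctitle, and flags a target labelled default_t, which in refpolicy is the catch-all label given to paths no file_contexts entry matches. The sample input is the two events from the mail re-joined onto single lines (the SYSCALL lines shortened); the function names are my own.

```python
"""Parse SELinux AVC denials out of ausearch-style audit output.

Added example for this thread (not code from the thread or from meta-selinux).
SAMPLE_AUDIT holds the two events quoted in the mail, joined onto single lines
the way ausearch prints them; the SYSCALL records are shortened.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT = """\
time->Mon Jul 24 07:29:46 2017
type=PROCTITLE msg=audit(1500881386.907:1101): proctitle=2F7573722F62696E2F707974686F6E002D4573002F7573722F7362696E2F73656D616E616765002D7600706F7274002D6C
type=SYSCALL msg=audit(1500881386.907:1101): arch=c000003e syscall=2 success=no exit=-13 comm="semanage" exe="/usr/bin/python2.7" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1500881386.907:1101): avc:  denied  { write } for  pid=1201 comm="semanage" name="sepolgen" dev="vda" ino=6091 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
----
time->Mon Jul 24 07:34:21 2017
type=PROCTITLE msg=audit(1500881661.906:1160): proctitle=2F62696E2F7368002F62696E2F73746172745F676574747900313135323030007474795330
type=AVC msg=audit(1500881661.906:1160): avc:  denied  { search } for  pid=1246 comm="start_getty" name="sbin" dev="vda" ino=7236 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
# key=value, key="quoted value" or key={ a b }
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\{[^}]*\}|\S+)')


def parse_fields(text):
    """Turn 'k=v k2="v 2"' into a dict, stripping the surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def decode_proctitle(value):
    """PROCTITLE is hex-encoded argv with NUL separators; plain titles stay as-is."""
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        raw = bytes.fromhex(value)
        return [p.decode('utf-8', 'replace') for p in raw.split(b'\x00') if p]
    return [value]


def type_of(context):
    """Third field of user:role:type[:range] is the SELinux type."""
    return context.split(':')[2] if context and context.count(':') >= 2 else None


def parse_denials(text):
    """Group records by audit serial; return one summary dict per AVC record."""
    events = defaultdict(lambda: {'argv': None, 'time': None, 'avcs': []})
    current_time = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('time->'):
            current_time = line[len('time->'):]
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue                     # '----' separators and unknown lines
        ev = events[m['serial']]
        ev['time'] = ev['time'] or current_time
        if m['type'] == 'PROCTITLE':
            ev['argv'] = decode_proctitle(parse_fields(m['body']).get('proctitle', ''))
        elif m['type'] == 'AVC':
            a = AVC_RE.search(m['body'])
            if a:
                f = parse_fields(a['fields'])
                ev['avcs'].append({
                    'verdict': a['verdict'], 'perms': a['perms'].split(),
                    'comm': f.get('comm'), 'name': f.get('name'), 'tclass': f.get('tclass'),
                    'stype': type_of(f.get('scontext')), 'ttype': type_of(f.get('tcontext')),
                    'enforced': f.get('permissive') == '0',
                })
    out = []
    for serial, ev in events.items():
        for avc in ev['avcs']:
            out.append(dict(avc, serial=serial, time=ev['time'], argv=ev['argv']))
    return out


def explain(d):
    """One-line human summary of a denial, plus a labelling hint where it applies."""
    line = "%s: %s (%s) %s %s on %s '%s' labelled %s" % (
        d['serial'], d['stype'], d['comm'], d['verdict'], '/'.join(d['perms']),
        d['tclass'], d['name'], d['ttype'])
    if d['argv']:
        line += '  argv=%r' % (' '.join(d['argv']),)
    # default_t is what refpolicy's catch-all file_contexts entry assigns: nothing
    # more specific matched this object, so the fix is a labelling rule for the
    # object named in the AVC (here a directory), not for a binary executed later.
    if d['ttype'] == 'default_t':
        line += "  [hint: target has the catch-all label; check with matchpathcon / restorecon -nv]"
    return line


if __name__ == '__main__':
    for denial in parse_denials(SAMPLE_AUDIT):
        print(explain(denial))
```

Feed it the output of `ausearch -m AVC -ts recent` instead of SAMPLE_AUDIT to triage a real box. On the page's own second event the decoded argv is `/bin/sh /bin/start_getty 115200 ttyS0`, and the denied operation is `search` on the directory `sbin` carrying default_t; that is why relabelling the getty binary inside it did not change the AVC, and why the directory is the object whose file_contexts entry needs checking.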