[yocto] SELinux with Busybox on morty

Shrikant Bobade bobadeshrikant at gmail.com
Tue Jul 25 00:55:01 PDT 2017


Hi Marco,

Along similar lines, as Joe suggested, please try with refpolicy 2.20151208
from morty. I would also recommend starting with the refpolicy-minimum policy
variant; then you can explore other variants like refpolicy-targeted.

On Mon, Jul 24, 2017 at 1:15 PM, Marco Ostini <marco at ostini.org> wrote:
>
> Hi Joe & Shrikant,
>
> Many thanks for your response. It was good to know that busybox can
> function with SELinux enforcing enabled.
>
I can also confirm busybox works fine in enforcing mode with the minimum
variant; I have used it in multiple ways.

> Sorry not to mention the policy we're currently using. It's:
>    refpolicy-targeted
>
> ||/ Name                Version  Architecture  Description
> +++-===================-========-=============-=======================
> ii  refpolicy-targeted  git-r0   amd64         SELinux targeted policy
>
> We'll build policy based on 2.20151208 and give it a try to see how it
> behaves.
>
> It appears to me that policy itself is responsible for semanage not
> functioning. When I try:
>
>    semanage -v port -l
>
> I see errors like this:
>
> 1088. 07/24/17 07:29:46 semanage
> unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 2 dir write
> system_u:object_r:lib_t:s0 denied 1095
> 1089. 07/24/17 07:29:46 semanage
> unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 2 dir write
> system_u:object_r:lib_t:s0 denied 1096
>
> or
>
> time->Mon Jul 24 07:29:46 2017
> type=PROCTITLE msg=audit(1500881386.907:1101):
> proctitle=2F7573722F62696E2F707974686F6E002D4573002F7573722F7362696E2F73656D616E616765002D7600706F7274002D6C
> type=SYSCALL msg=audit(1500881386.907:1101): arch=c000003e syscall=2
> success=no exit=-13 a0=7ddf20 a1=2c1 a2=81a4 a3=5640003640100 items=0
> ppid=496 pid=1201 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts0 ses=1 comm="semanage" exe="/usr/bin/python2.7"
> subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1500881386.907:1101): avc:  denied  { write } for
> pid=1201 comm="semanage" name="sepolgen" dev="vda" ino=6091
> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
>
> The majority of the errors however are related to start_getty:
>
> 142. 07/24/17 06:14:04 start_getty system_u:system_r:getty_t:s0 4 dir
> search system_u:object_r:default_t:s0 denied 149
>
> time->Mon Jul 24 07:34:21 2017
> type=PROCTITLE msg=audit(1500881661.906:1160):
> proctitle=2F62696E2F7368002F62696E2F73746172745F676574747900313135323030007474795330
> type=SYSCALL msg=audit(1500881661.906:1160): arch=c000003e syscall=59
> success=no exit=-13 a0=6fca60 a1=6fcc40 a2=6faf90 a3=59a items=0 ppid=1244
> pid=1246 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="start_getty" exe="/bin/bash"
> subj=system_u:system_r:getty_t:s0 key=(null)
> type=AVC msg=audit(1500881661.906:1160): avc:  denied  { search } for
> pid=1246 comm="start_getty" name="sbin" dev="vda" ino=7236
> scontext=system_u:system_r:getty_t:s0
> tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
>
> I've applied an appropriate context to start_getty, but that didn't
> prevent the errors:
>
> ls -alZ /bin/start_getty
> -rwxr-xr-x. 1 root root system_u:object_r:getty_exec_t:s0 99 Jul 21 02:55
> /bin/start_getty
>
> start_getty is a shell script that points back to /sbin/getty which is a
> symlink to /usr/lib/busybox/sbin/getty
>
> So I applied a context to /usr/lib/busybox/sbin/getty without it
> preventing the above mentioned errors:
>
> ls -alZ /usr/lib/busybox/sbin/getty
> -rwxr-xr-x. 1 root root system_u:object_r:getty_exec_t:s0 21 Jun  9 03:39
> /usr/lib/busybox/sbin/getty
>

I think you are trying to patch the policy or fix the AVC denials w.r.t.
context.

To do that, there are audit tools available from meta-selinux which will help
to understand the AVC denials in detail. Please try using audit2why on the AVC
denials to see why we hit them, and then audit2allow to generate allow rules
based on the current policy, and try with the generated allow rules.

Hope it helps :)

> I'm keen to see how policy based on 2.20151208 will look.
>
> Additional to trying 2.20151208 if you have any suggestions or advice I'd
> be grateful to hear it.
Please start exploring with refpolicy-minimum.

>
> Cheers,
> Marco
>
>

Thanks
Shrikant

>
> On 22 July 2017 at 05:46, Joe MacDonald <Joe_MacDonald at mentor.com> wrote:
>>
>> Hi Justin / Marco,
>>
>> [Re: SELinux with Busybox on morty] On 17.07.19 (Wed 16:05) Justin
>> Clacherty wrote:
>>
>> > Hi Joe,
>> >
>> > Is this something you or one of the other meta-selinux devs are able
>> > to help out with or is it more of an upstream question?
>>
>> I'll see if I can give this a shot.  :-)
>>
>> >
>> > Cheers,
>> > Justin.
>> >
>> >
>> > > On 17 Jul 2017, at 4:57 pm, Marco Ostini <marco at ostini.org> wrote:
>> > >
>> > >
>> > > Hi All,
>> > >
>> > > At the moment I'm attempting to prepare a VM of morty with SELinux
>> > > running well in enforcing mode. Once bedded down this will be
>> > > running on an embedded system.
>> > >
>> > > We use Busybox to keep the environment slim.
>> > >
>> > > As you may be aware the file contexts of
>> > > /etc/selinux/targeted/contexts/files/file_contexts don't include
>> > > appropriate paths (/sbin + /usr/lib/busybox/sbin/) and relative file
>> > > contexts for commands provided by Busybox. The /sbin files provided
>> > > by Busybox are symlinks to their counterparts in
>> > > /usr/lib/busybox/sbin/.
>> > >
>> > > I've attempted to use semanage to apply file contexts and look up
>> > > login contexts. Any time I use semanage I receive this message:
>> > >
>> > >    Error: Failed to read //etc/selinux/targeted/policy/policy.30
>> > >    policy file
>> > >
>> > > In an attempt to mitigate this error I ran semodule --build and
>> > > while it did rebuild the policy file, it didn't mitigate the error
>> > > message generated by semanage. At the moment I'm applying temporary
>> > > file contexts with chcon.
>> > >
>> > > My questions are:
>> > >
>> > > 1. Is it possible to run Busybox (providing init, getty, syslog ...)
>> > > in SELinux enforcing. If so, where's the policy files?
>>
>> You haven't mentioned which policy you're currently using so I'm
>> guessing it is the default you get from meta-selinux, that is
>> refpolicy-git.  I've been debugging some (I think) unrelated issues with
>> refpolicy-git this week, so my advice would be to first try out
>> 2.20151208, the current release version we have in tree.  That's
>> obviously also out of date, but it is currently better tested than the
>> git recipe.
>>
>> All that said, yes, we have been, in the past, able to use busybox with
>> SELinux enforcing enabled, though as you can see from the layer, we've
>> had to tweak refpolicy to make it work well.  I'm adding a colleague of
>> mine here, Shrikant, who has done a fair bit of recent work with
>> meta-selinux as well, he might have some additional insight into the
>> current status of busybox-based systems.
>>
>> > > 2. Is there some documentation somewhere on reference builds of
>> > > Morty with SELinux enforcing ?
>>
>> There is not at the moment, as far as I know.  It's possible that
>> someone else currently using that combination can help out with some
>> guidance, but we haven't done any Morty+SELinux specific documentation.
>> Since I'm investigating some other issues right now in a slightly
>> different area, though, I may get some time next week to write up
>> something quick for this for you.  If I do, I'll be sure to share
>> it here.
>>
>> --
>> -Joe MacDonald.
>> :wq
>
>
>
>
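The audit2why/audit2allow step Shrikant describes, as an added example that is not from the thread or from meta-selinux: a small Python parser (function names are my own) over the AVC records Marco quoted above. It decodes the hex PROCTITLE back to argv, groups each event's records by audit serial, and folds the denials into the allow rules audit2allow would propose, with the usual caveat that a denial against default_t is a labelling gap rather than a policy gap.

```python
import re
from collections import defaultdict

# Constructed sample: the audit records quoted in the thread, re-joined one per line.
AUDIT_LOG = """\
type=PROCTITLE msg=audit(1500881386.907:1101): proctitle=2F7573722F62696E2F707974686F6E002D4573002F7573722F7362696E2F73656D616E616765002D7600706F7274002D6C
type=AVC msg=audit(1500881386.907:1101): avc:  denied  { write } for pid=1201 comm="semanage" name="sepolgen" dev="vda" ino=6091 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
type=PROCTITLE msg=audit(1500881661.906:1160): proctitle=2F62696E2F7368002F62696E2F73746172745F676574747900313135323030007474795330
type=AVC msg=audit(1500881661.906:1160): avc:  denied  { search } for pid=1246 comm="start_getty" name="sbin" dev="vda" ino=7236 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
"""
EVENT_RE = re.compile(r"msg=audit\([\d.]+:(?P<serial>\d+)\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?scontext=(?P<scon>\S+) "
                    r"tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)")

def decode_proctitle(hexstr):
    """PROCTITLE is argv hex-encoded, with a NUL byte between arguments."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").split("\x00")

def parse_audit(text):
    """Group PROCTITLE and AVC records by event serial; keep only the SELinux type
    (third field of user:role:type:range), since that is what allow rules name."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m["serial"], {})
        if line.startswith("type=PROCTITLE"):
            ev["argv"] = decode_proctitle(line.split("proctitle=", 1)[1].strip())
        elif line.startswith("type=AVC"):
            a = AVC_RE.search(line)
            ev["denial"] = (a["scon"].split(":")[2], a["tcon"].split(":")[2],
                            a["tclass"], a["perms"].split())
    return events

def allow_rules(events):
    """Merge denials into audit2allow-style rules keyed by (source, target, class).
    A rule against default_t (the label of a path no file context matched) means a
    labelling gap, not a policy gap: fix the file context instead of loading it."""
    merged = defaultdict(set)
    for ev in events.values():
        if "denial" in ev:
            s, t, c, perms = ev["denial"]
            merged[(s, t, c)].update(perms)
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        rules.append(f"allow {s} {t}:{c} {p};")
    return rules
```

On the two events quoted in the thread this yields `allow semanage_t lib_t:dir write;` and `allow getty_t default_t:dir search;`; the second is the one to treat as a file_contexts problem for /sbin and /usr/lib/busybox/sbin rather than a rule to load.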