Selinux in enforcing mode prevent network interface to be configured at boot for Debian stable ( 5.0)

Selinux in enforcing mode prevent network interface to be configured at boot for Debian stable ( 5.0)

[Elko Kuric]

Hi all,

I decided to move my debian installation to use Selinux, and I
installed it using

http://wiki.debian.org/SELinux  howto ( Debian 5 )


When Selinux is in "permissive" mode, network connection is up and it works
but when I switch Selinux to "enforcing" mode network interface is
down after reboot.

seaudit-report report the following output:

Feb 07 08:36:58 firewall kernel: avc: denied pid=1290 comm=ifup
name=ifstate ino=4103 dev=hda1 \
scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:etc_runtime_t tclass=file

Feb 07 08:36:58 firewall kernel: avc: denied pid=1297 comm=ifup
name=ifstate ino=4103 dev=hda1 \
scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:etc_runtime_t tclass=file

I can understand that selinux is preventing ifup to be executed, but I
still do not have counterpart in debian
for RedHat's

sealert -a audit.log

, where it suggest what is necessary to do in order to allow access.

I can bring interface up when logged as rood and using "ifconfig "

Any comment is welcome and thank you in advance,

Regards,

Elko

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Selinux in enforcing mode prevent network interface to be configured at boot for Debian stable ( 5.0)

[Justin P. Mattock]

On 02/07/10 00:12, Elko Kuric wrote:
> Hi all,
>
> I decided to move my debian installation to use Selinux, and I
> installed it using
>
> http://wiki.debian.org/SELinux  howto ( Debian 5 )
>
>
> When Selinux is in "permissive" mode, network connection is up and it works
> but when I switch Selinux to "enforcing" mode network interface is
> down after reboot.
>
> seaudit-report report the following output:
>
> Feb 07 08:36:58 firewall kernel: avc: denied pid=1290 comm=ifup
> name=ifstate ino=4103 dev=hda1 \
> scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:etc_runtime_t tclass=file
>
> Feb 07 08:36:58 firewall kernel: avc: denied pid=1297 comm=ifup
> name=ifstate ino=4103 dev=hda1 \
> scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:etc_runtime_t tclass=file
>
> I can understand that selinux is preventing ifup to be executed, but I
> still do not have counterpart in debian
> for RedHat's
>
> sealert -a audit.log
>
> , where it suggest what is necessary to do in order to allow access.
>
> I can bring interface up when logged as rood and using "ifconfig "
>
> Any comment is welcome and thank you in advance,
>
> Regards,
>
> Elko
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>

not sure what policy debian is using.
if it's regular targeted(binary), you should be able
to just do a audit2allow -dM modulename(to build the module)
then sudo semodule -i modulename(to install the module)
(if an error happens then you need to manually
edit the *.te file then use sepackage(I think),and/or
semodule to build the *.pp).
(there is a kernelparameter for network for SELinux
but last I remember that was for policy-default(many moon ago));


Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Selinux in enforcing mode prevent network interface to be configured at boot for Debian stable ( 5.0)

[Elko Kuric]

On Sun, Feb 7, 2010 at 9:42 AM, Justin P. Mattock
<justinmattock@gmail.com> wrote:
> On 02/07/10 00:12, Elko Kuric wrote:
>>
>> Hi all,
>>
>> I decided to move my debian installation to use Selinux, and I
>> installed it using
>>
>> http://wiki.debian.org/SELinux  howto ( Debian 5 )
>>
>>
>> When Selinux is in "permissive" mode, network connection is up and it
>> works
>> but when I switch Selinux to "enforcing" mode network interface is
>> down after reboot.
>>
>> seaudit-report report the following output:
>>
>> Feb 07 08:36:58 firewall kernel: avc: denied pid=1290 comm=ifup
>> name=ifstate ino=4103 dev=hda1 \
>> scontext=system_u:system_r:udev_t
>> tcontext=system_u:object_r:etc_runtime_t tclass=file
>>
>> Feb 07 08:36:58 firewall kernel: avc: denied pid=1297 comm=ifup
>> name=ifstate ino=4103 dev=hda1 \
>> scontext=system_u:system_r:udev_t
>> tcontext=system_u:object_r:etc_runtime_t tclass=file
>>
>> I can understand that selinux is preventing ifup to be executed, but I
>> still do not have counterpart in debian
>> for RedHat's
>>
>> sealert -a audit.log
>>
>> , where it suggest what is necessary to do in order to allow access.
>>
>> I can bring interface up when logged as rood and using "ifconfig "
>>
>> Any comment is welcome and thank you in advance,
>>
>> Regards,
>>
>> Elko
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>> with
>> the words "unsubscribe selinux" without quotes as the message.
>>
>
> not sure what policy debian is using.
> if it's regular targeted(binary), you should be able
> to just do a audit2allow -dM modulename(to build the module)
> then sudo semodule -i modulename(to install the module)
> (if an error happens then you need to manually
> edit the *.te file then use sepackage(I think),and/or
> semodule to build the *.pp).
> (there is a kernelparameter for network for SELinux
> but last I remember that was for policy-default(many moon ago));
>
>
> Justin P. Mattock
>

Thanks for mail. I have installed following packages

dpkg -l | grep ii | grep selinux

ii  libselinux1                       2.0.65-5                 SELinux
shared libraries
ii  python-selinux                    2.0.65-5                 Python
bindings to SELinux shared libraries
ii  selinux-basics                    0.3.5                    SELinux
basic support
ii  selinux-policy-default            2:0.0.20080702-6         Strict
and Targeted variants of the SELinux policy
ii  selinux-utils                     2.0.65-5                 SELinux
utility programs


I expected some issues with setting up some specific services (
dns/mail ... ), but here I just want to get network
functional once I set selinux to "enforcing " policy.

Elko


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Selinux in enforcing mode prevent network interface to be configured at boot for Debian stable ( 5.0)

[Justin P. Mattock]

> Thanks for mail. I have installed following packages
>
> dpkg -l | grep ii | grep selinux
>
> ii  libselinux1                       2.0.65-5                 SELinux
> shared libraries
> ii  python-selinux                    2.0.65-5                 Python
> bindings to SELinux shared libraries
> ii  selinux-basics                    0.3.5                    SELinux
> basic support
> ii  selinux-policy-default            2:0.0.20080702-6         Strict
> and Targeted variants of the SELinux policy
> ii  selinux-utils                     2.0.65-5                 SELinux
> utility programs
>
>
> I expected some issues with setting up some specific services (
> dns/mail ... ), but here I just want to get network
> functional once I set selinux to "enforcing " policy.
>
> Elko
>

what does audit2allow -d say?

if nothing the do a
sudo /usr/sbin/semodule -DB
(reboot)
then what does audit2allow say?
should give you some allow rules
if so add them to your policy.

Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Selinux in enforcing mode prevent network interface to be configured at boot for Debian stable ( 5.0)

[Michal Svoboda]

[-- Attachment #1: Type: text/plain, Size: 637 bytes --]

Justin P. Mattock wrote:
> if nothing the do a
> sudo /usr/sbin/semodule -DB
> (reboot)
> then what does audit2allow say?
> should give you some allow rules
> if so add them to your policy.

This will most likely output a very large number of rules that don't
make sense, ie. they would do more bad than good.

The basic problem is that the network scripts don't have their own
restricted domain in which they could run. Running them from udev on
'network hotplug event' will copy the udev context, which doesn't have
enough privileges to configure network. Giving these privileges to udev
directly would be sub-optimal.

Michal Svoboda

[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]

Re: Selinux in enforcing mode prevent network interface to be configured at boot for Debian stable ( 5.0)

[Justin P. Mattock]

On 02/07/10 08:23, Michal Svoboda wrote:
> Justin P. Mattock wrote:
>> if nothing the do a
>> sudo /usr/sbin/semodule -DB
>> (reboot)
>> then what does audit2allow say?
>> should give you some allow rules
>> if so add them to your policy.
>
> This will most likely output a very large number of rules that don't
> make sense, ie. they would do more bad than good.
>

  true.. well if there's a better idea to help this person out,
then please add..(I figured the most simplest way to do so
without having to do brain surgery).

> The basic problem is that the network scripts don't have their own
> restricted domain in which they could run. Running them from udev on
> 'network hotplug event' will copy the udev context, which doesn't have
> enough privileges to configure network. Giving these privileges to udev
> directly would be sub-optimal.
>
> Michal Svoboda

in this case if this is ifup, then it should be a no brainer(but could 
be wrong).

Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Selinux in enforcing mode prevent network interface to be configured at boot for Debian stable ( 5.0)

[Michal Svoboda]

[-- Attachment #1: Type: text/plain, Size: 1233 bytes --]

Elko Kuric wrote:
> I decided to move my debian installation to use Selinux, and I
> installed it using
> http://wiki.debian.org/SELinux  howto ( Debian 5 )
> When Selinux is in "permissive" mode, network connection is up and it
> works but when I switch Selinux to "enforcing" mode network interface
> is down after reboot.

From what I can remember this is an issue with the network hotplug.
A short way to solve this is to simply disable hotplug for all your
interfaces in /etc/network/interfaces (see man interfaces). You have
a server anyway so you shouldn't need to plug network cards in and out
while it's running.

For a permanent fix, kindly report this to the debian folk.

You will probably also experience AVC denials for all the scripts in
/etc/network/*.d directories as they are not run in proper context.
Again a quick solution is to disable them.

I also recommend looking at Russell Coker's page [1] as he has created
some packages that fix the most outcrying problems (eg. postfix).

I am successfully running SELinux on debian lenny (5.0), so it can be
done, only it needs some patience.

Regards,
Michal Svoboda

[1] http://doc.coker.com.au/computers/installing-se-linux-on-lenny


[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]

Re: Selinux in enforcing mode prevent network interface to be configured at boot for Debian stable ( 5.0)

[Elko Kuric]

Hi Michal,

your suggestion solved issue

change in /etc/network/interfaces

#allow-hotplug eth0
auto eth0

did a trick.


Thank+regards,

Elko

On Sun, Feb 7, 2010 at 5:16 PM, Michal Svoboda
<michal.svoboda@agents.felk.cvut.cz> wrote:
> Elko Kuric wrote:
>> I decided to move my debian installation to use Selinux, and I
>> installed it using
>> http://wiki.debian.org/SELinux  howto ( Debian 5 )
>> When Selinux is in "permissive" mode, network connection is up and it
>> works but when I switch Selinux to "enforcing" mode network interface
>> is down after reboot.
>
> From what I can remember this is an issue with the network hotplug.
> A short way to solve this is to simply disable hotplug for all your
> interfaces in /etc/network/interfaces (see man interfaces). You have
> a server anyway so you shouldn't need to plug network cards in and out
> while it's running.
>
> For a permanent fix, kindly report this to the debian folk.
>
> You will probably also experience AVC denials for all the scripts in
> /etc/network/*.d directories as they are not run in proper context.
> Again a quick solution is to disable them.
>
> I also recommend looking at Russell Coker's page [1] as he has created
> some packages that fix the most outcrying problems (eg. postfix).
>
> I am successfully running SELinux on debian lenny (5.0), so it can be
> done, only it needs some patience.
>
> Regards,
> Michal Svoboda
>
> [1] http://doc.coker.com.au/computers/installing-se-linux-on-lenny
>
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.