* SELinux with initramfs
@ 2012-01-14 14:20 Sven Vermeulen
  2012-01-14 14:34 ` Sven Vermeulen
  0 siblings, 1 reply; 6+ messages in thread
From: Sven Vermeulen @ 2012-01-14 14:20 UTC (permalink / raw)
  To: selinux

Hi guys,

I'm trying to get a system to boot up with initramfs (without the initramfs
all things work just fine, but we need to get initramfs supported) with
SELinux running in enforcing mode, and without relying on unconfined
domains.

However, it looks to be quite challenging. 

An initramfs' /init will run in the kernel_t domain (and unconfined until
load_policy is called ?) but does quite a lot of activities before it can
even call load_policy (get /dev in shape, including starting udev, mounting
root file system, etc.) because load_policy needs access to the policy.26
file on the root file system.

But because all of this, udev doesn't run in the proper domain (also in
kernel_t), device entries are wrongly labeled (and relabeling fails because
kernel_t does not have relabel privileges) and the system just doesn't want
to boot.

Is it correct to say that load_policy should occur as soon as possible (even
before udev starts)? If so, does that mean that a SELinux-supporting
initramfs should actually include the policy.26 file in the initramfs?

Wkr,
	Sven Vermeulen

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: SELinux with initramfs
  2012-01-14 14:20 SELinux with initramfs Sven Vermeulen
@ 2012-01-14 14:34 ` Sven Vermeulen
  2012-01-14 15:46   ` Chris PeBenito
  0 siblings, 1 reply; 6+ messages in thread
From: Sven Vermeulen @ 2012-01-14 14:34 UTC (permalink / raw)
  To: selinux

On Sat, Jan 14, 2012 at 03:20:02PM +0100, Sven Vermeulen wrote:
> An initramfs' /init will run in the kernel_t domain (and unconfined until
> load_policy is called ?) 

Not unconfined, permissive.

Wkr,
	Sven Vermeulen



* Re: SELinux with initramfs
  2012-01-14 14:34 ` Sven Vermeulen
@ 2012-01-14 15:46   ` Chris PeBenito
  2012-01-16 14:46     ` Daniel J Walsh
  0 siblings, 1 reply; 6+ messages in thread
From: Chris PeBenito @ 2012-01-14 15:46 UTC (permalink / raw)
  To: Sven Vermeulen; +Cc: selinux

On 1/14/2012 9:34 AM, Sven Vermeulen wrote:
> On Sat, Jan 14, 2012 at 03:20:02PM +0100, Sven Vermeulen wrote:
>> An initramfs' /init will run in the kernel_t domain (and unconfined until
>> load_policy is called ?)
>
> Not unconfined, permissive.

It will run in the kernel initial SID ("kernel") until a policy is loaded.  Before the policy is loaded, it isn't permissive per se, as there is nothing to enforce.  SELinux is disabled in the "no policy loaded" sense (as opposed to the kernel command line selinux=0, unregistered SELinux LSM sense).  Once the policy is loaded, all of the labels will be set based on their initial SID; thus, the "kernel"-labeled processes get the kernel initial SID in the policy, kernel_t, and the initial enforcing/permissive state will be set based on the kernel command line enforcing= option, /etc/selinux/config, or kernel compiled-in default.

-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux


* Re: SELinux with initramfs
  2012-01-14 15:46   ` Chris PeBenito
@ 2012-01-16 14:46     ` Daniel J Walsh
  2012-01-21 19:24       ` Sven Vermeulen
  0 siblings, 1 reply; 6+ messages in thread
From: Daniel J Walsh @ 2012-01-16 14:46 UTC (permalink / raw)
  To: Chris PeBenito; +Cc: Sven Vermeulen, selinux


On 01/14/2012 10:46 AM, Chris PeBenito wrote:
> On 1/14/2012 9:34 AM, Sven Vermeulen wrote:
>> On Sat, Jan 14, 2012 at 03:20:02PM +0100, Sven Vermeulen wrote:
>>> An initramfs' /init will run in the kernel_t domain (and
>>> unconfined until load_policy is called ?)
>> 
>> Not unconfined, permissive.
> 
> It will run in the kernel initial SID ("kernel") until a policy is 
> loaded.  Before the policy is loaded, it isn't permissive per se,
> as there is nothing to enforce.  SELinux is disabled in the "no
> policy loaded" sense (as opposed to the kernel command line
> selinux=0, unregistered SELinux LSM sense).  Once the policy is
> loaded, all of the labels will be set based on their initial SID;
> thus, the "kernel"-labeled processes get the kernel initial SID in
> the policy, kernel_t, and the initial enforcing/permissive state
> will be set based on the kernel command line enforcing= option,
> /etc/selinux/config, or kernel compiled-in default.
> 
In RHEL and Fedora, we relabel the parts of /dev that are created in
the initramfs and restart udev so it is a child of init/systemd.



* Re: SELinux with initramfs
  2012-01-16 14:46     ` Daniel J Walsh
@ 2012-01-21 19:24       ` Sven Vermeulen
  2012-01-23 18:16         ` Daniel J Walsh
  0 siblings, 1 reply; 6+ messages in thread
From: Sven Vermeulen @ 2012-01-21 19:24 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: selinux

On Mon, Jan 16, 2012 at 09:46:58AM -0500, Daniel J Walsh wrote:
> In RHEL and Fedora, we relabel the parts of /dev that are created in
> the initramfs and restart udev so it is a child of init/systemd.

When do you relabel them? When I call setfiles before the load_policy, I get
an 'Operation not supported' on /dev as if it was a kernel that doesn't
support extended attributes on tmpfs (which isn't the case). Trying to call
it afterwards doesn't work, since the kernel_t domain doesn't allow
relabeling (I think, output is also missing since /dev/console is wrongly
labeled).

I'm quite close to have support for both putting the policy in the initramfs
itself (and call load_policy as one of the first things done on the
initramfs environment) and supporting booting in permissive mode and have a
switch to enforcing which can't be undone afterwards (goal is to boot in
enforcing).

The first support option probably allows for such a sane boot but requires
the policy to be in the initramfs. The other one allows us to boot properly
and I just toggle "setenforce 1" with the secure_mode_policyload boolean
enabled afterwards.

But both sound hackish - If I could only understand why I can't use setfiles
on /dev before calling load_policy...

Wkr,
	Sven Vermeulen

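The /init ordering the thread converges on (mount selinuxfs, load the policy, relabel /dev, only then start udev), written out as an added example; this is not code from the thread, from Gentoo's initramfs, or from the RHEL/Fedora dracut Dan refers to. It assumes the policy tree and /etc/selinux/config were copied into the initramfs, that selinuxfs is mounted at /sys/fs/selinux, that /dev is already a tmpfs, and that the DRY_RUN knob and the root-prefix argument exist only so the sequence can be exercised without root. pick_policy fails on purpose when no loadable policy.N is present, which is exactly the "policy not in the initramfs" case Sven asks about; the fallback he describes (boot permissive, then setenforce 1 and lock it with secure_mode_policyload) is lock_enforcing.

```shell
#!/bin/sh
# Added example, not code from the thread or from any distribution's initramfs.
# Assumptions: policy and /etc/selinux/config are inside the initramfs,
# selinuxfs is at /sys/fs/selinux, /dev is already a tmpfs, and DRY_RUN plus
# the root-prefix argument exist only so the sequence can run without root.

SELINUXFS=/sys/fs/selinux
SELINUX_CONFIG=/etc/selinux/config
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# SELINUXTYPE from /etc/selinux/config ("targeted" if unset or unreadable).
selinux_type() {
    local t
    t=$(sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${t:-targeted}"
}

# Newest policy.N in DIR that the running kernel can load; the kernel
# advertises its maximum version in /sys/fs/selinux/policyvers.  Fails when
# nothing is loadable, i.e. the policy was not copied into the initramfs.
pick_policy() {
    local dir maxvers f v best bestv
    dir=$1; maxvers=$2; best=""; bestv=-1
    for f in "$dir"/policy.*; do
        [ -f "$f" ] || continue
        v=${f##*/policy.}
        case $v in ''|*[!0-9]*) continue ;; esac
        if [ "$v" -le "$maxvers" ] && [ "$v" -gt "$bestv" ]; then
            best=$f; bestv=$v
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Early-boot sequence.  ROOT is a path prefix: "" on the real initramfs,
# a scratch directory under test.
selinux_early_init() {
    local root maxvers type policy
    root=${1:-}
    # 1. selinuxfs first: both load_policy and policyvers need it.
    run mount -t selinuxfs selinuxfs "$root$SELINUXFS"
    maxvers=$(cat "$root$SELINUXFS/policyvers" 2>/dev/null || echo 0)
    type=$(selinux_type "$root$SELINUX_CONFIG")
    policy=$(pick_policy "$root/etc/selinux/$type/policy" "$maxvers") || {
        echo "init: no policy.N <= $maxvers under /etc/selinux/$type/policy" >&2
        return 1
    }
    # 2. Load the policy before anything else is started, so udev and the
    #    nodes it creates are labelled under the policy instead of being
    #    stuck in the kernel_t / unlabeled state the thread describes.
    run load_policy
    # 3. Relabel /dev only now: before the load the kernel refuses
    #    security.selinux writes on filesystems mounted earlier, which is
    #    consistent with the 'Operation not supported' setfiles reported.
    run setfiles -F "$root/etc/selinux/$type/contexts/files/file_contexts" "$root/dev"
    # 4. udev starts under the loaded policy and transitions to its own domain.
    run udevd --daemon
    run udevadm trigger
    run udevadm settle
    printf 'loaded %s\n' "$policy"
}

# Fallback from the thread for when the policy cannot live in the initramfs:
# boot permissive, and once the real root is up switch to enforcing and lock
# the switch so it cannot be undone without a reboot.
lock_enforcing() {
    run setenforce 1
    run setsebool secure_mode_policyload on
}

# On a real initramfs /init would continue with (uncomment there):
# selinux_early_init "" && exec switch_root /sysroot /sbin/init
```

With DRY_RUN=1 the functions only print the commands they would run, which is enough to check on a workstation that load_policy precedes setfiles and that setfiles precedes udevd; on the real initramfs the same functions execute them, and a missing policy aborts before udev is ever started rather than leaving a half-labelled /dev.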

* Re: SELinux with initramfs
  2012-01-21 19:24       ` Sven Vermeulen
@ 2012-01-23 18:16         ` Daniel J Walsh
  0 siblings, 0 replies; 6+ messages in thread
From: Daniel J Walsh @ 2012-01-23 18:16 UTC (permalink / raw)
  To: Sven Vermeulen; +Cc: selinux


On 01/21/2012 02:24 PM, Sven Vermeulen wrote:
> On Mon, Jan 16, 2012 at 09:46:58AM -0500, Daniel J Walsh wrote:
>> In RHEL and Fedora, we relabel the parts of /dev that are created
>> in the initramfs and restart udev so it is a child of
>> init/systemd.
> 
> When do you relabel them? When I call setfiles before the
> load_policy, I get an 'Operation not supported' on /dev as if it
> was a kernel that doesn't support extended attributes on tmpfs
> (which isn't the case). Trying to call it afterwards doesn't work,
> since the kernel_t domain doesn't allow relabeling (I think, output
> is also missing since /dev/console is wrongly labeled).
I think /sbin/init on Fedora is doing the relabeling, so init_t.  On
older RHEL versions, udev is doing the relabeling, udev_t.
> 
> I'm quite close to have support for both putting the policy in the
> initramfs itself (and call load_policy as one of the first things
> done on the initramfs environment) and supporting booting in
> permissive mode and have a switch to enforcing which can't be
> undone afterwards (goal is to boot in enforcing).
> 
> The first support option probably allows for such a sane boot but
> requires the policy to be in the initramfs. The other one allows us
> to boot properly and I just toggle "setenforce 1" with the
> secure_mode_policyload boolean enabled afterwards.
> 
> But both sound hackish - If I could only understand why I can't use
> setfiles on /dev before calling load_policy...
> 
> Wkr, Sven Vermeulen


