* libselinux issue @ 2021-08-31 11:45 Dominick Grift 2021-08-31 11:51 ` Dominick Grift 0 siblings, 1 reply; 4+ messages in thread From: Dominick Grift @ 2021-08-31 11:45 UTC (permalink / raw) To: selinux We can get into a state where selinux is enabled without a policy. Reproducer: cat > /etc/selinux/config <<EOF ELINUX=disabled SELINUXTYPE=blah EOF Further info: Reproduced on Debian Bullseye 5.10.0-8-amd64 SELinux 3.1 Note that *both conditions* above have to be met to trigger this. If you only have a typo "ELINUX=disabled" then SELinux will boot in permissive mode If you only have a type "SELINUXTYPE=blah" then SELinux will not be enabled because the policy cannot be found root@bullseye:~# sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: dssp5 Current mode: permissive Mode from config file: error (Success) Policy MLS status: disabled Policy deny_unknown status: denied Memory protection checking: actual (secure) Max kernel policy version: 33 root@bullseye:~# ls /sys/fs/selinux access create mls ss avc deny_unknown null status booleans disable policy user checkreqprot enforce policy_capabilities validatetrans class initial_contexts policyvers commit_pending_bools load reject_unknown context member relabel root@bullseye:~# ls /etc/selinux config dssp5-debian semanage.conf -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: libselinux issue 2021-08-31 11:45 libselinux issue Dominick Grift @ 2021-08-31 11:51 ` Dominick Grift 2021-08-31 18:24 ` Christian Göttsche 0 siblings, 1 reply; 4+ messages in thread From: Dominick Grift @ 2021-08-31 11:51 UTC (permalink / raw) To: selinux Dominick Grift <dominick.grift@defensec.nl> writes: > We can get into a state where selinux is enabled without a policy. Someone was sharp enough to notice an inconsistency in the info below. I used "SELINUXTYPE=blah" where when I actually tested it I used "SELINUXTYPE=dssp5". Both are invalid and lead to the same results. So just read s/dssp5/blah/ > > Reproducer: > > cat > /etc/selinux/config <<EOF > ELINUX=disabled > SELINUXTYPE=blah > EOF > > Further info: > > Reproduced on Debian Bullseye > 5.10.0-8-amd64 > SELinux 3.1 > > Note that *both conditions* above have to be met to trigger this. > > If you only have a typo "ELINUX=disabled" then SELinux will boot in > permissive mode > > If you only have a type "SELINUXTYPE=blah" then SELinux will not be > enabled because the policy cannot be found > > root@bullseye:~# sestatus > SELinux status: enabled > SELinuxfs mount: /sys/fs/selinux > SELinux root directory: /etc/selinux > Loaded policy name: dssp5 > Current mode: permissive > Mode from config file: error (Success) > Policy MLS status: disabled > Policy deny_unknown status: denied > Memory protection checking: actual (secure) > Max kernel policy version: 33 > > root@bullseye:~# ls /sys/fs/selinux > access create mls ss > avc deny_unknown null status > booleans disable policy user > checkreqprot enforce policy_capabilities validatetrans > class initial_contexts policyvers > commit_pending_bools load reject_unknown > context member relabel > > root@bullseye:~# ls /etc/selinux > config dssp5-debian semanage.conf -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: libselinux issue 2021-08-31 11:51 ` Dominick Grift @ 2021-08-31 18:24 ` Christian Göttsche 2021-09-02 9:28 ` Petr Lautrbach 0 siblings, 1 reply; 4+ messages in thread From: Christian Göttsche @ 2021-08-31 18:24 UTC (permalink / raw) To: SElinux list On Tue, 31 Aug 2021 at 13:51, Dominick Grift <dominick.grift@defensec.nl> wrote: > > Dominick Grift <dominick.grift@defensec.nl> writes: > > > We can get into a state where selinux is enabled without a policy. > While testing a potential fix several questions came up: I. What are the expected/desired outcomes after the following configuration setups: * invalid SELINUX=, valid SELINUXTYPE= (currently permissive, except cmdline contains `enforcing=1` then system halt) * valid SELINUX=, invalid SELINUXTYPE= (currently disabled if SELINUX=disabled, system halt if SELINUX=enforcing or `enforcing=1`, else zombie state) II. When does the kernel considers SELinux to be *enabled*? After the mount of a selinuxfs or after the first policy load? With SELinux being unable to disable at runtime in the near future and SELinux being initialized after a selinuxfs mounting, that probably needs selinux_init_load_policy(3) to check for a valid SELINUXTYPE= before mounting a selinuxfs. Also selinux_init_load_policy(3) libselinux should probably reset its state via `umount(selinux_mnt); fini_selinuxmnt();` after a selinux_mkload_policy(3) failure. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: libselinux issue 2021-08-31 18:24 ` Christian Göttsche @ 2021-09-02 9:28 ` Petr Lautrbach 0 siblings, 0 replies; 4+ messages in thread From: Petr Lautrbach @ 2021-09-02 9:28 UTC (permalink / raw) To: Christian Göttsche, SElinux list Christian Göttsche <cgzones@googlemail.com> writes: > On Tue, 31 Aug 2021 at 13:51, Dominick Grift <dominick.grift@defensec.nl> wrote: >> >> Dominick Grift <dominick.grift@defensec.nl> writes: >> >> > We can get into a state where selinux is enabled without a policy. >> > > While testing a potential fix several questions came up: > > I. What are the expected/desired outcomes after the following > configuration setups: > > * invalid SELINUX=, valid SELINUXTYPE= (currently permissive, > except cmdline contains `enforcing=1` then system halt) Unspecified or invalid SELINUX defaults to enforce = 0. I guess it could help administrators during initial selinux setup - the system would boot even with a typo. `enforcing=1` on the kernel command line overrides value set in config file (in this case it is not set). If SELINUXTYPE is valid, the policy is loaded and systemd boots. If it's invalid, the systemd freeze, see bellow. > * valid SELINUX=, invalid SELINUXTYPE= (currently disabled if > SELINUX=disabled, system halt if SELINUX=enforcing or `enforcing=1`, > else zombie state) If systemd can't load policy it logs the problem and freeze in enforcing. The result of selinux_init_load_policy is ignored in permissive and systemd continue with boot, see bellow. if (enforce > 0) { if (!initialized) return log_emergency_errno(SYNTHETIC_ERRNO(EIO), "Failed to load SELinux policy."); log_warning("Failed to load new SELinux policy. Continuing with old policy."); } else log_debug("Unable to load SELinux policy. Ignoring."); } > > II. When does the kernel considers SELinux to be *enabled*? After the > mount of a selinuxfs or after the first policy load? My understanding is that internally in kernel is SELinux enabled during build process and it considers SELinux to be enabled unless selinux=0 is used on kernel command line. For userspace it's propagated as availability of /sys/fs/selinux. > With SELinux being unable to disable at runtime in the near future > and SELinux being initialized after a selinuxfs mounting, that > probably needs selinux_init_load_policy(3) to check for a valid > SELINUXTYPE= before mounting a selinuxfs. AFAIK whether /sys/fs/selinux is mounted or not doesn't say anything about status of SELinux inside kernel. It's just used as simple indicator for userspace whether it can use SELinux API or not. > Also selinux_init_load_policy(3) libselinux should probably reset its > state via `umount(selinux_mnt); fini_selinuxmnt();` after a > selinux_mkload_policy(3) failure. ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-09-02 9:28 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2021-08-31 11:45 libselinux issue Dominick Grift 2021-08-31 11:51 ` Dominick Grift 2021-08-31 18:24 ` Christian Göttsche 2021-09-02 9:28 ` Petr Lautrbach
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.