[DSE-Dev] Bug#1012755: Package: selinux-policy-default: Missing policies for e.g. systemd-resolved and bash

gyptazy gyptazy at gyptazy.ch
Mon Jun 13 12:36:39 BST 2022


Package: selinux-policy-default
Version: 2:2.20220520-1

Info:
When running SELinux on a freshly installed ‚Debian‘ (‚Stable‘, ‚Testing‘) in ‚enforcing‘ mode, additional policies (e.g. for ‚bash‘ or ‚systemd-resolved‘) are missing.

Issue(s):

• systemd-resolved
‚systemd-resolved‘ cannot be started via the systemd unit file. You will see errors like ‚Failed to initialize SELinux labeling handle: No such file or directory‘. Unfortunately, this is misleading in this case and is ‚libselinux-1‘ related (reported within an additional bug report). However, there’s still an issue which isn’t reported or logged in any case. Within the code you can see the following block:

(optional base_optional_1526
    (typeattributeset cil_gen_require selinux_config_t)
    (dontaudit systemd_resolved_t selinux_config_t (dir (getattr open search)))
    (dontaudit systemd_resolved_t selinux_config_t (file (ioctl read getattr lock open)))
)

This means that it is declared as ‚dontaudit‘. Removing the ‚dontaudit‘ attribute allows us to fetch the missing rule and to create a policy for this:

AVC avc:  denied  { read } for  pid=4016 comm="systemd-resolve" name="config" dev="sda1" ino=531948 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0


• /bin/bash: Permission denied
Trying to initialize an SSH session results directly in:

Linux testing 5.16.0-6-amd64 #1 SMP PREEMPT Debian 5.16.18-1 (2022-03-29) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jun 13 08:22:29 2022 from 10.0.2.2
	/bin/bash: Permission denied
Connection to 127.0.0.1 closed.

Luckily you can still use the regular console for logging in. However, this is just to mention here and hasn’t been further analyzed.

How to reproduce:
	• Use a Debian Stable or Testing minimal installation
	• Remove AppArmor (apt remove apparmor)
	• Install SELinux (apt-get install selinux-basics selinux-policy-default auditd)
	• Run ‚selinux-activate‘ (Keep in mind, this will only set SELinux to ‚permissive‘ mode, not ‚enforcing’)
	• Reboot (it will ‚relabel‘ during the boot)
	• Edit ‚/etc/selinux/config‘ and switch ‚SELINUX‘ from ‚permissive‘ to ‚enforcing‘
	• Reboot
	• Now, you can reproduce the mentioned issues (ssh login bash permission, systemd-resolved)

If you need further information or help for debugging, feel free to ask.

Thanks,
gyptazy
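The dontaudit block and the AVC line quoted in the report, worked through as an added example (not code from the report, from Debian's policy or from libselinux): it parses the denial, checks that the quoted dontaudit rule covers it (which is why nothing was logged until the rule was removed), and emits the minimal CIL allow rule. Only the Python standard library is assumed.

```python
"""Parse an AVC denial and check whether a CIL dontaudit rule would hide it.

Added example for this bug report, not Debian policy or libselinux code. The
AVC line and dontaudit rule are copied from the report; the rest is constructed.
"""
import re

AVC_LINE = ('AVC avc:  denied  { read } for  pid=4016 comm="systemd-resolve" '
            'name="config" dev="sda1" ino=531948 '
            'scontext=system_u:system_r:systemd_resolved_t:s0 '
            'tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0')
DONTAUDIT_RULE = ('(dontaudit systemd_resolved_t selinux_config_t '
                  '(file (ioctl read getattr lock open)))')

_PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')          # "{ read }" -> "read"
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')              # key=value or key="value"
_CIL_AV = re.compile(r'\(\s*(allow|dontaudit)\s+(\w+)\s+(\w+)\s+\(\s*(\w+)\s+\(([^)]*)\)\s*\)\s*\)')

def parse_avc(line):
    """Return source type, target type, class and denied perms of an AVC denial."""
    perms = _PERMS.search(line)
    if 'denied' not in line or perms is None:
        raise ValueError('not an AVC denial: %r' % line)
    kv = {k: v.strip('"') for k, v in _KV.findall(line)}
    return {'perms': sorted(perms.group(1).split()),
            # a context is user:role:type:level; the type is the third field
            'stype': kv['scontext'].split(':')[2],
            'ttype': kv['tcontext'].split(':')[2],
            'tclass': kv['tclass'],
            'permissive': kv.get('permissive') == '1'}

def parse_cil_av_rule(rule):
    """Parse '(allow|dontaudit src tgt (class (perm ...)))' into a dict."""
    m = _CIL_AV.fullmatch(rule.strip())
    if m is None:
        raise ValueError('unsupported CIL rule: %r' % rule)
    kind, src, tgt, cls, perms = m.groups()
    return {'kind': kind, 'stype': src, 'ttype': tgt, 'tclass': cls,
            'perms': set(perms.split())}

def hidden_by_dontaudit(denial, rule):
    """True if the dontaudit rule covers every permission the denial asked for."""
    return (rule['kind'] == 'dontaudit'
            and (rule['stype'], rule['ttype'], rule['tclass'])
            == (denial['stype'], denial['ttype'], denial['tclass'])
            and set(denial['perms']) <= rule['perms'])

def to_cil_allow(denial):
    """Emit the minimal CIL allow rule for the denial, as audit2allow would."""
    return '(allow %s %s (%s (%s)))' % (denial['stype'], denial['ttype'],
                                        denial['tclass'], ' '.join(denial['perms']))
```

On a live system the same effect the reporter got by removing the dontaudit line can be had with `semodule -DB`, which rebuilds the policy with all dontaudit rules disabled (`semodule -B` restores them). A dontaudit rule in the reference policy usually marks a denial that upstream considers expected and harmless, so confirm the access is really needed before granting it.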