[DSE-Dev] About enforced SELinux on live-build

Sun Jul 28 10:14:09 BST 2024

Some days ago I sent you my initial work for supporting SELinux on 
live-build ( 
https://alioth-lists.debian.net/pipermail/selinux-devel/2024-July/003815.html 
).

I have had some feedback from cgzones on my live-build merge-resquest ( 
https://salsa.debian.org/live-team/live-build/-/merge_requests/354 ), 
so, thank you about that.
I'm personally only interested on permissive mode but if I can help with 
anything live-build related regarding enforced mode I will give it a go.

1) Regarding not being able to boot in SELinux enforced mode he 
suggested me to run: `journalctl -b | audit2allow` in permissive mode in 
order to know what was going wrong there.

You can find the output later on in this same email.

2.1) I have been reading about audit2allow in 
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-fixing_problems-allowing_access_audit2allow#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow 
and https://danwalsh.livejournal.com/24750.html .

For what I understand this is a useful tool for those systems where 
basic SELinux support is working and some programs are not working as 
expected because of incomplete SELinux policies.

Given the errors you have on the journal log you can create a .te file 
(source code for policy) and then also compile it as a .pp (binary for 
policy).

2.2) So I guess that if I managed to create those .pp files and use them 
in the build process so that they are now considered per-default 
policies in the live-build image I would be able to boot the live-build 
image in SELinux enforced mode.

If I'm being honest I have many ideas on how this should be dealt with 
because I'm not expert enough on SELinux. So here there are some random 
ideas.

1) I also don't know what you expect me to do. I mean... Do you actually 
want a SELinux enforced mode on live-build? Is it something that as a 
SELinux community around Debian you would like to see?
2) Maybe there should be an specific policy for live systems which 
should not be applied to regular systems. Does Fedora or similar distros 
have that approach? Or do they have a single policy for both regular 
systems and live systems?
3) If an specific policy rule (Sorry I don't know how you call the 
different components of a policy, I will call them rules) needs to be 
written. Should I complain to the package owner so that it adds that 
rule to the package? Or is it something that you regurarly do from 
selinux-devel mailing list, e.g., helping package maintainers to add 
SELinux support / policies ? ( I mean, I have no idea if policies come 
from packages themselves, if there are specific SELinux policy packages 
or if you want packages not to break some extended attributes on their 
post scripts somehow. )
4) How one is supposed to know if  a given policy is a good idea or not? 
I guess that what audit2allow outputs is technically correct... but is 
it security-wise? I guess that the answer is to create some policies 
blindly and then ask you here what you think about them, isn't it ?

Thank you for your feedback!

adrian15

---

`journalctl -b | audit2allow` output from within a SELinux enabled 
live-build image boot in permissive mode (with LxQT desktop):

```

#============= auditctl_t ==============
allow auditctl_t kernel_t:fd use;

#============= auditd_t ==============
allow auditd_t kernel_t:fd use;

#============= crond_t ==============
allow crond_t kernel_t:fd use;

#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
allow crond_t tmpfs_t:dir { getattr search };

#============= devicekit_disk_t ==============
allow devicekit_disk_t kernel_t:fd use;
allow devicekit_disk_t tmpfs_t:dir watch;
allow devicekit_disk_t tmpfs_t:file { open read };

#============= dhcpc_t ==============
allow dhcpc_t random_device_t:chr_file { getattr ioctl open read };
allow dhcpc_t tmpfs_t:dir { add_name remove_name write };
allow dhcpc_t tmpfs_t:file { append create getattr open read setattr 
unlink };

#============= dmidecode_t ==============
allow dmidecode_t kernel_t:fd use;
allow dmidecode_t tmpfs_t:dir search;

#============= fsadm_t ==============
allow fsadm_t kernel_t:fd use;

#============= getty_t ==============
allow getty_t kernel_t:fd use;
allow getty_t self:capability2 checkpoint_restore;
allow getty_t tmpfs_t:dir { getattr search };

#============= groupadd_t ==============
allow groupadd_t kernel_t:fd use;
allow groupadd_t tmpfs_t:dir { add_name getattr remove_name search write };
allow groupadd_t tmpfs_t:file { create getattr link lock open read 
unlink write };

#============= hostname_t ==============
allow hostname_t kernel_t:fd use;
allow hostname_t tmp_t:fifo_file append;

#============= ifconfig_t ==============
allow ifconfig_t tmp_t:fifo_file { append write };
allow ifconfig_t tmpfs_t:dir search;

#============= initrc_t ==============
allow initrc_t unconfined_t:dbus send_msg;

#============= local_login_t ==============
allow local_login_t kernel_t:fd use;

#============= mount_t ==============
allow mount_t kernel_t:fd use;

#!!!! This avc can be allowed using the boolean 'allow_mount_anyfile'
allow mount_t tmpfs_t:file { open read };

#============= policykit_t ==============
allow policykit_t kernel_t:fd use;

#============= syslogd_t ==============
allow syslogd_t tmpfs_t:dir { getattr search };

#============= system_dbusd_t ==============
allow system_dbusd_t kernel_t:fd use;

#============= systemd_binfmt_t ==============
allow systemd_binfmt_t kernel_t:fd use;
allow systemd_binfmt_t tmpfs_t:dir { getattr search };

#============= systemd_generator_t ==============
allow systemd_generator_t tmpfs_t:dir read;

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t initrc_t:dbus send_msg;
allow systemd_hostnamed_t kernel_t:fd use;
allow systemd_hostnamed_t tmpfs_t:dir { getattr search };

#============= systemd_logind_t ==============
allow systemd_logind_t kernel_t:fd use;

#============= systemd_modules_load_t ==============
allow systemd_modules_load_t kernel_t:fd use;

#============= systemd_sessions_t ==============
allow systemd_sessions_t kernel_t:fd use;

#============= systemd_sysctl_t ==============
allow systemd_sysctl_t kernel_t:fd use;
allow systemd_sysctl_t tmpfs_t:dir { getattr search };

#============= systemd_sysusers_t ==============
allow systemd_sysusers_t kernel_t:fd use;
allow systemd_sysusers_t tmpfs_t:dir { add_name write };
allow systemd_sysusers_t tmpfs_t:file { create lock open write };

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t etc_t:lnk_file { relabelfrom relabelto };
allow systemd_tmpfiles_t kernel_t:fd use;

#!!!! This avc can be allowed using the boolean 
'systemd_tmpfiles_manage_all'
allow systemd_tmpfiles_t policykit_var_lib_t:dir { relabelfrom relabelto };
allow systemd_tmpfiles_t ssh_home_t:dir { relabelfrom relabelto };
allow systemd_tmpfiles_t user_home_dir_t:dir { relabelfrom relabelto };

#============= systemd_user_runtime_dir_t ==============
allow systemd_user_runtime_dir_t kernel_t:fd use;

#============= udev_t ==============
allow udev_t self:process setrlimit;
allow udev_t sysctl_fs_t:dir search;
allow udev_t sysctl_fs_t:file { getattr ioctl open read };

#============= unconfined_t ==============

#!!!! This avc can be allowed using one of the these booleans:
# allow_execmem, allow_execstack
allow unconfined_t self:process execmem;

#============= useradd_t ==============
allow useradd_t kernel_t:fd use;
allow useradd_t tmp_t:fifo_file { ioctl write };
allow useradd_t tmpfs_t:dir { add_name getattr remove_name search write };
allow useradd_t tmpfs_t:file { create getattr link lock open read unlink 
write };

#============= xauth_t ==============
allow xauth_t home_root_t:dir { add_name remove_name write };
allow xauth_t home_root_t:file { create getattr link open read rename 
unlink write };
allow xauth_t kernel_t:fd use;
allow xauth_t tmpfs_t:dir { getattr search };
allow xauth_t tmpfs_t:filesystem getattr;
allow xauth_t unconfined_t:unix_stream_socket { read write };
allow xauth_t user_tmp_t:file { unlink write };

#============= xserver_t ==============

#!!!! This avc can be allowed using one of the these booleans:
# allow_execmem, allow_execstack
allow xserver_t self:process execmem;
```