2013-09-18 13:47:43

by a.kuckartz

Subject: [refpolicy] Fwd: Debian unstable, SELinux and Iceweasel

Any suggestions from here?

Cheers,
Andreas

-------- Original Message --------
Date: Tue, 17 Sep 2013 14:36:41 +0200
From: Andreas Kuckartz <[email protected]>
To: selinux-user at lists.alioth.debian.org

I am running a Debian unstable system with SELinux in permissive mode.

I have appended the result of
$ cat /var/log/audit/audit.log | audit2allow -l -R

There are quite a few missing type enforcement (TE) allow rules.

In addition to that Iceweasel requires allow_execstack and allow_execmem
- which is not good. I have researched that and found these two old open
Firefox issues:

SELinux is preventing JIT from changing memory segment access
https://bugzilla.mozilla.org/show_bug.cgi?id=506693

Firefox 3.6.4 will not start on Fedora 12+ due to SELinux permission error
https://bugzilla.mozilla.org/show_bug.cgi?id=574119

What do you suggest on how to proceed?

Cheers,
Andreas



-------------- next part --------------

require {
type apt_var_lib_t;
type pulseaudio_t;
type postgresql_t;
type cupsd_var_run_t;
type sysctl_vm_t;
type initrc_t;
type tmp_t;
type logrotate_t;
type dhcpc_t;
type mount_tmp_t;
type hostname_t;
type auditctl_t;
type var_run_t;
type udev_tbl_t;
type acct_t;
type ping_t;
type cupsd_t;
type sysctl_crypto_t;
type dpkg_exec_t;
type system_mail_t;
type crond_tmp_t;
type unconfined_t;
type gpg_t;
type lib_t;
type sysfs_t;
type system_dbusd_t;
type var_log_t;
type proc_net_t;
type exim_t;
type cron_log_t;
type kernel_t;
type removable_device_t;
type consolekit_t;
type mnt_t;
type dosfs_t;
type var_t;
type pcscd_t;
type var_lib_t;
type dpkg_var_lib_t;
type ntp_drift_t;
type fixed_disk_device_t;
type initrc_var_run_t;
type devicekit_disk_t;
type mount_exec_t;
class fifo_file write;
class process { execmem setfscreate getcap setcap };
class unix_stream_socket connectto;
class netlink_kobject_uevent_socket { getattr setopt read bind create };
class system module_request;
class capability sys_rawio;
class file { rename execute setattr read lock create execute_no_trans write getattr unlink open append };
class filesystem { mount unmount };
class sock_file { write create unlink };
class blk_file { ioctl read open getattr };
class dir { search read create mounton write getattr rmdir remove_name add_name };
}

#============= acct_t ==============
allow acct_t initrc_var_run_t:file { read lock open };

#============= auditctl_t ==============
allow auditctl_t var_t:file read;

#============= consolekit_t ==============
allow consolekit_t self:process setfscreate;

#============= cupsd_t ==============
allow cupsd_t var_run_t:sock_file unlink;

#============= devicekit_disk_t ==============
allow devicekit_disk_t udev_tbl_t:file { read open };

#============= dhcpc_t ==============
allow dhcpc_t ntp_drift_t:dir search;

#============= exim_t ==============
allow exim_t crond_tmp_t:file { read write };
allow exim_t dpkg_var_lib_t:file read;
allow exim_t sysctl_crypto_t:dir search;
allow exim_t sysctl_crypto_t:file { read getattr open };
allow exim_t sysfs_t:file { read open };
allow exim_t var_t:file read;

#============= gpg_t ==============
allow gpg_t cron_log_t:file { read getattr open };
#!!!! The source type 'gpg_t' can write to a 'dir' of the following types:
# gpg_secret_t, user_home_dir_t, gpg_agent_tmp_t, user_tmp_t, user_home_t, tmp_t

allow gpg_t var_log_t:dir { write add_name };
#!!!! The source type 'gpg_t' can write to a 'file' of the following types:
# gpg_secret_t, gpg_agent_tmp_t, user_tmp_t, user_home_t

allow gpg_t var_log_t:file { write create open };

#============= hostname_t ==============
allow hostname_t var_lib_t:file append;

#============= logrotate_t ==============
#!!!! The source type 'logrotate_t' can write to a 'dir' of the following types:
# var_log_t, var_lock_t, tmp_t, logrotate_var_lib_t, logrotate_tmp_t, logfile, acct_data_t, var_spool_t, var_lib_t

allow logrotate_t cupsd_var_run_t:dir { write remove_name add_name };
allow logrotate_t cupsd_var_run_t:file { write create unlink };
allow logrotate_t initrc_t:unix_stream_socket connectto;
allow logrotate_t sysfs_t:file { read open };
allow logrotate_t tmp_t:sock_file { create unlink };
allow logrotate_t var_run_t:sock_file write;

#============= pcscd_t ==============
allow pcscd_t self:netlink_kobject_uevent_socket read;

#============= ping_t ==============
allow ping_t self:process { getcap setcap };

#============= postgresql_t ==============
allow postgresql_t var_run_t:sock_file write;

#============= pulseaudio_t ==============
allow pulseaudio_t initrc_var_run_t:file { read getattr open };
#!!!! The source type 'pulseaudio_t' can write to a 'dir' of the following types:
# user_fonts_cache_t, user_tmp_t, pulseaudio_var_lib_t, pulseaudio_var_run_t, user_home_t, user_tmpfs_t, pulseaudio_home_t, var_lib_t, var_run_t, xdm_tmp_t

allow pulseaudio_t tmp_t:dir { write remove_name add_name };
allow pulseaudio_t tmp_t:file { write execute read create unlink open };

#============= system_dbusd_t ==============
allow system_dbusd_t apt_var_lib_t:dir getattr;
#!!!! The source type 'system_dbusd_t' can write to a 'dir' of the following types:
# system_dbusd_tmp_t, tmp_t, var_run_t, system_dbusd_var_run_t

allow system_dbusd_t dosfs_t:dir write;
allow system_dbusd_t dosfs_t:filesystem { mount unmount };
allow system_dbusd_t dpkg_exec_t:file { read execute open execute_no_trans };
allow system_dbusd_t fixed_disk_device_t:blk_file { read ioctl open getattr };
allow system_dbusd_t initrc_var_run_t:file { read getattr open };
allow system_dbusd_t kernel_t:system module_request;
allow system_dbusd_t lib_t:file execute_no_trans;
allow system_dbusd_t mnt_t:dir { write search rmdir remove_name create add_name mounton };
allow system_dbusd_t mount_exec_t:file { read execute open execute_no_trans };
#!!!! The source type 'system_dbusd_t' can write to a 'dir' of the following types:
# system_dbusd_tmp_t, tmp_t, var_run_t, system_dbusd_var_run_t

allow system_dbusd_t mount_tmp_t:dir { write remove_name add_name };
#!!!! The source type 'system_dbusd_t' can write to a 'file' of the following types:
# system_dbusd_tmp_t, system_dbusd_var_run_t

allow system_dbusd_t mount_tmp_t:file { rename setattr read lock create write getattr unlink open };
allow system_dbusd_t proc_net_t:file { read getattr open };
allow system_dbusd_t removable_device_t:blk_file { read ioctl open };
allow system_dbusd_t self:capability sys_rawio;
allow system_dbusd_t self:netlink_kobject_uevent_socket { read bind create setopt getattr };
allow system_dbusd_t sysctl_vm_t:dir search;
allow system_dbusd_t sysctl_vm_t:file { read open };
allow system_dbusd_t udev_tbl_t:file { read getattr open };
#!!!! The source type 'system_dbusd_t' can write to a 'dir' of the following types:
# system_dbusd_tmp_t, tmp_t, var_run_t, system_dbusd_var_run_t

allow system_dbusd_t var_lib_t:dir { write remove_name add_name };
#!!!! The source type 'system_dbusd_t' can write to a 'file' of the following types:
# system_dbusd_tmp_t, system_dbusd_var_run_t

allow system_dbusd_t var_lib_t:file { rename read lock create write getattr unlink open };
allow system_dbusd_t var_run_t:fifo_file write;
allow system_dbusd_t var_t:dir read;

#============= system_mail_t ==============
allow system_mail_t crond_tmp_t:file getattr;
allow system_mail_t dpkg_var_lib_t:file read;
allow system_mail_t sysctl_crypto_t:dir search;
allow system_mail_t sysctl_crypto_t:file { read getattr open };
allow system_mail_t var_lib_t:file { read getattr open };

#============= unconfined_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# allow_execstack, allow_execmem

allow unconfined_t self:process execmem;


2013-09-18 19:40:02

by dominick.grift

Subject: [refpolicy] Fwd: Debian unstable, SELinux and Iceweasel

On Wed, 2013-09-18 at 15:47 +0200, Andreas Kuckartz wrote:
> Any suggestions from here?

Iceweasel 32 bit? As far as I know execmem is only needed on 32 bit
iceweasel, and not 64 bit.

Debian's policy configuration is based off of an older reference policy,
and Debian is working to rebase on the latest stable reference policy.

Hopefully she will also organize a solid system to stay in sync and work
with upstream to make selinux work better on debian.

I think debian is working to get that sorted out

However, truth be told, selinux policy is never perfect, and probably
never will be. The nature of integrity is to contain processes, but
processes change over time and so policy configuration needs to change
along with it.

SELinux is really a framework, and policy is really just configuration,
and so you are able to control SELinux.

But to get to the point: here is how the process should work.

You file bug reports to the Debian SELinux policy bugzilla and enclose
AVC denials (this is important). They will fix it in Debian (if they
need help from the community then they know where to go: #selinux at
freenode or the mailing lists). Then Debian will send all the
modifications (patches) they made to upstream reference policy. Upstream
reference policy will review the changes and, if all is well, adopt the
changes.

Then every once in a while refpolicy releases a stable version. Debian
should rebase her policy on the latest refpolicy as soon as possible
after refpolicy is released, and then the circle is round and it all
starts over again.

As for the audit2allow output you enclosed: I cannot do much with this
output. I would need AVC denials instead because I need the information
AVC denials provide to make sound decisions.

But again, SELinux is a framework, and you can perfect your policy
yourself. It will help if you know some of the basic SELinux concepts
and principles, but it's not as hard as you might think. I and others on
#selinux at freenode are also trying to be helpful, so if you need help,
let us know.

You can also send patches to this mailing list, but they will have to be
proper; see:
http://oss.tresys.com/projects/refpolicy/wiki/HowToContribute

If you do, then it is a good idea to save any avc denials you have
related, because patches get reviewed and need to be justified.

I hope this helps, and that I didn't scare or disappoint you.

>
> Cheers,
> Andreas
>
> -------- Original Message --------
> Date: Tue, 17 Sep 2013 14:36:41 +0200
> From: Andreas Kuckartz <[email protected]>
> To: selinux-user at lists.alioth.debian.org
>
> I am running a Debian unstable system with SELinux in permissive mode.
>
> I have appended the result of
> $ cat /var/log/audit/audit.log | audit2allow -l -R
>
> There are quite a few missing type enforcement (TE) allow rules.
>
> In addition to that Iceweasel requires allow_execstack and allow_execmem
> - which is not good. I have researched that and found these two old open
> Firefox issues:
>
> SELinux is preventing JIT from changing memory segment access
> https://bugzilla.mozilla.org/show_bug.cgi?id=506693
>
> Firefox 3.6.4 will not start on Fedora 12+ due to SELinux permission error
> https://bugzilla.mozilla.org/show_bug.cgi?id=574119
>
> What do you suggest on how to proceed?
>
> Cheers,
> Andreas
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

2013-09-18 19:54:42

by dominick.grift

Subject: [refpolicy] Fwd: Debian unstable, SELinux and Iceweasel

On Wed, 2013-09-18 at 15:47 +0200, Andreas Kuckartz wrote:
> Any suggestions from here?
>

You can allow the execmem issue with audit2allow.

Debian has no active SELinux maintainers. This is the problem.
The latest refpolicy needs to be packaged and distributed, and then also
maintained.

> Cheers,
> Andreas
>
> -------- Original Message --------
> Date: Tue, 17 Sep 2013 14:36:41 +0200
> From: Andreas Kuckartz <[email protected]>
> To: selinux-user at lists.alioth.debian.org
>
> I am running a Debian unstable system with SELinux in permissive mode.
>
> I have appended the result of
> $ cat /var/log/audit/audit.log | audit2allow -l -R
>
> There are quite a few missing type enforcement (TE) allow rules.
>
> In addition to that Iceweasel requires allow_execstack and allow_execmem
> - which is not good. I have researched that and found these two old open
> Firefox issues:
>
> SELinux is preventing JIT from changing memory segment access
> https://bugzilla.mozilla.org/show_bug.cgi?id=506693
>
> Firefox 3.6.4 will not start on Fedora 12+ due to SELinux permission error
> https://bugzilla.mozilla.org/show_bug.cgi?id=574119
>
> What do you suggest on how to proceed?
>
> Cheers,
> Andreas
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

2013-09-18 20:10:27

by dominick.grift

Subject: [refpolicy] Fwd: Debian unstable, SELinux and Iceweasel

On Wed, 2013-09-18 at 21:54 +0200, Dominick Grift wrote:
> On Wed, 2013-09-18 at 15:47 +0200, Andreas Kuckartz wrote:
> > Any suggestions from here?
> >
>
> you can allow the execmem issue with audit2allow

Err... there actually is probably a boolean that you can toggle to
allow it:

allow_execmem
allow_execstack

If you pipe the AVC denial into the input stream of audit2why, it should
suggest booleans to toggle if they are available.

>
> debian has no active selinux maintainers. this is the problem.
> the latest refpolicy needs to be packaged and distributed, and then also
> maintained.

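Two points from Dominick's replies above are easier to see in code: why he asks for the raw AVC denials rather than audit2allow output (the generated allow rule keeps only source type, target type, class and permissions, and drops which binary, which path and whether the access was actually blocked), and how a denial can map to a boolean instead of a custom rule, which is what audit2why reports. The following is an added example and is not code from the thread, from audit2allow or from refpolicy. The audit.log lines are constructed to match the AVC record format, not taken from Andreas's system, and the boolean names are the ones audit2allow printed in this thread (allow_execmem, allow_execstack); other policy versions use different names, so the hint table is an assumption tied to this thread.

```python
"""Parse raw AVC denial records, collapse them into allow rules the way
audit2allow does, and report the context those rules throw away.
Added example for this thread; not audit2allow's own implementation."""
import re
from collections import defaultdict

# Constructed sample records in audit.log format (not from the original post).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1379418000.123:456): avc:  denied  { execmem } for  pid=4242 comm="iceweasel" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
type=AVC msg=audit(1379418001.456:457): avc:  denied  { read open } for  pid=1234 comm="gpg" path="/var/log/cron.log" dev="sda1" ino=9876 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1379418002.789:458): avc:  denied  { write add_name } for  pid=1234 comm="gpg" name="log" dev="sda1" ino=12 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1379418002.789:458): arch=c000003e syscall=2 success=yes exit=3 ...
"""

AVC_RE = re.compile(
    r'^type=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: boolean names as printed by audit2allow in this thread
# (older refpolicy). Newer policies name these booleans differently.
BOOLEAN_HINTS = {
    ('process', 'execmem'): ('allow_execmem', 'allow_execstack'),
    ('process', 'execstack'): ('allow_execstack',),
}


def parse_avc(log_text):
    """Return one dict per AVC denial; SYSCALL/PATH records are skipped."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
        records.append({
            'perms': m.group('perms').split(),
            'stype': fields['scontext'].split(':')[2],   # user:role:TYPE:level
            'ttype': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
            'comm': fields.get('comm'),
            'pid': fields.get('pid'),
            'path': fields.get('path') or fields.get('name'),
            'permissive': fields.get('permissive') == '1',
        })
    return records


def allow_rules(records):
    """Collapse denials into one rule per (source, target, class) with the
    permissions unioned. This is the step at which comm/pid/path vanish."""
    perms = defaultdict(set)
    for rec in records:
        perms[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    rules = []
    for (s, t, c), ps in sorted(perms.items()):
        target = 'self' if s == t else t
        body = ' '.join(sorted(ps))
        if len(ps) > 1:
            body = '{ ' + body + ' }'
        rules.append(f'allow {s} {target}:{c} {body};')
    return rules


def denial_context(records):
    """What a policy reviewer wants and the allow rule no longer carries:
    which program, which object, and whether the access was really blocked
    (permissive=0) or merely logged (permissive=1)."""
    ctx = defaultdict(lambda: {'comms': set(), 'paths': set(), 'blocked': False})
    for rec in records:
        entry = ctx[(rec['stype'], rec['ttype'], rec['tclass'])]
        entry['comms'].add(rec['comm'])
        if rec['path']:
            entry['paths'].add(rec['path'])
        entry['blocked'] |= not rec['permissive']
    return dict(ctx)


def boolean_hints(rec):
    """Booleans that would cover this denial, in the spirit of audit2why."""
    hints = []
    for perm in rec['perms']:
        hints.extend(BOOLEAN_HINTS.get((rec['tclass'], perm), ()))
    return tuple(dict.fromkeys(hints))  # de-duplicate, keep order


if __name__ == '__main__':
    recs = parse_avc(SAMPLE_AUDIT_LOG)
    for rule in allow_rules(recs):
        print(rule)
    for key, c in denial_context(recs).items():
        state = 'blocked' if c['blocked'] else 'permissive'
        print(key, sorted(c['comms']), sorted(c['paths']), state)
    for rec in recs:
        hints = boolean_hints(rec)
        if hints:
            print(f"{rec['comm']} (pid {rec['pid']}): consider toggling one of "
                  f"{', '.join(hints)} instead of adding a custom allow rule")
```

Run as a script it prints the three collapsed rules (the same shape as the audit2allow output in the first post), then, per rule, the program names and paths that the rule no longer records, and finally the boolean hint for the iceweasel execmem denial. The point is not the tool itself but the reviewer's view: `allow gpg_t var_log_t:dir { add_name write };` says nothing about which gpg invocation tried to create a file under /var/log, while the raw record does.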
2013-09-19 07:24:51

by a.kuckartz

Subject: [refpolicy] Fwd: Debian unstable, SELinux and Iceweasel

Dominick Grift:
>> you can allow the execmem issue with audit2allow
>
> err .... there actually is probably a boolean that you can toggle to
> allow it:
>
> allow_execmem
> allow_execstack
>

This is suggested by audit2allow:

-----
#============= unconfined_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# allow_execstack, allow_execmem

allow unconfined_t self:process execmem;
-----

I really hesitate to accept this as a safe resolution of the issue.
Hopefully Mozilla will improve Firefox...

Cheers,
Andreas

2013-09-19 07:39:36

by a.kuckartz

Subject: [refpolicy] Fwd: Debian unstable, SELinux and Iceweasel

Hi Dominick,

thanks for your replies.

> Iceweasel 32 bit? As far as i know execmem is only needed on 32 bit
> iceweasel, and not 64 bit.

It is running on 64 bit Debian unstable and according to
about:buildconfig the build target is x86_64-pc-linux-gnu.

> Debian's policy configuration is based off of an older reference policy,
> and Debian is working to rebase on the latest stable reference policy.

That might explain some of the avc denials.

> However, truth be told, selinux policy is never perfect, and probably
> never will be. The nature of integrity is to contain processes, but
> process change over time and so policy configuration needs to change
> along with it.

Yes, but the packaged policy should work out of the box as long as only
Debian packages are installed without any special configuration *and*
those packages have no security issues.

> you file bug reports to the debian selinux policy bugzilla, and enclose
> avc denials ( this is important ),

I will do that.

Cheers,
Andreas

2013-09-19 07:59:22

by dominick.grift

Subject: [refpolicy] Fwd: Debian unstable, SELinux and Iceweasel

On Thu, 2013-09-19 at 09:24 +0200, Andreas Kuckartz wrote:
> Dominick Grift:
> >> you can allow the execmem issue with audit2allow
> >
> > err .... there actually is probably a boolean that you can toggle to
> > allow it:
> >
> > allow_execmem
> > allow_execstack
> >
>
> This is suggested by audit2allow:
>
> -----
> #============= unconfined_t ==============
> #!!!! This avc can be allowed using one of the these booleans:
> # allow_execstack, allow_execmem
>
> allow unconfined_t self:process execmem;
> -----
>
> I really hesitate to accept this as a safe resolution of the issue.
> Hopefully Mozilla will improve Firefox...

You're running as unconfined_t, which is a domain basically designed to
be exempt from SELinux enforcement.

The SELinux framework is very flexible/configurable, and you can set it
up to enforce almost anything you want. So whatever you have in mind, if
you want it, go and get it. Like many of us do.

I've confined basic desktop sessions (actually various times). I actually
recorded the whole process of my latest endeavor and put it on YouTube
(it is 100 plus hours' worth of screencast) (youtube.com/domg4721).

As for perfect coverage of a basic system: yes, in a perfect world,
maybe. Not this world, unfortunately. Besides, Debian has no active
SELinux maintainers. Things have been stale for quite a while there now.

Want to take on the challenge of maintaining SELinux in Debian?

>
> Cheers,
> Andreas

2013-09-19 09:07:25

by a.kuckartz

Subject: [refpolicy] Fwd: Debian unstable, SELinux and Iceweasel

Dominick Grift:
> I've confined basic desktop sessions (actually various times). I
> actually recorded the whole process of my latest endeavor and put it
> on YouTube (it is 100 plus hours' worth of screencast)
> (youtube.com/domg4721)

Thanks. (But edited best-of versions would help ;-)

> Besides Debian has no active selinux maintainers.
> Things been stale for quite a while there now.

I noticed that the reference policy used by Debian is more than two
years old. But some work on the policy build system seems to have
started again in May 2013.

> Want to take on the challenge of maintaining SELinux in Debian?

I can not promise anything at the moment but I am having a closer look
at the state of SELinux in Debian.

Cheers,
Andreas

2013-09-19 12:53:52

by debian

Subject: [refpolicy] Fwd: Debian unstable, SELinux and Iceweasel

Hi,

On 19 Sep 2013 09:39:36 +0200,
"Andreas Kuckartz" <[email protected]> wrote:
> > However, truth be told, selinux policy is never perfect, and
> > probably never will be. The nature of integrity is to contain
> > processes, but processes change over time and so policy configuration
> > needs to change along with it.
>
> Yes, but the packaged policy should work out of the box as long as
> only Debian packages are installed without any special configuration
> *and* those packages have no security issues.
>
Yes, that is true. Therefore, generally please report bugs in the
Debian BTS (using reportbug, for example) against refpolicy for
individual issues, attaching AVC denials /and a description of what
does not work/. You know, if you get an AVC denial but everything works,
then it is still a bug, but only a wishlist bug.
There are two catches:
1. We will try, but given our resources, we likely won't be able to fix
all bugs. Your help is welcome (-:
2. As dgrift wrote, the policy in Debian unstable is very old at the
moment. There is probably no point reporting bugs against it; we won't
fix them before we get a new version of policy into the archive.

Cheers,

Mika
