[Bug 1208071] New: SELinux: restricting kernel_t causes issues for the way we setup Micro
https://bugzilla.suse.com/show_bug.cgi?id=1208071

            Bug ID: 1208071
           Summary: SELinux: restricting kernel_t causes issues for the way we setup Micro
    Classification: openSUSE
           Product: openSUSE Leap Micro
           Version: 5.4
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Base
          Assignee: screening-team-bugs@suse.de
          Reporter: jsegitz@suse.com
        QA Contact: qa-bugs@suse.de
                CC: kukuk@suse.com
          Found By: ---
           Blocker: ---

With 1e8688ea694393c9d918939322b72dfb44a01792 kernel_t isn't an unconfined domain anymore. This causes issues for us since we load the policy in selinux-microos-relabel.sh (of microos-tools) before we pivot. Previously that was okay since kernel_t could do whatever, but with the change kernel_t gets restricted so much that this script doesn't work anymore.

I tried moving the part of the script that does the relabeling into a separate file and creating a module that transitions away from kernel_t into something like dracut_t (for now unconfined). The problem is that the transition doesn't work properly in the franken-state of initrd, with half of the system believing not to be SELinux enabled and the /sysroot part already being aware of SELinux and the loaded policy.

I smashed my head against this for a while now and want to bring in additional eyes. I see these options:

- Keep kernel_t as unconfined. Don't want to do this, as there's a real benefit in not having this unconfined. An attacker will be able to abuse the kernel_t permissions, but it significantly raises the bar (try to work a bit with the current policy loaded in initrd and you'll see how limited you are).
- Ensure a proper transition away from kernel_t for dracut modules. I tried this today, but it doesn't work and the test environment is horrible due to the restrictions placed by SELinux. I would prefer that, but I'll have to figure out why this doesn't work.
- Check if systemd's /run/systemd/relabel-extra.d mechanism could be used. I assume it can't be used directly, but maybe there's a way around this.

Any other ideas on how to approach this?

--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1208071#c1

Filippo Bonazzi <filippo.bonazzi@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |filippo.bonazzi@suse.com

--- Comment #1 from Filippo Bonazzi <filippo.bonazzi@suse.com> ---
What is special about this in MicroOS compared to a regular SELinux system? I'm afraid I don't know the nitty-gritty of how the policy is loaded in either system.
https://bugzilla.suse.com/show_bug.cgi?id=1208071#c2

--- Comment #2 from Johannes Segitz <jsegitz@suse.com> ---
MicroOS has a read-only system. So to work around this the labeling happens pre-pivot in the initrd. To be able to label files it loads the policy. Which wasn't a problem, since kernel_t was unconfined. Since this is now different, this doesn't work anymore.

On regular systems labeling is done post-pivot in a normal environment and transitions away from kernel_t. I try to recreate this behavior in the initrd environment now.
https://bugzilla.suse.com/show_bug.cgi?id=1208071#c3

--- Comment #3 from Johannes Segitz <jsegitz@suse.com> ---
So this works now, but unfortunately not only the relabel operation breaks, but also some operations after this. I'll try to figure out a way to not have to load the policy in initrd; this will be a permanent pain with this change. If I don't find a way we might have to keep kernel_t unconfined.
https://bugzilla.suse.com/show_bug.cgi?id=1208071#c4

--- Comment #4 from Johannes Segitz <jsegitz@suse.com> ---
I now have the real fix. That leaves us with a couple of denials during boot:

Feb 20 08:59:54 localhost kernel: audit: type=1400 audit(1676883594.092:4): avc: denied { relabelfrom } for pid=670 comm="systemd-tmpfile" name="issue" dev="vda3" ino=33751 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=0
Feb 20 08:59:54 localhost kernel: audit: type=1400 audit(1676883594.092:5): avc: denied { relabelfrom } for pid=670 comm="systemd-tmpfile" name="resolv.conf" dev="vda3" ino=33785 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0
Feb 20 08:59:54 localhost kernel: audit: type=1400 audit(1676883594.092:6): avc: denied { relabelfrom } for pid=670 comm="systemd-tmpfile" name="yp.conf" dev="vda3" ino=33786 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=0
Feb 20 08:59:54 localhost kernel: audit: type=1400 audit(1676883594.096:7): avc: denied { relabelfrom } for pid=670 comm="systemd-tmpfile" name="mtab" dev="vda3" ino=33752 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=0

Strangely, the files end up with the correct permissions. Will need to check this further.
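The denials quoted in comment #4 are the kind of input one feeds to audit2allow to see which rules the pre-pivot relabel run is actually asking of kernel_t. The following is an added example, not code from the bug, from microos-tools or from any of the participants: it parses AVC records out of raw kernel log lines and aggregates them into candidate allow rules per (source type, target type, class), filtered to a chosen source domain. The four denials from the comment are reused as input; the fifth and sixth lines (a relabelto denial and an init_t file read) are constructed here to exercise permission merging and domain filtering and are not from the reporter's system.

```python
"""Parse SELinux AVC denials from kernel/audit log lines and collapse them into
candidate allow rules (audit2allow-style), so the permissions a confined domain
such as kernel_t would need can be reviewed before deciding whether to grant
them or to transition the work out of that domain instead."""
import re
from collections import defaultdict

# Sample input: lines 1-4 are the denials quoted in the bug (comment #4);
# lines 5-6 are constructed for this example and not real system output.
SAMPLE_LOG = """\
Feb 20 08:59:54 localhost kernel: audit: type=1400 audit(1676883594.092:4): avc: denied { relabelfrom } for pid=670 comm="systemd-tmpfile" name="issue" dev="vda3" ino=33751 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=0
Feb 20 08:59:54 localhost kernel: audit: type=1400 audit(1676883594.092:5): avc: denied { relabelfrom } for pid=670 comm="systemd-tmpfile" name="resolv.conf" dev="vda3" ino=33785 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0
Feb 20 08:59:54 localhost kernel: audit: type=1400 audit(1676883594.092:6): avc: denied { relabelfrom } for pid=670 comm="systemd-tmpfile" name="yp.conf" dev="vda3" ino=33786 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=0
Feb 20 08:59:54 localhost kernel: audit: type=1400 audit(1676883594.096:7): avc: denied { relabelfrom } for pid=670 comm="systemd-tmpfile" name="mtab" dev="vda3" ino=33752 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=0
Feb 20 08:59:55 localhost kernel: audit: type=1400 audit(1676883595.000:8): avc: denied { relabelto } for pid=670 comm="systemd-tmpfile" name="mtab" dev="vda3" ino=33752 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=0
Feb 20 08:59:55 localhost kernel: audit: type=1400 audit(1676883595.001:9): avc: denied { read } for pid=700 comm="foo" path="/etc/foo" dev="vda3" ino=34000 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
Feb 20 08:59:55 localhost systemd[1]: Started some unit.
"""

# "avc: denied { perm perm } for key=val key="quoted val" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one
    (or is too truncated to carry source/target contexts and a class)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    try:
        stype = fields["scontext"].split(":")[2]  # user:role:TYPE:level
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {
        "perms": set(m.group("perms").split()),
        "pid": int(fields.get("pid", "0")),
        "comm": fields.get("comm", ""),
        "name": fields.get("name") or fields.get("path", ""),
        "stype": stype,
        "ttype": ttype,
        "tclass": tclass,
        "permissive": fields.get("permissive") == "1",
    }


def parse_log(text):
    """All AVC denials in a block of log text, non-AVC lines skipped."""
    return [d for d in (parse_avc(l) for l in text.splitlines()) if d]


def enforced_denials(denials):
    """Denials with permissive=0, i.e. operations that really failed."""
    return [d for d in denials if not d["permissive"]]


def allow_rules(denials, source_type=None):
    """Collapse denials into one candidate 'allow' rule per
    (source type, target type, object class), merging permissions.
    With source_type set, only that domain's denials are considered."""
    needed = defaultdict(set)
    for d in denials:
        if source_type is not None and d["stype"] != source_type:
            continue
        needed[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (s, t, c), perms in sorted(needed.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules


if __name__ == "__main__":
    ds = parse_log(SAMPLE_LOG)
    print(f"{len(ds)} AVC denials, {len(enforced_denials(ds))} enforced")
    for rule in allow_rules(ds, source_type="kernel_t"):
        print(rule)
```

Run against the sample it prints the two rules kernel_t would need for the relabel of the /etc symlinks. Whether to actually add such rules is the policy question the thread is about: every `allow kernel_t ...` widens the domain the change set out to confine, so the output is better read as a list of what has to move into a dedicated domain via a transition, or out of the initrd entirely, than as a patch to apply.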
https://bugzilla.suse.com/show_bug.cgi?id=1208071

Chenzi Cao <chcao@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|screening-team-bugs@suse.de |kernel-bugs@opensuse.org
https://bugzilla.suse.com/show_bug.cgi?id=1208071

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|kernel-bugs@opensuse.org    |jsegitz@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1208071#c5

Fabian Vogt <fvogt@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |fvogt@suse.com
         Resolution|---                         |FIXED

--- Comment #5 from Fabian Vogt <fvogt@suse.com> ---
Should we close this and continue only in bug 1208593? (Reopen if you disagree)

After https://github.com/openSUSE/microos-tools/pull/14 got merged, the policy is no longer loaded in the initrd, but other issues with kernel_t make it unusable still.