archlinuxhardened / selinux

PKGBUILDs to build SELinux enabled packages for Arch Linux

Reboot persistent enforcing? #60

Closed g-h-97 closed 3 years ago

g-h-97 commented 3 years ago

Hi, I would like to know if this is a known issue or just a misconfiguration on my part, since I can't seem to be able to set enforcing mode persistently across reboots no matter what I do.

It reverts back to permissive.

Meanwhile on a RHEL8 machine, this works perfectly fine.

tqre commented 3 years ago

Did you try to edit /etc/selinux/config.refpolicy-arch to: SELINUX=enforcing

AFAIK, this file is read on boot. I haven't used enforcing mode much yet, but be sure to backup your systems or have direct root access if something goes wrong.

g-h-97 commented 3 years ago

I am not sure why, but this is the last thing that came to my mind just after writing the issue. However, setting SELINUX=enforcing in /etc/selinux/config caused the boot process to fail.

tqre commented 3 years ago

I get the same behavior. I have a QEMU/KVM VM; the host is Arch too. Here are some more logs I dug out from a VM console:

:: running cleanup hook [udev]
[    1.296014] audit: type=1404 audit(1602777451.199:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1
[    1.386341] audit: type=1403 audit(1602777451.289:3): auid=4294967295 ses=4294967295 lsm=selinux res=1
[    1.465737] audit: type=1400 audit(1602777451.370:4): avc:  denied  { bpf } for  pid=1 comm="systemd" capability=39  scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=capability2 permissive=0
[    1.475717] audit: type=1400 audit(1602777451.370:5): avc:  denied  { bpf } for  pid=1 comm="systemd" capability=39  scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=capability2 permissive=0
[    1.484314] audit: type=1400 audit(1602777451.386:6): avc:  denied  { perfmon } for  pid=1 comm="systemd" capability=38  scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=capability2 permissive=0
[    1.490888] audit: type=1400 audit(1602777451.386:7): avc:  denied  { perfmon } for  pid=1 comm="systemd" capability=38  scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=capability2 permissive=0
[    1.494560] audit: type=1400 audit(1602777451.386:8): avc:  denied  { perfmon } for  pid=1 comm="systemd" capability=38  scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=capability2 permissive=0
[    1.498350] audit: type=1400 audit(1602777451.386:9): avc:  denied  { bpf } for  pid=1 comm="systemd" capability=39  scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=capability2 permissive=0
[    1.501449] systemd[277]: /usr/lib/systemd/system-environment-generators/10-arch terminated by signal SEGV.
[    1.502040] audit: type=1400 audit(1602777451.393:10): avc:  denied  { bpf } for  pid=1 comm="systemd" capability=39  scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=capability2 permissive=0
[    1.523862] systemd[279]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.
[    1.525620] systemd[279]: /usr/lib/systemd/system-generators/systemd-fstab-generator failed with exit status 1.
[    1.634046] Could not create tracefs 'drm/filter' entry
[    1.634838] Could not create tracefs 'enable' entry
[    1.635631] Could not create tracefs 'enable' entry
[    1.636352] Could not create tracefs 'id' entry
[    1.637071] Could not create tracefs 'filter' entry
[    1.637998] Could not create tracefs 'trigger' entry
[    1.638971] Could not create tracefs 'hist' entry
[    1.639972] Could not create tracefs 'format' entry
[    1.641085] Could not create tracefs 'enable' entry
[    1.642131] Could not create tracefs 'id' entry
[    1.643135] Could not create tracefs 'filter' entry
[    1.644174] Could not create tracefs 'trigger' entry
[    1.645484] Could not create tracefs 'hist' entry
[    1.646694] Could not create tracefs 'format' entry
[    1.647866] Could not create tracefs 'enable' entry
[    1.648859] Could not create tracefs 'id' entry
[    1.649728] Could not create tracefs 'filter' entry
[    1.650745] Could not create tracefs 'trigger' entry
[    1.651896] Could not create tracefs 'hist' entry
[    1.652533] Could not create tracefs 'format' entry
[    1.869552] systemd-udevd[307]: Failed to determine number of local CPUs, ignoring: Permission denied
[    1.870803] systemd-udevd[307]: Failed to get cgroup: Permission denied
[    1.871948] systemd-udevd[307]: Failed to create socketpair for communicating with workers: Permission denied
[    1.873559] systemd-udevd[307]: Assertion 'close_nointr(fd) != -EBADF' failed at src/basic/fd-util.c:72, function safe_close(). Aborting.
[    1.897172] systemd-coredump[309]: Failed to get COMM: Permission denied
[    1.891257] systemd[1]: systemd-udevd.service: Main process exited, code=dumped, status=11/SEGV
[[    1.892685] FAILEDsystemd] [1]: Failed to start Rule-based…r for Device Events and Files.systemd-udevd.service: Failed with result 'core-dump'.

I suspect there is a SELinux policy issue with udev, but I don't know enough of SELinux yet to fix it easily.

g-h-97 commented 3 years ago

As far as I can tell it's a labeling issue, or rather a mess: SELinux is denying systemd, udevadm, udevd, modprobe... and a bunch of other system processes access, which explains the failure.

This can be seen in the journalctl log as a pile of AVCs.

Sample:

. . .
Oct 15 15:39:08 archserver kernel: audit: type=1400 audit(1602772747.283:4): avc: denied { bpf } for pid=1 comm="systemd" capability=39 scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=capability2 permissive=0
Oct 15 15:39:08 archserver kernel: audit: type=1400 audit(1602772747.283:5): avc: denied { bpf } for pid=1 comm="systemd" capability=39 scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=capability2 permissive=0
Oct 15 15:39:08 archserver kernel: audit: type=1400 audit(1602772747.283:6): avc: denied { bpf } for pid=1 comm="systemd" capability=39 scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=capability2 permissive=0
Oct 15 15:39:08 archserver kernel: audit: type=1400 audit(1602772747.283:7): avc: denied { perfmon } for pid=1 comm="systemd" capability=38 scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=capability2 permissive=0
Oct 15 15:39:08 archserver kernel: audit: type=1400 audit(1602772747.283:8): avc: denied { perfmon } for pid=1 comm="systemd" capability=38 scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=capability2 permissive=0
Oct 15 15:39:08 archserver kernel: audit: type=1400 audit(1602772747.283:9): avc: denied { perfmon } for pid=1 comm="systemd" capability=38 scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=capability2 permissive=0
Oct 15 15:39:08 archserver kernel: audit: type=1400 audit(1602772747.283:10): avc: denied { bpf } for pid=1 comm="systemd" capability=39 scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=capability2 permissive=0
. . .

Edit :

g-h-97 commented 3 years ago

I have been able to generate a policy module using audit2allow, which is, as expected, a bit lengthy:

my_boot_policy.te.txt

This ended up clearing most of the AVCs out. I guess that I have to manually write the rest of the allow rules to at least get the system up and running.

tqre commented 3 years ago

I'm really not sure what that policy module does? Why do you want to clear the logs?

But I think I found the reason; I found this in the logs of my testing laptop:

kernel: SELinux:  Permission perfmon in class capability2 not defined in policy.
kernel: SELinux:  Permission bpf in class capability2 not defined in policy.
kernel: SELinux:  Permission perfmon in class cap2_userns not defined in policy.
kernel: SELinux:  Permission bpf in class cap2_userns not defined in policy.
kernel: SELinux:  Class lockdown not defined in policy.

This happens when SELinux encounters new and thus unknown capabilities. Checking the deny_unknown status with sestatus command confirms this. The default for Arch's reference policy is to deny unknowns.

This can be set temporarily off with the following line in /etc/selinux/semanage.conf:

handle-unknown allow

See man semanage.conf for more configuration options.

EDIT: more to the logs, didn't test the handle-unknown setting yet!
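The distinction tqre draws above matters for triage: an AVC denial whose permission the loaded policy does not even define (the "not defined in policy" kernel messages) is a deny_unknown effect, and no audit2allow-generated allow rule can reference a permission the policy lacks. The following is an added example, not code from this issue or the archlinuxhardened project; it parses constructed kernel log lines modelled on the ones quoted in this thread (the udev_t/sysfs_t line is invented for contrast) and separates the two kinds of denials.

```python
import re

# Constructed sample log, modelled on the messages quoted in this issue.
# The last AVC line (udev_t reading sysfs_t) is an invented ordinary denial.
SAMPLE_LOG = """\
kernel: SELinux:  Permission perfmon in class capability2 not defined in policy.
kernel: SELinux:  Permission bpf in class capability2 not defined in policy.
kernel: SELinux:  Class lockdown not defined in policy.
kernel: audit: type=1400 audit(1602772747.283:4): avc: denied { bpf } for pid=1 comm="systemd" capability=39 scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=capability2 permissive=0
kernel: audit: type=1400 audit(1602772747.283:7): avc: denied { perfmon } for pid=1 comm="systemd" capability=38 scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=capability2 permissive=0
kernel: audit: type=1400 audit(1602772747.283:11): avc: denied { read } for pid=307 comm="systemd-udevd" scontext=system_u:system_r:udev_t tcontext=system_u:object_r:sysfs_t tclass=file permissive=0
"""

# Kernel message emitted at policy load for permissions the policy lacks.
UNDEFINED_RE = re.compile(r"Permission (\w+) in class (\w+) not defined in policy")
# AVC denial: permission set, source context and target class (console and
# journalctl output differ only in spacing, hence \s+).
AVC_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}.*?scontext=(\S+).*?tclass=(\w+)")


def undefined_permissions(log):
    """Return the set of (class, permission) pairs the loaded policy does not define."""
    return {(cls, perm) for perm, cls in UNDEFINED_RE.findall(log)}


def classify_denials(log):
    """Split AVC denials into deny_unknown effects and ordinary policy denials.

    Each entry is (source type, target class, permission).  Entries in the
    'deny_unknown' bucket cannot be fixed by adding allow rules: the policy
    has no such permission, so it must be rebuilt against a policy that knows
    the class, or handle-unknown changed as described in this thread.
    """
    unknown = undefined_permissions(log)
    result = {"deny_unknown": [], "policy": []}
    for m in AVC_RE.finditer(log):
        perms, scontext, tclass = m.groups()
        for perm in perms.split():
            entry = (scontext.split(":")[2], tclass, perm)
            bucket = "deny_unknown" if (tclass, perm) in unknown else "policy"
            result[bucket].append(entry)
    return result


def needs_handle_unknown(log):
    """True when at least one denial stems from an undefined permission."""
    return bool(classify_denials(log)["deny_unknown"])
```

Run against a real `journalctl -k` capture, anything left in the "policy" bucket is what audit2allow output is actually addressing; the "deny_unknown" bucket is the part this thread traces to the outdated class definitions in the reference policy.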

tqre commented 3 years ago

This is probably the policy file that needs some updating: https://github.com/archlinuxhardened/selinux-policy-arch/blob/2.20200818/policy/modules/system/init.te

Definitely need someone who understands the policy files better. I'm still learning...

EDIT: linked my own fork accidentally...

shammancer commented 3 years ago

Submitted a patch to upstream: https://github.com/SELinuxProject/refpolicy/pull/314