Hi Marco,

On similar lines, as Joe suggested, please try refpolicy 2.20151208 from morty. I would also recommend starting with the refpolicy-minimum policy variant; then you can explore other variants like refpolicy-targeted.

On Mon, Jul 24, 2017 at 1:15 PM, Marco Ostini <ma...@ostini.org> wrote:
>
> Hi Joe & Shrikant,
>
> Many thanks for your response. It was good to know that busybox can function with SELinux enforcing enabled.
>
I also confirm busybox works fine with enforcing mode on the minimum variant; I have used it in multiple ways.

> Sorry not to mention the policy we're currently using. It's:
> refpolicy-targeted
>
> ||/ Name                            Version              Architecture         Description
> +++-===============================-====================-====================-====================================================================
> ii  refpolicy-targeted              git-r0               amd64                SELinux targeted policy
>
> We'll build policy based on 2.20151208 and give it a try to see how it behaves.
>
> It appears to me that policy itself is responsible for semanage not functioning. When I try:
>
> semanage -v port -l
>
> I see errors like this:
>
> 1088. 07/24/17 07:29:46 semanage unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 2 dir write system_u:object_r:lib_t:s0 denied 1095
> 1089. 07/24/17 07:29:46 semanage unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 2 dir write system_u:object_r:lib_t:s0 denied 1096
>
> or
>
> time->Mon Jul 24 07:29:46 2017
> type=PROCTITLE msg=audit(1500881386.907:1101): proctitle=2F7573722F62696E2F707974686F6E002D4573002F7573722F7362696E2F73656D616E616765002D7600706F7274002D6C
> type=SYSCALL msg=audit(1500881386.907:1101): arch=c000003e syscall=2 success=no exit=-13 a0=7ddf20 a1=2c1 a2=81a4 a3=5640003640100 items=0 ppid=496 pid=1201 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="semanage" exe="/usr/bin/python2.7" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1500881386.907:1101): avc: denied { write } for pid=1201 comm="semanage" name="sepolgen" dev="vda" ino=6091 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
>
> The majority of the errors however are related to start_getty:
>
> 142. 07/24/17 06:14:04 start_getty system_u:system_r:getty_t:s0 4 dir search system_u:object_r:default_t:s0 denied 149
>
> time->Mon Jul 24 07:34:21 2017
> type=PROCTITLE msg=audit(1500881661.906:1160): proctitle=2F62696E2F7368002F62696E2F73746172745F676574747900313135323030007474795330
> type=SYSCALL msg=audit(1500881661.906:1160): arch=c000003e syscall=59 success=no exit=-13 a0=6fca60 a1=6fcc40 a2=6faf90 a3=59a items=0 ppid=1244 pid=1246 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="start_getty" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
> type=AVC msg=audit(1500881661.906:1160): avc: denied { search } for pid=1246 comm="start_getty" name="sbin" dev="vda" ino=7236 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
>
> I've applied an appropriate context to start_getty, but that didn't prevent the errors:
>
> ls -alZ /bin/start_getty
> -rwxr-xr-x. 1 root root system_u:object_r:getty_exec_t:s0 99 Jul 21 02:55 /bin/start_getty
>
> start_getty is a shell script that points back to /sbin/getty, which is a symlink to /usr/lib/busybox/sbin/getty.
>
> So I applied a context to /usr/lib/busybox/sbin/getty without it preventing the above mentioned errors:
>
> ls -alZ /usr/lib/busybox/sbin/getty
> -rwxr-xr-x. 1 root root system_u:object_r:getty_exec_t:s0 21 Jun 9 03:39 /usr/lib/busybox/sbin/getty
>
I think you are trying to patch the policy or fix the AVC denials w.r.t. context. To do it, we have audit tools available from meta-selinux which will help to understand the AVC denials in detail: please try using audit2why on the AVC denials to get why we hit the denials, and further use audit2allow to generate the allow rules based on the current policy, then try with the generated allow rules. Hope it helps :)

> I'm keen to see how policy based on 2.20151208 will look.
>
> Additional to trying 2.20151208, if you have any suggestions or advice I'd be grateful to hear it.

Please start exploring with refpolicy-minimum.

> Cheers,
> Marco
>
Thanks
Shrikant

> On 22 July 2017 at 05:46, Joe MacDonald <joe_macdon...@mentor.com> wrote:
>>
>> Hi Justin / Marco,
>>
>> [Re: SELinux with Busybox on morty] On 17.07.19 (Wed 16:05) Justin Clacherty wrote:
>>
>> > Hi Joe,
>> >
>> > Is this something you or one of the other meta-selinux devs are able
>> > to help out with or is it more of an upstream question?
>>
>> I'll see if I can give this a shot. :-)
>>
>> >
>> > Cheers,
>> > Justin.
>> >
>> >
>> > > On 17 Jul 2017, at 4:57 pm, Marco Ostini <ma...@ostini.org> wrote:
>> > >
>> > >
>> > > Hi All,
>> > >
>> > > At the moment I'm attempting to prepare a VM of morty with SELinux
>> > > running well in enforcing mode. Once bedded down this will be
>> > > running on an embedded system.
>> > >
>> > > We use Busybox to keep the environment slim.
>> > >
>> > > As you may be aware, the file contexts of
>> > > /etc/selinux/targeted/contexts/files/file_contexts don't include
>> > > appropriate paths (/sbin + /usr/lib/busybox/sbin/) and relative file
>> > > contexts for commands provided by Busybox. The /sbin files provided
>> > > by Busybox are symlinks to their counterparts in
>> > > /usr/lib/busybox/sbin/.
>> > >
>> > > I've attempted to use semanage to apply file contexts and look up
>> > > login contexts. Any time I use semanage I receive this message:
>> > >
>> > > Error: Failed to read //etc/selinux/targeted/policy/policy.30 policy file
>> > >
>> > > In an attempt to mitigate this error I ran semodule --build and,
>> > > while it did rebuild the policy file, it didn't mitigate the error
>> > > message generated by semanage. At the moment I'm applying temporary
>> > > file contexts with chcon.
>> > >
>> > > My questions are:
>> > >
>> > > 1. Is it possible to run Busybox (providing init, getty, syslog ...)
>> > > in SELinux enforcing? If so, where are the policy files?
>>
>> You haven't mentioned which policy you're currently using, so I'm
>> guessing it is the default you get from meta-selinux, that is
>> refpolicy-git. I've been debugging some (I think) unrelated issues with
>> refpolicy-git this week, so my advice would first be to try out
>> 2.20151208, the current release version we have in tree. That's
>> obviously also out of date, but it is currently better tested than the
>> git recipe.
>>
>> All that said, yes, we have been, in the past, able to use busybox with
>> SELinux enforcing enabled, though as you can see from the layer, we've
>> had to tweak refpolicy to make it work well. I'm adding a colleague of
>> mine here, Shrikant, who has done a fair bit of recent work with
>> meta-selinux as well; he might have some additional insight into the
>> current status of busybox-based systems.
>>
>> > > 2. Is there some documentation somewhere on reference builds of
>> > > Morty with SELinux enforcing?
>>
>> There is not at the moment, as far as I know. It's possible that
>> someone else currently using that combination can help out with some
>> guidance, but we haven't done any Morty+SELinux specific documentation.
>> Since I'm investigating some other issues right now in a slightly
>> different area, though, I may get some time next week to write up
>> something quick for this for you. If I do, I'll be sure to share
>> it here.
>>
>> --
>> -Joe MacDonald.
>> :wq
>
>
>
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto
>
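As an added example (not code from the thread, from meta-selinux or from the audit tools it mentions), the two audit records Marco posted are run through the triage step that audit2why/audit2allow automate: the hex proctitle is decoded back into the argv, the allow rule audit2allow would print is derived, and a default_t target, as in the start_getty denial, is flagged as a labelling gap to fix in file_contexts rather than a rule to add. Python with the standard library only; the verdict strings and the UNLABELLED_TYPES set are my own choice.

```python
import re

# Constructed input: the two denials quoted in the thread, each with its PROCTITLE record.
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(1500881386.907:1101): proctitle=2F7573722F62696E2F707974686F6E002D4573002F7573722F7362696E2F73656D616E616765002D7600706F7274002D6C
type=AVC msg=audit(1500881386.907:1101): avc: denied { write } for pid=1201 comm="semanage" name="sepolgen" dev="vda" ino=6091 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
type=PROCTITLE msg=audit(1500881661.906:1160): proctitle=2F62696E2F7368002F62696E2F73746172745F676574747900313135323030007474795330
type=AVC msg=audit(1500881661.906:1160): avc: denied { search } for pid=1246 comm="start_getty" name="sbin" dev="vda" ino=7236 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
"""

SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
# auditd writes proctitle as a quoted string, or hex-encoded when argv contains NUL bytes.
PROCTITLE_RE = re.compile(r'proctitle=(?:"([^"]*)"|([0-9A-Fa-f]+))\s*$')
AVC_RE = re.compile(r'avc: +denied +\{ (?P<perms>[^}]+)\} .*?comm="(?P<comm>[^"]*)"'
                    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
# refpolicy's fallback types: no matching file_contexts entry (default_t) or no label at all
# (unlabeled_t). A denial against them is a labelling gap (fix file_contexts, restorecon), not a missing rule.
UNLABELLED_TYPES = {"default_t", "unlabeled_t"}

def decode_proctitle(quoted, hexed):
    if quoted is not None:
        return [quoted]
    return bytes.fromhex(hexed).decode("utf-8", "replace").split("\x00")  # NUL separates argv

def parse_avcs(text):
    """Pair each AVC record with the PROCTITLE record sharing its audit serial."""
    argv_by_serial, denials = {}, []
    for line in text.splitlines():
        serial, pt = SERIAL_RE.search(line), PROCTITLE_RE.search(line)
        if serial and pt:
            argv_by_serial[serial.group(1)] = decode_proctitle(*pt.groups())
            continue
        avc = AVC_RE.search(line)
        if serial and avc:
            d = avc.groupdict()
            d["perms"] = d["perms"].split()
            d["argv"] = argv_by_serial.get(serial.group(1))
            denials.append(d)
    return denials

def triage(denial):
    """Return the audit2allow-style rule and the verdict a reviewer should reach first."""
    src, tgt = (denial[k].split(":")[2] for k in ("scontext", "tcontext"))  # user:role:type
    rule = "allow %s %s:%s { %s };" % (src, tgt, denial["tclass"], " ".join(denial["perms"]))
    verdict = "relabel target" if tgt in UNLABELLED_TYPES else "check policy (audit2why)"
    return rule, verdict

if __name__ == "__main__":
    for d in parse_avcs(SAMPLE_AUDIT):
        print(d["comm"], " ".join(d["argv"] or []), *triage(d), sep=" | ")
```

On real systems feed it `ausearch -m AVC,PROCTITLE -ts recent` output; the generated rule is a starting point for audit2why, not something to load as-is.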