# selinux denials due to race conditions? [solved]

## vaxbrat

I just joined the hardened-gentoo mailing list but thought I might give this a shot here too.  I'm on the 2006.1 unstable profile for selinux and think I may have a race condition that results in avc denials before selinux has finished labeling things like /dev.  For example, the first denial below appears to be where /etc/hotplug.d/default/default.hotplug is peeking and poking around with /dev/null.  The denial has it as a system_u:object_r:file_t, but when I look at it from a running system I see it as a system_u:object_r:null_device_t.  Can the hardened folk chime in about whether I'm missing something blatantly obvious?  Should I be messing around in /etc/runlevels/boot to put dependencies in various scripts (although selinux isn't a script so how would I make it a dependency?)

snippet from a dmesg:

```
security:  5 users, 5 roles, 1376 types, 81 bools

security:  59 classes, 61906 rules

security:  class dccp_socket not defined in policy

security:  permission dccp_recv in class node not defined in policy

security:  permission dccp_send in class node not defined in policy

security:  permission dccp_recv in class netif not defined in policy

security:  permission dccp_send in class netif not defined in policy

SELinux:  Completing initialization.

SELinux:  Setting up existing superblocks.

SELinux: initialized (dev sda5, type ext3), uses xattr

inode_doinit_with_dentry:  context_to_sid(unlabeled) returned 22 for dev=sda5 ino=1938273

audit(1182137416.171:2): avc:  denied  { ioctl } for  pid=884 comm="default.hotplug" name="null" dev=sda5 ino=733068 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1182137416.203:3): avc:  denied  { read } for  pid=889 comm="env" name="urandom" dev=sda5 ino=732962 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1182137416.204:4): avc:  denied  { read } for  pid=884 comm="default.hotplug" name="default.hotplug" dev=sda5 ino=1356280 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sbin_t tclass=file

audit(1182137416.206:5): avc:  denied  { search } for  pid=884 comm="default.hotplug" name="var" dev=sda5 ino=1254177 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_t tclass=dir

audit(1182137416.221:6): avc:  denied  { search } for  pid=884 comm="default.hotplug" name="log" dev=sda5 ino=1255669 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_log_t tclass=dir

SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts

SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts

SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs

SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts

SELinux: initialized (dev devpts, type devpts), uses transition SIDs

SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs

SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts

SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs

SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts

SELinux: initialized (dev pipefs, type pipefs), uses task SIDs

SELinux: initialized (dev sockfs, type sockfs), uses task SIDs

SELinux: initialized (dev proc, type proc), uses genfs_contexts

SELinux: initialized (dev bdev, type bdev), uses genfs_contexts

SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts

SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts

audit(1182137416.259:7): policy loaded auid=4294967295

audit(1182137416.261:8): avc:  denied  { read write } for  pid=1 comm="init" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1182137416.275:9): avc:  denied  { ioctl } for  pid=1 comm="init" name="tty0" dev=sda5 ino=735467 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1182137416.277:10): avc:  denied  { read } for  pid=891 comm="hotplug" name="urandom" dev=sda5 ino=732962 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1182137416.279:11): avc:  denied  { write } for  pid=891 comm="hotplug" name="tty" dev=sda5 ino=734192 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1182137416.296:12): avc:  denied  { ioctl } for  pid=893 comm="default.hotplug" name="null" dev=sda5 ino=733068 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1182137416.758:13): avc:  denied  { read write } for  pid=970 comm="rc" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1182137417.033:14): avc:  denied  { read write } for  pid=994 comm="consoletype" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1182137417.034:15): avc:  denied  { search } for  pid=994 comm="consoletype" name="dev" dev=sda5 ino=732961 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=dir

audit(1182137417.034:16): avc:  denied  { getattr } for  pid=994 comm="consoletype" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1182137417.035:17): avc:  denied  { ioctl } for  pid=994 comm="consoletype" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1182137417.082:18): avc:  denied  { ioctl } for  pid=997 comm="stty" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1182137417.172:19): avc:  denied  { getattr } for  pid=970 comm="bash" name="null" dev=sda5 ino=733068 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1182137417.196:20): avc:  denied  { read write } for  pid=1001 comm="dmesg" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1182137417.220:21): avc:  denied  { read write } for  pid=1004 comm="mount" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t tclass=chr_file

SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs

audit(1182137417.478:22): avc:  denied  { read write } for  pid=1038 comm="restorecon" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1182137417.716:23): avc:  denied  { write } for  pid=1042 comm="bash" name="null" dev=tmpfs ino=2106 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file

audit(1182137417.875:24): avc:  denied  { read write } for  pid=1062 comm="udevd" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=chr_file

audit(1182137418.770:25): avc:  denied  { read } for  pid=1194 comm="modprobe" name="console" dev=tmpfs ino=2100 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file

audit(1182137424.374:26): avc:  denied  { getattr } for  pid=2059 comm="modprobe.sh" name="modprobe.conf" dev=sda5 ino=1515100 scontext=system_u:system_r:udev_t tcontext=root:object_r:modules_conf_t tclass=file

audit(1182137424.376:27): avc:  denied  { read } for  pid=2112 comm="grep" name="modprobe.conf" dev=sda5 ino=1515100 scontext=system_u:system_r:udev_t tcontext=root:object_r:modules_conf_t tclass=file

```

Last edited by vaxbrat on Fri Jun 22, 2007 3:21 am; edited 1 time in total

----------

## vaxbrat

Got confirmed that it is indeed a race condition.  However I noticed that udev really has taken over everything from hotplug so that it's no longer needed.  That got rid of a good number of denials since udev doesn't get around to doing its thing until later and thus avoids the race.

----------

## vaxbrat

Here's the detailed story for the race condition.  Until udev has finished doing its thing and mounted its own /dev, the system is using the primordial static /dev from your root's filesystem.  Selinux gets /selinux up and running and is still at work doing the genfs context labeling of /dev, /tmp and company when the init process gets kicked.  So init initially gets busy using the static nodes.   Unfortunately these all have the default labeling of file_t and don't get picked up later by relabeling since udev now overlays the /dev directory with its own.

In order to relabel the static /dev you need to get a bit sneaky by "remounting" your root filesystem somewhere else.  Let's say /mnt/rawroot

```
# mkdir /mnt/rawroot

# mount --bind / /mnt/rawroot
```

The --bind option remounts the filesystem to a different directory but doesn't apply all of the submounts.  Thus the udev version of /dev is left behind to uncover the static /dev as /mnt/rawroot/dev.  Now we can use setfilecon to manually relabel contexts.  For example, the init process was getting denied access to /dev/console:

```
audit(1182137416.261:8): avc:  denied  { read write } for  pid=1 comm="init" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
```

In a running system, the /dev/console device is labeled as system_u:object_r:console_device_t.  To label the static console properly I did:

```
# cd /mnt/rawroot/dev

# setfilecon system_u:object_r:console_device_t console
```

Some of the other device nodes that were getting hit too early include /dev/tty0 (tty_device_t) and /dev/urandom (urandom_device_t).
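The relabeling above is done one node at a time by hand. The script below is an added example, not code from the thread: it reads dmesg-style AVC lines, picks out the char devices on the root filesystem that were denied while still carrying file_t (the static nodes udev later hides), and prints the matching setfilecon commands for the bind-mounted copy. The bind-mount path, the function names and the name-to-type table (console_device_t, tty_device_t, urandom_device_t, null_device_t, taken from what this thread reports seeing on a running system) are assumptions; the sample log lines are constructed from the ones quoted in the first post. It also refuses to emit a context that is not of the user:role:type form, which is the syntax mistake that trips up the later posts.

```shell
#!/bin/sh
# Added example, not from the thread: turn AVC denials into the setfilecon
# commands needed to relabel the static /dev reached through a bind mount of /.
# Assumptions (not on the page): bind mount at $RAWROOT, log on stdin, and the
# name->type table below, which is the set of labels the thread reports.

RAWROOT=${RAWROOT:-/mnt/rawroot}

# Constructed sample modelled on the dmesg lines quoted in the first post; the
# "zero" line is made up to exercise the unknown-device path.
SAMPLE_LOG='audit(1182137416.171:2): avc:  denied  { ioctl } for  pid=884 comm="default.hotplug" name="null" dev=sda5 ino=733068 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.203:3): avc:  denied  { read } for  pid=889 comm="env" name="urandom" dev=sda5 ino=732962 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.261:8): avc:  denied  { read write } for  pid=1 comm="init" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.275:9): avc:  denied  { ioctl } for  pid=1 comm="init" name="tty0" dev=sda5 ino=735467 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.296:12): avc:  denied  { ioctl } for  pid=893 comm="default.hotplug" name="null" dev=sda5 ino=733068 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.500:99): avc:  denied  { write } for  pid=1040 comm="bash" name="zero" dev=sda5 ino=733069 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.716:23): avc:  denied  { write } for  pid=1042 comm="bash" name="null" dev=tmpfs ino=2106 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1182137424.376:27): avc:  denied  { read } for  pid=2112 comm="grep" name="modprobe.conf" dev=sda5 ino=1515100 scontext=system_u:system_r:udev_t tcontext=root:object_r:modules_conf_t tclass=file'

# A context is user:role:type with an optional MLS/MCS field. A single word such
# as system_u_object_r_security_t is not a context, which is why setfilecon and
# mkdir -Z reject it; catch that before emitting anything.
valid_context() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+(:[^[:space:]]+)?$'
}

# Device-node name -> type, as reported on a running system in the thread.
# Anything else is left for a manual decision rather than guessed.
device_type() {
    case "$1" in
        console) echo console_device_t ;;
        tty0)    echo tty_device_t ;;
        urandom) echo urandom_device_t ;;
        null)    echo null_device_t ;;
        *)       return 1 ;;
    esac
}

# Unique names of char devices on the root device ($1) that were denied while
# still labeled file_t. Denials on the udev tmpfs are ignored: those nodes are
# relabeled by udev itself. Reads the log on stdin.
stale_dev_nodes() {
    awk -v dev="$1" '
        /avc: +denied/ && /tclass=chr_file/ && /tcontext=[^ ]*:file_t( |$)/ &&
        $0 ~ ("dev=" dev "( |$)") {
            if (match($0, /name="[^"]*"/)) {
                n = substr($0, RSTART + 6, RLENGTH - 7)
                if (!(n in seen)) { seen[n] = 1; print n }
            }
        }'
}

# One setfilecon command per stale node, aimed at the bind-mounted copy.
# Printed rather than executed so the list can be reviewed first; pipe it to
# sh as root once it looks right.
relabel_commands() {
    stale_dev_nodes "$1" | while read -r name; do
        if devtype=$(device_type "$name"); then
            ctx="system_u:object_r:$devtype"
            if valid_context "$ctx"; then
                printf 'setfilecon %s %s/dev/%s\n' "$ctx" "$RAWROOT" "$name"
            fi
        else
            printf 'no known type for /dev/%s, label it by hand\n' "$name" >&2
        fi
    done
}

# Demo against the constructed sample. On a real box:
#   dmesg | RAWROOT=/mnt/rawroot sh relabel-static-dev.sh sda5
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | relabel_commands sda5
fi
```

Run it with `--demo` to see the four commands for null, urandom, console and tty0 on stdout and a note about the unknown node on stderr. The device filter matters: the same name="null" shows up a second time on dev=tmpfs with device_t, and that is udev's node, not the static one under the bind mount.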

----------

## vaxbrat

Can't seem to stay away from this thread for some reason.

Here's a couple more things in the rawroot that need proper labeling:

```
# cd /mnt/rawroot2

# setfilecon system_u:object_r:device_t dev

# setfilecon system_u_object_r_security_t security
```

The label for security removes a mount denial warning when /selinux is mounted.  Sort of a "chicken and egg" thing.

----------

## R. Bosch

 *vaxbrat wrote:*   

> Can't seem to stay away from this thread for some reason  
> 
> ```
> # cd /mnt/rawroot2
> 
> ...

 

I'm not sure what you mean with the last line, nor with /mnt/rawroot2. For instance I don't see the file /security.

----------

## vaxbrat

This:

```
# cd /mnt/rawroot2

# setfilecon system_u:object_r:device_t dev 

# setfilecon system_u_object_r_security_t security
```

Should be

```
# cd /mnt/rawroot

# setfilecon system_u:object_r:device_t dev 

# setfilecon system_u_object_r_security_t selinux

```

That's what I get for not directly cutting and pasting from the server I was working on.  The /mnt/rawroot refers to the remount that I had done in an earlier part of the thread.

----------

## R. Bosch

Thought of that, but failed:

```
setfilecon:  setfilecon(selinux,system_u_object_r_security_t) failed
```

Even if I run it from another installation of selinux (my second try).

It did accept the device type.

When listed in root the context looks like it should, but not when I take a look under /mnt/rawroot.

This is how it is listed atm:

```
drwxr-xr-x  root root system_u:object_r:device_t       selinux
```

I also tried unmounting /selinux in case there was a lock.  Then I tried to change both of them (under / and /mnt/rawroot), to no effect.

I don't understand what would block the change of context. Even in a new build, it won't accept.

Also passing on the context to mkdir doesn't help.

```
ReboliLaptop ~ # sestatus 

SELinux status:                 enabled

SELinuxfs mount:                /selinux

Current mode:                   permissive

Mode from config file:          permissive

Policy version:                 21

Policy from config file:        strict
```

Thanks for sharing this thread.

----------

## vaxbrat

So if you do

```
# cd /mnt/rawroot

# ls -Z | grep security
```

You see device_t and not file_t or security_t?  That's bizarre.  What type of filesystem is root (ext3 I hope)?

Also realize that I'm working with the unstable 2006.1 profile and the 20070329 security policy (refpolicy).  I haven't looked at the "example" policy and the 2005.1? stable profile in a while but may set up an example at work sometime soon.

One thing that bit me on another server I was playing with is reiserfs.  Even though I thought from the kernel filesystem options that it would include extended attribute support, it turned out not to work right for selinux labeling.  After my first attempt at labeling, everything came up as nfs_t or something like that after a reboot.  Then when I looked at the dmesg log, I noticed selinux mentioning that it was labeling using genfscontexts instead of xattrs.  I'm going to have to move that server's root to somewhere else and convert to ext3 I guess.

If I recall, only ext3 and xfs had selinux xattr labeling support.

----------

## R. Bosch

Yes, but the thing is; I can't repeat this. I removed /selinux and ran mkdir /selinux to see if it would make any difference, but the system still refuses to set the context correctly.

```
ReboliLaptop ~ # ls -lZ /

drwxr-xr-x  root root system_u:object_r:bin_t          bin

drwxr-xr-x  root root system_u:object_r:boot_t         boot

drwxr-xr-x  root root system_u:object_r:device_t       dev

drwxr-xr-x  root root system_u:object_r:etc_t          etc

drwxr-xr-x  root root system_u:object_r:home_root_t    home

drwxr-xr-x  root root system_u:object_r:lib_t          lib

drwx------  root root system_u:object_r:lost_found_t   lost+found

drwxr-xr-x  root root system_u:object_r:mnt_t          media

drwxr-xr-x  root root system_u:object_r:mnt_t          mnt

drwxr-xr-x  root root system_u:object_r:usr_t          opt

dr-xr-xr-x  root root system_u:object_r:proc_t         proc

drwx------  root root root:object_r:sysadm_home_dir_t  root

drwxr-xr-x  root root system_u:object_r:bin_t          sbin

drwxr-xr-x  root root user_u:object_r:root_t           selinux

drwxr-xr-x  root root system_u:object_r:sysfs_t        sys

drwxrwxrwt  root root system_u:object_r:tmp_t          tmp

drwxr-xr-x  root root system_u:object_r:usr_t          usr

drwxr-xr-x  root root system_u:object_r:var_t          var
```

Even tried making such directory in root's homedir:

```
ReboliLaptop ~ # mkdir -Z system_u_object_r_security_t selinux

Sorry, cannot set default context to system_u_object_r_security_t.
```

```
ReboliLaptop ~ # ls /etc/make.profile -ld

lrwxrwxrwx 1 root root 40 Jun 19 10:48 /etc/make.profile -> /usr/portage/profiles/selinux/x86/2006.1

software:

libselinux-1.34.0

libsemanage-1.10.0

libsepol-1.16.3

selinux-base-policy-20070329

checkpolicy-1.34.0

policycoreutils-1.34.1

ReboliLaptop ~ # sestatus 

SELinux status:                 enabled

SELinuxfs mount:                /selinux

Current mode:                   permissive

Mode from config file:          permissive

Policy version:                 21

Policy from config file:        strict

ReboliLaptop ~ # mount  

/dev/hda2 on / type ext3 (rw,noatime)

Linux version 2.6.21-suspend2-r6 (root@ReboliLaptop) (gcc version 4.1.2 (Gentoo 4.1.2)) #2 Sun Jun 24 23:05:35 CEST 2007
```

What could prevent me from setting the context in permissive mode?

----------

## vaxbrat

What role are you in when you try to label?  Even in permissive mode, I wonder if context labeling wants you to be a sysadm_t before doing its thing.

It's interesting that the security_t type may only be on the /selinux mount point and the security filesystem itself.  I don't see a file labeling rule for security_t in /etc/selinux/strict/contexts/files/file_contexts.  It must be hard coded somewhere.

----------

## R. Bosch

Did not matter... root admin or root the user.  Both incapable. A way around it is to compile the kernel with security labels but without selinux support. I use this kernel to install the base system before reboot.

Did any of this make it into any documentation yet?

----------

## seventhguardian

 *R. Bosch wrote:*   

> 
> 
> Even tried making such directory in root's homedir:
> 
> ```
> ...

 

You are repeating vaxbrat's type errors! lol.. note what you are using:

```
system_u_object_r_security_t
```

It should be:

```
system_u:object_r:security_t
```

----------

## DeathStar

An easier way to fix this along with all other labels is to:

Boot into Permissive mode, then do the following:

```
# mount -o bind / /mnt/rawroot

# chroot /mnt/rawroot /bin/bash

# env-update && source /etc/profile

# rlpkg -avr
```

This will relabel all files on the system, including all dev devices back to what they should be for SELinux.

----------

