# Problems with selinux setup

## michaels70

I just installed selinux on the AMD64 hardened version of Gentoo and am seeing the following denials when booting in permissive mode.  Am I missing a selinux module or is there something else I have to do?  I relabeled the whole file-system after installing everything.

```
Jan  1 00:00:24 localhost dhcpcd[1811]: eth0: sending IPv6 Router Solicitation
Jan  1 00:00:24 localhost dhcpcd[1811]: eth1: sending IPv6 Router Solicitation
Jan  1 00:00:25 localhost dhcpcd[1811]: eth0: leased 192.168.2.160 for 86400 seconds
Jan  1 00:00:25 localhost kernel: [   17.808711] audit_printk_skb: 6 callbacks suppressed
Jan  1 00:00:25 localhost kernel: [   17.808714] type=1400 audit(1356998425.336:28): avc:  denied  { write } for  pid=1989 comm="dhcpcd-run-hook" name="ntp.conf" dev="sda3" ino=650700 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Jan  1 00:00:25 localhost kernel: [   17.813252] type=1400 audit(1356998425.341:29): avc:  denied  { execute } for  pid=1991 comm="rc-service" name="rc" dev="sda3" ino=456696 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:rc_exec_t tclass=file
Jan  1 00:00:25 localhost kernel: [   17.813264] type=1400 audit(1356998425.341:30): avc:  denied  { read open } for  pid=1991 comm="rc-service" path="/sbin/rc" dev="sda3" ino=456696 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:rc_exec_t tclass=file
Jan  1 00:00:25 localhost kernel: [   17.813312] type=1400 audit(1356998425.341:31): avc:  denied  { execute_no_trans } for  pid=1991 comm="rc-service" path="/sbin/rc" dev="sda3" ino=456696 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:rc_exec_t tclass=file
Jan  1 00:00:25 localhost dhcpcd[1811]: eth1: broadcasting for a lease
Jan  1 00:00:28 localhost dhcpcd[1811]: eth0: sending IPv6 Router Solicitation
Jan  1 00:00:28 localhost dhcpcd[1811]: eth0: no IPv6 Routers available
Jan  1 00:00:28 localhost dhcpcd[1811]: eth1: sending IPv6 Router Solicitation
Jan  1 00:00:28 localhost dhcpcd[1811]: eth1: no IPv6 Routers available
Jan  1 00:00:38 localhost kernel: [   31.005795] type=1400 audit(1356998438.523:32): avc:  denied  { read } for  pid=1995 comm="rc" name="profile.env" dev="sda3" ino=650786 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Jan  1 00:00:38 localhost kernel: [   31.005807] type=1400 audit(1356998438.523:33): avc:  denied  { open } for  pid=1995 comm="rc" path="/etc/profile.env" dev="sda3" ino=650786 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Jan  1 00:00:38 localhost kernel: [   31.005821] type=1400 audit(1356998438.523:34): avc:  denied  { getattr } for  pid=1995 comm="rc" path="/etc/profile.env" dev="sda3" ino=650786 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Jan  1 00:00:38 localhost kernel: [   31.007716] type=1400 audit(1356998438.525:35): avc:  denied  { search } for  pid=1995 comm="rc" name="1" dev="proc" ino=1154 scontext=root:sysadm_r:run_init_t tcontext=system_u:system_r:init_t tclass=dir
Jan  1 00:00:38 localhost kernel: [   31.007733] type=1400 audit(1356998438.525:36): avc:  denied  { read } for  pid=1995 comm="rc" name="environ" dev="proc" ino=1155 scontext=root:sysadm_r:run_init_t tcontext=system_u:system_r:init_t tclass=file
Jan  1 00:00:38 localhost kernel: [   31.007742] type=1400 audit(1356998438.525:37): avc:  denied  { open } for  pid=1995 comm="rc" path="/proc/1/environ" dev="proc" ino=1155 scontext=root:sysadm_r:run_init_t tcontext=system_u:system_r:init_t tclass=file
Jan  1 00:00:38 localhost kernel: [   31.007761] type=1400 audit(1356998438.525:38): avc:  denied  { getattr } for  pid=1995 comm="rc" path="/proc/1/environ" dev="proc" ino=1155 scontext=root:sysadm_r:run_init_t tcontext=system_u:system_r:init_t tclass=file
Jan  1 00:00:38 localhost kernel: [   31.007838] type=1400 audit(1356998438.525:39): avc:  denied  { read } for  pid=1995 comm="rc" name="softlevel" dev="tmpfs" ino=3105 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=file
Jan  1 00:00:38 localhost kernel: [   31.007848] type=1400 audit(1356998438.525:40): avc:  denied  { open } for  pid=1995 comm="rc" path="/run/openrc/softlevel" dev="tmpfs" ino=3105 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=file
Jan  1 00:00:38 localhost kernel: [   31.007859] type=1400 audit(1356998438.525:41): avc:  denied  { getattr } for  pid=1995 comm="rc" path="/run/openrc/softlevel" dev="tmpfs" ino=3105 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=file
```

Here's a list of the installed modules...

```
application   1.2.0
authlogin   2.5.0
automount   1.14.0
bind   1.13.0
bootloader   1.14.0
clock   1.7.0
consolekit   1.9.0
consoletype   1.10.0
cron   2.6.0
dhcp   1.11.0
dmesg   1.3.0
fstools   1.16.0
getty   1.10.0
gpg   2.8.0
hostname   1.8.0
hotplug   1.16.0
init   1.20.0
ipsec   1.14.0
iptables   1.14.0
irqbalance   1.6.0
libraries   2.10.0
locallogin   1.12.0
logging   1.20.0
lvm   1.15.0
mandb   1.1.0
miscfiles   1.11.0
modutils   1.14.0
mount   1.16.0
mta   2.7.0
netutils   1.12.0
nscd   1.11.0
ntp   1.11.0
openrc   0.1
portage   1.14.0
raid   1.13.0
rpc   1.15.0
rpcbind   1.6.0
rsync   1.13.0
screen   2.6.0
selinuxutil   1.17.0
setrans   1.8.0
shutdown   1.2.0
ssh   2.4.0
staff   2.4.0
storage   1.11.0
su   1.12.0
sudo   1.10.0
sysadm   2.6.0
sysnetwork   1.15.0
udev   1.16.0
unprivuser   2.4.0
userdomain   4.9.0
usermanage   1.19.0
xdg   1.0.0
```

Here's a listing of the bools...

```
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> off
allow_gssd_read_tmp --> off
allow_mount_anyfile --> off
allow_nfsd_anon_write --> off
allow_polyinstantiation --> off
allow_ptrace --> off
allow_rsync_anon_write --> off
allow_ssh_keysign --> off
allow_user_mysql_connect --> off
allow_user_postgresql_connect --> off
allow_ypbind --> off
authlogin_nsswitch_use_ldap --> off
console_login --> on
cron_can_relabel --> off
cron_userdomain_transition --> off
dhcpd_use_ldap --> off
fcron_crond --> off
global_ssp --> on
gpg_agent_env_file --> off
init_upstart --> off
mail_read_content --> off
mmap_low_allowed --> off
named_tcp_bind_http_port --> off
named_write_master_zones --> off
nfs_export_all_ro --> off
nfs_export_all_rw --> off
nscd_use_shm --> off
portage_use_nfs --> off
racoon_read_shadow --> off
rsync_client --> off
rsync_export_all_ro --> off
rsync_use_cifs --> off
rsync_use_fusefs --> off
rsync_use_nfs --> off
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
ssh_sysadm_login --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
user_direct_mouse --> off
user_dmesg --> off
user_ping --> off
user_rw_noexattrfile --> off
user_tcp_server --> off
user_ttyfile_stat --> off
```

and selinux status...

```
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             strict
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Max kernel policy version:      28

Process contexts:
Current context:                root:sysadm_r:sysadm_t
Init context:                   system_u:system_r:init_t
/sbin/agetty                    system_u:system_r:getty_t

File contexts:
Controlling terminal:           root:object_r:user_tty_device_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/bin/login                      system_u:object_r:login_exec_t
/sbin/rc                        system_u:object_r:rc_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd               system_u:object_r:chkpwd_exec_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash                       system_u:object_r:shell_exec_t
/usr/bin/newrole                system_u:object_r:newrole_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t
```

Any ideas?

Michael

----------

## spike88

Your enforce mode is permissive?

----------

## michaels70

Yeah, I wanted to see what would be denied by SELinux. It seems to have a lot of denials with the default installation. It makes me think I must be missing a module or something.

----------

## spike88

By default the enforce setting denies everything; you have to set up access manually, I believe.

----------

## landdie

OK, I'm far from an expert, but there are two things you can do here. The simplest/safest is

```
semodule -i /usr/share/selinux/strict/dhcp.pp
```

which will insert the official dhcp policy module into your running policy. You can see that a lot of the AVC denied lines you posted above are about dhcp. Not sure if this will get rid of the `comm="rc"` denials.

But, if you're feeling adventurous, you could also build your own policy for the whole problem. Make a directory to work in, then take your denied lines from above, put them in a file called avc_lines (or whatever name you like), and then do:

```
cat avc_lines | audit2allow -m mymod > mymod.te
```

You will get output in a file called mymod.te that looks like this:

```
module mymod 1.0;

require {
        type initrc_state_t;
        type init_t;
        type dhcpc_t;
        type rc_exec_t;
        type etc_runtime_t;
        type etc_t;
        type run_init_t;
        class dir search;
        class file { execute read execute_no_trans write getattr open };
}

#============= dhcpc_t ==============
allow dhcpc_t etc_t:file write;
allow dhcpc_t rc_exec_t:file { read execute open execute_no_trans };

#============= run_init_t ==============
allow run_init_t etc_runtime_t:file { read getattr open };
allow run_init_t init_t:dir search;
allow run_init_t init_t:file { read getattr open };
allow run_init_t initrc_state_t:file { read getattr open };
```

The mymod name could and probably should have been dhcpmod so you remember what it's for. It doesn't matter what you call it, just be consistent/descriptive from start to end here. Oh, and don't use numbers!

If you then do:

```
checkmodule -m -o mymod.mod mymod.te
```

you will generate a file called mymod.mod. This is the base module for building your own SELinux policy module for the denials you're getting.

Next you will need to do:

```
semodule_package -o mymod.pp -m mymod.mod
```

This will generate an SELinux policy called mymod.pp.

Then you will need to insert it into your current running policy with:

```
semodule -i mymod.pp
```

This will survive a reboot and become a permanent part of your system policy. You can remove it again with:

```
semodule -r mymod
```

Note the .pp suffix is not used.

This is a simple way to get rid of AVC denials. The running policy won't allow you to make idiot additions to it, but be aware that the first thing to do when getting AVC denials is to check your file contexts, which I see you did, and have a look at the official policy modules in

```
/usr/share/selinux/strict/
```

Otherwise you might be in for a lot of work! :Wink:

Whatever, if you are going to be running SELinux you will need to get used to writing policy .pp's and fiddling with file contexts! :Smile:

I'd recommend creating a working directory in which to build all your policy .pp's, and building each one in its own subdirectory. It's also not a silly idea to keep a record of the AVC denial lines you've used to build your policy .pp with in the same directory, just for future reference!

If you are systematic with your module names you will be able to see them all in the future with a simple

```
semodule -l | grep yourmodending
```

which I promise will make you very happy at some point! :Smile:

Hope this helps a bit!

----------
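Added example, not from the thread and not audit2allow's own code: a small Python parser that does the grouping step `audit2allow -m` performs on the denials quoted above (sample lines copied from the thread) and, in line with the advice to check file contexts before loading a module, flags rules that would grant write or execute on generic types such as etc_t. The generic-type list and that heuristic are my assumptions.

```python
import re

# Constructed sample: the audit part of four AVC lines quoted earlier in this thread.
SAMPLE_AVC = """\
type=1400 audit(1356998425.336:28): avc:  denied  { write } for  pid=1989 comm="dhcpcd-run-hook" name="ntp.conf" dev="sda3" ino=650700 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
type=1400 audit(1356998425.341:29): avc:  denied  { execute } for  pid=1991 comm="rc-service" name="rc" dev="sda3" ino=456696 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:rc_exec_t tclass=file
type=1400 audit(1356998425.341:30): avc:  denied  { read open } for  pid=1991 comm="rc-service" path="/sbin/rc" dev="sda3" ino=456696 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:rc_exec_t tclass=file
type=1400 audit(1356998438.525:35): avc:  denied  { search } for  pid=1995 comm="rc" name="1" dev="proc" ino=1154 scontext=root:sysadm_r:run_init_t tcontext=system_u:system_r:init_t tclass=dir
"""

# Permission set, source type, target type and class of one denial; the type is the
# third colon field of a context, and an optional fourth field (MLS level) is skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?:[^:\s]+:){2}(?P<stype>[^:\s]+)(?::\S+)? "
    r"tcontext=(?:[^:\s]+:){2}(?P<ttype>[^:\s]+)(?::\S+)? tclass=(?P<tclass>\w+)"
)

def parse_avc(text):
    """Group denials by (source type, target type, class), unioning the permissions."""
    rules = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (m["stype"], m["ttype"], m["tclass"])
            rules.setdefault(key, set()).update(m["perms"].split())
    return rules

def fmt(perms):
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"

def to_te(rules, name="mymod"):
    """Render the require block and allow rules the way audit2allow -m lays them out."""
    types = sorted({t for s, t, _ in rules} | {s for s, _, _ in rules})
    classes = {}
    for (_, _, c), perms in rules.items():
        classes.setdefault(c, set()).update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"        type {t};" for t in types]
    out += [f"        class {c} {fmt(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

# Heuristic I am adding (not from the thread): write/execute granted on a generic type
# such as etc_t usually means the file is mislabelled; fix the context rather than allow it.
GENERIC_TYPES = {"etc_t", "bin_t", "lib_t"}

def suspicious(rules):
    return sorted(k for k, p in rules.items()
                  if k[1] in GENERIC_TYPES and p & {"write", "execute", "append", "create"})
```

Feed the real denials in with `parse_avc(open("avc_lines").read())`; the `.te` text from `to_te` then goes through the checkmodule and semodule_package steps above, while anything `suspicious` returns is worth a `restorecon` check first.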

