# Questions about implementing SELinux

## Jimini

Hey folks,

I am working on a SELinux setup on one of my Gentoo boxes. At the moment, it is running in permissive mode, so the system works fine, but AVC logs a whole bunch of denials every day, for example:

```
Aleph kernel: [80079.723550] type=1400 audit(1359544352.143:2218): avc:  denied  { write } for  pid=14663 comm="iptstate" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_socket
Aleph kernel: [80079.723627] type=1400 audit(1359544352.143:2219): avc:  denied  { read } for  pid=14663 comm="iptstate" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_socket
Aleph kernel: [80356.603170] type=1400 audit(1359544629.452:2220): avc:  denied  { name_bind } for  pid=2330 comm="busybox" src=68 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:dhcpc_port_t tclass=udp_socket
Aleph kernel: [80475.076135] type=1400 audit(1359544748.108:2221): avc:  denied  { read write } for  pid=15261 comm="ip" path="socket:[627824]" dev="sockfs" ino=627824 scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
Aleph kernel: [81387.625721] type=1400 audit(1359545662.073:2222): avc:  denied  { node_bind } for  pid=27109 comm="squid" scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket
Aleph kernel: [81463.164770] type=1400 audit(1359545737.729:2223): avc:  denied  { create } for  pid=2330 comm="busybox" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=packet_socket
Aleph kernel: [81463.221315] type=1400 audit(1359545737.785:2227): avc:  denied  { read } for  pid=2330 comm="busybox" path="socket:[633448]" dev="sockfs" ino=633448 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=packet_socket
Aleph kernel: [62146.934761] type=1400 audit(1359526391.561:1956): avc:  denied  { open } for  pid=1640 comm="eix" path="/var/lib/portage/world" dev="md1" ino=1348507 scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:portage_cache_t tclass=file
```

I identified a few applications that produce errors: eix, iptstate, busybox, squid, dnsmasq and perhaps some more. Now I am unsure what to do - should I fix the labels of the files? Or should the applications get more rights? I read http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml but I still have problems with understanding and implementing the correct contexts.

selinux-squid and selinux-dnsmasq are installed - I guess that I simply have to adjust the permissions.

To keep it short: I do not know how to react to log messages like the ones above.

Any help would be really appreciated.

Best regards,

Jimini

----------

## depontius

I would suggest looking into Hardened Gentoo, instead.  Hardened Gentoo includes SELinux, and they furnish a targeted policy.  I would think it much easier to pick up a working policy from there, rather than trying to do one on your own, especially if you're not currently experienced with it.

----------

## Jimini

depontius,

thank you for your reply. Maybe I misunderstand you, but I am using a hardened kernel (3.7.0) and a correct profile (hardened/linux/amd64/no-multilib/selinux). I installed all available (and needed) policies, as shown by `semodule -l`:

```
aide    1.6.1
apache  2.6.9
application     1.2.0
arpwatch        1.10.4
authlogin       2.4.2
bootloader      1.13.2
clock   1.6.2
consoletype     1.10.0
cron    2.5.10
dhcp    1.10.1
dmesg   1.3.0
dnsmasq 1.9.2
fstools 1.15.0
getty   1.9.1
gpm     1.8.2
hostname        1.8.0
hotplug 1.15.1
init    1.19.6
iptables        1.13.1
kerberos        1.11.6
libraries       2.9.2
locallogin      1.11.1
logging 1.19.6
lvm     1.14.1
makewhatis      0.1
miscfiles       1.10.2
modutils        1.13.3
mount   1.15.0
mta     2.6.5
netutils        1.11.2
networkmanager  1.14.5
nscd    1.10.3
ntp     1.10.3
portage 1.13.7
raid    1.12.5
rpc     1.14.4
rpcbind 1.5.4
rsync   1.12.2
selinuxutil     1.17.0
shutdown        1.1.2
slocate 1.11.1
squid   1.11.2
ssh     2.3.3
staff   2.3.1
storage 1.11.0
su      1.12.0
sysadm  2.5.1
sysnetwork      1.14.6
udev    1.15.4
unprivuser      2.3.1
userdomain      4.8.5
usermanage      1.18.1
xdg     1.0.0
zabbix  1.5.3
```

Or did you mean that I should look for dedicated hardened support?

Best regards,

Jimini

----------

## depontius

No, I was just suggesting that hardened would be a good place to start, and I thought that their 'targeted' policy should be a good beginning.

----------

## Jimini

Hm, do you perhaps confuse hardened with SELinux? As far as I understand, Hardened Gentoo is a project to implement numerous security concepts - one of these is SELinux (besides grsecurity and so on).

Best regards,

Jimini

----------

## depontius

No, in this case I saw Hardened as the easy entry point for SELinux under Gentoo.

----------

## Jimini

But then I simply do not understand what you mean with "I would suggest looking into Hardened Gentoo, instead". :\

Best regards,

Jimini

----------

## depontius

Your initial post left me with the impression that you were trying to roll SELinux on your own, installing it on top of regular Gentoo.  I suggested that hardened Gentoo would be a better starting point.

----------

## Jimini

Oh, then you got me wrong :)

I run a hardened kernel with the correct profile. SELinux seems to work so far; I just have problems with a few single applications that seem not to have the correct permissions.

Best regards,

Jimini

----------

## Jimini

Oh, now it seems so simple... I installed sys-process/audit, which brings a few useful applications like audit2allow. This program reads the denial messages from (e.g.) /var/log/audit/audit.log and creates type enforcement rules.

I'll wait a few days and keep an eye on that.

Best regards,

Jimini
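As an added example (not part of this thread, and not the code of audit2allow itself), the script below does the core of what audit2allow does to the denial lines from the first post: it parses each `avc: denied` record, groups the denials by source type, target type and object class, and renders each group as an `allow` rule in the syntax audit2allow emits. It also answers the "fix the labels or add rights?" question from a triage angle: groups whose source is a broad domain such as `initrc_t` or `sysadm_t` are flagged, because an allow rule there widens a general-purpose domain and the first thing to check is whether the program (squid running as `sysadm_t`, for instance) should have transitioned into its own domain. The sample input is four lines copied from the post plus one constructed line for a `squid_t` denial; the `BROAD_DOMAINS` set is an assumption of this example.

```python
import re
from collections import defaultdict

# Sample input: four denial lines copied from the first post, plus one
# constructed line (squid running in its own squid_t domain) for contrast.
SAMPLE_LOG = """\
Aleph kernel: [80079.723550] type=1400 audit(1359544352.143:2218): avc:  denied  { write } for  pid=14663 comm="iptstate" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_socket
Aleph kernel: [80079.723627] type=1400 audit(1359544352.143:2219): avc:  denied  { read } for  pid=14663 comm="iptstate" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_socket
Aleph kernel: [81387.625721] type=1400 audit(1359545662.073:2222): avc:  denied  { node_bind } for  pid=27109 comm="squid" scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket
Aleph kernel: [62146.934761] type=1400 audit(1359526391.561:1956): avc:  denied  { open } for  pid=1640 comm="eix" path="/var/lib/portage/world" dev="md1" ino=1348507 scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:portage_cache_t tclass=file
Aleph kernel: [90000.000000] type=1400 audit(1359550000.000:2300): avc:  denied  { name_bind } for  pid=28000 comm="squid" scontext=system_u:system_r:squid_t tcontext=system_u:object_r:http_cache_port_t tclass=tcp_socket
"""

# Matches the permission set and everything after "for" in an AVC record.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
# key=value pairs; quoted values may contain spaces and brackets.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# General-purpose domains (assumption of this example): a denial whose source
# is one of these usually means the program did not transition into its own
# domain, which is a labeling or init-script problem rather than a missing right.
BROAD_DOMAINS = {'initrc_t', 'sysadm_t', 'staff_t', 'unconfined_t'}


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:range]; the type is always the third field.
    return {
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm', '?'),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'path': fields.get('path'),
    }


def summarize(lines):
    """Group denials by (source type, target type, class), merging permissions."""
    rules = defaultdict(lambda: {'perms': set(), 'comms': set(), 'count': 0})
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (d['source_type'], d['target_type'], d['tclass'])
        rules[key]['perms'] |= d['perms']
        rules[key]['comms'].add(d['comm'])
        rules[key]['count'] += 1
    return dict(rules)


def render_rules(rules):
    """Render each group as an allow rule in the syntax audit2allow prints."""
    out = []
    for (src, tgt, cls), info in sorted(rules.items()):
        target = 'self' if tgt == src else tgt
        perms = ' '.join(sorted(info['perms']))
        comms = ', '.join(sorted(info['comms']))
        out.append(f"allow {src} {target}:{cls} {{ {perms} }};  # {info['count']} denial(s) from {comms}")
    return out


def triage(rules, broad_domains=BROAD_DOMAINS):
    """Return the groups whose source is a broad domain; review these before
    allowing anything, since the fix is often a transition, not a new rule."""
    return sorted(key for key in rules if key[0] in broad_domains)


if __name__ == '__main__':
    grouped = summarize(SAMPLE_LOG.splitlines())
    for rule in render_rules(grouped):
        print(rule)
    for src, tgt, cls in triage(grouped):
        print(f"review: {src} is a broad domain; should the program run in its own domain instead of {src}?")
```

Run on the sample, the two `iptstate` denials collapse into one `allow initrc_t self:netlink_socket { read write };` line, and every group except the constructed `squid_t` one is flagged for review, which matches the split the thread ends up at: denials from a daemon's own domain are candidates for a small local module, while denials from `initrc_t`, `sysadm_t` or `staff_t` are worth checking for a missing domain transition or file label first.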

----------

## depontius

I've always kind of felt that I should be running something like this, but it was always too intrusive to get started.  I'll be curious to learn from your experiences.

One of the bigger problems is that in a dual-boot setting, at least when one of the boots is non-SELinux and also has access to one or more of the SELinux partitions, whenever you boot back to the SELinux it feels compelled to re-label the entire partition.  That was one of the things that led me to turn it off.

----------

## Jimini

*depontius wrote:*

> I've always kind of felt that I should be running something like this, but it was always too intrusive to get started.  I'll be curious to learn from your experiences.

I guess I had this project on my to-do list for more than 5 years. I read a (German) book about it (http://www.amazon.de/SELinux-AppArmor-Mandatory-einsetzen-verwalten/dp/3827323630/ref=sr_1_1?ie=UTF8&qid=1359831038&sr=8-1), which explains the whole concept really well.

Afterwards, I set up the system using http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml and http://wiki.centos.org/HowTos/SELinux - but of course, you need some spare time for this stuff. Now I will check the logs over the next few days, until I switch to "Enforcing" mode.

*Quote:*

> One of the bigger problems is that in a dual-boot setting, at least when one of the boots is non-SELinux and also has access to one or more of the SELinux partitions, whenever you boot back to the SELinux it feels compelled to re-label the entire partition.  That was one of the things that led me to turn it off.

Hm... you could create the file /.autorelabel on shutdown. That way the whole filesystem gets relabeled when booting the SELinux OS.

Best regards,

Jimini

----------