IRC Logs from the #gentoo-hardened and #selinux IRC channels on FreeNode
2018-01-27 23:13:50 --> ilmostro (~ilmostro@unaffiliated/ilmostro) has joined #gentoo-hardened
2018-01-27 23:13:50 -- Topic set by Zorry (~quassel@gentoo/developer/zorry) on Wed, 06 Dec 2017 19:01:01
2018-01-27 23:13:51 -- Channel #gentoo-hardened: 270 nicks (9 ops, 38 voices, 223 normals)
2018-01-27 23:13:52 -- Channel created on Sun, 26 Nov 2006 00:42:49
2018-01-27 23:54:23 ilmostro Does anyone here know why the 17.0 SELinux profile is in "dev" still? I'm on a 17.0 systemd desktop profile right now. AFAICT, the stable selinux profile is part of the hardened, unversioned profile set. Has anyone used the 17.0 selinux profile successfully?
2018-01-28 00:29:20 ilmostro I come from a RHEL background, where, AFAIK, the default SELinux setup is "targeted" with "unconfined" domain enabled. After reading the wiki page for SELinux/Installation, I realize that might not be as secure as I had assumed. Alternatively, RHEL does offer MLS, which is experimental on Gentoo. The "strict" policy, however, apparently doesn't use the "unconfined" domain at all. I'd be interested
2018-01-28 00:29:20 ilmostro to get some input from current users of SELinux on Gentoo with regards to the recommended use on a Desktop, in terms of security vs. usability.
2018-01-28 00:41:08 R0b0t1 ilmostro: It works
2018-01-28 00:41:36 R0b0t1 ilmostro: Major policies tend to be usable, but you may still have odd issues e.g. Firefox not saving to anywhere besides ~/Downloads
2018-01-28 00:41:48 R0b0t1 If you know how to fix these there is not much of a problem
2018-01-28 00:46:21 ilmostro R0b0t1: "fixing" that would be changing fcontext labels, I presume?
2018-01-28 00:47:29 ilmostro or, it's a trivial procedure that doesn't require me to propose a code change lol is what I'm wondering
2018-01-28 00:51:16 R0b0t1 No changing policies, generally
2018-01-28 00:51:22 R0b0t1 No, changing policies, generally*
2018-01-28 00:51:30 R0b0t1 Sometimes that might involve relabeling of files
2018-01-28 01:09:24 R0b0t1 ilmostro: You can gain some amount of security on a desktop using targeted or MLS policies (for e.g. your sshd) but the vast majority of worrisome exploits would happen against your browser or other day-to-day desktop applications
2018-01-28 01:09:38 R0b0t1 So I'd recommend strict if possible
2018-01-28 01:22:34 ilmostro R0b0t1: got it; makes sense
2018-01-28 01:22:39 ilmostro thanks again
2018-01-28 01:25:20 ilmostro R0b0t1: have you, or perhaps anyone else available, used SELinux with the default profiles? i.e. not "hardened"
2018-01-28 01:26:08 ilmostro I'm assuming that should be possible as long as the kernel supports SELinux and everything else is configured as advised in Gentoo's wiki pages for SELinux
2018-01-28 01:35:19 @perfinion ilmostro: i prefer strict, (ie targeted without unconfined) unconfined should work fine tho if thats what you're used to
2018-01-28 01:36:02 @perfinion ilmostro: the hardened 17.0 selinux profile is marked stable, the non-hardened one may not be marked not sure
2018-01-28 01:36:15 @perfinion ilmostro: you can select it anyway tho if you want it
2018-01-28 01:37:23 @perfinion ilmostro: and strict works fine for my desktop stuff too. i personally think unconfined is just like a cop-out, if it doesnt work on strict, the policies need fixing
2018-01-28 01:38:20 @perfinion ilmostro: and by default firefox and chrome dont have wide access, but there are booleans for enabling read / rw access to the rest of stuff if you want
2018-01-28 01:38:44 @perfinion semanage boolean -l | grep mozilla
2018-01-28 01:39:10 @perfinion but i'd just use the hardened selinux profile, there isnt really much point to the non-hardened one
2018-01-28 01:39:19 @perfinion especially now that the grsec kernel is gone
2018-01-28 01:39:32 @perfinion the toolchain only has a few differences nowadays
2018-01-28 01:45:07 ilmostro perfinion: awesome stuff; thank you for your help. And, yeah, I definitely agree with the unconfined stuff. I was surprised that I had never realized the non-secure nature of the "unconfined" domain
2018-01-28 01:45:27 @perfinion yeah i really dont like it haha
2018-01-28 01:45:46 @perfinion i mean staff_t already has a LOT of access
2018-01-28 01:45:58 @perfinion theres really no need to give it everything else too
2018-01-28 01:49:16 ilmostro yup; otherwise, like you said, it should be covered by appropriate policy assignment or context
2018-01-28 01:53:48 @perfinion ilmostro: our xdg module is quite nice, it has types for ~/.config, ~/.cache/ etc and per-program within those and the booleans for allowing writes are all generated automatically by that module
2018-01-28 01:54:09 @perfinion ilmostro: so generally there should be a boolean for the common things
2018-01-28 01:54:27 @perfinion but yeah more complicated things its just a small policy update which you're probably already familiar with
2018-01-28 01:54:42 @perfinion or like, send me patches ;)
2018-01-28 01:56:17 ilmostro 👍 excellent; it's nice to have a place like this to bring up concerns or even notify of patches if needed.
2018-01-28 01:57:49 @perfinion yeah definitely
2018-01-28 01:58:12 @perfinion you can always just ping me and i'll see it eventually
2018-01-28 02:25:57 ilmostro nice; ty
2018-01-28 02:43:28 ilmostro interesting...I'm getting some problems rebuilding packages with SELinux in place and systemd
2018-01-28 02:49:20 @perfinion ilmostro: oh
2018-01-28 02:49:24 @perfinion ilmostro: its masked currently
2018-01-28 02:49:40 @perfinion there were some policy issues before and people broke their systems
2018-01-28 02:49:45 @perfinion it *should* work now tho
2018-01-28 02:50:07 @perfinion ilmostro: you'll have to unmask systemd in your profile
2018-01-28 02:50:27 ilmostro hmm...So, I'm going from "[18] default/linux/amd64/17.0/desktop/gnome/systemd (stable)" to " [13] default/linux/amd64/17.0/selinux (dev)"
2018-01-28 02:50:34 ilmostro that's sane enough, right?
2018-01-28 02:50:53 @perfinion ilmostro: and you want to keep using systemd or switch to openrc?
2018-01-28 02:51:02 ilmostro keep systemd
2018-01-28 02:52:06 @perfinion okay then mkdir /etc/portage/profile
2018-01-28 02:52:26 @perfinion then copy the stuff from the features/selinux dir that is masking systemd but reverse it instead
2018-01-28 02:53:00 ilmostro ok, thanks; I've got some ruby and python stuff in there already, so it should be similar
2018-01-28 02:53:26 @perfinion bug 528674
2018-01-28 02:53:28 willikins perfinion: https://bugs.gentoo.org/528674 "[TRACKER] Support systemd with SELinux"; Gentoo Linux, SELinux; CONF; swift:selinux
2018-01-28 02:53:52 @perfinion ilmostro: /etc/portage/profile/package.* is different from /etc/portage/package.* just to be clear
2018-01-28 02:53:58 @perfinion some things only exist in the profile one
2018-01-28 02:54:03 @perfinion like package.use.mask
2018-01-28 02:54:23 @perfinion the ones that exist in both (like package.unmask) you can put straight in /etc/portage
2018-01-28 02:55:17 @perfinion ilmostro: there were big issues before, so i had to mask it to stop people accidentally getting unbootable systems. it should work now tho but i havent tested so i havent unmasked
2018-01-28 02:55:44 ilmostro the ones that exist in both, e.g. systemd, can be added directly to "/etc/portage"?
2018-01-28 02:55:44 @perfinion if you get it all booting in enforcing mode and give me and changes to the policy that are required i'll unmask it
2018-01-28 02:55:53 @perfinion yep
2018-01-28 02:56:51 ilmostro so simply adding echo 'sys-apps/systemd' >> /etc/portage/package.unmask should work then
2018-01-28 02:57:09 @perfinion the systemd useflag is masked too
2018-01-28 02:57:28 @perfinion you'll probably need echo "-systemd" >> /etc/portage/profile/package.use.mask
2018-01-28 02:57:37 ilmostro ahh, gotcha
2018-01-28 02:58:05 @perfinion just look through the files in features/selinux and reverse them
2018-01-28 02:58:09 @perfinion either mask->unmask
2018-01-28 02:58:13 @perfinion or put a - in front
2018-01-28 03:01:03 ilmostro I'll have to back up a little first, though, now that I have the systemd USE flag enabled. For selinux-base-policy
2018-01-28 03:02:37 @perfinion ilmostro: you're following the selinux install guide on the wiki right?
2018-01-28 03:02:46 @perfinion ilmostro: there are a few steps where order matters, make sure you follow it
2018-01-28 03:02:47 ilmostro yeah...cause the selinux-base as well as selinux-base-policy packages display the systemd USE flag now. I'll have to make sure other packages that were pulled in as dependencies also have the systemd USE flag set correctly
2018-01-28 03:02:54 ilmostro yeah
2018-01-28 03:02:58 @perfinion yeah cool
2018-01-28 14:56:05 -- Channel #gentoo-hardened: 274 nicks (9 ops, 38 voices, 227 normals)
2018-01-28 14:56:07 -- Channel created on Sun, 26 Nov 2006 00:42:49
2018-01-28 14:58:21 ilmostro1 perfinion: the move to SELinux on 17.0 profile with systemd worked correctly. I just booted into it after a lengthy rebuild procedure; still working on relabeling stuff
2018-01-28 15:07:31 ilmostro1 I've had to make sure to exclude the "qt3support" USE flag for some qt applications; not sure if/how that's related, but that took a while to sort out. Specifically, dev-qt/qt-meta and dev-qt/qtcore
2018-01-28 15:09:57 ilmostro1 One more thing worth mentioning, along with the parts about unmasking systemd that we mentioned last night, is to perhaps add a reminder to the wiki page to exclude backups directory or unmount that before applying security contexts across the system; in case restoration is needed, I'm not sure if the added security contexts to backups that were created before the move to SELinux would pose a problem
2018-01-28 15:10:50 ilmostro1 aside from that, I would say that systemd should be safe to unmask with SELinux. I'll provide additional info based on my findings if needed
2018-01-28 16:30:34 ilmostro I'm still working on finalizing SELinux with systemd and 17.0 profiles. No issues thus far, as the system is in Permissive mode still. It may be necessary to adjust/add policies for systemd-networkd; though, I haven't gotten that far yet
2018-01-28 19:11:05 ilmostro another item worth adding to the wiki selinux installation page: echo '-selinux' >> /etc/portage/profile/use.stable.mask as well as the previously-discussed "-systemd" to unmask systemd
2018-01-29 01:45:54 @perfinion ilmostro: awesome to hear its working!
2018-01-29 01:46:07 @perfinion ilmostro: in full enforcing mode?
2018-01-29 01:46:15 @perfinion ilmostro: and strict?
2018-01-29 01:47:15 @perfinion ilmostro: once you've gotten it all up and running, can you show me any denials from a full reboot and any policy modifications you had to make?
2018-01-29 02:22:50 ilmostro perfinion: I'm actually still working on resolving some stuff. Although most things are handled by the appropriate booleans, there are some things that I'm still trying to figure out.
2018-01-29 02:23:38 ilmostro The wiki page suggests that with systemd the tmpfs changes in fstab for /tmp and /run may not be needed, but the avc denials kept pointing to tmpfs
2018-01-29 02:23:55 ilmostro I'm still working on it, so I'll have to get back to you on that
2018-01-29 02:30:12 ilmostro I'm still trying to figure out how to deal with pam_selinux with gnome/gdm and systemd
2018-01-29 02:38:54 ilmostro might be tied to PAM; i.e. pam_selinux, pam_systemd, and pam_gdm
2018-01-29 04:01:16 @perfinion okay cool
2018-01-29 04:01:40 @perfinion if you forcefully add the rootcontext= line to fstab it may help
2018-01-29 04:01:48 @perfinion but i think systemd mounts it super early
2018-01-29 04:02:09 @perfinion and you cant mount -o remount,rootcontext= so not sure how systemd handles that
2018-01-29 04:36:32 ilmostro also, the root filesystem is XFS. I see that there's an selinux policy for XFS. I'm not sure what that's about; I'm wondering if/how that affects things as well
2018-01-29 04:39:46 ilmostro FWIW, there's an "tmp.mount" systemd service, which has the Exec line (ExecMount, actually) set to tmpfs. Maybe I can change that around to avoid using tmpfs
2018-01-29 04:42:18 ilmostro actually, that's not necessary, as the options from /etc/fstab are implemented in that ExecMount line; which includes the rootfscontext
2018-01-29 04:45:38 ilmostro Still remaining, however, are issues with users; specifically, systemd creates session directories for users under "/run/". While "/run" itself is mounted as instructed in the wiki and in fstab, the subsequent session directories have "systemd_sessions_var_run_t" fcontext. The "gnome-shell" process tries to access those directories and gets denied by SELinux
2018-01-29 04:50:21 ilmostro I'm checking on RHEL and Fedora to get a better idea how they use PAM and the relevant modules
2018-01-29 04:52:06 ilmostro I do see that /etc/pam.d/gdm-launch-environment and system-auth have "-session optional pam_systemd.so"; whereas /etc/pam.d/systemd-user shows "session optional pam_systemd.so"
2018-01-29 04:53:28 ilmostro might be in need of tweaking; though, I have to make sure it retains the intended effect, and doesn't break things in the process
2018-01-29 04:54:17 ilmostro actually, strike the previous comments about the pam_systemd stuff; same thing on Fedora
2018-01-29 04:58:02 @perfinion ilmostro: http://dpaste.com/1QKZRAF these are the contexts on /run/user/ for me, see which are different
2018-01-29 04:58:18 @perfinion consolekit relabels stuff when it mounts the /run/user/1000 dirs
2018-01-29 04:58:34 @perfinion logind is supposed to do the same im pretty sure
2018-01-29 05:00:56 ilmostro yeah, the "/run/user/0" and "/run/user/115" directories have "user_runtime_t" fcontext. However, I'm not sure why gnome-shell is trying to access "/run/systemd/session/"
2018-01-29 05:01:47 @perfinion okay if you manually just restorecon the dirs does it get further?
2018-01-29 05:02:19 @perfinion like restorecon -rFv /run/user
2018-01-29 05:02:26 @perfinion or just all of /run i guess
2018-01-29 05:04:13 ilmostro I've tried that before as well, btw.
2018-01-29 05:04:33 ilmostro https://paste.pound-python.org/show/qjYu6HALWDRrQjleibe0
2018-01-29 05:04:51 ilmostro that looks weird when compared to your results
2018-01-29 05:05:27 ilmostro rlpkg pulseaudio makes no difference
2018-01-29 05:05:33 ilmostro ^ e.g.
2018-01-29 05:08:30 ilmostro the last line in "/usr/share/selinux/strict/pulseaudio.pp" shows that "/run/user/%{USERID}/pulse(/.*)?" should have the "pulseaudio_tmp_t" fcontext
2018-01-29 05:09:12 ilmostro maybe there's some USE flag missing in one of the SELinux tools. IIRC, selinux-python had an unset "pcre" USE flag
2018-01-29 05:10:15 +gienah I'm running selinux in enforcing mode, would it be best to start with a hardened selinux stage3 to setup a chroot for testing ebuilds before committing them to portage?
2018-01-29 05:10:52 ilmostro perfinion: **actually that was the "libselinux" package with an unset "pcre2" USE flag
2018-01-29 05:12:07 @perfinion pcre2 means use libpcre2 instead of libpcre1, it doesnt change much featurewise
2018-01-29 05:12:25 ilmostro :(
2018-01-29 05:12:32 ilmostro red herring
2018-01-29 05:12:32 @perfinion gienah: cant you just test on the main system then/
2018-01-29 05:12:33 @perfinion ?
2018-01-29 05:13:14 +gienah I guess, except my main system is unstable and I thought I should start testing with mostly stable stuff
2018-01-29 05:19:59 ilmostro perfinion: the avc denials after doing "setenforce 1" while gdm was running at login screen: http://bpaste.net/show/7aa700f6f342
2018-01-29 05:22:53 ilmostro it starts with "dbus-daemon" avc denials; then, the "path" is weird, presumably dbus-related. "comm="gnome-shell" path=2F746D702F2E676C44474A30556F202864656C6574656429 dev="tmpfs""
2018-01-29 05:30:59 ilmostro actually those are of fcontext "xdm_tmp_t", which are restricted to "/tmp/.ICE-unix" and "/tmp/.X11-unix"
2018-01-29 05:36:27 @perfinion gienah: oooh, in that case a chroot works, selinux isnt really any different for those, other than inside the chroot it appears as if selinux is disabled
2018-01-29 05:36:35 @perfinion so if that was the part you wanted to test its not as good haha
2018-01-29 05:37:20 @perfinion ilmostro: $ sepathdecode 2F746D702F2E676C44474A30556F202864656C6574656429
2018-01-29 05:37:31 @perfinion /tmp/.glDGJ0Uo (deleted)
2018-01-29 05:37:38 @perfinion ilmostro: its an FFI thing probably
2018-01-29 05:38:08 +gienah perfinion: neat, thanks
2018-02-01 19:44:55 --> ilmostro (~ilmostro@unaffiliated/ilmostro) has joined #selinux
2018-02-01 19:44:55 -- Topic for #selinux is "English channel about NSA Security Enhanced Linux. (Denna kanal engelsk, #linux.se e svensk.) Please be patient, we're not always here, but we do like to chat so hang around. FAQ: http://www.crypt.gen.nz/selinux/faq.html | SE Linux News Portal: http://selinuxnews.org/ | Planet SE Linux: http://selinuxnews.org/planet/ | http://reddit.com/r/selinux"
2018-02-01 19:44:55 -- Topic set by pebenito (~pebenito@gentoo/developer/pebenito) on Fri, 31 May 2013 07:15:48
2018-02-01 19:44:56 -- Channel #selinux: 169 nicks (1 op, 0 voices, 168 normals)
2018-02-01 19:44:58 -- Channel created on Sun, 26 Nov 2006 00:42:40
2018-02-01 19:49:54 ilmostro anyone here who's worked on systemd's ability to act as SELinux Access Manager (as described in RHEL docs)? I wonder if those changes were made inside systemd itself (upstream) or if further changes are needed outside of systemd to make systemd interact both with SELinux and the Kernel in Enforcing mode
2018-02-01 19:50:15 * ilmostro trying to help SELinux + systemd set up on/for Gentoo
2018-02-01 19:51:32 ilmostro I suspect it's a matter of writing correct policies only; though, it doesn't hurt to ask here, too
2018-02-01 21:42:31 perfinion ilmostro: IooNag has done a bunch on getting the policies working on arch so probably knows a bunch
2018-02-01 21:44:36 ilmostro perfinion: thanks; I'll be here on and off awaiting to get further input from people with experience. It's a bit more complex as it involves two projects that affect the entire system; i.e. SELinux + systemd
2018-02-01 21:44:52 perfinion yeah hehe
2018-02-01 21:45:08 perfinion i *think* arch works mostly now with refpolicy
2018-02-01 21:45:21 perfinion so its probably not much to get gentoo working properly
2018-02-01 21:45:41 perfinion and you seem willing to do the work so i'll help in any way i can :)
2018-02-01 21:46:37 perfinion ilmostro: if you get it booting to a console fully without X that would be enough for me to lift the mask on it which would make the rest of the work less annoying
2018-02-01 21:47:00 perfinion and i suspect that getting gnome to work would be a bunch more work on top of that
2018-02-01 21:48:38 ilmostro perfinion: oh, that's done; you can remove the mask on systemd. I'm working on getting X working in enforcing mode
2018-02-01 21:48:55 perfinion oh okay
2018-02-01 21:49:14 perfinion ilmostro: and you can login as both normal user and root no problem?
2018-02-01 21:49:16 ilmostro yeah, that's been done almost immediately
2018-02-01 21:49:18 perfinion and get into the right domains?
2018-02-01 21:49:21 perfinion cool
2018-02-01 21:49:28 perfinion were there any policy changes needed?
2018-02-01 21:49:47 ilmostro perfinion: I'm working on getting the root user set up correctly still, as the login for it seems incorrect
2018-02-01 21:49:51 perfinion or in general any config settings that we should document in the wiki?
2018-02-01 21:50:26 ilmostro perfinion: I think I mentioned a number of items in #gentoo-hardened, but for the most part it was just a matter of working around the systemd mask, tbh
2018-02-01 21:50:49 perfinion ilmostro: yeah other than the mask i mean, once i kill that it'll be easy
2018-02-01 21:50:52 ilmostro as of right now, the root user logs in with "unconfined*" stuff
2018-02-01 21:51:00 perfinion oooh
2018-02-01 21:51:02 ilmostro perfinion: yup
2018-02-01 21:51:07 perfinion ilmostro: you are on targeted or strict?
2018-02-01 21:51:21 ilmostro I started out with strict, then changed to MLS
2018-02-01 21:51:39 ilmostro undoing the changes, the redoing it as in the wiki to configure MLS
2018-02-01 21:51:40 perfinion ilmostro: mLs or mCs? MLS almost definitely does not work
2018-02-01 21:51:51 perfinion ilmostro: MCS works great tho and i recommend it
2018-02-01 21:52:26 perfinion ilmostro: i have MLS working in a VM with openrc but its the kind of thing that requires shenanigans even in normal daily use
2018-02-01 21:52:47 perfinion ilmostro: what does your id -Z say?
2018-02-01 21:53:01 ilmostro perfinion: one item I notice, when compared to my RHEL setup, is that "semanage login -l" does not list "root" user in Gentoo. I've tried adding it, but keep getting errors. Still working to see where the problem is
2018-02-01 21:53:06 perfinion this is what i have as root in MCS: staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
2018-02-01 21:53:56 ilmostro perfinion: when logged in as root, it shows "unconfined_u:unconfined_r:unconfined_t:s0"
2018-02-01 21:54:01 perfinion ilmostro: http://dpaste.com/0W1ANJQ this is my stuff for MCS
2018-02-01 21:54:31 perfinion ilmostro: okay two ways to fix that, either you remove the unconfined useflag and it wont install the module at all, or you modify semanage login
2018-02-01 21:54:42 ilmostro perfinion: when I log in through the admin user, switching roles before "su", then the correct labels are in place for root
2018-02-01 21:54:46 perfinion ilmostro: show me those commands for your system
2018-02-01 21:55:13 perfinion ilmostro: oh, you know about sudo -r sysadm_r -t sysadm_t -s right?
2018-02-01 21:55:34 perfinion alternatively put this in your sudoers: %wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
2018-02-01 21:55:57 ilmostro perfinion: I've done newrole -rsysadm_r ; then su
2018-02-01 21:56:17 perfinion ilmostro: yeah thats the manual way and works too just longer haha
2018-02-01 21:56:49 perfinion so that from normal user gets to root in the sysadm_t domain just fine in enforcing?
2018-02-01 21:57:00 ilmostro perfinion: I've tried adding the root login to the unconfined_u user, to reflect the stuff on my RHEL system. However, that runs in targeted mode with unconfined allowed
2018-02-01 21:57:12 ilmostro perfinion: yeah
2018-02-01 21:57:15 perfinion and logging in from the console as root gets you to unconfined_t?
2018-02-01 21:57:34 ilmostro perfinion: but the system doesn't know the "root" user's "HOME"
2018-02-01 21:57:40 ilmostro in enforcing
2018-02-01 21:57:47 ilmostro yea
2018-02-01 21:58:14 perfinion ilmostro: /etc/selinux/mcs/contexts/users/root edit that, move unconfined to the end of the lines
2018-02-01 21:58:40 perfinion ilmostro: that file says what order it should try when the user logs in, it finds that unconfined is valid first so goes with it
2018-02-01 21:59:01 perfinion you could remove it completely but i dont wanna break your system if something happens to require it till you're completely switched over
2018-02-01 21:59:26 ilmostro oh, I did add "/etc/selinux/mls/contexts/systemd_context" with "runtime=systemd_u:object_r:systemd_runtime_unit_filet:s0"
2018-02-01 21:59:56 ilmostro as it was missing anything related to "systemd"
2018-02-01 22:00:22 perfinion oh huh
2018-02-01 22:00:46 perfinion do you have an RHEL system handy?
2018-02-01 22:00:49 ilmostro there are 2 files related to "openrc"/"run_t", which I've tried removing (with backups in place), in case that was interfering with systemd's "init" stuff
2018-02-01 22:00:59 perfinion can you show me find /etc/selinux -type f | sort
2018-02-01 22:01:01 ilmostro yeah, I'm on weechat on the RHEL system right now
2018-02-01 22:01:09 ilmostro sure
2018-02-01 22:01:33 perfinion i didnt know systemd had a context file that might be new
2018-02-01 22:02:09 perfinion is there anywhere that describes what the file should contain and why?
2018-02-01 22:02:25 perfinion im guessing its how systemd looks up what to label something in /run?
2018-02-01 22:03:25 ilmostro I'll check on that; here's the "find" output url: https://ptpb.pw/YLQE
2018-02-01 22:04:36 perfinion ilmostro: systemd_runtime_unit_file_t does not exist in refpolicy at all
2018-02-01 22:05:16 ilmostro hmm, let me see what's labeled with that. Maybe it's a process label
2018-02-01 22:05:16 perfinion ilmostro: the systemd stuff was changed a bit when it was upstreamed so the types changed names sometimes
2018-02-01 22:06:16 perfinion well it should be a unit file on disk from the naming conventions
2018-02-01 22:06:39 ilmostro yeah; still...checking to make sure :p
2018-02-01 22:08:41 ilmostro actually, I don't see that on RHEL7 either
2018-02-01 22:08:54 ilmostro but that file IS provided by the targeted policy RPM
2018-02-01 22:09:15 ilmostro maybe not needed (yet)
2018-02-01 22:09:28 ilmostro it's also the same thing on a Fedora 27 system, btw
2018-02-01 22:10:51 perfinion check in /run/tmpfiles.d/ ? or maybe its one of those units made by the systemd generators, probably in /run but i dunno what path
2018-02-01 22:11:47 ilmostro perfinion: but "find / -context "systemd_runtime_unit_file_t" would've found it
2018-02-01 22:12:00 ilmostro also, "semanage fcontext -l "
2018-02-01 22:13:15 perfinion ilmostro: i think you need -context "*:systemd....", it matches the full thing including the system_u part
2018-02-01 22:13:38 perfinion it was added to the selinux libraries in 2013
2018-02-01 22:13:44 perfinion it might be obsolete?
2018-02-01 22:13:51 perfinion ce2a8848ad45e375cfdb58cebe28bc12431bb3db that commit
2018-02-01 22:14:00 ilmostro but it's still on a Fedora27 system; that's curious
2018-02-01 22:14:16 perfinion https://github.com/SELinuxProject/selinux/commit/ce2a8848ad45e375cfdb58cebe28bc12431bb3db
2018-02-01 22:14:51 perfinion generated unit files yeah makes sense
2018-02-01 22:15:44 ilmostro yeah, good call
2018-02-01 22:16:24 perfinion try giving this a shot: systemd_unit_t
2018-02-01 22:16:31 ilmostro ohh, another thing that I've observed, issues with "journald" with the "syslogd_t" context
2018-02-01 22:16:41 ilmostro journald has issues while in enforcing mode :(
2018-02-01 22:16:45 perfinion it exists in the policy and it looks like one of the base ones so should work
2018-02-01 22:16:49 perfinion oh huh
2018-02-01 22:17:08 perfinion i seem to recall something about that, maybe IooNag had sent patches for that
2018-02-01 22:17:37 perfinion oh right, logging in over SSH works too right?
2018-02-01 22:18:02 ilmostro let me test that; I've made the changes as instructed in the wiki pages, I think
2018-02-01 22:18:37 perfinion ilmostro: the most important thing to drop the masks is that you're able to get in to the machine and setenforce 0, cuz tehn people have a shot at fixing their machines
2018-02-01 22:18:57 perfinion so console and ssh as normal and root is plenty, dont need X
2018-02-01 22:19:13 ilmostro ssh works while in permissive right now
2018-02-01 22:19:13 ilmostro yeah, that's all fine
2018-02-01 22:19:36 ilmostro I haven't tried to ssh as root, as I normally disallow that anyway, tbh
2018-02-01 22:19:39 perfinion well ssh has never been any problems for me ever so i dont see why systemd would affect it
2018-02-01 22:19:44 perfinion yeah thats fine
2018-02-01 22:19:45 ilmostro but as the "admin"-level user, it works as before
2018-02-01 22:19:51 perfinion okay i'll drop the masks then cool
2018-02-01 22:20:03 ilmostro ok, thanks for staying on top of this, too :)
2018-02-01 22:20:40 perfinion hehe i havent really :P been too lazy to setup a VM and get it all working for months :P
2018-02-01 22:21:19 ilmostro well, you've been helping me throughout; and working on removing that mask. That's very much appreciated :)
2018-02-01 22:21:36 perfinion ilmostro: so there was no need for any fstab rootcontext= or anything?
2018-02-01 22:22:21 ilmostro at first, with strict mode, I had that in place. I ended up commenting it out while in MLS, as there's a boolean, IIRC, that allows that to take care of the fcontext
2018-02-01 22:22:41 ilmostro "systemd_tmpfiles_manage_all"
2018-02-01 22:22:57 perfinion ilmostro: oh hmm https://bugs.gentoo.org/528674#c15 does shutdown work for you?
2018-02-01 22:23:01 ilmostro that allows systemd to handle the tmpfs stuff
2018-02-01 22:23:28 perfinion yeah tmpfiles manage all is fine haha
2018-02-01 22:23:30 ilmostro it works in permissive; there were a few times (in the beginning) while in enforcing mode where I've had to do "/sbin/reboot -f"
2018-02-01 22:24:07 perfinion oh hmm
2018-02-01 22:24:47 ilmostro one more thing I've noticed on RHEL system, in "/etc/semanage.conf" file, at the end, there's "ignoredirs=/root"
2018-02-01 22:25:23 ilmostro I just added it, in hopes of resolving issues in enforcing mode with root's HOME directory (where the system doesn't know where "root"'s home directory is)
2018-02-01 22:25:39 perfinion also where have you been documenting any changes needed to get things working? when its all said and done we can go through and i'll commit anything needed and the rest can go on the wiki
2018-02-01 22:25:44 ilmostro but, again, that's on RHEL system with "targeted" mode in place
2018-02-01 22:26:15 perfinion ignoredirs= i think means i wont set contexts on /root
2018-02-01 22:26:19 perfinion it* wont
2018-02-01 22:26:29 ilmostro most of the documentation has been in the #gentoo-hardened channel; otherwise, I'm still working on figuring out what's truly needed and what's just a red herring
2018-02-01 22:27:28 ilmostro perfinion: yeah, based on the name, that makes sense. However, on my RHEL system the fcontext is "admin_home_t" while on Gentoo it's misconfigured.
2018-02-01 22:27:55 ilmostro actually, I should really switch back to strict mode, as that stuff is only an issue on MLS policy
2018-02-01 22:28:15 ilmostro most of the things with the "root" user are only on MLS policy
2018-02-01 22:28:24 ilmostro strict policy works much better, tbh
2018-02-01 22:29:15 perfinion ilmostro: switch to MCS instead
2018-02-01 22:29:20 ilmostro I might try out targeted policy next, actually, so that I have a more 1:1 comparison with my other systems (RHEL7, CentOS7, and Fedora27)
2018-02-01 22:29:35 perfinion MLS is like for super military level secret stuff
2018-02-01 22:29:39 ilmostro just while I'm figuring things out
2018-02-01 22:29:49 perfinion yeah that works too
2018-02-01 22:30:39 perfinion MCS and strict are almost identical, the category stuff is opt-in so it only applies to certain domains (like the libvirt and qemu stuff)
2018-02-01 22:31:00 perfinion so other than those its identical to strict except with the stuff at the end of everything haha
2018-02-01 22:31:02 ilmostro I'll keep you posted in #gentoo-hardened channel. I'll try to document these things a little better. Although, for the most part, I add it to the IRC channel first, which allows you and others with experience to review it if it's truly needed or if it's irrelevant
2018-02-01 22:31:35 perfinion ilmostro: and if you do switch policies, make sure you label the stuff underneath your mounts too (like under /dev and whatnot) there is a snippet in the wiki
2018-02-01 22:31:56 perfinion you just bind mount / to /mnt/gentoo then setfiles -r /mnt/gentoo and it does it as thats the root
2018-02-01 22:32:10 ilmostro yeah, I've been doing that so far. Thank you
2018-02-01 22:32:32 perfinion ilmostro: yeah sounds good, just keep a text file too in case it gets lost in the history haha
2018-02-01 22:33:09 ilmostro ok, cool. I think I have logs setup for my weechat. I'll work on retrieving those now to put in a text file
2018-02-01 22:33:34 perfinion yeah i have logs too if needed
2018-02-01 22:33:44 perfinion im just worried about overlooking something haha
2018-02-01 22:34:21 ilmostro yeah, I'll traverse the logs right now and clean it up before creating a text file with relevant info
2018-02-01 22:35:55 perfinion cool, thanks
In targeted mode, X server works when started with startx from tty.
- Installed selinux-xfs for XFS filesystem
- Installed selinux-automount
- Installed selinux-avahi
- Installed selinux-backup
- Installed selinux-cgroup
- Installed selinux-tcpd
- Installed selinux-evolution (for some reason it wasn't pulled in as dependency) with gnome desktop installed
- Installed selinux-games (in hopes of dealing with steam installation)
- Installed selinux-git (not installed as dependency)
- Installed selinux-gpm (not installed as dependency) with sys-libs/gpm installed
- Installed selinux-links (not installed as dep)
- Installed selinux-loadkeys (not installed as dep)
- Installed selinux-networkmanager (not installed as dep)
- Installed selinux-resolvconf (hoping that's not just for openresolv but also for systemd-resolved)
The "/dev/nvidia*" character file types need to be relabeled upon reboot. This can be achieved through the use of tmpfiles.d or systemd-tmpfiles. (Automatic relabeling still doesn't work until running systemctl restart systemd-tmpfiles-setup-dev.service manually.)
echo 'Z /dev/nvidia*' > /etc/tmpfiles.d/nvidia.conf
semanage fcontext -a -t user_tmp_t "/tmp/.X11-unix(/.*)?"
restorecon -Rv /tmp/.X11-unix
- SELinux Boolean: setsebool -P systemd_tmpfiles_manage_all on allows /tmp to be relabeled by systemd without needing to edit /etc/fstab
20180203
Status update: With "targeted" SELinux policy on Gentoo with systemd, and SELinux in "Enforcing" mode, gdm is able to display the login screen. However, the login session is not able to proceed, with the following errors.
selinux denials and audit logs upon gdm login session:
[ 6.305718] audit: initializing netlink subsys (disabled)
[ 6.305739] audit: type=2000 audit(1517647500.860:1): initialized
[ 14.051219] audit: type=1403 audit(1517647508.600:2): policy loaded auid=4294967295 ses=4294967295
[ 14.396054] audit: type=1400 audit(1517647508.940:3): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:systemd-journald.service" dev="tmpfs" ino=17542 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=1
[ 14.399638] audit: type=1400 audit(1517647508.950:4): avc: denied { getattr } for pid=5945 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:init_t tclass=process permissive=1
[ 14.432699] audit: type=1400 audit(1517647508.980:5): avc: denied { getattr } for pid=6420 comm="systemd-tmpfile" name="/" dev="devtmpfs" ino=1025 scontext=system_u:system_r:systemd_tmpfiles_t tcontext=system_u:object_r:device_t tclass=filesystem permissive=1
[ 14.444561] audit: type=1400 audit(1517647508.990:6): avc: denied { getattr } for pid=6424 comm="systemd-udevd" path="/etc/systemd/network" dev="dm-1" ino=560720 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
[ 14.446830] audit: type=1400 audit(1517647508.990:7): avc: denied { read } for pid=6424 comm="systemd-udevd" name="network" dev="dm-1" ino=560720 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
[ 14.448733] audit: type=1400 audit(1517647508.990:8): avc: denied { open } for pid=6424 comm="systemd-udevd" path="/etc/systemd/network" dev="dm-1" ino=560720 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
[ 14.610627] audit: type=1400 audit(1517647509.160:9): avc: denied { search } for pid=7974 comm="alsactl" name="root" dev="dm-1" ino=100903563 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t tclass=dir permissive=1
[ 14.613943] audit: type=1400 audit(1517647509.160:10): avc: denied { search } for pid=7948 comm="systemd-udevd" name="/" dev="efivarfs" ino=35880 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:efivarfs_t tclass=dir permissive=1
[ 14.663233] audit: type=1400 audit(1517647509.210:11): avc: denied { getattr } for pid=7982 comm="alsactl" path="/root" dev="dm-1" ino=100903563 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t tclass=dir permissive=1
[ 35.221044] audit_printk_skb: 117 callbacks suppressed
[ 35.221045] audit: type=1400 audit(1517647529.770:51): avc: denied { execute } for pid=8726 comm="login" name="gnome-keyring-daemon" dev="dm-1" ino=604120847 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:gkeyringd_exec_t tclass=file permissive=1
[ 35.221231] audit: type=1400 audit(1517647529.770:52): avc: denied { transition } for pid=8726 comm="login" path="/usr/bin/gnome-keyring-daemon" dev="dm-1" ino=604120847 scontext=system_u:system_r:local_login_t tcontext=staff_u:staff_r:staff_gkeyringd_t tclass=process permissive=1
[ 35.221862] audit: type=1400 audit(1517647529.770:53): avc: denied { read } for pid=8726 comm="gnome-keyring-d" path="pipe:[37214]" dev="pipefs" ino=37214 scontext=staff_u:staff_r:staff_gkeyringd_t tcontext=system_u:system_r:local_login_t tclass=fifo_file permissive=1
[ 35.221950] audit: type=1400 audit(1517647529.770:54): avc: denied { write } for pid=8726 comm="gnome-keyring-d" path="pipe:[37215]" dev="pipefs" ino=37215 scontext=staff_u:staff_r:staff_gkeyringd_t tcontext=system_u:system_r:local_login_t tclass=fifo_file permissive=1
[ 35.222034] audit: type=1400 audit(1517647529.770:55): avc: denied { rlimitinh } for pid=8726 comm="gnome-keyring-d" scontext=system_u:system_r:local_login_t tcontext=staff_u:staff_r:staff_gkeyringd_t tclass=process permissive=1
[ 35.222107] audit: type=1400 audit(1517647529.770:56): avc: denied { siginh } for pid=8726 comm="gnome-keyring-d" scontext=system_u:system_r:local_login_t tcontext=staff_u:staff_r:staff_gkeyringd_t tclass=process permissive=1
[ 35.234108] audit: type=1107 audit(1517647529.780:57): pid=8057 uid=109 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=GetSession dest=org.freedesktop.login1 spid=8728 tpid=8054 scontext=staff_u:staff_r:staff_gkeyringd_t tcontext=system_u:system_r:systemd_logind_t tclass=dbus permissive=1
[ 35.234393] audit: type=1107 audit(1517647529.780:58): pid=8057 uid=109 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_return dest=:1.10 spid=8054 tpid=8728 scontext=system_u:system_r:systemd_logind_t tcontext=staff_u:staff_r:staff_gkeyringd_t tclass=dbus permissive=1
[ 35.235377] audit: type=1400 audit(1517647529.780:59): avc: denied { sigchld } for pid=8120 comm="login" scontext=staff_u:staff_r:staff_gkeyringd_t tcontext=system_u:system_r:local_login_t tclass=process permissive=1
[ 53.259043] audit: type=1107 audit(1517647547.800:60): pid=8057 uid=109 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_return dest=:1.7 spid=9032 tpid=8094 scontext=system_u:system_r:systemd_hostnamed_t tcontext=system_u:system_r:init_t tclass=dbus permissive=1
[ 59.064282] audit: type=1400 audit(1517647553.610:61): avc: denied { search } for pid=8054 comm="systemd-logind" name="9035" dev="proc" ino=3953 scontext=system_u:system_r:systemd_logind_t tcontext=staff_u:sysadm_r:sysadm_su_t tclass=dir permissive=1
[ 59.065766] audit: type=1400 audit(1517647553.610:62): avc: denied { read } for pid=8054 comm="systemd-logind" name="cgroup" dev="proc" ino=35315 scontext=system_u:system_r:systemd_logind_t tcontext=staff_u:sysadm_r:sysadm_su_t tclass=file permissive=1
[ 59.068631] audit: type=1400 audit(1517647553.610:63): avc: denied { open } for pid=8054 comm="systemd-logind" path="/proc/9035/cgroup" dev="proc" ino=35315 scontext=system_u:system_r:systemd_logind_t tcontext=staff_u:sysadm_r:sysadm_su_t tclass=file permissive=1
[ 59.071739] audit: type=1400 audit(1517647553.620:64): avc: denied { getattr } for pid=8054 comm="systemd-logind" path="/proc/9035/cgroup" dev="proc" ino=35315 scontext=system_u:system_r:systemd_logind_t tcontext=staff_u:sysadm_r:sysadm_su_t tclass=file permissive=1
[ 59.077478] audit: type=1400 audit(1517647553.620:65): avc: denied { read } for pid=9035 comm="su" name=".private" dev="tmpfs" ino=35293 scontext=staff_u:sysadm_r:sysadm_su_t tcontext=system_u:object_r:tmp_t tclass=dir permissive=1
[ 59.080627] audit: type=1400 audit(1517647553.630:66): avc: denied { open } for pid=9035 comm="su" path="/tmp/.private" dev="tmpfs" ino=35293 scontext=staff_u:sysadm_r:sysadm_su_t tcontext=system_u:object_r:tmp_t tclass=dir permissive=1
[ 59.083870] audit: type=1400 audit(1517647553.630:67): avc: denied { write } for pid=9035 comm="su" name=".private" dev="tmpfs" ino=35293 scontext=staff_u:sysadm_r:sysadm_su_t tcontext=system_u:object_r:tmp_t tclass=dir permissive=1
[ 59.086975] audit: type=1400 audit(1517647553.630:68): avc: denied { add_name } for pid=9035 comm="su" name="root" scontext=staff_u:sysadm_r:sysadm_su_t tcontext=system_u:object_r:tmp_t tclass=dir permissive=1
[ 59.090185] audit: type=1400 audit(1517647553.630:69): avc: denied { create } for pid=9035 comm="su" name="root" scontext=staff_u:sysadm_r:sysadm_su_t tcontext=staff_u:object_r:tmp_t tclass=dir permissive=1
[ 59.093546] audit: type=1400 audit(1517647553.640:70): avc: denied { read } for pid=9035 comm="su" name="root" dev="tmpfs" ino=35320 scontext=staff_u:sysadm_r:sysadm_su_t tcontext=staff_u:object_r:tmp_t tclass=dir permissive=1
[ 161.675192] audit_printk_skb: 6 callbacks suppressed
[ 161.675193] audit: type=1107 audit(1517647656.220:73): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/etc/systemd/system/systemd-tmpfiles-setup-dev.service" cmdline="" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:object_r:etc_t tclass=service permissive=1
[ 192.395269] audit: type=1400 audit(1517647686.940:74): avc: denied { getattr } for pid=6424 comm="systemd-udevd" path="/etc/systemd/network" dev="dm-1" ino=560720 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
[ 192.395636] audit: type=1400 audit(1517647686.940:75): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:gdm.service" dev="tmpfs" ino=9840 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=1
[ 193.484482] audit: type=1400 audit(1517647688.030:76): avc: denied { getattr } for pid=5945 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:xdm_t tclass=process permissive=1
[ 193.484530] audit: type=1400 audit(1517647688.030:77): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:session-c1.scope" dev="tmpfs" ino=16126 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=1
[ 193.954101] audit: type=1400 audit(1517647688.500:78): avc: denied { use } for pid=9257 comm="gdbus" path="/run/systemd/inhibit/1.ref" dev="tmpfs" ino=17173 scontext=system_u:system_r:devicekit_power_t tcontext=system_u:system_r:systemd_logind_t tclass=fd permissive=1
[ 193.954114] audit: type=1400 audit(1517647688.500:79): avc: denied { write } for pid=9257 comm="gdbus" path="/run/systemd/inhibit/1.ref" dev="tmpfs" ino=17173 scontext=system_u:system_r:devicekit_power_t tcontext=system_u:object_r:systemd_logind_var_run_t tclass=fifo_file permissive=1
[ 195.043922] audit: type=1400 audit(1517647689.580:80): avc: denied { write } for pid=9332 comm="systemd-localed" name="notify" dev="tmpfs" ino=15542 scontext=system_u:system_r:systemd_locale_t tcontext=system_u:object_r:init_var_run_t tclass=sock_file permissive=1
[ 195.045176] audit: type=1107 audit(1517647689.590:81): pid=8057 uid=109 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_return dest=:1.19 spid=9332 tpid=9253 scontext=system_u:system_r:systemd_locale_t tcontext=system_u:system_r:xdm_t tclass=dbus permissive=1
[ 195.702500] audit: type=1400 audit(1517647690.240:82): avc: denied { getattr } for pid=5945 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:xdm_t tclass=process permissive=1
[ 195.855946] audit: type=1400 audit(1517647690.400:83): avc: denied { getattr } for pid=6424 comm="systemd-udevd" path="/etc/systemd/network" dev="dm-1" ino=560720 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
[ 232.726786] audit_printk_skb: 18 callbacks suppressed
[ 232.726787] audit: type=1400 audit(1517647727.270:90): avc: denied { getattr } for pid=5945 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:xdm_t tclass=process permissive=1
[ 252.861678] audit: type=1400 audit(1517647747.400:91): avc: denied { unlink } for pid=8054 comm="systemd-logind" name="private" dev="tmpfs" ino=31306 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:user_runtime_t tclass=sock_file permissive=1
[ 263.223391] audit: type=1107 audit(1517647757.760:92): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/etc/systemd/system/systemd-tmpfiles-setup-dev.service" cmdline="" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:object_r:etc_t tclass=service permissive=1
[ 263.233117] audit: type=1400 audit(1517647757.770:93): avc: denied { getattr } for pid=9509 comm="systemd-tmpfile" name="/" dev="devtmpfs" ino=1025 scontext=system_u:system_r:systemd_tmpfiles_t tcontext=system_u:object_r:device_t tclass=filesystem permissive=1
[ 282.718348] audit: type=1404 audit(1517647777.260:94): enforcing=1 old_enforcing=0 auid=1000 ses=1
[ 282.756527] audit: type=1107 audit(1517647777.300:95): pid=8057 uid=109 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: received setenforce notice (enforcing=1)
[ 282.760288] audit: type=1400 audit(1517647777.300:96): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:dbus.service" dev="tmpfs" ino=29176 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 288.592697] audit: type=1107 audit(1517647783.140:97): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='avc: received setenforce notice (enforcing=1)
[ 293.642251] audit: type=1400 audit(1517647788.180:98): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:gdm.service" dev="tmpfs" ino=30670 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 293.649533] audit: type=1400 audit(1517647788.190:99): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:systemd-logind.service" dev="tmpfs" ino=29167 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 293.653945] audit: type=1400 audit(1517647788.190:100): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:user@115.service" dev="tmpfs" ino=30685 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 293.690574] audit: type=1400 audit(1517647788.230:101): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:user@115.service" dev="tmpfs" ino=30685 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 293.698290] audit: type=1400 audit(1517647788.240:102): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:session-c2.scope" dev="tmpfs" ino=30688 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 293.710164] audit: type=1400 audit(1517647788.250:103): avc: denied { getattr } for pid=6424 comm="systemd-udevd" path="/etc/systemd/network" dev="dm-1" ino=560720 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=0
[ 294.711324] audit: type=1400 audit(1517647789.250:104): avc: denied { getattr } for pid=5945 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:xdm_t tclass=process permissive=0
[ 294.711370] audit: type=1400 audit(1517647789.250:105): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:session-c2.scope" dev="tmpfs" ino=30688 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 294.718156] audit: type=1400 audit(1517647789.260:106): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:session-c2.scope" dev="tmpfs" ino=30688 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 294.721216] audit: type=1400 audit(1517647789.260:107): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:session-c2.scope" dev="tmpfs" ino=30688 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 315.315468] audit_printk_skb: 45 callbacks suppressed
[ 315.315469] audit: type=1400 audit(1517647809.860:123): avc: denied { getattr } for pid=5945 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:xdm_t tclass=process permissive=0
[ 315.315528] audit: type=1400 audit(1517647809.860:124): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:session-c2.scope" dev="tmpfs" ino=30688 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 321.033923] audit: type=1400 audit(1517647815.580:125): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:session-c2.scope" dev="tmpfs" ino=30688 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 321.314258] audit: type=1400 audit(1517647815.860:126): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:session-c2.scope" dev="tmpfs" ino=30688 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 321.314515] audit: type=1400 audit(1517647815.860:127): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:session-c2.scope" dev="tmpfs" ino=30688 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 321.315542] audit: type=1400 audit(1517647815.860:128): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:session-c2.scope" dev="tmpfs" ino=30688 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 321.317644] audit: type=1400 audit(1517647815.860:129): avc: denied { getattr } for pid=5945 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:xdm_t tclass=process permissive=0
[ 321.317744] audit: type=1400 audit(1517647815.860:130): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:session-c2.scope" dev="tmpfs" ino=30688 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 321.323898] audit: type=1400 audit(1517647815.860:131): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:session-c2.scope" dev="tmpfs" ino=30688 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 321.333191] audit: type=1107 audit(1517647815.870:132): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='avc: denied { status } for auid=n/a uid=115 gid=997 cmdline="/usr/libexec/gsd-power" scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:init_t tclass=system permissive=0
[ 321.333745] audit: type=1107 audit(1517647815.870:133): pid=8057 uid=109 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_return dest=:1.121 spid=9772 tpid=9718 scontext=system_u:system_r:systemd_hostnamed_t tcontext=system_u:system_r:xdm_t tclass=dbus permissive=0
[ 326.164382] audit: type=1400 audit(1517647820.710:134): avc: denied { write } for pid=9656 comm="systemd-localed" name="notify" dev="tmpfs" ino=15542 scontext=system_u:system_r:systemd_locale_t tcontext=system_u:object_r:init_var_run_t tclass=sock_file permissive=0
[ 370.599029] audit: type=1400 audit(1517647865.140:135): avc: denied { getattr } for pid=5945 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:xdm_t tclass=process permissive=0
[ 370.599084] audit: type=1400 audit(1517647865.140:136): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:session-c2.scope" dev="tmpfs" ino=30688 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 370.804206] audit: type=1400 audit(1517647865.340:137): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:session-c2.scope" dev="tmpfs" ino=30688 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 574.092857] audit: type=1400 audit(1517648068.620:138): avc: denied { getattr } for pid=6424 comm="systemd-udevd" path="/etc/systemd/network" dev="dm-1" ino=560720 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=0
[ 574.093392] audit: type=1400 audit(1517648068.620:139): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:gdm.service" dev="tmpfs" ino=30670 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 574.095526] audit: type=1400 audit(1517648068.630:140): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:systemd-logind.service" dev="tmpfs" ino=29167 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 574.106664] audit: type=1107 audit(1517648068.640:141): pid=8057 uid=109 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=GetSession dest=org.freedesktop.login1 spid=9843 tpid=8054 scontext=staff_u:staff_r:staff_gkeyringd_t tcontext=system_u:system_r:systemd_logind_t tclass=dbus permissive=0
[ 574.107068] audit: type=1400 audit(1517648068.640:142): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:session-2.scope" dev="tmpfs" ino=39549 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 574.112426] audit: type=1107 audit(1517648068.640:143): pid=8057 uid=109 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=GetSession dest=org.freedesktop.login1 spid=9848 tpid=8054 scontext=staff_u:staff_r:staff_gkeyringd_t tcontext=system_u:system_r:systemd_logind_t tclass=dbus permissive=0
[ 574.112687] audit: type=1400 audit(1517648068.640:144): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:session-2.scope" dev="tmpfs" ino=39549 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 574.364110] audit: type=1400 audit(1517648068.900:145): avc: denied { getattr } for pid=5945 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:xdm_t tclass=process permissive=0
[ 574.364147] audit: type=1400 audit(1517648068.900:146): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:session-c2.scope" dev="tmpfs" ino=30688 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 574.442320] audit: type=1400 audit(1517648068.970:147): avc: denied { read write } for pid=9851 comm="Default" path="socket:[23221]" dev="sockfs" ino=23221 scontext=staff_u:staff_r:staff_t tcontext=system_u:system_r:xdm_t tclass=unix_stream_socket permissive=0
[ 580.309434] audit_printk_skb: 33 callbacks suppressed
[ 580.309435] audit: type=1400 audit(1517648074.840:159): avc: denied { getattr } for pid=5945 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:xdm_t tclass=process permissive=0
[ 580.309484] audit: type=1400 audit(1517648074.840:160): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:session-c2.scope" dev="tmpfs" ino=30688 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 580.325879] audit: type=1400 audit(1517648074.860:161): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:session-c2.scope" dev="tmpfs" ino=30688 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 694.559479] audit: type=1400 audit(1517648189.090:162): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:systemd-logind.service" dev="tmpfs" ino=29167 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
[ 893.521268] audit: type=1400 audit(1517648388.040:163): avc: denied { search } for pid=9879 comm="dmesg" name="root" dev="dm-1" ino=100903563 scontext=staff_u:sysadm_r:dmesg_t tcontext=system_u:object_r:default_t tclass=dir permissive=0
[ 893.522848] audit: type=1400 audit(1517648388.050:164): avc: denied { read } for pid=9879 comm="dmesg" name="xterm-256color" dev="dm-1" ino=504211605 scontext=staff_u:sysadm_r:dmesg_t tcontext=system_u:object_r:usr_t tclass=file permissive=0
[ 948.668207] audit: type=1400 audit(1517648443.190:165): avc: denied { getattr } for pid=9884 comm="systemd-tmpfile" name="/" dev="tmpfs" ino=28695 scontext=system_u:system_r:systemd_tmpfiles_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
[ 948.673259] audit: type=1400 audit(1517648443.190:166): avc: denied { getattr } for pid=9884 comm="systemd-tmpfile" name="/" dev="tmpfs" ino=28695 scontext=system_u:system_r:systemd_tmpfiles_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
[ 948.676813] audit: type=1400 audit(1517648443.200:167): avc: denied { getattr } for pid=9884 comm="systemd-tmpfile" name="/" dev="tmpfs" ino=28695 scontext=system_u:system_r:systemd_tmpfiles_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
[ 948.680270] audit: type=1400 audit(1517648443.200:168): avc: denied { getattr } for pid=9884 comm="systemd-tmpfile" name="/" dev="tmpfs" ino=28695 scontext=system_u:system_r:systemd_tmpfiles_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
[ 948.683726] audit: type=1400 audit(1517648443.200:169): avc: denied { getattr } for pid=9884 comm="systemd-tmpfile" name="/" dev="tmpfs" ino=28695 scontext=system_u:system_r:systemd_tmpfiles_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
[ 948.687237] audit: type=1400 audit(1517648443.210:170): avc: denied { getattr } for pid=9884 comm="systemd-tmpfile" name="/" dev="tmpfs" ino=28695 scontext=system_u:system_r:systemd_tmpfiles_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
[ 948.690713] audit: type=1400 audit(1517648443.210:171): avc: denied { getattr } for pid=9884 comm="systemd-tmpfile" name="/" dev="tmpfs" ino=28695 scontext=system_u:system_r:systemd_tmpfiles_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
[ 948.694188] audit: type=1400 audit(1517648443.220:172): avc: denied { getattr } for pid=9884 comm="systemd-tmpfile" name="/" dev="tmpfs" ino=28695 scontext=system_u:system_r:systemd_tmpfiles_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
[ 948.697746] audit: type=1400 audit(1517648443.220:173): avc: denied { getattr } for pid=9884 comm="systemd-tmpfile" name="/" dev="proc" ino=1 scontext=system_u:system_r:systemd_tmpfiles_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=0
[ 948.701188] audit: type=1400 audit(1517648443.220:174): avc: denied { getattr } for pid=9884 comm="systemd-tmpfile" name="/" dev="proc" ino=1 scontext=system_u:system_r:systemd_tmpfiles_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=0
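As an added example (not part of the log or the notes above), a small Python triage script for the dmesg output above: it parses both denial shapes that appear there, kernel AVC records (type=1400) and the dbus-daemon userspace AVC records (type=1107), groups them by source type, target type and object class, and separates hits recorded with permissive=0 from the earlier permissive=1 ones, since only the former actually stop the gdm session. The sample lines are copied from the log above; the function names are the example's own.

```python
"""Group the AVC denials from the dmesg output above by (source type, target
type, object class) and flag the groups that were denied while enforcing."""
import re
from collections import defaultdict

# Both denial shapes on this page: kernel AVC (type=1400, "avc: denied ...")
# and dbus-daemon userspace AVC (type=1107, "msg='avc: denied ...").
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Third field of a user:role:type[:range] security context, e.g. syslogd_t."""
    return context.split(":")[2] if context else None


def parse_avc(line):
    """Parse one audit line; return a dict for a denial, None for anything else
    (setenforce notices, policy-load records, audit_printk_skb rate-limit lines)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": frozenset(m.group("perms").split()),  # "{ read write }" -> two perms
        "source": type_of(fields.get("scontext")),
        "target": type_of(fields.get("tcontext")),
        "tclass": fields.get("tclass"),
        "comm": fields.get("comm"),                     # absent on dbus (1107) records
        "enforcing": fields.get("permissive") == "0",
    }


def summarize(lines):
    """Aggregate denials by (source, target, tclass): total hits, hits in
    enforcing mode, union of denied permissions, and the processes involved."""
    groups = defaultdict(lambda: {"count": 0, "enforcing": 0, "perms": set(), "comms": set()})
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        g = groups[(d["source"], d["target"], d["tclass"])]
        g["count"] += 1
        g["enforcing"] += int(d["enforcing"])
        g["perms"] |= d["perms"]
        if d["comm"]:
            g["comms"].add(d["comm"])
    return dict(groups)


def blocking(groups):
    """Keys denied at least once with permissive=0: these are what actually
    stops the login session; permissive=1 hits only record what would be denied."""
    return sorted(k for k, g in groups.items() if g["enforcing"])


def as_te_rule(key, perms):
    """Render a group as the TE allow rule that would silence it, so each
    rule can be reviewed against the policy rather than loaded blindly."""
    source, target, tclass = key
    return "allow %s %s:%s { %s };" % (source, target, tclass, " ".join(sorted(perms)))


# Sample lines copied from the dmesg output above; the type=1404 setenforce
# record is included on purpose because it is not a denial and must be skipped.
SAMPLE = [
    '[ 14.396054] audit: type=1400 audit(1517647508.940:3): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:systemd-journald.service" dev="tmpfs" ino=17542 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=1',
    "[ 35.234108] audit: type=1107 audit(1517647529.780:57): pid=8057 uid=109 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=GetSession dest=org.freedesktop.login1 spid=8728 tpid=8054 scontext=staff_u:staff_r:staff_gkeyringd_t tcontext=system_u:system_r:systemd_logind_t tclass=dbus permissive=1",
    "[ 282.718348] audit: type=1404 audit(1517647777.260:94): enforcing=1 old_enforcing=0 auid=1000 ses=1",
    '[ 293.642251] audit: type=1400 audit(1517647788.180:98): avc: denied { read } for pid=5945 comm="systemd-journal" name="invocation:gdm.service" dev="tmpfs" ino=30670 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0',
    "[ 574.106664] audit: type=1107 audit(1517648068.640:141): pid=8057 uid=109 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=GetSession dest=org.freedesktop.login1 spid=9843 tpid=8054 scontext=staff_u:staff_r:staff_gkeyringd_t tcontext=system_u:system_r:systemd_logind_t tclass=dbus permissive=0",
    '[ 574.442320] audit: type=1400 audit(1517648068.970:147): avc: denied { read write } for pid=9851 comm="Default" path="socket:[23221]" dev="sockfs" ino=23221 scontext=staff_u:staff_r:staff_t tcontext=system_u:system_r:xdm_t tclass=unix_stream_socket permissive=0',
    '[ 14.448733] audit: type=1400 audit(1517647508.990:8): avc: denied { open } for pid=6424 comm="systemd-udevd" path="/etc/systemd/network" dev="dm-1" ino=560720 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1',
]

if __name__ == "__main__":
    groups = summarize(SAMPLE)
    for key in blocking(groups):
        g = groups[key]
        print("%d hit(s), %d enforcing: %s  # %s" % (
            g["count"], g["enforcing"], as_te_rule(key, g["perms"]), ",".join(sorted(g["comms"]))))
```

Run it against the full output of dmesg (or ausearch -m avc) instead of SAMPLE to get the complete per-domain picture; groups with zero enforcing hits are candidates for review, not things to allow.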
There are still issues with systemd --user sessions and selinux on Gentoo; namely, the --user session should be confined to the point where its processes are disallowed access to systemd --system sessions and process information.