<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.linux.gentoo.hardened">
    <title>gmane.linux.gentoo.hardened</title>
    <link>http://blog.gmane.org/gmane.linux.gentoo.hardened</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5506"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5505"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5498"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5496"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5483"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5462"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5460"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5459"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5457"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5452"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5449"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5447"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5444"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5443"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5436"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5431"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5429"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5428"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5425"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.gentoo.hardened/5421"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5506">
    <title>SELinux change history</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5506</link>
    <description>&lt;pre&gt;Hi guys,

I've made an attempt to document, in a high-level and simple approach, the
changes made to a SELinux installation since a particular date. This might
help users, who have installed SELinux in the past, to easily see if changes
were made that affect their system.

For instance, an entry in fstab that is no longer needed, etc.

These changes often do not warrant a Gentoo News item, but I can imagine
that it is a useful resource for users to visit from time to time (or when a
problem occurs).

A preview can be found at http://goo.gl/fvymW

Two questions:
- Is it, in your eyes, interesting
- If so, is it best placed at the end of the SELinux Handbook, or kept as a
  separate guide (and just documented in the handbook that it exists)?

Wkr,
Sven Vermeulen


&lt;/pre&gt;</description>
    <dc:creator>Sven Vermeulen</dc:creator>
    <dc:date>2012-05-26T19:30:36</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5505">
    <title>SELinux base policy rev 10 in hardened-dev, Python3 support too</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5505</link>
    <description>&lt;pre&gt;Hi guys,

I've pushed some updates on the SELinux userland tools to hardened-dev. It
contains a few fixes and is specifically done to support Python 3. It's been
run on a test VM; I'm going to update my other VMs today to do some more
testing.

I've also sent the base policy revision 10 to the hardened-dev overlay,
which contains the following fixes:

#412321         Allow kdevtmpfs to setattr on the device files (udev-180 requirement)
#416323         Allow kdevtmpfs to setattr on the device files
#416305         Mark kudzu privilege as optional in ddcprobe module
#416303         Remove duplicate file context definition for firefox

Nothing major, but since it contains a few needed fixes for ~arch systems I
didn't want to wait any further.

Wkr,
Sven Vermeulen


&lt;/pre&gt;</description>
    <dc:creator>Sven Vermeulen</dc:creator>
    <dc:date>2012-05-26T15:52:00</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5498">
    <title>xattr/acl/cap</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5498</link>
    <description>&lt;pre&gt;Hi!

I'm not sure if this is the right place to ask…

What is current status for filesystem's xattr, acl and caps?

I usually keep all of this disabled in the kernel, because I don't use them
and wanna avoid needless complexity. But today consolekit (which I don't
use, but which is installed anyway as someone's dependency) asked me to
enable CONFIG_TMPFS_POSIX_ACL. And I decided to check all this crap once again.

I may be wrong here, but after a quick look at it I got this impression:

XATTR
    Needed only if you use ACL or CAPS (or wanna play with custom file
    attributes).
ACL
    Not sure about consolekit requirement above, but otherwise it looks
    useless (if you don't need to use complicated file permissions).
CAPS
    Looks promising, it's always good to remove the suid bit, BUT:
    a) looks like the only app which uses it now on my workstation is
wireshark, even /bin/ping is still installed suid
    b) pam_cap.so isn't used by default (not sure why) so you can't change
user's default capabilities using /etc&lt;/pre&gt;</description>
    <dc:creator>Alex Efros</dc:creator>
    <dc:date>2012-05-20T21:35:51</dc:date>
  </item>
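  <![CDATA[
The post above contrasts setuid binaries with file capabilities. The script below is an added example (not from the post or from Gentoo): it decodes the security.capability xattr that setcap writes and walks a few directories to report which executables carry file caps and which are still setuid, so the wireshark-versus-ping observation can be checked on any box. It assumes Linux with os.getxattr; the capability blobs in the __main__ demo and in the test are constructed by hand, not read from a real binary.

```python
"""Decode Linux file capabilities (the security.capability xattr) and list
which executables under a set of directories still rely on the setuid bit
rather than on file caps.  Added example, not code from the list post.
Assumes Linux with os.getxattr (Python 3.3+); the sample blobs are
constructed by hand, not read from a real binary."""
import os
import stat
import struct

# vfs_cap_data layout from include/uapi/linux/capability.h:
#   __le32 magic_etc;     top byte = revision, bit 0 = "effective" flag
#   struct { __le32 permitted; __le32 inheritable; } data[2];   (v2 and v3)
#   __le32 rootid;        v3 only: owning uid inside a user namespace
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001

CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read",
]


def decode_caps(blob):
    """Parse a security.capability value -> (permitted, inheritable, effective, rootid).
    Raises ValueError on an unknown revision or a length that does not match it."""
    if len(blob) < 4:
        raise ValueError("xattr too short")
    magic_etc = struct.unpack_from("<I", blob, 0)[0]
    rev = magic_etc & VFS_CAP_REVISION_MASK
    expected = {VFS_CAP_REVISION_2: 20, VFS_CAP_REVISION_3: 24}.get(rev)
    if expected is None:
        raise ValueError("unsupported vfs_cap_data revision 0x%08x" % rev)
    if len(blob) != expected:
        raise ValueError("length %d does not match revision 0x%08x" % (len(blob), rev))
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", blob, 4)
    rootid = struct.unpack_from("<I", blob, 20)[0] if rev == VFS_CAP_REVISION_3 else 0
    return ((p_hi << 32) | p_lo, (i_hi << 32) | i_lo,
            bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE), rootid)


def encode_caps(permitted, inheritable=0, effective=True, rootid=None):
    """Build the blob setcap would write; rootid=None gives a v2 blob, an int gives v3."""
    rev = VFS_CAP_REVISION_2 if rootid is None else VFS_CAP_REVISION_3
    magic = rev | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    blob = struct.pack("<IIIII", magic, permitted & 0xFFFFFFFF, inheritable & 0xFFFFFFFF,
                       permitted >> 32, inheritable >> 32)
    return blob if rootid is None else blob + struct.pack("<I", rootid)


def cap_names(mask):
    """Bit mask -> capability names, lowest bit first; unknown bits become cap_N."""
    return [CAP_NAMES[i] if i < len(CAP_NAMES) else "cap_%d" % i
            for i in range(64) if mask >> i & 1]


def _caps_xattr(path):
    getxattr = getattr(os, "getxattr", None)          # Linux only
    if getxattr is None:
        return None
    try:
        return getxattr(path, "security.capability", follow_symlinks=False)
    except OSError:   # ENODATA (no caps), ENOTSUP (no xattr support), EACCES
        return None


def classify(path):
    """'setuid', 'filecaps', 'both', or None for a file that carries neither."""
    try:
        st = os.lstat(path)
    except OSError:
        return None
    if not stat.S_ISREG(st.st_mode):
        return None
    suid = bool(st.st_mode & stat.S_ISUID)
    caps = _caps_xattr(path)
    if suid and caps:
        return "both"
    return "setuid" if suid else ("filecaps" if caps else None)


def scan(dirs):
    """Walk dirs and return {path: kind} for every setuid or capability-bearing file."""
    found = {}
    for d in dirs:
        for root, _, files in os.walk(d):
            for f in files:
                p = os.path.join(root, f)
                kind = classify(p)
                if kind:
                    found[p] = kind
    return found


if __name__ == "__main__":
    # Constructed blob: what "setcap cap_net_raw+ep /bin/ping" stores
    print(cap_names(decode_caps(encode_caps(1 << 13))[0]))
    for path, kind in sorted(scan(["/bin", "/sbin", "/usr/bin", "/usr/sbin"]).items()):
        line = "%-9s %s" % (kind, path)
        if kind != "setuid":
            permitted, _, eff, _ = decode_caps(_caps_xattr(path))
            line += "  " + ",".join(cap_names(permitted)) + ("+ep" if eff else "+p")
        print(line)
```

Run it as root, since unprivileged users get EACCES on some directories and the helper treats that like "no caps". The same swallow applies to ENOTSUP on a filesystem or kernel built without xattr support, which is the configuration the post describes: a binary there is reported as plain setuid, so make the handler stricter if you need to tell those two cases apart.
]]>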
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5496">
    <title>Does hardened-sources include the Gentoo patchset?</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5496</link>
    <description>&lt;pre&gt;Does anyone know if hardened-sources includes the Gentoo patchset?

- Grant


&lt;/pre&gt;</description>
    <dc:creator>Grant</dc:creator>
    <dc:date>2012-05-20T20:09:35</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5483">
    <title>systemd and gentoo</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5483</link>
    <description>&lt;pre&gt;I've recently come across some articles about the hal - dbus - udev -
consolekit - upower udisks - systemd movement. And there's openrc. A
couple of months before I converted the systems to openrc.
What we should prepare for next? When will it happen? Is it already
happening?
Somebody should pull the brakes, please.

Regards:
Dw.
&lt;/pre&gt;</description>
    <dc:creator>Tóth Attila</dc:creator>
    <dc:date>2012-05-18T01:01:00</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5462">
    <title>hardened-sources-3.2.11 + i965 + x.org: possible regression</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5462</link>
    <description>&lt;pre&gt;I'm planning on submitting a bug, but thought I'd poll the population
first since I'm having trouble putting together a good bug report
(solid lockup).

It's been a while since I updated the kernel on my T61, was at
hardened-sources-3.2.1.  Updating to 3.3.6 this week produced a viable
kernel, but when X starts the system locks hard.  In trying different
kernels I've found that the regression is somewhere between the
3.2.2-r1 and 3.2.11 versions in the mainstream portage tree.  The
following is the only dump I've been able to capture, as about 9/10
the system locks beyond SSH recovery; apologies for the zram/zcache
taint, it was captured before I started debugging and eliminated
those.  It is, however, consistent with all subsequent ones I've seen
(same IP, same call trace).  I do notice that 'make oldconfig' in the
3.2.11 tree with the config from 3.2.2-r1 comes up with a single new
option, CONFIG_KCOPY.  Thoughts?

BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
IP: [&amp;lt;ffffffff8127&lt;/pre&gt;</description>
    <dc:creator>RB</dc:creator>
    <dc:date>2012-05-16T16:54:12</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5460">
    <title>Paxmarkings on mail-client/thunderbird</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5460</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

at the moment the thunderbird ebuild in the tree does a "pax mark m"
on the binary.
At least for me thunderbird works fine if I just disable jit.

What would be the workflow for reporting that? Should I file a bug report?

With kind regards

Hinnerk

PS: Below is a "proof of concept" ebuild (just the diff) that works
for me:


- --- /usr/portage/mail-client/thunderbird/thunderbird-12.0.1.ebuild
2012-05-08 11:31:16.000000000 +0200
+++ thunderbird-12.0.1.ebuild2012-05-16 16:34:26.111099366 +0200
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -33,7 +33,8 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt;
 KEYWORDS="~alpha ~amd64 ~arm ~ppc ~ppc64 ~x86 ~x86-fbsd ~amd64-linux
~x86-linux"
 SLOT="0"
 LICENSE="|| ( MPL-1.1 GPL-2 LGPL-2.1 )"
- -IUSE="bindist gconf +crashreporter +crypt +ipc +lightning +minimal
mozdom +webm"
+IUSE="bindist gconf +crashreporter +crypt +ipc +lightning +minimal mozdom
+pax_kernel +webm"

 PATCH="thunderbird-10.0-patches-0.1"
 PATCHFF="firefox-12.0-patches-0.1"
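Review bot: the IUSE change declares the new flag as "+pax_kernel", i.e. default-on for every profile, so users who are not running a PaX kernel would also get whatever this flag gates (per the text above, the JIT being disabled instead of the binary being pax-marked); pax_kernel is the global USE flag the hardened profiles use for exactly this, so declare it as plain "pax_kernel" without the "+" and let the profile turn it on.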
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -174,6 +175,12 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt;
 mozconfig_use_enable lightning calendar
 m&lt;/pre&gt;</description>
    <dc:creator>Hinnerk van Bruinehsen</dc:creator>
    <dc:date>2012-05-16T14:39:39</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5459">
    <title>SELinux base policy rev 9 in hardened-dev</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5459</link>
    <description>&lt;pre&gt;Hi guys,

I've pushed out rev 9 of the base policies to the hardened-dev overlay. It
includes the following changes:

** 2012-05-15 Revision 9

&amp;lt;no bug&amp;gt;        Introduce named file transition support in policies
(backport)
&amp;lt;no bug&amp;gt;        Eliminate "*_except_auth_files" expressions through new
attribute (backport)
&amp;lt;no bug&amp;gt;        Update symbol in clamav_append_log interface (backport)
#411719         Update python scripts to further enhance support #python3
#413065         Allow passwd_t to read default context definitions
#413061         Allow groupadd_t to read default context definitions
#410951         Use /usr/lib and /lib instead of the /usr/lib(64)? and
similar calls

Wkr,
Sven Vermeulen


&lt;/pre&gt;</description>
    <dc:creator>Sven Vermeulen</dc:creator>
    <dc:date>2012-05-15T18:06:29</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5457">
    <title>Gentoo Hardened Meeting 2012-05-16 20:00UTC</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5457</link>
    <description>&lt;pre&gt;Hello,

As usual we will be holding our traditional monthly project meeting the
2012-05-16 at 20:00UTC in the #gentoo-hardened channel in the freenode
network.
You are advised to attend, since in these meetings the short-term goals of
the project are usually defined and we'd appreciate input regarding them
and positive criticism from any interested parties.
In the meeting the current status of the project is also stated by the
developers, so if you want to know how the project is doing you may want
to either be there or read the logs, although the logs may take a little
more time to be ready.
Finally, if you are planning to contribute, the meeting is also a good
place to see which are the issues that need handling in the project.

The agenda planned for the meeting is:
1.0 Toolchain
2.0 Kernel
3.0 Selinux
  3.1 Selinux eclass
4.0 Grsec/PaX
5.0 Profile
6.0 Docs
7.0 Bugs
8.0 Media
9.0 Open floor

Also, attached to the e-mail you will find an event invitation in case you
want to add the meeting time to your calendar so &lt;/pre&gt;</description>
    <dc:creator>Francisco Blas Izquierdo Riera (klondike)</dc:creator>
    <dc:date>2012-05-13T20:31:39</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5452">
    <title>Invalid opcode</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5452</link>
    <description>&lt;pre&gt;This isn't really a hardened issue specifically, but since that's the
profile I'm running and this is the list that I'm already subscribed to,
thought I'd go ahead and post here.  See if one of you folks can offer
some suggestions for me. 

I have an old Pentium 4 machine with a fresh stable amd64 hardened
install that I am planning to use as a dedicated Asterisk server.
Everything seems fine with one exception.  I cannot unmerge any
packages.  Neither --depclean nor -C will work.  They both bomb out as
soon as the 5 second countdown starts.  The message said Invalid
instruction and the syslog indicated it was in time.so

klogd: emerge[28440] trap invalid opcode ip:2612992f7ac sp:3bbcc5cea60
error:0 in time.so[2612992d000+4000]

Then as I was working on asterisk when I got to the point where I was
configuring voicemail and was trying to record the name from a phone
extension, asterisk crashed after starting the recording.  It will limit
the length of the recording to just a few seconds, so the common factor&lt;/pre&gt;</description>
    <dc:creator>Stan Sander</dc:creator>
    <dc:date>2012-04-30T16:10:20</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5449">
    <title>Eclass update to support user-specific (overlay-driven) policy enhancements</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5449</link>
    <description>&lt;pre&gt;Hi guys,

"""
tl;dr: New eclass supports users providing SELinux module files (the .fc,
.te and .if files) through their ebuilds' files/ directory rather than
through ugly patches.
"""

One of the things I'm hoping to accomplish soon is to better support users
in their quest to update the SELinux policies. Although we continue to
strive towards a working set of policies for most users, we should help
users to update the policies themselves when it matches their requirements,
but not necessarily ours.

A huge part of this is of course documentation, so I'm definitely going to
put much focus there, but another thing would be to support users in
user-specified SELinux policy modules.

Until now, the feedback to the user was to create the module, build it
manually and load it in the system. This works well of course (it is the
de-facto way of handling things) but I was wondering why users wouldn't be
able to provide these modules towards other users in overlays.

Until now, this meant that the user had to setup &lt;/pre&gt;</description>
    <dc:creator>Sven Vermeulen</dc:creator>
    <dc:date>2012-04-26T18:58:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5447">
    <title>Meeting log from 2012-04-18 20:00 meeting.</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5447</link>
    <description>&lt;pre&gt;Log from the meeting.

/Magnus
&lt;/pre&gt;</description>
    <dc:creator>Magnus Granberg</dc:creator>
    <dc:date>2012-04-23T22:49:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5444">
    <title>SELinux base policy rev 8 in hardened-dev</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5444</link>
    <description>&lt;pre&gt;Hi guys,

Revision 8 of the 2.20120215 policies is now in the hardened-dev overlay.
It contains the following changes:

&amp;lt;no bug&amp;gt;        Update whitespace in python scripts (support python3)
#411149         Introduce httpd_setrlimit to support setrlimit/sys_resource on apache (for lighttpd)
#411943         Allow unconfined users to start X (or XFCE) from the commandline

Testing is, as always, appreciated. However, the changes are non-intrusive
and I'm going to make a few more intrusive changes now which will need a bit
more testing, so I'm heading out with rev 8 now.

Also, I've moved the repository I use for maintaining the policies from
github to gogo [1]. I didn't use the git magic, just a copy of the sources,
as patching is always done in an incremental manner (and not through git
patches)... for now ;-)

I'll have our SELinux development guide also updated to have users base
their patches from this tree instead, that should make development a bit
easier for them.

Wkr,
  Sven Vermeulen


&lt;/pre&gt;</description>
    <dc:creator>Sven Vermeulen</dc:creator>
    <dc:date>2012-04-22T08:35:40</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5443">
    <title>Tips for VMware Workstation with Hardened Profile ?</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5443</link>
    <description>&lt;pre&gt;Hi,

I've just built vmware-workstation on a hardened box with a 3.0.4 hardened
kernel ...
I emerged the vmware product with the server flag, to be able to remotely
connect to it ...
The vmware init script starts, and loads modules into the kernel perfectly ... but,

When I try to start the vmware-workstation-server init script, I get the
following grsec log:

Apr 22 01:00:23  kernel: grsec: From denied access of range 0 -&amp;gt; 100000
in /dev/mem by
/opt/vmware/lib/vmware/bin/vmware-hostd[vmware-hostd:11737] uid/euid:0/0
gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Apr 22 01:02:21  kernel: grsec: From : Abort occurred at
0000000000002ed3 in
/opt/vmware/lib/vmware/bin/vmware-vim-cmd[vmware-vim-cmd:11987]
uid/euid:0/0 gid/egid:0/0, parent
/opt/vmware/lib/vmware/bin/vmware-vim-cmd[vmware-vim-cmd:11886]
uid/euid:0/0 gid/egid:0/0
Apr 22 01:02:21  kernel: grsec: From  denied resource overstep by
requesting 4096 for RLIMIT_CORE against limit 0 for
/opt/vmware/lib/vmware/bin/vmware-vim-cmd[vmware-vim-cmd:11987]
uid&lt;/pre&gt;</description>
    <dc:creator>mRyOuNg</dc:creator>
    <dc:date>2012-04-21T23:24:47</dc:date>
  </item>
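  <![CDATA[
The grsec log lines quoted above all follow one layout: a message, the offending process as path[comm:pid] with uid/euid and gid/egid, and optionally the parent in the same form. Below is an added example, not from the post or from grsecurity, that parses such lines into structured events and tallies them per binary. The first two sample lines are the post's, re-joined onto single lines; the third is constructed to the same format because the quoted copy is cut off; and the mapping of message prefixes to grsecurity kernel options is my reading of the Kconfig help text, not something the post states.

```python
"""Parse grsecurity "grsec:" kernel log lines into structured events and
tally them per binary.  Added example, not code from the list post or from
grsecurity.  The first two sample lines are the post's, re-joined; the third
is constructed in the same format because the post's copy is cut off.  The
KINDS table is an assumption drawn from the grsecurity Kconfig help text.
Assumes Python 3.6+."""
import re
from collections import Counter


def _proc(prefix):
    # One process as grsecurity prints it: /path[comm:pid] uid/euid:U/E gid/egid:G/E
    return (r"(?P<%spath>\S+)\[(?P<%scomm>[^\]:]+):(?P<%spid>\d+)\] "
            r"uid/euid:(?P<%suid>\d+)/(?P<%seuid>\d+) "
            r"gid/egid:(?P<%sgid>\d+)/(?P<%segid>\d+)") % ((prefix,) * 7)


LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d)\s+(?:(?P<host>\S+)\s+)?kernel: grsec: "
    r"(?:From\s*(?P<ip>[\d.]*):?\s*)?"          # "From 1.2.3.4: " prefix; IP often stripped
    r"(?P<msg>.*?) (?:by|for|in) " + _proc("") +
    r"(?:, parent " + _proc("parent_") + r")?\s*$")

# Message prefix -> event kind.  Assumption: the first two come from the
# GRKERNSEC_KMEM (/dev/mem, /dev/kmem, /dev/port) and GRKERNSEC_RESLOG
# (rlimit logging) options respectively.
KINDS = [
    ("denied access of range", "kmem"),
    ("denied resource overstep", "rlimit"),
    ("Abort occurred", "abort"),
    ("denied", "denied"),
]

# Constructed sample log: lines 1-2 are from the post (re-joined), line 3 is
# made up in the same format because the post's third line is cut off.
SAMPLE_LOG = """\
Apr 22 01:00:23  kernel: grsec: From denied access of range 0 -> 100000 in /dev/mem by /opt/vmware/lib/vmware/bin/vmware-hostd[vmware-hostd:11737] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Apr 22 01:02:21  kernel: grsec: From : Abort occurred at 0000000000002ed3 in /opt/vmware/lib/vmware/bin/vmware-vim-cmd[vmware-vim-cmd:11987] uid/euid:0/0 gid/egid:0/0, parent /opt/vmware/lib/vmware/bin/vmware-vim-cmd[vmware-vim-cmd:11886] uid/euid:0/0 gid/egid:0/0
Apr 22 01:02:21  kernel: grsec: From  denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /opt/vmware/lib/vmware/bin/vmware-vim-cmd[vmware-vim-cmd:11987] uid/euid:0/0 gid/egid:0/0, parent /opt/vmware/lib/vmware/bin/vmware-vim-cmd[vmware-vim-cmd:11886] uid/euid:0/0 gid/egid:0/0
"""


def kind_of(msg):
    for prefix, kind in KINDS:
        if msg.startswith(prefix):
            return kind
    return "other"


def parse_line(line):
    """One syslog line -> event dict, or None if it is not a grsec line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in list(ev):
        if ev[key] is not None and key.endswith(("pid", "uid", "gid")):
            ev[key] = int(ev[key])
    ev["ip"] = ev["ip"] or None          # empty when the address was stripped
    ev["kind"] = kind_of(ev["msg"])
    return ev


def parse(lines):
    return [ev for ev in map(parse_line, lines) if ev]


def summarize(events):
    """Counter keyed by (kind, offending binary)."""
    return Counter((ev["kind"], ev["path"]) for ev in events)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    for (kind, path), n in summarize(evs).most_common():
        print("%3d  %-7s %s" % (n, kind, path))
    for ev in evs:
        print(ev["ts"], ev["kind"], ev["comm"], ev["pid"], "uid", ev["uid"],
              "parent", ev["parent_comm"], ev["parent_pid"], "--", ev["msg"])
```

Feed it the output of grep 'grsec:' /var/log/messages. Each event carries the kind, the offending path, comm, pid and uid/euid, and the parent, which is enough to group repeat offenders and to separate the two kernel-option denials above (kmem, rlimit) from anything else in the log.
]]>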
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5436">
    <title>RFC: Removing -unicode from all hardened profiles</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5436</link>
    <description>&lt;pre&gt;Hi everyone,

I'd like to remove USE="-unicode" from make.defaults at the root level
of all hardened profiles.  The request came from jmbsvicetto because he
required it for the hardened stages to build, but to be honest, I don't
know why we have it disabled in hardened and it's probably leftover cruft
from days gone by.

Any reason not to, else it's gone.


&lt;/pre&gt;</description>
    <dc:creator>Anthony G. Basile</dc:creator>
    <dc:date>2012-04-21T11:05:52</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5431">
    <title>SBCL working at all with GRsec and PaX?</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5431</link>
    <description>&lt;pre&gt;Heya folks,

The only version of SBCL I have that actually works is one I compiled
under gentoo-sources with vanilla GCC.

Has anyone managed to compile even a remotely recent version of SBCL
under hardened?

I was using an overlay to attempt to get dev-lisp/sbcl-1.0.55-r1 but
absolutely no version I've found works (even after changing the one in
the overlay because it was using pax-tool or something instead of
paxctl to deal with the sbcl kernel-image-thinger).

This is the last build log I got out of it: 
http://bpaste.net/show/7iYaCGigirPZI6UQFrac/
Sorry it's a huge mess but it seems a lot of the dev-lisp packages like
to ignore some of the common conventions!

It's mainly for a friend who has an account on the machine that I'm
trying to get a relatively recent version of SBCL on the go since the
machine's a bit of a powerhouse and SBCL can output some blazingly fast
programs.

Cheers!
Nay
&lt;/pre&gt;</description>
    <dc:creator>napalm-/2QkOuYdtStvsvE28MkURw&lt; at &gt;public.gmane.org</dc:creator>
    <dc:date>2012-04-16T22:44:27</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5429">
    <title>libreoffice's unopkg.bin segfaults without paxmarking on my systems</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5429</link>
    <description>&lt;pre&gt;While I emerged the libreoffice-l10n upgrade, I noticed that unopkg.bin
segfaults multiple times as it gets called, on my systems.
After paxctl -m it worked.

soffice.bin has been already paxmarked by the ebuild.
Wouldn't it be good to add:
pax-mark -m "${EPREFIX}"/usr/$(get_libdir)/libreoffice/program/unopkg.bin
as well?

Should I open a bug for it?

Regards:
Dw.
&lt;/pre&gt;</description>
    <dc:creator>Tóth Attila</dc:creator>
    <dc:date>2012-04-15T23:47:33</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5428">
    <title>Meeting 2012-04-18 20:00UTC</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5428</link>
    <description>&lt;pre&gt;Hi

Time for a new meeting.
It is on gentoo-hardened at freenode (irc)

Agenda
1.0 Toolchain
2.0 Kernel
3.0 Selinux
4.0 Grsec/PaX
5.0 Profiles
6.0 Docs
7.0 Bugs
8.0 Media
9.0 Open floor

/Magnus


&lt;/pre&gt;</description>
    <dc:creator>Magnus Granberg</dc:creator>
    <dc:date>2012-04-15T13:23:30</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5425">
    <title>samba 4 MLS --&gt; strict modules</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5425</link>
    <description>&lt;pre&gt;In the samba 4 howto, the instructions related to selinux apply to RH and
when I tried to compile this module, I had an error because I'm running
in strict mode and semodule tells me it's an MLS module. What do I need to
modify in this module to run it in strict mode?

Thanks
Alain


module samba4 1.0;

require {
    type ntpd_t;
    type usr_t;
    type initrc_t;
    class sock_file write;
    class unix_stream_socket connectto;
}

#============= ntpd_t ==============
allow ntpd_t usr_t:sock_file write;
allow ntpd_t initrc_t:unix_stream_socket connectto;

&lt;/pre&gt;</description>
    <dc:creator>Alain Toussaint</dc:creator>
    <dc:date>2012-04-14T14:41:48</dc:date>
  </item>
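  <![CDATA[
The module quoted above contains nothing MLS-specific: require blocks and allow rules read the same on MLS and non-MLS policies, and whether the resulting .pp is tagged MLS is decided by the -M flag given to checkmodule when it is compiled (a reference policy Makefile passes it automatically when its policy type is mls or mcs, which Gentoo's strict type is not). The added example below, not from the post or from the SELinux userland, parses such an audit2allow-style module, checks that every type, class and permission its allow rules use is declared in require, flags the MLS-only statements that would genuinely force -M, and emits the checkmodule/semodule_package/semodule commands for a strict policy. It assumes Python 3.6+; the module text is the one from the post, and the second module in the test is constructed.

```python
"""Parse an audit2allow-style SELinux policy module (.te), check that every
type, class and permission the allow rules use is declared in require {},
flag MLS-only statements, and emit the build commands.  Added example, not
code from the list post or from the SELinux userland.  Whether a module is
"MLS" is decided by checkmodule -M at build time, not by the .te text, so a
module built for an MLS/MCS policy is rebuilt for a strict (non-MLS) policy
simply by compiling it without -M.  Assumes Python 3.6+."""
import re

# Statements that only compile in an MLS policy; their presence means -M is required.
MLS_ONLY = ("sensitivity", "dominance", "category", "level",
            "mlsconstrain", "mlsvalidatetrans", "range_transition")

# The module from the post, verbatim apart from whitespace.
SAMPLE_TE = """\
module samba4 1.0;

require {
    type ntpd_t;
    type usr_t;
    type initrc_t;
    class sock_file write;
    class unix_stream_socket connectto;
}

#============= ntpd_t ==============
allow ntpd_t usr_t:sock_file write;
allow ntpd_t initrc_t:unix_stream_socket connectto;
"""

ALLOW = re.compile(r"\ballow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def _braced(text, keyword):
    """Text between the braces that follow `keyword`, honouring nested {}; None if absent."""
    m = re.search(r"\b%s\s*\{" % keyword, text)
    if not m:
        return None
    depth, i = 1, m.end()
    while depth and i < len(text):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    if depth:
        raise ValueError("unbalanced braces after %s" % keyword)
    return text[m.end():i - 1]


def parse_te(text):
    """Return module name/version, required types and classes, allow rules,
    consistency problems, and any MLS-only statements found."""
    text = re.sub(r"#.*", "", text)                 # drop comments
    m = re.search(r"\bmodule\s+(\w+)\s+([\w.]+)\s*;", text)
    if not m:
        raise ValueError("no 'module name version;' declaration")
    name, version = m.group(1), m.group(2)
    req_types, req_classes = set(), {}
    for stmt in (_braced(text, "require") or "").split(";"):
        words = stmt.split()
        if len(words) > 1 and words[0] == "type":           # type a_t, b_t;
            req_types.update(w.strip(",") for w in words[1:])
        elif len(words) > 1 and words[0] == "class":        # class file { read write };
            perms = " ".join(words[2:]).strip("{} ").split()
            req_classes.setdefault(words[1], set()).update(perms)
    rules = [(s, t, c, tuple(p.strip("{} ").split())) for s, t, c, p in ALLOW.findall(text)]
    problems = []
    for src, tgt, cls, perms in rules:
        problems += ["type %s not in require" % t for t in (src, tgt) if t not in req_types]
        if cls not in req_classes:
            problems.append("class %s not in require" % cls)
        else:
            problems += ["perm %s:%s not in require" % (cls, p)
                         for p in perms if p not in req_classes[cls]]
    mls = [kw for kw in MLS_ONLY if re.search(r"\b%s\b" % kw, text)]
    return {"name": name, "version": version, "require_types": req_types,
            "require_classes": req_classes, "rules": rules,
            "problems": problems, "mls_statements": mls}


def build_argv(name, mls):
    """Compile, package and load a module; -M only when the target policy is MLS."""
    return [["checkmodule", "-m"] + (["-M"] if mls else []) + ["-o", name + ".mod", name + ".te"],
            ["semodule_package", "-o", name + ".pp", "-m", name + ".mod"],
            ["semodule", "-i", name + ".pp"]]


if __name__ == "__main__":
    info = parse_te(SAMPLE_TE)
    print(info["name"], info["version"], "problems:", info["problems"] or "none",
          "mls:", info["mls_statements"] or "none")
    for argv in build_argv(info["name"], bool(info["mls_statements"])):
        print(" ".join(argv))
```

For the posted module the checker reports no missing declarations and no MLS statements, so the three printed commands, with no -M, are what builds it for a strict policy; the same .te works unchanged on an MLS or MCS system once -M is added back.
]]>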
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5421">
    <title>emerge via ssh doesn't work</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5421</link>
    <description>&lt;pre&gt;Hello,

I am building a headless server and for the most part, now
that I have labelled everything (selinux), I am not able to continue
emerging software via ssh. I know that it is a security feature but is
there something I can change in my setup or else, I’ll need to get a
monitor for the machine?

Alain
&lt;/pre&gt;</description>
    <dc:creator>Alain Toussaint</dc:creator>
    <dc:date>2012-04-12T19:41:50</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.gentoo.hardened/5418">
    <title>SELinux base policy rev 7 in hardened-dev</title>
    <link>http://comments.gmane.org/gmane.linux.gentoo.hardened/5418</link>
    <description>&lt;pre&gt;Hi guys,

I just pushed selinux-base* revision 7 to the hardened-development overlay.
It contains only a few changes, namely:

#401595         Mark .pwd.lock as etc_t
#411193         Support init scripts working with cgroups (manage cgroup_t)
#403293         Support SELinux-aware cronie and have it create cronjob_t keys

Still, since rev 6 was two weeks ago and the init script stuff might be a bit
too blocking for some, and it's raining here, it's a good time to push this
out.

Wkr,
Sven Vermeulen


&lt;/pre&gt;</description>
    <dc:creator>Sven Vermeulen</dc:creator>
    <dc:date>2012-04-11T17:46:45</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.linux.gentoo.hardened">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.gentoo.hardened</link>
  </textinput>
</rdf:RDF>

