libselinux issue

libselinux issue

[Dominick Grift]

We can get into a state where selinux is enabled without a policy.

Reproducer:

cat > /etc/selinux/config <<EOF
ELINUX=disabled
SELINUXTYPE=blah
EOF

Further info:

Reproduced on Debian Bullseye
5.10.0-8-amd64
SELinux 3.1

Note that *both conditions* above have to be met to trigger this.

If you only have a typo "ELINUX=disabled" then SELinux will boot in
permissive mode

If you only have a type "SELINUXTYPE=blah" then SELinux will not be
enabled because the policy cannot be found

root@bullseye:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             dssp5
Current mode:                   permissive
Mode from config file:          error (Success)
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Memory protection checking:     actual (secure)
Max kernel policy version:      33

root@bullseye:~# ls /sys/fs/selinux
access                create            mls                  ss
avc                   deny_unknown      null                 status
booleans              disable           policy               user
checkreqprot          enforce           policy_capabilities  validatetrans
class                 initial_contexts  policyvers
commit_pending_bools  load              reject_unknown
context               member            relabel

root@bullseye:~# ls /etc/selinux
config  dssp5-debian  semanage.conf

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

Re: libselinux issue

[Dominick Grift]

Dominick Grift <dominick.grift@defensec.nl> writes:

> We can get into a state where selinux is enabled without a policy.

Someone was sharp enough to notice an inconsistency in the info below. I
used "SELINUXTYPE=blah" where when I actually tested it I used
"SELINUXTYPE=dssp5".

Both are invalid and lead to the same results. So just read
s/dssp5/blah/


>
> Reproducer:
>
> cat > /etc/selinux/config <<EOF
> ELINUX=disabled
> SELINUXTYPE=blah
> EOF
>
> Further info:
>
> Reproduced on Debian Bullseye
> 5.10.0-8-amd64
> SELinux 3.1
>
> Note that *both conditions* above have to be met to trigger this.
>
> If you only have a typo "ELINUX=disabled" then SELinux will boot in
> permissive mode
>
> If you only have a type "SELINUXTYPE=blah" then SELinux will not be
> enabled because the policy cannot be found
>
> root@bullseye:~# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             dssp5
> Current mode:                   permissive
> Mode from config file:          error (Success)
> Policy MLS status:              disabled
> Policy deny_unknown status:     denied
> Memory protection checking:     actual (secure)
> Max kernel policy version:      33
>
> root@bullseye:~# ls /sys/fs/selinux
> access                create            mls                  ss
> avc                   deny_unknown      null                 status
> booleans              disable           policy               user
> checkreqprot          enforce           policy_capabilities  validatetrans
> class                 initial_contexts  policyvers
> commit_pending_bools  load              reject_unknown
> context               member            relabel
>
> root@bullseye:~# ls /etc/selinux
> config  dssp5-debian  semanage.conf

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

Re: libselinux issue

[Christian Göttsche]

On Tue, 31 Aug 2021 at 13:51, Dominick Grift <dominick.grift@defensec.nl> wrote:
>
> Dominick Grift <dominick.grift@defensec.nl> writes:
>
> > We can get into a state where selinux is enabled without a policy.
>

While testing a potential fix several questions came up:

I. What are the expected/desired outcomes after the following
configuration setups:

    * invalid SELINUX=, valid SELINUXTYPE=  (currently permissive,
except cmdline contains `enforcing=1` then system halt)
    * valid SELINUX=, invalid SELINUXTYPE=  (currently disabled if
SELINUX=disabled, system halt if SELINUX=enforcing or `enforcing=1`,
else zombie state)

II. When does the kernel considers SELinux to be *enabled*? After the
mount of a selinuxfs or after the first policy load?
    With SELinux being unable to disable at runtime in the near future
and SELinux being initialized after a selinuxfs mounting, that
probably needs selinux_init_load_policy(3) to check for a valid
SELINUXTYPE= before mounting a selinuxfs.

Also selinux_init_load_policy(3) libselinux should probably reset its
state via `umount(selinux_mnt); fini_selinuxmnt();` after a
selinux_mkload_policy(3) failure.

Re: libselinux issue

[Petr Lautrbach]

Christian Göttsche <cgzones@googlemail.com> writes:

> On Tue, 31 Aug 2021 at 13:51, Dominick Grift <dominick.grift@defensec.nl> wrote:
>>
>> Dominick Grift <dominick.grift@defensec.nl> writes:
>>
>> > We can get into a state where selinux is enabled without a policy.
>>
>
> While testing a potential fix several questions came up:
>
> I. What are the expected/desired outcomes after the following
> configuration setups:
>
>     * invalid SELINUX=, valid SELINUXTYPE=  (currently permissive,
> except cmdline contains `enforcing=1` then system halt)

Unspecified or invalid SELINUX defaults to enforce = 0. I guess it could
help administrators during initial selinux setup - the system would boot
even with a typo.

`enforcing=1` on the kernel command line overrides value set
in config file (in this case it is not set). If SELINUXTYPE is valid,
the policy is loaded and systemd boots. If it's invalid, the systemd
freeze, see bellow.



>     * valid SELINUX=, invalid SELINUXTYPE=  (currently disabled if
> SELINUX=disabled, system halt if SELINUX=enforcing or `enforcing=1`,
> else zombie state)

If systemd can't load policy it logs the problem and freeze in
enforcing. The result of selinux_init_load_policy is ignored in
permissive and systemd continue with boot, see bellow.

                if (enforce > 0) {
                        if (!initialized)
                                return log_emergency_errno(SYNTHETIC_ERRNO(EIO),
                                                           "Failed to load SELinux policy.");

                        log_warning("Failed to load new SELinux policy. Continuing with old policy.");
                } else
                        log_debug("Unable to load SELinux policy. Ignoring.");
        }



>
> II. When does the kernel considers SELinux to be *enabled*? After the
> mount of a selinuxfs or after the first policy load?

My understanding is that internally in kernel is SELinux enabled during
build process and it considers SELinux to be enabled unless selinux=0 is
used on kernel command line.

For userspace it's propagated as availability of /sys/fs/selinux.


>     With SELinux being unable to disable at runtime in the near future
> and SELinux being initialized after a selinuxfs mounting, that
> probably needs selinux_init_load_policy(3) to check for a valid
> SELINUXTYPE= before mounting a selinuxfs.

AFAIK whether /sys/fs/selinux is mounted or not doesn't say anything
about status of SELinux inside kernel. It's just used as simple
indicator for userspace whether it can use SELinux API or not.


> Also selinux_init_load_policy(3) libselinux should probably reset its
> state via `umount(selinux_mnt); fini_selinuxmnt();` after a
> selinux_mkload_policy(3) failure.