buildroot.busybox.net archive mirror
* [Buildroot] Troubles with SELinux
@ 2023-03-16 16:33 Jonathan Bittner
From: Jonathan Bittner @ 2023-03-16 16:33 UTC (permalink / raw)
  To: buildroot


I'm developing an embedded config on an Intel Atom board. It is a
government app and will go through vetting. Likely it will be compared to
the RedHat and Ubuntu Security Technical Implementation Guides (STIGs) as
there are no specific embedded Linux STIGs.

That means I need features like iptables, displaying the government
computer warning message, preserved logs, and SELinux.

System parameters: busybox init, GUI via nodm and openbox, ext4 file
system, bootloader varies with both grub and syslinux (extlinux), sshd

I've found a few issues and fixed them with the help of audit2allow and
made a custom policy and loaded it to address some of the issues. I think
there are some mislabels and confusion since the /var/run folder is on a
tmpfs (I tried to set a context in the fstab but that broke it worse).

On boot up, the auditd which helps so much with debugging SELinux can't
even run because it can't obtain permissions for its log files and .pid
file. But after boot up, I can manually start it. It might be because
restorecond runs AFTER auditd in the init order. I also lose out on acpid
which starts earlier and it can't open its socket (/run/acpid.socket).
Lack of early logging means I don't have enough info to add to the policy.
I've also tried to tweak /etc/selinux/restorecond.conf and move its init
script to earlier in the start up.

The system doesn't recognize /.autorelabel and is also missing semanage
(python script not built; python hooks to libsemanage are needed even if it
was, and they were deprecated in 2015).

Lastly, I can't log in via ssh as user as it can't determine my user's
default context. Googling the error shows some results, many are decades
old. I tried adding to the policy's local.users file but that didn't help.

I have root ssh logins working via public keys. I enabled the relevant
boolean and sshd_config values.

I wanted to ask if anyone was actively using SELinux and was hoping you
could share some of your knowledge, tweaks, policies, and other hints. I'm
especially interested in getting the labels correct on the image before
first boot.

Thanks,
Jonathan

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] Troubles with SELinux
From: Jonathan Bittner @ 2023-03-17 15:20 UTC (permalink / raw)
  To: buildroot


On Thu, Mar 16, 2023 at 12:33 PM Jonathan Bittner <
jbittner.br.bugs@gmail.com> wrote:

> I'm developing an embedded config on an Intel Atom board. It is a
> government app and will go through vetting. Likely it will be compared to
> the RedHat and Ubuntu Security Technical Implementation Guides (STIGs) as
> there no specific embedded Linux STIGs.
>
I hate replying to my own posts but I learned two additional things during
my experimentation yesterday:

1.) An early forced relabel (S000relabel service) on a fresh filesystem
helps fix some issues.

2.) Switching to SystemV init allowed more useful troubleshooting in
permissive mode: auditd could run early, reported exceptions were logged,
and authorizations could be added. I think BusyBox init somehow just turns
SELinux off (no reporting) in permissive mode.

3.) My issue with ssh login is apparently that the /etc/pam.d/sshd that ships
with the system contains no reference to any of the SELinux modules in the
auth stack, which means the contexts are not set during the login. I
haven't quite fixed this yet. Most of the sample configs I've found online
were distribution-specific and had external references (includes) to files
shipped by that distro, often incorporating distro-specific modules not
shipped with Buildroot.


* Re: [Buildroot] Troubles with SELinux
From: Jonathan Bittner @ 2023-03-18 21:43 UTC (permalink / raw)
  To: buildroot

On Fri, Mar 17, 2023 at 11:20 AM Jonathan Bittner
<jbittner.br.bugs@gmail.com> wrote:
>
> On Thu, Mar 16, 2023 at 12:33 PM Jonathan Bittner <jbittner.br.bugs@gmail.com> wrote:
> 3.) My issues with ssh login is apparently the /etc/pam.d/sshd that ships with the system contains no reference to any of the SELinux modules in the auth stack which means the contexts are not set during the login.  I haven't quite fixed this yet. Most of the sample configs I've found online were distribution-specific and had external references (includes) to files shipped by that distro, often incorporating distro-specific modules not shipped with Buildroot

Replying again to add to the archive in case anyone ever searches for
this: ssh troubles were alleviated by manually mapping the user
account to staff_u (instead of the default user_u) in seusers. Good
enough for now. Not sure why user_u is blocked or what policy to
change to fix it. Also don't bother trying to install semanage and
the python hooks: they don't work when the policy is built as
monolithic.
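A small audit script for the three configuration points this thread works through (the seusers mapping of the login, whether /etc/pam.d/sshd invokes pam_selinux.so, and whether restorecond's init script sorts before auditd's in the SysV start order), added here as an example and not code from the thread or from Buildroot. The init-script names, the sample seusers and PAM lines, and the login name jonathan are constructed, and the ordering check assumes Buildroot's S<digits><name> lexical start order.

```python
"""Check the three SELinux points the thread works through: the seusers mapping of a
login, whether /etc/pam.d/sshd calls pam_selinux.so, and whether restorecond's init
script sorts before auditd's. Inputs are text; the sample data at the end is constructed."""
import re

def seuser_for(seusers_text, login):
    """Map a login to (seuser, mls_range) per seusers, falling back to __default__."""
    table = {}
    for raw in seusers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        user, seuser, *rest = line.split(":")
        table[user] = (seuser, rest[0] if rest else "")
    return table.get(login, table.get("__default__"))

def pam_sshd_sets_context(pam_text):
    """True when a session line in the sshd PAM config invokes pam_selinux.so."""
    for raw in pam_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0] == "session" and any(p.endswith("pam_selinux.so") for p in parts[1:]):
            return True
    return False

def sysv_order(init_d_entries):
    """Service names in the order Buildroot's SysV init runs S<digits><name> scripts (lexical)."""
    starts = sorted(e for e in init_d_entries if re.fullmatch(r"S\d+\D.*", e))
    return [re.sub(r"^S\d+", "", e) for e in starts]

def audit(seusers_text, pam_text, init_d_entries, login):
    """Collect the three problems as human-readable findings (empty list means clean)."""
    findings = []
    seuser, _ = seuser_for(seusers_text, login) or ("", "")
    if seuser == "user_u":
        findings.append(f"{login} maps to user_u; the thread needed staff_u in seusers")
    if not pam_sshd_sets_context(pam_text):
        findings.append("/etc/pam.d/sshd never calls pam_selinux.so, so no login context is set")
    order = sysv_order(init_d_entries)
    if "auditd" in order and "restorecond" in order and order.index("restorecond") > order.index("auditd"):
        findings.append("restorecond starts after auditd, so auditd's log and pid files may still be mislabeled")
    return findings

# Constructed sample inputs mirroring the setup described in the thread (not real board files).
SAMPLE_SEUSERS = "# login:seuser:range\n__default__:user_u:s0\nroot:root:s0\n"
SAMPLE_PAM_SSHD = "auth     required pam_unix.so\nsession  required pam_unix.so\n"
SAMPLE_INIT_D = ["S01syslogd", "S02sysctl", "S20acpid", "S30auditd", "S40restorecond", "S50sshd"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SEUSERS, SAMPLE_PAM_SSHD, SAMPLE_INIT_D, "jonathan"):
        print("FINDING:", finding)
```

Point the three inputs at the target rootfs (etc/selinux/<policy>/seusers, etc/pam.d/sshd, and a listing of etc/init.d) to run the same checks against a real image.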
