
Use refpolicy on bare metal: login fails without any AVC log

Open huzai9527 opened this issue 2 years ago • 7 comments

  1. When I use permissive mode, I collect all the deny information in the auth.log and make it pass in the policy.
  2. After I used permissive mode with no rejection logs, I switched to enforcing mode.
  3. The strange thing is that after switching to enforcing, everything works fine without logging in again, but when I log in again, I am prompted that the password is incorrect.

huzai9527 Mar 05 '24 01:03

I tried using the method proposed in #342, gen_tunable(authlogin_pam, false), but still have the same problem.

huzai9527 Mar 05 '24 02:03

When in permissive mode, login succeeds, no AVC deny:

root@XP5:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             refpolicy
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
root@XP5:~# cat /var/log/audit/audit.log
type=DAEMON_START msg=audit(1709604612.347:675): op=start ver=3.0.7 format=enriched kernel=5.10.115-rt67+ auid=4294967295 pid=227 uid=0 ses=4294967295 subj=system_u:system_r:auditd_t res=successAUID="unset" UID="root"
type=MAC_STATUS msg=audit(1709604660.812:35): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1AUID="unset"
type=MAC_STATUS msg=audit(1709604696.792:36): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1AUID="unset"
type=MAC_STATUS msg=audit(1709605160.164:37): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1AUID="unset"
type=MAC_STATUS msg=audit(1709605568.800:38): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1AUID="unset"
root@XP5:~# login
XP5 login: root
root@XP5:~# success
-bash: success: command not found
root@XP5:~# exit
logout

When in enforcing mode, login fails, no AVC deny:

root@XP5:~# setenforce 1
root@XP5:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             refpolicy
Current mode:                   enforcing
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
root@XP5:~# login
XP5 login: root
Password:
Login incorrect
XP5 login: ^C
root@XP5:~# ^C
root@XP5:~# cat /var/log/audit/audit.log
type=DAEMON_START msg=audit(1709604612.347:675): op=start ver=3.0.7 format=enriched kernel=5.10.115-rt67+ auid=4294967295 pid=227 uid=0 ses=4294967295 subj=system_u:system_r:auditd_t res=successAUID="unset" UID="root"
type=MAC_STATUS msg=audit(1709604660.812:35): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1AUID="unset"
type=MAC_STATUS msg=audit(1709604696.792:36): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1AUID="unset"
type=MAC_STATUS msg=audit(1709605160.164:37): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1AUID="unset"
type=MAC_STATUS msg=audit(1709605568.800:38): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1AUID="unset"
type=MAC_STATUS msg=audit(1709605619.308:39): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1AUID="unset"

huzai9527 Mar 05 '24 02:03
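To check an audit log like the ones pasted above for what actually matters here (SELinux mode transitions and AVC denials), the following parser is an added example, not code from the issue or the refpolicy project. It handles auditd's enriched format, where the raw fields and the uppercase enriched fields are separated by an ASCII 0x1d byte (lost in the pasted output, which is why `res=successAUID` appears fused); the sample log text, including the AVC record, is constructed, and the type names in it are assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in auditd enriched format. The AVC line is invented so the
# denial path is exercised; the issue's own logs contain only MAC_STATUS records.
SAMPLE_AUDIT_LOG = (
    'type=MAC_STATUS msg=audit(1709604660.812:35): enforcing=1 old_enforcing=0 '
    'auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1\x1dAUID="unset"\n'
    'type=MAC_STATUS msg=audit(1709604696.792:36): enforcing=0 old_enforcing=1 '
    'auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1\x1dAUID="unset"\n'
    'type=AVC msg=audit(1709605620.001:40): avc:  denied  { read } for  pid=612 comm="login" '
    'name="shadow" dev="mmcblk0p2" ino=1234 scontext=system_u:system_r:local_login_t '
    'tcontext=system_u:object_r:shadow_t tclass=file permissive=0\n'
)

RECORD_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]*) \}')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit line into type, timestamp, serial and key=value fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return {}
    rtype, ts, serial, body = m.groups()
    body = body.split('\x1d', 1)[0]  # drop the enriched (uppercase) fields
    rec = {'type': rtype, 'ts': ts, 'serial': serial}
    avc = AVC_RE.search(body)
    if avc:
        rec['result'], rec['perms'] = avc.group(1), avc.group(2).strip()
    for key, val in KV_RE.findall(body):
        rec[key] = val.strip('"')
    return rec


def summarize(log_text: str) -> Tuple[List[Tuple[str, str]], List[Dict[str, str]]]:
    """Return (enforcing transitions as (old, new), AVC denials) from an audit log.

    A login failure under enforcing with an empty denial list is the symptom in
    this issue: nothing is visible until dontaudit rules are disabled (semodule -DB).
    """
    transitions, denials = [], []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get('type') == 'MAC_STATUS' and 'enforcing' in rec:
            transitions.append((rec['old_enforcing'], rec['enforcing']))
        elif rec.get('type') == 'AVC' and rec.get('result') == 'denied':
            denials.append({k: rec.get(k, '') for k in
                            ('comm', 'scontext', 'tcontext', 'tclass', 'perms', 'permissive')})
    return transitions, denials
```

Run `summarize(open('/var/log/audit/audit.log').read())` on a real box; an empty denial list together with a failing login is the cue to rebuild with dontaudit rules disabled and look again.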

login (at least in my experience with RedHat systems) is a funny one to deal with because it is SELinux aware and will change behavior when running in enforcing. So it expects that certain things will fail in enforcing and do things a different way. This makes it a bit challenging to debug. I assume you are not on a RedHat system, but there could be a similar thing going on.

dsugar100 Mar 07 '24 16:03

There are probably a bunch of dontaudit rules in the login policy to hide some actions that are really not allowed. Probably worth using 'semodule -DB' (to rebuild the policy with dontaudits disabled); that will show you denials that have been intentionally hidden, to see if maybe something is affecting you. Be warned, there will be lots of messages to go through.

dsugar100 Mar 07 '24 16:03

> login (at least in my experience with RedHat systems) is a funny one to deal with because it is SELinux aware and will change behavior when running in enforcing. So it expects that certain things will fail in enforcing and do things a different way. This makes it a bit challenging to debug. I assume you are not on a RedHat system, but there could be a similar thing going on.

Actually, I compiled the rootfs using buildroot and compiled kernel 5.10 myself. Then I compiled refpolicy (with enableaudit).

huzai9527 Mar 08 '24 02:03

Hi, has this problem been solved on your side @huzai9527? This problem occurred on my platform too.

Brucefang Apr 02 '24 09:04

If you are using modular policy you can try semodule -DB to enable all dontaudit rules, and see if there are any audit logs.

gxshao May 15 '24 03:05

THANKS FOR ALL. I have solved this problem. Because buildroot doesn't install SELinux on /var/selinux, semodule -DB doesn't work. I added this in buildroot/package/refpolicy.mk: [image]. When I use login, the AVC log below comes: [image]. I fixed the AVC, and now I can log in with enforcing mode.

huzai9527 Jun 20 '24 01:06