DevHeads.net

I want to turn on a part of the kernel to make SELinux checking more stringent.

I wrote a systemd unit file to enable it, and to allow a user to disable the
feature if he wants.

# cat /usr/lib/systemd/system/selinux-checkreqprot.service
[Unit]
Description=SELinux check actual protection flags applied by kernel, rather than checking what application requested.

[Service]
Type=oneshot
RemainAfterExit=yes
Environment="CHECKREQPROT=0"
EnvironmentFile=-/etc/selinux/config
ExecStart=/bin/sh -c '/bin/echo $CHECKREQPROT > /sys/fs/selinux/checkreqprot'

I would like to enable this service on the post install of an initial install
of libselinux. But I believe this will not happen with

%systemd_post_enable selinux-checkreqprot.service

How would I go about doing this?

I know there is one problem in the unit file: it will fail if
/sys/fs/selinux/checkreqprot does not exist. Is there an easy check to just
exit if this file does not exist?

Also, is using a unit file for this the best way to handle it?
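As an added example (not code from the original post), here is the write that the unit's ExecStart performs, with the existence check asked for above and validation of the configured value; the config path and the sysfs node are parameters so the function can be run against constructed files instead of the real selinuxfs node.

```shell
#!/bin/sh
# Added example, not part of the original post: the write the unit's ExecStart
# performs, plus the missing-file check the post asks for and input validation.
# Arguments (paths are parameters so the function can be run against test files):
#   $1  config in /etc/selinux/config style (KEY=VALUE lines)
#   $2  sysfs node to write, normally /sys/fs/selinux/checkreqprot
# Prints the value written; a missing node is a silent no-op (exit 0), while a
# value other than 0 or 1 in the config is rejected (exit 1).
apply_checkreqprot() {
    conf=$1
    node=$2
    value=0   # default, matching Environment="CHECKREQPROT=0" in the unit
    if [ -r "$conf" ]; then
        # Last CHECKREQPROT= assignment wins, as with EnvironmentFile=
        v=$(sed -n 's/^[[:space:]]*CHECKREQPROT=//p' "$conf" | tail -n 1)
        v=${v%\"}; v=${v#\"}   # strip optional double quotes
        [ -n "$v" ] && value=$v
    fi
    case $value in
        0|1) ;;
        *) echo "apply_checkreqprot: invalid CHECKREQPROT value '$value'" >&2
           return 1 ;;
    esac
    # No selinuxfs node (SELinux disabled or not compiled in): nothing to do
    [ -e "$node" ] || return 0
    printf '%s\n' "$value" > "$node" || return 1
    printf '%s\n' "$value"
}
```

Inside a unit, systemd's ConditionPathExists=/sys/fs/selinux/checkreqprot expresses the same skip without invoking a shell.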

Comments

Re: I want to turn on a part of the kernel to make SELinux check

By Kevin Kofler at 01/25/2014 - 14:37

Just replying to the subject, without going into the implementation details:
We've just hit two critical regressions, one in Fedora 20 (see the 2+
threads about it) and one in Rawhide
(https://bugzilla.redhat.com/show_bug.cgi?id=1052317, still open!), as a
result of SELinux checking being TOO stringent, and you want to make it even
MORE stringent???

Big -1!

It's time to stop the madness and just disable SELinux altogether by
default!

Kevin Kofler

Re: I want to turn on a part of the kernel to make SELinux check

By Bill Nottingham at 01/24/2014 - 11:50

Daniel J Walsh ( ... at redhat dot com) said:

... why is this not a sysctl?

Bill

Re: I want to turn on a part of the kernel to make SELinux check

By Zbigniew =?utf-... at 01/24/2014 - 11:44

On Fri, Jan 24, 2014 at 10:22:56AM -0500, Daniel J Walsh wrote:
I think we really need an echo command with sudo syntax. I keep a local
script which does that, called "fecho". The syntax is 'fecho [-a] arg... file',
where -a means append. Maybe something like this could be added to util-linux
or somewhere.

Zbyszek

Re: I want to turn on a part of the kernel to make SELinux check

By =?UTF-8?B?IkrDs... at 01/24/2014 - 11:45

On 01/24/2014 03:44 PM, Zbigniew Jędrzejewski-Szmek wrote:
When we started the migration of units, using "ExecStart=/bin/sh -c" was
generally frowned upon since unit files aren't shell scripts and weren't
supposed to be used as such, has this changed?

JBG

Re: I want to turn on a part of the kernel to make SELinux check

By Benjamin Lewis at 01/24/2014 - 11:34

What does this actually do/mean?

(Sorry if it's obvious, it isn't to me!)

Re: I want to turn on a part of the kernel to make SELinux check

By Lennart Poettering at 01/24/2014 - 11:32

Heya,

Do we really need a service for this? Can't this be done instead via a
tmpfiles snippet that uses "f" and the extra argument at the end?

I mean I am not convinced it's worth involving shell here. Also the
canonical way to write things to /proc or /sys is
{/etc,/usr/lib/}/sysctl.d/ and {/etc,/usr/lib/}/tmpfiles.d/ if it's
simple and static. And I don't see why we shouldn't do this differently
in this case than in all others...

If you would ship a simple tmpfiles snippet in /usr/lib/tmpfiles.d/,
then users who want to opt out of this could simply symlink the file to
/dev/null in /etc/tmpfiles.d/.

Lennart

Re: I want to turn on a part of the kernel to make SELinux check

By Till Maas at 01/26/2014 - 04:03

Using tmpfiles.d for this is not very obvious. Who would expect that a
service intended to handle temporary files is used for configuration?
For example the man page says:

| tmpfiles.d — Configuration for creation, deletion and cleaning of
| volatile and temporary files

Regards
Till

Re: I want to turn on a part of the kernel to make SELinux check

By Daniel J Walsh at 01/24/2014 - 12:01

Here is the request from upstream to enable this feature in Rawhide, with an
explanation of what it does.

Re: I want to turn on a part of the kernel to make SELinux check

By Richard W.M. Jones at 01/26/2014 - 16:38

Slightly OT, but is SELinux stopping programs from executing code at
address zero? (And how can I stop it doing that?)

JONESFORTH, a public domain FORTH I wrote, is written in x86 assembler
and prefers to put its threaded interpreter at address 0. This worked
fine before, but has now stopped working, and this is reported to be
due to SELinux.

http://rwmj.wordpress.com/2010/08/07/jonesforth-git-repository/#comment-6591

Rich.

Re: I want to turn on a part of the kernel to make SELinux check

By Matthew Garrett at 01/27/2014 - 00:36

Can you change its preference? Permitting the mapping of executable code
at address 0 makes it much easier to exploit null pointer
vulnerabilities in the kernel. Recent (within the past few years…)
kernels will refuse to let you mmap stuff below 64K or so regardless of
selinux policy, so this may break on other distributions as well.

Re: I want to turn on a part of the kernel to make SELinux check

By drago01 at 01/26/2014 - 16:53

On Sun, Jan 26, 2014 at 9:38 PM, Richard W.M. Jones < ... at redhat dot com> wrote:
Maybe you just need to set /proc/sys/vm/mmap_min_addr to 0 ? But
that's a bad idea as it makes kernel bugs (null pointer dereference)
easy to exploit.

Re: I want to turn on a part of the kernel to make SELinux check

By Andrew Lutomirski at 01/26/2014 - 16:49

On Sun, Jan 26, 2014 at 12:38 PM, Richard W.M. Jones < ... at redhat dot com> wrote:
IIRC, in new kernels, /proc/sys/vm/mmap_min_addr and MAC policy both
have to allow the mmap call. In older kernels, only one of them had
to allow it.

Maybe some day SMAP-capable machines (e.g. Haswell, I think) will
ignore these settings entirely -- I think that SMAP covers all the
cases that mmap_min_addr was meant to protect against.

--Andy

Re: I want to turn on a part of the kernel to make SELinux check

By Daniel J Walsh at 01/27/2014 - 11:45

On 01/26/2014 03:49 PM, Andrew Lutomirski wrote:
Will turn off this protection from an SELinux point of view, although you
should be careful with this.

Re: I want to turn on a part of the kernel to make SELinux check

By =?iso-8859-1?q?... at 01/24/2014 - 15:11

Daniel J Walsh wrote:
I'm afraid all I understand of that explanation is that this has
something to do with executable stacks. How does the proposed change
affect programs that need an executable stack?

Björn Persson

Re: I want to turn on a part of the kernel to make SELinux check

By Daniel J Walsh at 01/24/2014 - 15:20

On 01/24/2014 02:11 PM, Björn Persson wrote:
# grep check /lib/tmpfiles.d/selinux-policy.conf
w /sys/fs/selinux/checkreqprot 1

I believe you can revert it by adding

echo "w /sys/fs/selinux/checkreqprot 0" >> /etc/tmpfiles.d/selinux-policy.conf
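As an added example that is not code from Lennart's or Daniel's posts, the following emulates the two behaviours they rely on: systemd-tmpfiles lets a file of the same name in /etc/tmpfiles.d take precedence over the one in /usr/lib/tmpfiles.d, and a symlink to /dev/null there masks it entirely. The directories are parameters so the resolution can be tested on constructed files; only the `w` line type is handled, written in the seven-field form from tmpfiles.d(5) (`w <path> - - - - <value>`).

```shell
#!/bin/sh
# Added example, not code from the thread: a small emulation of how
# systemd-tmpfiles chooses between same-named files in its config directories
# and applies "w" (write) lines. Directories are passed in priority order,
# e.g. /etc/tmpfiles.d /run/tmpfiles.d /usr/lib/tmpfiles.d; here they are
# parameters so the logic can be tested on constructed files.

# Print the winning *.conf for each basename. The first directory that has a
# given basename wins; a symlink to /dev/null there masks the file entirely.
resolve_tmpfiles() {
    seen=" "
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
            base=${f##*/}
            case $seen in *" $base "*) continue ;; esac   # shadowed already
            seen="$seen$base "
            if [ -L "$f" ] && [ "$(readlink "$f")" = /dev/null ]; then
                continue   # masked, as with ln -s /dev/null /etc/tmpfiles.d/x.conf
            fi
            printf '%s\n' "$f"
        done
    done
}

# Apply "w <path> <mode> <uid> <gid> <age> <argument>" lines from the winning
# files, writing <argument> to <path>. Other line types and comments are
# ignored, and a missing target path is reported and skipped, not fatal.
apply_write_lines() {
    resolve_tmpfiles "$@" | while IFS= read -r conf; do
        while read -r type path _mode _uid _gid _age arg; do
            [ "$type" = w ] && [ -n "$arg" ] || continue
            if [ ! -e "$path" ]; then
                echo "skip: $path does not exist ($conf)" >&2
                continue
            fi
            printf '%s' "$arg" > "$path"
        done < "$conf"
    done
}
```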

Re: I want to turn on a part of the kernel to make SELinux check

By Alek Paunov at 01/24/2014 - 20:29

On 24.01.2014 21:20, Daniel J Walsh wrote:
SELinux newbie question: Where is the daemons exception actually
defined? My practical interest is: What should be added to LuaJIT [1] to
be able to run e.g. non-packaged web servers like [2]?

Thanks,
Alek

[1] http://pkgs.fedoraproject.org/cgit/luajit.git/plain/luajit.spec
[2] https://github.com/kernelsauce/turbo

Re: I want to turn on a part of the kernel to make SELinux check

By Daniel J Walsh at 01/27/2014 - 11:46

On 01/24/2014 07:29 PM, Alek Paunov wrote:
When you run your Web Server does SELinux actually block anything?

Re: I want to turn on a part of the kernel to make SELinux check

By Andrew Lutomirski at 01/24/2014 - 14:36

I admit that I'm extremely late to the party (if I could go back in
time, I'd do my best to nack the relevant kernel parts), but...

Why is execmem part of MAC policy in the first place? As I understand
it, the point of MAC is to prevent programs (whether malicious,
compromised, or just dumb) from doing things to other parts of the
system that they have no business doing.

execmem restrictions, on the other hand, serve to prevent a program
from doing something *to itself* that may make it easier to compromise
that program. Note that, by the time you've pwned a daemon hard
enough to get it to call personality, mprotect, or *write another ELF
image with strange flags*[1], you've already gotten past the point
where preventing execmem is going to do any good.

IOW, I consider restrictions to execmem to be in the same category as
-fstack-protector, and I'd be happier if this stuff were split out
from selinux entirely.

(To be fair, if the point is to make it more transparent which
programs are using execmem for legitimate purposes, so that the rest
can be fixed, then something like file labels makes sense. On the
other hand, sticking an equivalent check into, say, the Fedora RPM
scripts makes even more sense to me.)

[1] Don't even get me started on that one. If you can get a buggy php
program to write attacker-controlled files, you're not going to write
ELF programs that fiddle with PT_GNU_STACK. You're going to write ELF
programs that *already contain shellcode*. So this particular
protection is IMO completely worthless.

--Andy

Re: I want to turn on a part of the kernel to make SELinux check

By Daniel J Walsh at 01/24/2014 - 11:52

On 01/24/2014 10:32 AM, Lennart Poettering wrote: