Comments (7)
Hey, thanks for the quick testing of the sample policy and the bug report.
Can you reboot in permissive and grab the journal log and share that (journalctl -b 0 > journal.txt)?
Likely issues would contain either a log entry with the string "AVC" or the string "SELinux", but there are a number of things that could cause a boot hang (either SELinux denials, or failures in SELinux aware userspace components such as systemd, dbus, xwayland and others). Each of the different user daemons has its own logging, so it's hard to say precisely what to look for in the abstract. If you are able to share the full log, I'll take a look through it and should be able to zero in on the problem from there.
Thank you for the help and quick response. I've attached my journal.txt as requested. I did see some AVC denials in there.
journal.txt
Thanks for the logs. It looks like everything is fine up until this point and at least most of what follows seems to be consequences of this part:
Jan 26 18:34:33 fedora.example.com audit[1]: AVC avc: denied { search } for pid=1 comm="systemd" name="/" dev="dm-0" ino=128 scontext=system_u:system_r:kernel_sid tcontext=system_u:object_r:unlabeled_sid tclass=dir permissive=1
Jan 26 18:34:33 fedora.example.com audit[1]: AVC avc: denied { getattr } for pid=1 comm="systemd" name="systemd" dev="dm-0" ino=299959 scontext=system_u:system_r:kernel_sid tcontext=system_u:object_r:unlabeled_sid tclass=file permissive=1
Jan 26 18:34:33 fedora.example.com audit[1]: AVC avc: denied { dyntransition } for pid=1 comm="systemd" scontext=system_u:system_r:kernel_sid tcontext=system_u:system_r:kernel_sid tclass=process permissive=1
Jan 26 18:34:33 fedora.example.com audit[1]: AVC avc: denied { read } for pid=1 comm="systemd" name="file_contexts" dev="dm-0" ino=22255515 scontext=system_u:system_r:kernel_sid tcontext=system_u:object_r:unlabeled_sid tclass=file permissive=1
Jan 26 18:34:33 fedora.example.com audit[1]: AVC avc: denied { ioctl } for pid=1 comm="systemd" path="/etc/adjtime" dev="dm-0" ino=17328184 ioctlcmd=0x5401 scontext=system_u:system_r:kernel_sid tcontext=system_u:object_r:unlabeled_sid tclass=file permissive=1
There are two issues here:
1. systemd seems to be running as the "kernel_sid" type. It should have transitioned to the "general" domain.
2. Several files are unlabeled, including /, /etc and some of the contents of /etc.
Can you check the labels (ls -Z) on a few files, including /etc and /usr/lib/systemd/systemd? Most of the system should be system_u:object_r:all_files, with the exception of /usr/lib/systemd/systemd, which should be system_u:object_r:init_exec. Double check that you ran restorecon as root and used the -F flag?
Running ls -Z on those files revealed they both had types of "unlabeled_sid". When I run restorecon -RF /etc/, or any other directory, I get flooded with errors saying the Operation is not supported.
Thanks. Those errors are definitely relevant. The "Operation is not supported" error indicates that the filesystem doesn't support extended attributes, which are necessary for relabeling. Looking in your logs some more, it seems that you're using xfs for your root, which does have extended attribute support, but it isn't specified in the policy. Would you mind building this PR branch #100 and retesting to see if that resolves your problem?
Success! I was able to boot into enforcing.
One thing I will note, is I still have two lingering AVCs:
allow kernel_sid self:capability2 syslog;
allow kernel_sid self:system syslog_console;
From the audit.log:
type=AVC msg=audit(1674874943.471:186): avc: denied { syslog } for pid=354 comm="plymouthd" capability=34 scontext=system_u:system_r:kernel_sid tcontext=system_u:system_r:kernel_sid tclass=capability2 permissive=0
type=AVC msg=audit(1674874943.471:186): avc: denied { syslog_console } for pid=354 comm="plymouthd" scontext=sys
Thank you for your help and quick responses!
Glad it's working for you. Thanks for reporting the AVCs as well. Looks like plymouthd logs to the console in some situations, so it's reasonable to add to the policy. I've made a PR for that. #103
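As an added example (not code from this thread or from the Cascade project), the following Python script does the triage the thread walks through by hand. It parses AVC denials in both formats that appear above (journald lines of the form "audit[1]: AVC avc: denied ..." and audit.log lines of the form "type=AVC msg=audit(...): avc: denied ..."), flags the two conditions diagnosed in the third comment (targets whose context type is unlabeled_sid, and pid 1 still running as kernel_sid instead of having transitioned), and renders the remaining denials as allow rules in the same shape as the two plymouthd rules posted later in the thread. The sample log text is constructed from the lines quoted in the thread; the type names kernel_sid and unlabeled_sid come from the page, and the AVC field names (scontext, tcontext, tclass, permissive, ...) are the standard kernel AVC message fields.

```python
"""Triage SELinux AVC denials from journalctl or audit.log text (added example)."""
import re
from collections import defaultdict

# Constructed sample input, modelled on the lines quoted in the thread. It mixes
# journald-format and audit.log-format denials plus one non-AVC line.
SAMPLE_LOG = """\
Jan 26 18:34:33 fedora.example.com audit[1]: AVC avc: denied { search } for pid=1 comm="systemd" name="/" dev="dm-0" ino=128 scontext=system_u:system_r:kernel_sid tcontext=system_u:object_r:unlabeled_sid tclass=dir permissive=1
Jan 26 18:34:33 fedora.example.com audit[1]: AVC avc: denied { dyntransition } for pid=1 comm="systemd" scontext=system_u:system_r:kernel_sid tcontext=system_u:system_r:kernel_sid tclass=process permissive=1
Jan 26 18:34:33 fedora.example.com audit[1]: AVC avc: denied { ioctl } for pid=1 comm="systemd" path="/etc/adjtime" dev="dm-0" ino=17328184 ioctlcmd=0x5401 scontext=system_u:system_r:kernel_sid tcontext=system_u:object_r:unlabeled_sid tclass=file permissive=1
type=AVC msg=audit(1674874943.471:186): avc:  denied  { syslog } for  pid=354 comm="plymouthd" capability=34 scontext=system_u:system_r:kernel_sid tcontext=system_u:system_r:kernel_sid tclass=capability2 permissive=0
type=AVC msg=audit(1674874943.471:186): avc:  denied  { syslog_console } for  pid=354 comm="plymouthd" scontext=system_u:system_r:kernel_sid tcontext=system_u:system_r:kernel_sid tclass=system permissive=0
Jan 26 18:34:34 fedora.example.com systemd[1]: Started Journal Service.
"""

# "avc: denied { perm ... } for key=value ..." with any amount of whitespace.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def context_type(ctx):
    """Return the type component of a context string (user:role:type[:range])."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for non-denial lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, raw, quoted, bare in FIELD_RE.findall(m.group("fields")):
        fields[key] = quoted if raw.startswith('"') else bare
    return {
        "perms": m.group("perms").split(),
        "pid": fields.get("pid"),
        "comm": fields.get("comm"),
        "stype": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
        "target": fields.get("path") or fields.get("name"),
        "permissive": fields.get("permissive") == "1",
    }


def parse_log(text):
    """Parse every AVC denial found in a block of journal or audit.log text."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def triage(records, unlabeled_type="unlabeled_sid", init_domains=("kernel_sid",)):
    """Summarise the conditions diagnosed in the thread.

    unlabeled_targets: objects still carrying the unlabeled type (fix: relabel,
    e.g. restorecon -F as root; "Operation not supported" means no xattrs).
    init_in_kernel_domain: pid 1 is still in the kernel domain, i.e. the
    transition into the init domain did not happen.
    enforcing_denials: denials recorded with permissive=0, which actually blocked.
    """
    unlabeled = sorted({r["target"] for r in records
                        if r["ttype"] == unlabeled_type and r["target"]})
    init_stuck = any(r["pid"] == "1" and r["stype"] in init_domains for r in records)
    enforcing = sum(1 for r in records if not r["permissive"])
    return {
        "unlabeled_targets": unlabeled,
        "init_in_kernel_domain": init_stuck,
        "enforcing_denials": enforcing,
    }


def suggest_allow_rules(records, unlabeled_type="unlabeled_sid"):
    """Render denials as allow rules, merging permissions per (source, target, class).

    Denials against unlabeled objects are skipped on purpose: the remedy there is
    relabeling the filesystem, not adding a rule that grants access to unlabeled files.
    """
    merged = defaultdict(set)
    for r in records:
        if r["ttype"] == unlabeled_type:
            continue
        merged[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if stype == ttype else ttype
        perm_str = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} denials parsed")
    for key, value in triage(recs).items():
        print(f"{key}: {value}")
    print("\n".join(suggest_allow_rules(recs)))
```

Run it against a saved journal with `parse_log(open("journal.txt").read())`. Read the triage output before the rule list: while pid 1 is reported as still in kernel_sid, rules generated from its denials (such as the dyntransition one) describe the missing domain transition the thread identifies, and the right fix is the labeling of /usr/lib/systemd/systemd rather than a new allow rule. The plymouthd rules, which come from permissive=0 denials against an already labeled target, are the kind the thread ends up adding to the policy.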