
#1 2021-02-06 17:14:50

B3l3tte
Member
Registered: 2016-10-26
Posts: 14

[SOLVED] 5.10.13 kernel bug with SELinux

Hello,

I am a newbie when it comes to SELinux, but I installed it in order to play with it a little and learn things.

Sadly, the last kernel update (5.10.13) seems to break things. I tried both 5.10.13-arch1 (linux) and 5.10.13-hardened1 (linux-hardened).

5.10.13 kernel log:

# journalctl -k -b -1

Problems start to arise when the SELinux policy loads. It fails to set the context of some system files:

févr. 06 17:18:22 Laptop systemd[1]: Failed to set SELinux security context system_u:object_r:device_t for /dev/core: Invalid argument
févr. 06 17:18:22 Laptop systemd[1]: Failed to set SELinux security context system_u:object_r:device_t for /dev/fd: Invalid argument
févr. 06 17:18:22 Laptop systemd[1]: Failed to set SELinux security context system_u:object_r:device_t for /dev/stdin: Invalid argument
févr. 06 17:18:22 Laptop systemd[1]: Failed to set SELinux security context system_u:object_r:device_t for /dev/stdout: Invalid argument
févr. 06 17:18:22 Laptop systemd[1]: Failed to set SELinux security context system_u:object_r:device_t for /dev/stderr: Invalid argument
févr. 06 17:18:22 Laptop systemd[1]: Failed to set SELinux security context system_u:object_r:init_runtime_t for /run/systemd: Invalid argument
févr. 06 17:18:22 Laptop systemd[1]: Failed to set SELinux security context system_u:object_r:init_runtime_t for /run/systemd/system: Invalid argument
févr. 06 17:18:22 Laptop systemd[1]: Failed to set SELinux security context system_u:object_r:init_runtime_t for /run/systemd/inaccessible: Invalid argument
févr. 06 17:18:22 Laptop systemd[1]: Failed to set SELinux security context system_u:object_r:init_runtime_t for /run/systemd/inaccessible/reg: Invalid argument
févr. 06 17:18:22 Laptop systemd[1]: Failed to set SELinux security context system_u:object_r:init_runtime_t for /run/systemd/inaccessible/dir: Invalid argument
févr. 06 17:18:22 Laptop systemd[1]: Failed to set SELinux security context system_u:object_r:init_runtime_t for /run/systemd/inaccessible/fifo: Invalid argument
févr. 06 17:18:22 Laptop systemd[1]: Failed to set SELinux security context system_u:object_r:init_runtime_t for /run/systemd/inaccessible/sock: Invalid argument
févr. 06 17:18:22 Laptop systemd[1]: Failed to set SELinux security context system_u:object_r:init_runtime_t for /run/systemd/inaccessible/chr: Invalid argument
févr. 06 17:18:22 Laptop systemd[1]: Failed to set SELinux security context system_u:object_r:init_runtime_t for /run/systemd/inaccessible/blk: Invalid argument


...
Many other errors (see the link below):

https://0bin.net/paste/R9xPL5mz#5dsbb2G … d6u621en+5

DBus fails to start, causing a cascade of failures: CUPS, avahi, ... No graphical target, and I can't even boot into a tty.
Soft reset required (ctrl + alt + del).

5.10.12 kernel log:

# journalctl -k

https://0bin.net/paste/c+yD0WdU#-sw0vIK … 7axcmWoTrg

No SELinux context error.

=======================

I am using the selinux binary repo (I modified my /etc/pacman.conf as explained here).
I just installed the whole selinux thing (all the packages).

$ yay -Qs selinux
local/base-devel-selinux 1-1 (selinux)
local/base-selinux 1-1 (selinux)
local/checkpolicy 3.1-1 (selinux)
local/coreutils-selinux 8.32-1 (selinux)
local/cronie-selinux 1.5.5-2 (selinux)
local/dbus-docs-selinux 1.12.20-1 (selinux)
local/dbus-selinux 1.12.20-1 (selinux)
local/findutils-selinux 4.7.0-2 (selinux)
local/iproute2-selinux 5.10.0-1 (selinux)
local/libselinux 3.1-2 (selinux)
local/libsemanage 3.1-2 (selinux)
local/libsepol 3.1-1 (selinux)
local/logrotate-selinux 3.18.0-1 (selinux)
local/mcstrans 3.1-1 (selinux)
local/openssh-selinux 8.4p1-2 (selinux)
local/pam-selinux 1.5.1-1 (selinux)
local/pambase-selinux 20200721.1-3 (selinux)
local/policycoreutils 3.1-1 (selinux)
local/psmisc-selinux 23.3-4 (selinux)
local/restorecond 3.1-1 (selinux)
local/secilc 3.1-1 (selinux)
local/selinux-alpm-hook 0.1-3 (selinux)
local/selinux-dbus-config 3.1-1 (selinux)
local/selinux-gui 3.1-1 (selinux)
local/selinux-python 3.1-2 (selinux)
local/selinux-refpolicy-arch 20200818-1 (selinux)
local/selinux-refpolicy-git RELEASE_2_20200818.r174.g072c0a945-1 (selinux)
local/selinux-refpolicy-src 20200818-1 (selinux selinux-policies)
local/selinux-sandbox 3.1-1 (selinux)
local/semodule-utils 3.1-1 (selinux)
local/setools 4.3.0-2 (selinux)
local/shadow-selinux 4.8.1-4 (selinux)
local/sudo-selinux 1.9.5.p2-1 (selinux)
local/systemd-libs-selinux 247.2-1 (selinux)
local/systemd-resolvconf-selinux 247.2-1 (selinux)
local/systemd-selinux 247.2-1 (selinux)
local/systemd-sysvcompat-selinux 247.2-1 (selinux)
local/util-linux-libs-selinux 2.36.1-4 (selinux)
local/util-linux-selinux 2.36.1-4 (selinux)

I tried to change refpolicy (I have three installed), but no luck.

=======================
Booting with EFISTUB with arch-efistub using the following command line:

$ cat /boot/cmdline.txt 
root=PARTUUID=33a9cf78-694f-xxxx-xxxx-67f5545a39a1 rw security=selinux selinux=1 initrd=\intel-ucode.img initrd=\initramfs-linux.img

I am forced to use arch-efistub as I own a Dell laptop that has this bug.

I tried it on a second computer and I have the same issue.

Last edited by B3l3tte (2021-02-07 11:52:12)


#2 2021-02-06 17:30:08

loqs
Member
Registered: 2014-03-06
Posts: 12,987

Re: [SOLVED] 5.10.13 kernel bug with SELinux

What if you change security=selinux to lsm=selinux? There were two security-related changes that I can see in the kernel config between 5.10.12 and 5.10.13 [1]. I do not see a related commit in 5.10.13 [3].

[1] https://github.com/archlinux/svntogit-p … f7944d8408
[2] https://github.com/archlinux/svntogit-p … f7944d8408
[3] https://cdn.kernel.org/pub/linux/kernel … og-5.10.13

https://www.kernel.org/doc/Documentatio … meters.txt


#3 2021-02-06 18:40:22

B3l3tte
Member
Registered: 2016-10-26
Posts: 14

Re: [SOLVED] 5.10.13 kernel bug with SELinux

Hello,
Thanks for your quick answer.

lsm=selinux is working, but it seems that it overrides CONFIG_LSM, so I guess I should rather append selinux to the kernel CONFIG_LSM parameter.
I saw the "bpf" modification in 5.10.13 and I thought it might be the source of my issue.
Bingo!
lsm=lockdown,yama,bpf,selinux is not working
lsm=lockdown,yama,selinux is working

So, what do I do now?
I'd like to keep bpf enabled if it is important, but I guess I don't know what it is, so I'll look around to get some info.
Thanks!

Last edited by B3l3tte (2021-02-07 10:58:56)


#4 2021-02-06 19:04:53

loqs
Member
Registered: 2014-03-06
Posts: 12,987

Re: [SOLVED] 5.10.13 kernel bug with SELinux

The lsm parameter initializes modules in the order given in the comma-separated list. As the major LSM, you probably want selinux first. I think security=selinux is equivalent to lsm=selinux,lockdown,yama,bpf, so lsm=selinux,lockdown,yama will probably work.
I do not know what bpf does as an LSM.
Edit:
https://www.kernel.org/doc/html/latest/bpf/bpf_lsm.html
Enabling the framework is enough to cause the issue?

Last edited by loqs (2021-02-06 19:16:26)


#5 2021-02-07 00:07:08

B3l3tte
Member
Registered: 2016-10-26
Posts: 14

Re: [SOLVED] 5.10.13 kernel bug with SELinux

So many weird things are happening...

I got it working with lsm=selinux,lockdown,yama,bpf on my laptop. I didn't think of putting selinux first, thanks for the hint.

However, on my desktop it's not working, but my setup is a bit different: I compiled my own custom linux-hardened with signing keys for out-of-tree modules (DKMS). With this setup, I am able to enable kernel lockdown.
Same packages though.
I am using rEFInd as bootloader.
My kernel parameter line currently looks like this:

rd.luks.uuid=xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx root=UUID=xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx lsm=selinux,lockdown,yama,bpf selinux=1 nvidia_drm.modeset=1 module.sig_enforce=1 lockdown=confidentiality initrd=/intel-ucode.img
$ uname -r
5.10.13-hardened1-1-hardened-with-keys

I have various errors:

Failed to initialize SELinux labeling handle: No such file or directory
...
lvm2-lvmetad.socket: Failed to determine SELinux label: Function not implemented
Failed to listen on LVM2 metadata daemon socket.
lvm2-lvmpolld.socket: Failed to determine SELinux label: Function not implemented
Failed to listen on LVM2 poll daemon socket.
systemd-coredump.socket: Failed to determine SELinux label: No data available
Failed to listen on Process Core Dump Socket.
systemd-udevd-control.socket: Failed to determine SELinux label: No data available
Failed to listen on udev Control Socket.
systemd-udevd-kernel.socket: Failed to determine SELinux label: No data available
Failed to listen on udev Kernel Socket.

Then I reach graphical target but no keyboard or mouse available, hard reset mandatory. Xorg mentions that it cannot connect to D-Bus.
It is working correctly without the SELinux part in my kernel parameters.

5.10.12-hardened1-1-hardened-with-keys works (like 5.10.13 without bpf). See my post below!

The sad thing is that I didn't find any help on the internet; these issues seem quite related to my end?

I'll put the exact logs tomorrow in this message.
Thanks for your time.

Last edited by B3l3tte (2021-02-07 10:58:15)


#6 2021-02-07 10:57:04

B3l3tte
Member
Registered: 2016-10-26
Posts: 14

Re: [SOLVED] 5.10.13 kernel bug with SELinux

Hello again.

I'm back with a clear morning mind.

I discovered that it didn't work on my desktop with 5.10.13 without bpf:

lsm=selinux,lockdown,yama selinux=1

So I thought it was another issue, with SELinux file labeling.
I tried:

# restorecon -RF /

but it seems that it didn't do anything (it quit immediately without doing anything, while it should be a long task).

So I did:

# touch /.autorelabel
# reboot

and it booted successfully.

Then I re-enabled bpf and it worked:

$ cat /sys/kernel/security/lsm
capability,selinux,lockdown,yama,bpf

So now I have the same behavior with both computers. Thanks for your help!

Just to be sure, I retried security=selinux selinux=1 without any lsm value on my desktop and it failed the same way it did for my laptop.

Maybe we should mention that security=selinux is obsolete in the wiki?

Last edited by B3l3tte (2021-02-07 11:08:12)

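The thread settles on two things: lsm= rather than the older security= selector, and selinux listed first in that order. Below is an added diagnostic (not from the thread or any Arch package) that checks a booted system for exactly those two points; it takes the contents of /proc/cmdline and /sys/kernel/security/lsm as arguments so it can also be exercised on constructed samples, and it assumes lsm= lists only modules that are actually built into the kernel.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity-check the active LSM
# order against what the posts above arrived at (lsm= with selinux first).
#
# lsm_order_ok CMDLINE ACTIVE_LSM
#   CMDLINE    - text of /proc/cmdline
#   ACTIVE_LSM - text of /sys/kernel/security/lsm (comma separated,
#                always starting with the built-in "capability" module)
# Returns 0 when the order looks right, 1 otherwise, printing the reason.
lsm_order_ok() {
    cmdline=$1
    active=$2

    # The legacy security= selector is what broke boot in this thread.
    case " $cmdline " in
        *" security="*)
            echo "warning: security= is the legacy selector; use lsm= instead"
            return 1 ;;
    esac

    # Pick up the lsm= value, if the command line has one.
    lsm_param=
    for word in $cmdline; do
        case $word in
            lsm=*) lsm_param=${word#lsm=} ;;
        esac
    done

    # Skip the always-present capability module and look at the first
    # real LSM: the major LSM (selinux) is expected there.
    rest=${active#capability,}
    first=${rest%%,*}
    if [ "$first" != "selinux" ]; then
        echo "warning: selinux is not the first major LSM (active order: $active)"
        return 1
    fi

    # Assumption: every module named in lsm= is built in, so the active
    # list should be exactly "capability," followed by the requested list.
    if [ -n "$lsm_param" ] && [ "capability,$lsm_param" != "$active" ]; then
        echo "warning: lsm=$lsm_param does not match active order $active"
        return 1
    fi

    echo "ok: $active"
    return 0
}

# Run against the live system when both files are readable.
if [ -r /proc/cmdline ] && [ -r /sys/kernel/security/lsm ]; then
    lsm_order_ok "$(cat /proc/cmdline)" "$(cat /sys/kernel/security/lsm)" || true
fi
```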

#7 2021-02-23 04:20:36

zaciars
Member
Registered: 2020-11-13
Posts: 14

Re: [SOLVED] 5.10.13 kernel bug with SELinux

B3l3tte wrote:

Hello again.

I'm back with a clear morning mind.

I discovered that it didn't work on my desktop with 5.10.13 without bpf:

lsm=selinux,lockdown,yama selinux=1

So I thought it was another issue, with SELinux file labeling.
I tried:

# restorecon -RF /

but it seems that it didn't do anything (it quit immediately without doing anything, while it should be a long task).

So I did:

# touch /.autorelabel
# reboot

and it booted successfully.

Then I re-enabled bpf and it worked:

$ cat /sys/kernel/security/lsm
capability,selinux,lockdown,yama,bpf

So now I have the same behavior with both computers. Thanks for your help!

Just to be sure, I retried security=selinux selinux=1 without any lsm value on my desktop and it failed the same way it did for my laptop.

Maybe we should mention that security=selinux is obsolete in the wiki?

I followed your steps but still can't boot with SELinux enforcing; is this a different issue?

journal

