SELinux on Debian blocks dhcp, 3D

Lord Estraven · 10-04-2008, 06:50 PM

'lo again... I'm trying to set up SELinux on a Debian system but I keep running into problems with the default SELinux profile. Two problems specifically, networking doesn't work and OpenGL doesn't work.

On the networking front, I *can* run dhclient on eth0, and it appears to succeed, but I cannot connect to the internet or anything on the local network. NetworkManager likewise says that it can connect, but when I try to access any web page I just get "Page Not Found" or "Cannot Load While Offline".

With OpenGL - any application that uses GL (e.g. glxgears) segfaults on start. If I try to use LIBGL_ALWAYS_INDIRECT to make AIGLX handle it, then the X server crashes and restarts. glxinfo always works fine though, and tells me I have working 3D acceleration with no problems.

Can anyone tell me what I have to do to get networking and OpenGL working again? Is the problem with the Debian default SElinux configuration, or is it with the default configuration of dhclient and DRI?

Lord Estraven · 10-05-2008, 01:15 PM

Okay this is strange - networking gets blocked with SELinux in "permissive" mode too, not just enforcing mode. Anyone?

unSpawn · 10-06-2008, 02:11 PM

If anything gets blocked by SE Linux you'll have logging.
Logging could help us determine what's going on.

Lord Estraven · 10-07-2008, 12:23 AM

FWIW which log file should I be looking in? kern.log?

unSpawn · 10-07-2008, 02:50 AM

AFAIK check audit.log first if you run auditd, else whatever makes Syslog dump *.info to?

Lord Estraven · 10-07-2008, 12:22 PM

Okay, here's what auditd has to say about glxgears:

Quote:

type=AVC msg=audit(1223396408.851:25): avc: denied { execmem } for pid=3064 comm="glxgears" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1223396408.851:25): arch=40000003 syscall=192 success=no exit=-1302155264 a0=0 a1=a00000 a2=7 a3=22 items=0 ppid=3052 pid=3064 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4294967295 comm="glxgears" exe="/usr/bin/glxgears" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)

I'll post the output for networkmanager as soon as it gets logged.

(FWIW, I loaded the SELinux .pp modules for dhcp and networkmanager... Those didn't seem to do anything though.)

[Edit: edited so as not to break formatting.]

unSpawn · 10-08-2008, 02:59 AM

In permissive mode things only get logged. The kind of thing "execmem" problem shown should be easy to correct with a local policy anyway. I'm much more interested in why some networking wouldn't work as you say. It would be good if any (SE Linux) logging shown for any network-related errors should be accompanied by exact application errors, iptables rules and diagnostics like ping, tcptraceroute and such.

Lord Estraven · 10-08-2008, 10:58 AM

Here we go:

Quote:

type=AVC msg=audit(1223408803.780:27): avc: denied { execute } for pid=435 comm="run-parts" name="bind" dev=sda2 ino=33912 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u

bject_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1223408803.780:27): arch=40000003 syscall=33 success=yes exit=0 a0=85fe020 a1=1 a2=85ff410 a3=85fe020 items=0 ppid=433 pid=435 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/bin/run-parts" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1223408803.781:28): avc: denied { execute_no_trans } for pid=437 comm="run-parts" path="/etc/resolvconf/update.d/bind" dev=sda2 ino=33912 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u

bject_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1223408803.781:28): arch=40000003 syscall=11 success=yes exit=0 a0=85fe020 a1=85fe008 a2=bfba00a8 a3=0 items=0 ppid=435 pid=437 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bind" exe="/bin/bash" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1223408803.814:29): avc: denied { execute_no_trans } for pid=443 comm="libc" path="/lib/resolvconf/list-records" dev=sda2 ino=254588 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u

bject_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1223408803.814:29): arch=40000003 syscall=11 success=yes exit=0 a0=805e7dc a1=805e808 a2=805e814 a3=872c23d items=0 ppid=441 pid=443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="list-records" exe="/bin/bash" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1223430318.045:30): avc: denied { execute } for pid=550 comm="run-parts" name="bind" dev=sda2 ino=33912 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u

bject_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1223430318.045:30): arch=40000003 syscall=33 success=yes exit=0 a0=89d0020 a1=1 a2=89d1410 a3=89d0020 items=0 ppid=544 pid=550 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/bin/run-parts" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1223430318.045:31): avc: denied { execute_no_trans } for pid=553 comm="run-parts" path="/etc/resolvconf/update.d/bind" dev=sda2 ino=33912 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u

bject_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1223430318.045:31): arch=40000003 syscall=11 success=yes exit=0 a0=89d0020 a1=89d0008 a2=bf979508 a3=0 items=0 ppid=550 pid=553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bind" exe="/bin/bash" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1223430318.069:32): avc: denied { execute_no_trans } for pid=557 comm="libc" path="/lib/resolvconf/list-records" dev=sda2 ino=254588 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u

bject_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1223430318.069:32): arch=40000003 syscall=11 success=yes exit=0 a0=805e7dc a1=805e808 a2=805e814 a3=8aaf345 items=0 ppid=555 pid=557 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="list-records" exe="/bin/bash" subj=system_u:system_r:dhcpc_t:s0 key=(null)

It looks to me as though NM is getting denied permission to use commands in needs... How do I fix this (if this is the problem)?

unSpawn · 10-08-2008, 03:05 PM

Like I said in my previous reply, most problems shown could be easily corrected with a local policy. However, for our understanding, maybe we should go back to the start and let you explain what sources guides you, what steps your took to enable SE Linux?..

Lord Estraven · 10-08-2008, 05:28 PM

Sources? Debian has a precompiled default policy...

I installed selinux-basics, selinux-policy-default, and some other tools; edited GRUB's menu.lst to append selinux=1 to the kopt line and ran update-grub; touched /.autorelabel; edited /etc/selinux/config so the SELinux mode would be "enforcing"; and rebooted. As far as I can tell the relabeling worked fine.