LinuxQuestions.org
Old 08-04-2021, 07:41 AM   #1
JuventusFC
SELinux: command output printed on serial but not on ssh


I am trying to configure SELinux on Poky Linux distro.

I am connecting to the board both on serial and ssh.

Launching ping and ifconfig on ssh the board prints nothing, whereas the same command on serial is printing the correct one.

At first, ping was completely disabled, so I had to patch the netutils SELinux policy (now works correctly).

They work properly in permissive mode (enforcing=0), the issue arises in enforcing mode (enforcing=1)

The command
Code:
journalctl -xe | grep "denied"
shows no "denied" for ping neither ifconfig.

How can I fix this issue? Or where should I look further? Maybe a /dev/pts error?
 
Old 08-11-2021, 12:48 PM   #2
zeebra
Well, obviously access is denied somewhere due to SELinux. I don't know SELinux, sorry, but probably a good start would be audit logs (/var/log/audit/audit.log) or /var/log/messages if you have no audit. Or some of the solutions here to get more info on the issue:
https://wiki.gentoo.org/wiki/SELinux...denial_details

If you don't have any tools, it might be better to dig around in securityfs /sys/kernel/security if you have sysfs.

Since SELinux is not pathname based, I would guess that SSH/ping would be granted the same access as TTY/ping if you have granted SSH access to execute ping, or maybe I am wrong. Maybe you need to grant all the EXACT access ping needs separately for SSH/ping, which TTY/ping (which works) already has. Most obvious is network access and sending network data.

That's just my guess though, but it would be interesting to see what you find out and how things go.

Maybe also post the output of ls -Z /usr/bin/ping and id -Z (both from serial and ssh).

Last edited by zeebra; 08-11-2021 at 01:52 PM.
 
Old 08-11-2021, 01:18 PM   #3
shruggy
I don't know how Poky handles this, but there are such things as ping_selinux(8) and ifconfig_selinux(8).

At least, CentOS 8 doesn't use them:
Code:
$ getenforce
Enforcing
$ ps -eZ|grep ping
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 222807 pts/1 00:00:00 ping
 
Old 08-16-2021, 05:24 AM   #4
zeebra
Quote:
Originally Posted by zeebra
Maybe also post the output of ls -Z /usr/bin/ping and id -Z (both from serial and ssh).
Actually, rather tty and sshd probably need to have the same label access to execute ping and use netutils.
 
Old 08-24-2021, 02:24 AM   #5
JuventusFC
Quote:
Originally Posted by zeebra (post #2)
Hi there,

thank you for the reply and sorry for being late.

Launching:

Code:
~# which ping
/bin/ping
Then, on serial:

Code:
~# ls -lZ /bin/ping
lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0 17 Aug  4  2021 /bin/ping -> /bin/ping.iputils

~# ls -lZ /bin/ping.iputils
-r-sr-xr-x. 1 root root system_u:object_r:ping_exec_t:s0 42888 Aug  4  2021 /bin/ping.iputils

~# id -Z
root:sysadm_r:sysadm_t:s0-s15:c0.c1023
Whereas, on ssh:

Code:
~# ls -lZ /bin/ping
lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0 17 Aug  4  2021 /bin/ping -> /bin/ping.iputils

~# ls -lZ /bin/ping.iputils
-r-sr-xr-x. 1 root root system_u:object_r:ping_exec_t:s0 42888 Aug  4  2021 /bin/ping.iputils

~# id -Z
root:sysadm_r:sysadm_t:s0
Is there anything meaningful in this command output?

Meanwhile, I will try to analyze the source you linked in order to find more details about the matter, if possible.
 
Old 08-24-2021, 02:34 AM   #6
JuventusFC
Quote:
Originally Posted by JuventusFC (post #5)
I think I have found something.

After
Code:
semodule --disable_dontaudit --build
as described here,

then:

Code:
~# journalctl -xe | grep "denied" | grep "ping"
Aug 04 13:04:42 audit[2510]: AVC avc:  denied  { use } for  pid=2510 comm="ping" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:ping_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd permissive=0
Aug 04 13:04:42 audit[2510]: AVC avc:  denied  { use } for  pid=2510 comm="ping" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:ping_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd permissive=0
Aug 04 13:04:42 audit[2510]: AVC avc:  denied  { use } for  pid=2510 comm="ping" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:ping_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd permissive=0
Aug 04 13:04:42 audit[2510]: AVC avc:  denied  { rlimitinh } for  pid=2510 comm="ping" scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:ping_t:s0 tclass=process permissive=0
Aug 04 13:04:42 audit[2510]: AVC avc:  denied  { siginh } for  pid=2510 comm="ping" scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:ping_t:s0 tclass=process permissive=0
Aug 04 13:04:42 audit[2510]: AVC avc:  denied  { noatsecure } for  pid=2510 comm="ping" scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:ping_t:s0 tclass=process permissive=0
Aug 04 13:04:49 audit[2511]: AVC avc:  denied  { use } for  pid=2511 comm="ping" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:ping_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd permissive=0
Aug 04 13:04:49 audit[2511]: AVC avc:  denied  { use } for  pid=2511 comm="ping" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:ping_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd permissive=0
Aug 04 13:04:49 audit[2511]: AVC avc:  denied  { use } for  pid=2511 comm="ping" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:ping_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd permissive=0
Aug 04 13:04:49 audit[2511]: AVC avc:  denied  { rlimitinh } for  pid=2511 comm="ping" scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:ping_t:s0 tclass=process permissive=0
Aug 04 13:04:49 audit[2511]: AVC avc:  denied  { siginh } for  pid=2511 comm="ping" scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:ping_t:s0 tclass=process permissive=0
Aug 04 13:04:49 audit[2511]: AVC avc:  denied  { noatsecure } for  pid=2511 comm="ping" scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:ping_t:s0 tclass=process permissive=0
EDIT1: After launching

Code:
~# audit2allow -m fix_ping_ifconfig < /var/audit/audit.log > fix_ping_ifconfig.te
(audit2allow -m takes the module name and writes the .te source to stdout, so the name and the output file are given separately.) Then, after compiling the patch, it seems that the issue is fixed. I added specific patches in Yocto for ping and ifconfig to the *.te files where their types are declared.

Last edited by JuventusFC; 08-24-2021 at 04:11 AM.
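The procedure in post #6 (disable the dontaudit rules, pull the AVC records out of the log, feed them to audit2allow) condensed into a script, added here as an example; it is not code from the thread, from Yocto or from refpolicy/audit2allow. It assumes only POSIX sh, awk and sort. The sample input is the ping records posted above with their whitespace normalised, plus two ifconfig records I constructed to match the ifconfig rule in post #9 (the actual ifconfig denials were not posted); the function names are my own, and the module name fix_ping_ifconfig follows the poster's. The third function drops noatsecure/rlimitinh/siginh, which refpolicy deliberately dontaudits on every domain transition and which only surfaced because dontaudit was switched off.

```shell
#!/bin/sh
# Added example, not code from the thread or from refpolicy/Yocto: a small
# audit2allow-style collapse of AVC "denied" records into allow rules and a
# loadable-module skeleton, so you can inspect exactly what you are about to
# allow before loading it.  Needs only POSIX sh, awk and sort.
export LC_ALL=C   # byte-order sorting, so the output is deterministic

# Constructed sample input: the ping records posted above (whitespace
# normalised) plus two ifconfig records shaped like the rule in post #9;
# the real ifconfig denials were not posted.
SAMPLE_AVCS='Aug 04 13:04:42 audit[2510]: AVC avc:  denied  { use } for  pid=2510 comm="ping" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:ping_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd permissive=0
Aug 04 13:04:42 audit[2510]: AVC avc:  denied  { use } for  pid=2510 comm="ping" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:ping_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd permissive=0
Aug 04 13:04:42 audit[2510]: AVC avc:  denied  { rlimitinh } for  pid=2510 comm="ping" scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:ping_t:s0 tclass=process permissive=0
Aug 04 13:04:42 audit[2510]: AVC avc:  denied  { siginh } for  pid=2510 comm="ping" scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:ping_t:s0 tclass=process permissive=0
Aug 04 13:04:42 audit[2510]: AVC avc:  denied  { noatsecure } for  pid=2510 comm="ping" scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:ping_t:s0 tclass=process permissive=0
Aug 04 13:05:10 audit[2530]: AVC avc:  denied  { read write } for  pid=2530 comm="ifconfig" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:ifconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
Aug 04 13:05:10 audit[2530]: AVC avc:  denied  { getattr } for  pid=2530 comm="ifconfig" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:ifconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=0'

# Read sorted "KEY perm" lines and merge consecutive lines that share a key
# into "KEY { perm perm ... };".
merge_perms() {
  awk '
    { k = $0; sub(/ [^ ]+$/, "", k)
      if (k != prev) { if (prev != "") print prev " { " acc " };"; prev = k; acc = $NF }
      else acc = acc " " $NF }
    END { if (prev != "") print prev " { " acc " };" }'
}

# AVC records on stdin -> one allow rule per (source type, target type, class).
# Types are the third field of a user:role:type[:range] context, so the MLS
# range difference between the serial and ssh sessions plays no part here.
avc_to_allow() {
  awk '
    /avc: +denied +[{]/ {
      s = index($0, "{"); e = index($0, "}")
      perms = substr($0, s + 1, e - s - 1)
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      src = substr($i, 10)
        else if ($i ~ /^tcontext=/) tgt = substr($i, 10)
        else if ($i ~ /^tclass=/)   cls = substr($i, 8)
      }
      if (src == "" || tgt == "" || cls == "") next   # malformed record
      split(src, a, ":"); split(tgt, b, ":")
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) print "allow " a[3] " " b[3] ":" cls, p[j]
    }' | sort -u | merge_perms
}

# refpolicy dontaudits noatsecure/rlimitinh/siginh on every domain transition;
# they show up only because dontaudit was disabled with `semodule -DB` and
# should not be turned into allow rules.  Rules left empty are dropped.
strip_transition_noise() {
  awk '
    index($0, ":process {") > 0 {
      gsub(/ (noatsecure|rlimitinh|siginh)/, "")
      if (index($0, "{ };") > 0) next
    }
    { print }'
}

# Allow rules on stdin -> module source with the require block checkmodule
# needs.  Build and load on the board with:
#   checkmodule -M -m -o fix.mod fix.te && semodule_package -o fix.pp -m fix.mod
#   semodule -i fix.pp
avc_to_te() {
  rules=$(cat)
  printf 'module %s 1.0;\n\nrequire {\n' "$1"
  printf '%s\n' "$rules" |
    awk '{ split($3, t, ":"); print "\ttype " $2 ";"; print "\ttype " t[1] ";" }' | sort -u
  printf '%s\n' "$rules" |
    awk '{ split($3, t, ":"); s = index($0, "{"); e = index($0, "}")
           n = split(substr($0, s + 1, e - s - 1), p, " ")
           for (j = 1; j <= n; j++) print "\tclass " t[2] " " p[j] }' | sort -u | merge_perms
  printf '}\n\n%s\n' "$rules"
}

# Demo: what the sample collapses to, with the transition noise removed.
printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow | strip_transition_noise | avc_to_te fix_ping_ifconfig
```

On the board the same functions run over the real log (`journalctl | avc_to_allow`, or `ausearch -m avc | avc_to_allow` where auditd is installed). Two things the intermediate output makes visible that a straight `audit2allow -M` does not: the sysadm_t to ping_t process rule exists only because `semodule -DB` exposed records refpolicy deliberately dontaudits, so run `semodule -B` once you have what you need, or those records keep filling the log and get baked into every generated module; and the tcontext of init_t on the fd denials says the /dev/pts/0 descriptors ping inherited over ssh were opened by a process in init_t, i.e. the ssh daemon on this image is not running in a domain of its own, which `ps -eZ` will confirm and which is why a ping_t to init_t rule was needed at all.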
 
Old 08-24-2021, 04:35 AM   #7
zeebra
Code:
serial
root:sysadm_r:sysadm_t:s0-s15:c0.c1023

ssh
root:sysadm_r:sysadm_t:s0
Quote:
Is there anything meaningful from these command output?
Yes. If you analyze the "diff" on the output, that is what you are left with, and most likely the reason for the problem. Everything else looks the same. But, like I said, I know some LSM, but not SELinux specifically. But that's the first thing I would look into.

"pts" is pseudoterminal aka terminal emulator, and if you want the same result with ssh and serial on pts, it should have the same attributes in SELinux, most likely.

Last edited by zeebra; 08-24-2021 at 04:37 AM.
 
Old 08-24-2021, 04:41 AM   #8
zeebra
Quote:
Originally Posted by JuventusFC
Then compiling the patch, it seems that the issue is fixed. I added specific patches in Yocto for ping and ifconfig to the *.te files where their types are declared.
So it now works? Good to hear, well done in rolling your sleeves up etc

But I don't know why parts of the output mentions "permissive", specifically the ones tailing what I mentioned with "diff".

And.. From what I understand, you added full SELinux audit, which is good, but you probably need to take some steps to rotate and flush logs to prevent huge audit log files.

Last edited by zeebra; 08-24-2021 at 04:55 AM.
 
Old 08-24-2021, 04:44 AM   #9
JuventusFC
Quote:
Originally Posted by zeebra
So it now works? Good to hear, well done in rolling your sleeves up etc
Thank you. The lines that had to be added were

Quote:
policy/modules/admin/netutils.te

+allow ping_t devpts_t:chr_file { getattr ioctl };
+allow ping_t init_t:fd use;
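Review bot: `allow ping_t init_t:fd use;` lets ping_t use any descriptor inherited from init_t, and the AVC records in post #6 (tcontext=system_u:system_r:init_t on /dev/pts/0) show that init_t is the domain the ssh daemon itself is running in on this image, so the rule papers over the daemon not being confined in a domain of its own; checking with `ps -eZ` which domain the ssh daemon runs in, and confining it, would be the narrower fix. If the rule stays in netutils.te, the refpolicy convention is to reach a type declared in another module through its interface, here `init_use_fds(ping_t)`, rather than a raw allow on init_t.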

policy/modules/system/sysnetwork.te
+allow ifconfig_t devpts_t:chr_file { read write getattr };
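Review bot: `allow ifconfig_t devpts_t:chr_file { read write getattr };` is type-wide: it grants ifconfig_t read/write on every pty labelled devpts_t, not just the one inherited from the ssh session, which is the usual SELinux granularity but worth stating in the commit. refpolicy's terminal module has an interface for exactly this access, `term_use_generic_ptys(ifconfig_t)`, which is the preferred form inside sysnetwork.te instead of a raw allow on devpts_t.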
So it was a devpts issue, as thought, but the way to solve it was found by disabling the dontaudit rules.

Last edited by JuventusFC; 08-24-2021 at 05:14 AM.
 