
Comments (8)

huzai9527 avatar huzai9527 commented on August 15, 2024

I tried using the method proposed by #342, gen_tunable(authlogin_pam, false), but still have the same problem.

from refpolicy.

huzai9527 avatar huzai9527 commented on August 15, 2024

When in permissive mode, login succeeds; no AVC deny.

root@XP5:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             refpolicy
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
root@XP5:~# cat /var/log/audit/audit.log
type=DAEMON_START msg=audit(1709604612.347:675): op=start ver=3.0.7 format=enriched kernel=5.10.115-rt67+ auid=4294967295 pid=227 uid=0 ses=4294967295 subj=system_u:system_r:auditd_t res=successAUID="unset" UID="root"
type=MAC_STATUS msg=audit(1709604660.812:35): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1AUID="unset"
type=MAC_STATUS msg=audit(1709604696.792:36): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1AUID="unset"
type=MAC_STATUS msg=audit(1709605160.164:37): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1AUID="unset"
type=MAC_STATUS msg=audit(1709605568.800:38): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1AUID="unset"
root@XP5:~# login
XP5 login: root
root@XP5:~# success
-bash: success: command not found
root@XP5:~# exit
logout

When in enforcing mode, login failed; no AVC deny.

root@XP5:~# setenforce 1
root@XP5:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             refpolicy
Current mode:                   enforcing
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
root@XP5:~# login
XP5 login: root
Password:
Login incorrect
XP5 login: ^C
root@XP5:~# ^C
root@XP5:~# cat /var/log/audit/audit.log
type=DAEMON_START msg=audit(1709604612.347:675): op=start ver=3.0.7 format=enriched kernel=5.10.115-rt67+ auid=4294967295 pid=227 uid=0 ses=4294967295 subj=system_u:system_r:auditd_t res=successAUID="unset" UID="root"
type=MAC_STATUS msg=audit(1709604660.812:35): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1AUID="unset"
type=MAC_STATUS msg=audit(1709604696.792:36): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1AUID="unset"
type=MAC_STATUS msg=audit(1709605160.164:37): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1AUID="unset"
type=MAC_STATUS msg=audit(1709605568.800:38): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1AUID="unset"
type=MAC_STATUS msg=audit(1709605619.308:39): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1AUID="unset"


dsugar100 avatar dsugar100 commented on August 15, 2024

login (at least in my experience with RedHat systems) is a funny one to deal with because it is SELinux aware and will change behavior when running in enforcing. So it expects that certain things will fail in enforcing and do things a different way. This makes it a bit challenging to debug. I assume you are not on a RedHat system, but there could be a similar thing going on.


dsugar100 avatar dsugar100 commented on August 15, 2024

There are probably a bunch of dontaudit rules in the login policy to hide some actions that are really not allowed. Probably worth using 'semodule -DB' (to rebuild the policy with dontaudits disabled); that will show you denials that have been intentionally hidden, to see if maybe something is affecting you. Be warned, there will be lots of messages to go through.

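The dontaudit-disabling workflow described above, written out as an added example (not code from the thread or from the refpolicy project). It assumes a modular policy store (semodule available), root, and auditd writing to /var/log/audit/audit.log; the filter functions are plain text processing so they can be checked against a constructed log.

```shell
#!/bin/sh
# Added example: surface denials hidden by dontaudit rules while reproducing
# the failing login under enforcing mode, then restore the normal policy.
# Assumes a modular policy store, root, and auditd logging to AUDIT_LOG.

AUDIT_LOG=${AUDIT_LOG:-/var/log/audit/audit.log}

# Print only AVC records (kernel AVC and userspace USER_AVC) from a log file.
avc_records() {
    grep -E '^type=(AVC|USER_AVC) ' "$1"
}

# Count AVC records that carry a "denied" verdict; prints 0 when none match.
count_denials() {
    avc_records "$1" | grep -c 'denied' || true
}

# Rebuild the policy with dontaudit rules disabled, let the operator reproduce
# the login failure, and report only the records written during that window.
# The policy is restored on exit even if the reproduction step is aborted.
probe_hidden_denials() {
    start_lines=$(wc -l < "$AUDIT_LOG" | tr -d ' ')
    semodule -DB                      # rebuild with dontaudit rules disabled
    trap 'semodule -B' EXIT           # always rebuild normally afterwards
    setenforce 1
    echo "Reproduce the failing login now, then press Enter."
    read -r _
    capture=$(mktemp)
    tail -n "+$((start_lines + 1))" "$AUDIT_LOG" > "$capture"
    echo "AVC denials captured: $(count_denials "$capture")"
    avc_records "$capture"
    echo "Full capture kept at $capture"
}

# Only touch the live system when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    probe_hidden_denials
fi
```

The captured records can be fed to audit2why to map each denial to a missing rule or boolean before deciding whether a policy change or a dontaudit is appropriate.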

huzai9527 avatar huzai9527 commented on August 15, 2024

login (at least in my experience with RedHat systems) is a funny one to deal with because it is SELinux aware and will change behavior when running in enforcing. So it expects that certain things will fail in enforcing and do things a different way. This makes it a bit challenging to debug. I assume you are not on a RedHat system, but there could be a similar thing going on.

Actually, I compiled the rootfs using buildroot and compiled kernel 5.10 myself. Then I compiled refpolicy (with enableaudit).


Brucefang avatar Brucefang commented on August 15, 2024

Hi, has this problem been solved on your side @huzai9527? This problem occurred on my platform too.


gxshao avatar gxshao commented on August 15, 2024

If you are using modular policy, you can try semodule -DB to enable all dontaudit rules and see if there are any audit logs.
