anhedonic

dynamic soap bubbles

Nov 30, 2020

When audit2allow won’t

Berend De Schouwer

Who Is This Post For?

Anyone who is developing SELinux and wants to know why users and administrators keep turning SELinux off.

What Is SELinux?

For the purposes of this post, SELinux is a powerful security tool.

It’s installed and enabled by default in RedHat products, and has successfully stopped a number of attacks in the wild that would have worked without SELinux.

It enforces policies.

Expectation

Security tools are effective as long as they run. It should be possible to keep them running as long and often as possible, and easy to work with by a legitamite user using a simple tool.

For example, the root or administrator account remain unused except when necessary, and privilege escalation should be easy. sudo and doas are such tools, and they work well.

SELinux should have a tool that makes it possible to create and extend the policies it enforces to suit the user’s needs.

Current Tool

The current tool to fix problems in SELinux is audit2allow. Search in any forum on SELinux violations, and you’ll find this tool mentioned.

Should the user install a new, unknown application hello-world, and need to create policies to run it, all documentation points to:

grep hello-world /var/log/audit/audit.log \
    | audit2allow -M myhelloworld
semodule -i helloworld.pp

or, a newer version:

ausearch -m AVC --start 1/1/1970 00:00:00 --end 2/1/2038 00:00:00 \
    | audit2allow -a -M myhelloworld
semodule -i helloworld.pp

It’s recommended to set SELinux into permissive mode when doing this to log all failures at once, and reduce the lather, rinse, repeat aspect of the process.

Doesn’t Work

audit2allow often fails. There are a number of common problems that it simply does not provide a solution for.

The problems that fail to be solved by the audit2allow recipy are listed here more-or-less in order of frequency of occurence.

Mostly when it fails it fails silently. It won’t tell you that there is a likely problem, it just won’t work.

1. dontaudit

The first problem that you’ll likely hit is that some programs simply don’t log anything in audit.log. These are the dontaudit rules.

If the problems aren’t logged, grep won’t find them and audit2allow won’t create a policy.

Nothing in the logs will tell you to do this, and neither ausearch nor audit2allow will warn you that you need to do this. It is documented, but you need to know that it exists to find the documentation, since the documentation is called semanage-dontaudit.

Yet it’s so common that it’s pretty much the first thing mentioned when RedHat announced that it wants to make disabling SELinux impossible: https://lwn.net/Articles/831748/

Anyway, here’s how to disable it:

semodule -DB

2. permissive doesn’t work

Some programs test for the presence of SELinux, and when found behave differently than when SELinux is missing.

While this is good for said program, it fails for audit2allow. Should you set SELinux into permissive mode, the program will skip all SELinux behaviour, and hence you won’t get logs. Again.

Common programs that do this:
  • crond
  • pam_selinux

You may be forced to run in Enforcing and lather, rinse, repeat.

3. myhelloworld.pp is an identifier

The default examples in the howtos can easily trip people into removing old, working, modified policies.

audit2allow -a -M myhelloworld created a file myhelloworld.pp This file is also the identifier. You include the policy by running semodule -i myhelloworld.pp

After installing a later version of hello-world — six months down the line — you find it needs more fine-tuning. So you run the exact same command. This puts the new policies under the same identifier.

Unless your audit.log is infinitely long, your new policy will only include new policies. The old policies will be gone. So hello-world will suddenly fail exactly where it failed 6 months ago.

4. audit2allow has silent warnings

There are some things audit2allow cannot write rules for.

When this happens it’s smart enough to notice, so it puts a comment in the policy file, but it doesn’t tell you, and it doesn’t tell you how to fix it.

The comment will look something like:

#!!!! This avc is a constraint violation.  You would need to modify
#!!!! the attributes of either the source or target types to allow this access.

For a login service, specifically:

This is because it’s trying to change the owner of /dev/pts — which login has to do — and fails. This is normally performed by pam_selinux.

If you see a constraint comment like that you have to manually create a policy file. Documentation is lacking, and is OS-version specific.

Conclusion

audit2allow is nowhere close to mature enough to allow for running SELinux when third-party or in-house applications are deployed.

Users will turn off SELinux because audit2allow fails too often, and often silently.

This is a shame, because SELinux really is a powerful tool to defend against attacks.

posted at 09:00  ·   ·  selinux