Package: selinux-policy-default
Version: 2:2.20190201-7
Followup-For: Bug #874191
Control: -1 + patch
I have fixed this by making the following changes:
1. Patch libselinux with
<https://github.com/SELinuxProject/selinux/commit/1f89c4e7879fcf6da5d8d1b025dcc03371f30fc9>
2. Modify /etc/selinux/default/contexts/users/* by adding the following lines
(taken from my Fedora machine)
$ grep init_t /etc/selinux/default/contexts/users
/etc/selinux/default/contexts/users/guest_u:system_r:init_t:s0
guest_r:guest_t:s0
/etc/selinux/default/contexts/users/staff_u:system_r:init_t:s0
staff_r:staff_t:s0
/etc/selinux/default/contexts/users/unconfined_u:system_r:init_t:s0
unconfined_r:unconfined_t:s0
/etc/selinux/default/contexts/users/user_u:system_r:init_t:s0
user_r:user_t:s0
/etc/selinux/default/contexts/users/xguest_u:system_r:init_t:s0
xguest_r:xguest_t:s0
3. Reboot the machine (I don't know why a simple 'loginctl teminate-user
$USER' followed by logging in is not sufficient, any ideas?)
As for the purpose of that patch; see
<https://github.com/SELinuxProject/selinux/issues/28>. Note the ERANGE error
when writing to /sys/fs/selinux/user:
$ strace -s 2048 python3 -c 'import selinux;
selinux.get_ordered_context_list("unconfined_u", "system_u:system_r:init_t:s0")'
[...]
openat(AT_FDCWD, "/etc/selinux/config", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=584, ...}) = 0
read(3, "# This file controls the state of SELinux on the system.\n#
SELINUX= can take one of these three values:\n# enforcing - SELinux security
policy is enforced.\n# permissive - SELinux prints warnings instead of
enforcing.\n# disabled - No SELinux policy is loaded.
\nSELINUX=permissive\n# SELINUXTYPE= can take one of these two values:\n#
default - equivalent to the old strict and targeted policies\n# mls
- Multi-Level Security (for military and educational use)\n# src -
Custom policy built from
source\nSELINUXTYPE=default\n\n# SETLOCALDEFS= Check local definition
changes\nSETLOCALDEFS=0\n", 4096) = 584
read(3, "", 4096) = 0
close(3) = 0
futex(0x7f546b70db40, FUTEX_WAKE_PRIVATE, 2147483647) = 0
access("/var/run/setrans/.setrans-unix", F_OK) = -1 ENOENT (No such file or
directory)
futex(0x7f546b70dbc8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
openat(AT_FDCWD, "/sys/fs/selinux/user", O_RDWR|O_CLOEXEC) = 3
write(3, "system_u:system_r:init_t:s0 unconfined_u", 40) = -1 ERANGE
(Numerical result out of range)
close(3) = 0
openat(AT_FDCWD, "/etc/selinux/default/contexts/failsafe_context",
O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=21, ...}) = 0
read(3, "sysadm_r:sysadm_t:s0\n", 4096) = 21
close(3) = 0
openat(AT_FDCWD, "/sys/fs/selinux/context", O_RDWR|O_CLOEXEC) = 3
write(3, "unconfined_u:sysadm_r:sysadm_t:s0\0", 34) = -1 EINVAL (Invalid
argument)
close(3)
This matches one of the comments,
"On our experimental Ubuntu 18.04.3 LTS machine running SELinux with
latest official reference policy, we always get pam_selinux.so
complaining âunable to get valid context for gdmâ during system
bootup. And we found it is the security_compute_user() hits the 4k
page size bound with error -ERANGE from sel_write_user().
Specifically, we intend to transition from
âsystem_u:system_r:init_tâ to âsystem_u:system_r:xdm_tâ in order to
run the systemd user instance for system user gdm. With some
instruments in the kernel, we realize we need roughly 16k for
complete set of reachable contexts."
and
I believe Fedora has worked around the issue by altering their
policy to restrict outbound transitions from init_t and other
unconfined domains to only legitimate ones.
And indeed, on my Fedora machine the write is successful and is followed
by a read that returns 19 contexts.
So.
Rather than figuring out how Fedora modified refpolicy to make the transitions
fit into a single page, applying the patch above does the job. But refpolicy
must still be modified by adding entries for init_t to the selinux user default
context files as descibed above (refer to Fedora's versions of these files at
<https://github.com/fedora-selinux/selinux-policy/tree/rawhide/config/appconfig-standard>;
it looks like Fedora are keeping their modifications directly in that repo
rather than as a seriers of patches to be applied to vanilla refpolicy?)
-- System Information:
Debian Release: 10.3
APT prefers stable-debug
APT policy: (570, 'stable-debug'), (570, 'stable'), (550, 'testing-debug'),
(550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (500,
'stable-updates'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_USER
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default
Versions of packages selinux-policy-default depends on:
ii libselinux1 3.0-1+b1
ii libsemanage1 2.8-2
ii libsepol1 3.0-1
ii policycoreutils 2.8-1
ii selinux-utils 3.0-1+b1
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.8-1
ii setools 4.2.0-1
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
-- Configuration Files:
/etc/selinux/default/contexts/default_contexts changed [not included]
-- no debconf information
