SELinux Regression with new GRKERNSEC options.
Posted: Wed Apr 24, 2013 7:33 am
Hi,
I'm running grsecurity-2.9.1-2.6.32.60-201301181517.patch against a vanilla 2.6.32.60 kernel on CentOS 6.4 VMs running on ESXi in production. SELinux is being used as the RBAC system.
I am staging a potential upgrade to the latest version - grsecurity-2.9.1-2.6.32.60-201304181846.patch.
If I do 'make oldconfig', there are two new options:
GRKERNSEC_RAND_THREADSTACK
GRKERNSEC_DEVICE_SIDECHANNEL
Enabling them results in some strange errors at boot time:
kernel: Uniform CD-ROM driver Revision: 3.20
kernel: EXT4-fs (sda2): mounted filesystem with ordered data mode
kernel: dracut: Remounting /dev/disk/by-uuid/b2d1ce65-0552-4807-97d9-8cfab3841f91 with -o noatime,nodiratime,errors=remount-ro,ro
kernel: EXT4-fs (sda2): mounted filesystem with ordered data mode
kernel: dracut: Mounted root filesystem /dev/sda2
kernel: dracut: Loading SELinux policy
kernel: type=1404 audit(1366739719.000:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
kernel: type=1403 audit(1366739719.500:3): policy loaded auid=4294967295 ses=4294967295
kernel: dracut:
kernel: dracut: Switching root
kernel: type=1400 audit(1366800382.000:4): avc: denied { mknod } for pid=338 comm="restorecon" capability=27 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=capability
kernel: type=1400 audit(1366800382.000:5): avc: denied { mknod } for pid=338 comm="restorecon" capability=27 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=capability
kernel: type=1400 audit(1366800382.000:6): avc: denied { mknod } for pid=338 comm="restorecon" capability=27 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=capability
kernel: type=1400 audit(1366800382.000:7): avc: denied { mknod } for pid=338 comm="restorecon" capability=27 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=capability
kernel: type=1400 audit(1366800382.000:8): avc: denied { mknod } for pid=338 comm="restorecon" capability=27 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=capability
kernel: type=1400 audit(1366800382.000:9): avc: denied { mknod } for pid=338 comm="restorecon" capability=27 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=capability
kernel: type=1400 audit(1366800382.000:10): avc: denied { mknod } for pid=338 comm="restorecon" capability=27 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=capability
kernel: udev: starting version 147
kernel: shpchp: Standard Hot Plug PCI Controller Driver version: 0.4
kernel: piix4_smbus 0000:00:07.3: Host SMBus controller not enabled!
kernel: sd 0:0:0:0: Attached scsi generic sg0 type 0
kernel: sr 2:0:0:0: Attached scsi generic sg1 type 5
kernel: input: PC Speaker as /devices/platform/pcspkr/input/input3
kernel: Floppy drive(s): fd0 is 1.44M
kernel: FDC 0 is a post-1991 82077
The highlighted lines are not present when those two GRKERNSEC options are removed - everything else in the boot sequence stays the same. System seems to run fine, but I'd rather not deploy something with strange behavior, and the old grsecurity patch is perfectly stable for me.
Let me know if any other input is required.
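Added example, not part of the post above: a small Python triage helper that parses AVC denial records of the shape shown in the boot log, decodes the numeric capability (27 is CAP_MKNOD in the kernel's capability.h) and groups the denials by process, source context, object class and permission, so a run of repeated records like the seven restorecon lines collapses into one countable finding. The sample log is constructed from the lines in the post; the capability table is a subset of the kernel's numbering.

```python
import re
from collections import Counter

# Subset of the Linux capability numbering (include/uapi/linux/capability.h).
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    7: "CAP_SETUID", 12: "CAP_NET_ADMIN", 21: "CAP_SYS_ADMIN",
    27: "CAP_MKNOD",
}

# Matches type=1400 AVC records; capability= is only present for tclass=capability.
AVC_RE = re.compile(
    r'type=1400 audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} '
    r'for +pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"(?: capability=(?P<cap>\d+))?'
    r'.*? scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()            # "{ mknod }" -> ["mknod"]
    rec["cap"] = int(rec["cap"]) if rec["cap"] is not None else None
    rec["cap_name"] = None
    if rec["cap"] is not None:
        rec["cap_name"] = CAP_NAMES.get(rec["cap"], "CAP_%d" % rec["cap"])
    return rec

def summarize(lines):
    """Count denials by (comm, scontext, tclass, permission, capability name)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["comm"], rec["scontext"], rec["tclass"], perm, rec["cap_name"])] += 1
    return counts

# Constructed sample: two of the records from the post plus two unrelated lines.
SAMPLE_LOG = """\
kernel: dracut: Switching root
kernel: type=1400 audit(1366800382.000:4): avc: denied { mknod } for pid=338 comm="restorecon" capability=27 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=capability
kernel: type=1400 audit(1366800382.000:5): avc: denied { mknod } for pid=338 comm="restorecon" capability=27 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=capability
kernel: udev: starting version 147
"""

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG.splitlines()).items():
        print(n, "x", key)
```

The same function runs unchanged over `dmesg` or /var/log/audit/audit.log output, since only the `type=1400 ... tclass=` part of each line is matched.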