> From: Bighead Wang [mailto:ex200208049@xxxxxxxxx] > Sent: Tuesday, May 25, 2021 11:19 AM > In cgroup filesystem, security_kernfs_init_security() will initialize > the security data for newly created kernfs node after kernel 5.2., > however, new EVM xattr value is not initialized, and the no_label > error appears when evm_verify_hmac() is triggered. > > > The detailed description: > When system boots up with IMA/EVM and SELinux enabled, we get: > " May 25 14:13:01 raspberrypi audit[1212]: INTEGRITY_METADATA pid=1212 > uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t > op=appraise_metadata cause=no_label comm="(systemd)" > name="cgroup.procs" dev="cgroup2" ino=1360 res=0 errno=0 " > > The root cause is that our customized SELinux file_contexts file does > not contain the line "/sys/fs/cgroup/.* <<none>>". > When systemd relabels directories under /sys/fs/cgroup/ during > booting, it will set SELinux label inside the iattr member of kernfs > node, and then security_kernfs_init_security() will initialize the > security data at the time new kernfs node created. > After systemd executes something to trigger evm_verify_hmac(), we get > this no_label error. > > In evm_verify_hmac(), if there is no EVM xattr value, it will check > any other xattr values protected by EVM exist or not. > In this situation, there is no EVM xattr value (got from the iattr > member of kernfs node in cgroup filesystem), but SELinux label (also > got from the iattr member of kernfs node instead of from inode) > exists. > To sum up, the error seems to me is EVM mechanism doesn't initialize > EVM xattr value in kernfs node. Hi Hank this patch should help: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/commit/?h=next-integrity-testing&id=4a804b8a4572dfc81c3a59709d49ae206e4370ba Could you please try it? Thanks Roberto HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Li Peng, Li Jian, Shi Yanli > The environment: > /proc/version: Linux version 5.13.0-rc3-v7l+ (bighead@52-0453463-02) > (arm-linux-gnueabi-gcc (GCC) 9.1.0, GNU ld (GNU Binutils) 2.32) #1 SMP > Tue May 25 12:33:01 CST 2021 > /proc/sys/kernel/tainted: 0 > Operating System: Raspbian GNU/Linux 10 (buster) > Architecture: armv7l > systemd version: systemd 241 (241) +PAM +AUDIT +SELINUX +IMA > +APPARMOR > +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ > +LZ4 > +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 > default-hierarchy=hybrid > IMA/EVM kernel parameter: ima_policy=appraise_tcb ima_appraise=fix > SELinux kernel parameter: security=selinux selinux=1 (permissive mode) > > How to reproduce the error in Raspbian: > 1. Prepare an environment which SELinux and IMA/EVM are enabled and > boot up with kernel parameters: security=selinux selinux=1 > ima_policy=appraise_tcb ima_appraise=fix evm=fix > 2. Remove the line "/sys/fs/cgroup/.* <<none>>" in file_contexts > file, and fully relabel all system with SELinux official reference > policy > 3. Walk through all regular files and generate ima/evm hash: > /usr/bin/find / -type f -uid 0 -exec sh -c "< '{}'" \; > 4. Reboot with kernel parameters: security=selinux selinux=1 > ima_policy=appraise_tcb ima_appraise=fix > 5. After boot up, you will get this EVM no_label error message > > Reproduce the error directly: > 1. Prepare an environment which SELinux and IMA/EVM are enabled and > boot up with kernel parameters: security=selinux selinux=1 > ima_policy=appraise_tcb ima_appraise=fix evm=fix > 2. Fully relabel all system with SELinux official reference policy > 3. Walk through all regular files and generate ima/evm hash: > /usr/bin/find / -type f -uid 0 -exec sh -c "< '{}'" \; > 4. Reboot with kernel parameters: security=selinux selinux=1 > ima_policy=appraise_tcb ima_appraise=fix > 5. sudo setfattr -n security.selinux -v system_u:object_r:cgroup_t > /sys/fs/cgroup/unified > 6. sudo mkdir /sys/fs/cgroup/unified/testevm > 7. sudo chmod +x /sys/fs/cgroup/unified/testevm/cgroup.procs: you will > get this EVM error message > > Reference: > Kernel config: https://140.96.154.7:5001/sharing/9cPNowmhK > Journal log: https://140.96.154.7:5001/sharing/sRISz6IPt > Patch for security_kernfs_init_security() : > https://lore.kernel.org/selinux/20190130114150.27807-1- > omosnace@xxxxxxxxxx/ > > -- > Best Regards, > Hank Wang
