Unknown log from SELinux in OpenWrt

Hi all,

There are two issues that confuse me.

I'm testing SELinux in OpenWrt 21.02 (kernel 5.4.182).
SELinux security policy: DSSP selinux-policy v1.0
SELinux works fine in OpenWrt. There is nothing wrong with the ability to grant and deny permissions.

Issue 1:
Change network.wan.proto to static via the LuCI web GUI or a UCI command and connect an Ethernet cable to the WAN or LAN port. Does this setting violate any SELinux security policy?
Unknown Log:

[   98.629623] SELinux: failure in sel_netif_sid_slow(), invalid network interface (0)
[   98.637271] mroute: pending queue full, dropping entries
[   99.642109] SELinux: failure in sel_netif_sid_slow(), invalid network interface (0)
[   99.649752] mroute: pending queue full, dropping entries
[  100.655599] SELinux: failure in sel_netif_sid_slow(), invalid network interface (0)
[  100.663250] mroute: pending queue full, dropping entries
[  101.669904] SELinux: failure in sel_netif_sid_slow(), invalid network interface (0)
[  101.677551] mroute: pending queue full, dropping entries

Related code in Linux kernel:
security/selinux/netif.c

dev = dev_get_by_index(ns, ifindex);
if (unlikely(dev == NULL)) {
        pr_warn("SELinux: failure in %s(), invalid network interface (%d)\n",
                __func__, ifindex);
        return -ENOENT;
}

net/ipv4/ipmr.c

/* Deliver to mrouted */
ret = sock_queue_rcv_skb(mroute_sk, skb);
rcu_read_unlock();
if (ret < 0) {
        net_warn_ratelimited("mroute: pending queue full, dropping entries\n");
        kfree_skb(skb);
}

Issue 2:
If I enable SELinux (busybox-selinux and procd-selinux are automatically enabled) and TARGET_PER_DEVICE_ROOTS in menuconfig, the settings for procd and busybox will be changed from <*> to -M- (locked).
This situation can cause conflicts at build time.
Is this a dependency flaw?

Settings:

Base system -> busybox -M-
Base system -> selinux-busybox -*-
Base system -> procd -M-
Base system -> selinux-procd -*-

Conflict Log:

Collected errors:
* check_conflicts_for: The following packages conflict with procd:
* check_conflicts_for: procd-selinux*
* opkg_install_cmd: Cannot install package procd.
* check_conflicts_for: The following packages conflict with busybox:
* check_conflicts_for: busybox-selinux*
* opkg_install_cmd: Cannot install package busybox.

Thanks in advance to anyone willing to help!!!

Did you ask the author of the policy???

From: https://github.com/tobiaswaldvogel/selinux-policy/blob/openwrt-21.02/README

Hi lleachii,

Thanks for your response!
These two issues do not look related to AVC denials, so I have not contacted the author but am asking for help here.
The SELinux security policy in the question is not just about selinux-policy v0.1. I mean all the security mechanisms in SELinux.
I will refer to your suggestion to contact the author.
Thank you!