Fixed
Created: May 7, 2014
Updated: Dec 3, 2018
Resolved Date: May 8, 2014
Found In Version: 6.0.0.6
Fix Version: 6.0.0.7
Severity: Standard
Applicable for: Wind River Linux 6
Component/s: Userspace
Permission denied: building openssl-fips on target under selinux enforcing mode
According to wrlinux-x/addons/wr-common/layers/wr-security/recipes-connectivity/openssl/openssl-fips/README, the end user can build the openssl-fips package on the target.
However, the build fails under SELinux enforcing mode. See the log below:
./config no-asm
ips-2.0.5# ./config no-asm
bash: ./config: Permission denied
make
/rsa/rsa_none.o ../crypto/rsa/rsa_oaep.o ../crypto/rsa/rsa_pk1.o ../crypto/rsa/rsa_pss.o ../crypto/rsa/rsa_ssl.o ../crypto/rsa/rsa_x931.o ../crypto/rsa/rsa_x931g.o ../crypto/sha/sha1dgst.o ../crypto/sha/sha256.o ../crypto/sha/sha512.o ../crypto/thr_id.o ../crypto/uid.o ../crypto/mem_clr.o ../crypto/bn/bn_asm.o ../crypto/aes/aes_core.o ../crypto/aes/aes_cbc.o ../crypto/des/des_enc.o ../crypto/des/fcrypt_b.o sha/fips_sha1_selftest.o hmac/fips_hmac_selftest.o rand/fips_rand.o rand/fips_rand_selftest.o rand/fips_drbg_lib.o rand/fips_drbg_hash.o rand/fips_drbg_hmac.o rand/fips_drbg_ctr.o rand/fips_drbg_ec.o rand/fips_drbg_selftest.o rand/fips_drbg_rand.o rand/fips_rand_lib.o des/fips_des_selftest.o aes/fips_aes_selftest.o dsa/fips_dsa_selftest.o dsa/fips_dsa_lib.o dsa/fips_dsa_sign.o rsa/fips_rsa_selftest.o rsa/fips_rsa_sign.o rsa/fips_rsa_lib.o dh/fips_dh_lib.o utl/fips_err.o utl/fips_md.o utl/fips_enc.o utl/fips_lck.o utl/fips_mem.o ecdsa/fips_ecdsa_lib.o ecdsa/fips_ecdsa_sign.o ecdsa/fips_ecdsa_selftest.o ecdh/fips_ecdh_selftest.o cmac/fips_cmac_selftest.o fips_end.o
./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
/bin/sh: ./fips_standalone_sha1: Permission denied
make[2]: *** [fipscanister.o] Error 126
make[2]: Leaving directory `/opt/wr-test/testcases/security/openssl-fips_toolchain/src/openssl-fips-2.0.5/fips'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/opt/wr-test/testcases/security/openssl-fips_toolchain/src/openssl-fips-2.0.5/fips'
make: *** [build_fips] Error 1
tail /var/log/audit/audit.log
type=AVC msg=audit(1397553691.552:90): avc: denied { execute } for pid=2524 comm="bash" name="config" dev="sda" ino=93419 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1397553691.552:90): arch=c000003e syscall=59 success=no exit=-13 a0=7fc7cff471e8 a1=7fc7cff47408 a2=7fc7cff17c08 a3=8 items=0 ppid=1494 pid=2524 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=ttyS0 comm="bash" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1397553691.552:91): avc: denied { execute } for pid=2524 comm="bash" name="config" dev="sda" ino=93419 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1397553691.552:91): arch=c000003e syscall=21 success=no exit=-13 a0=7fc7cff471e8 a1=1 a2=7fff85a242a0 a3=8 items=0 ppid=1494 pid=2524 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=ttyS0 comm="bash" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
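The audit records above can be paired by serial number to see which system call each AVC denial blocked and which type pair was involved. This is an added example, not part of the original defect report; the SYSCALL lines are abridged, and the syscall-name table is an assumption covering only the two x86_64 numbers in this log.

```python
import re
from collections import defaultdict

# The four records from the audit.log excerpt above; SYSCALL lines abridged to the fields read here.
SAMPLE = """\
type=AVC msg=audit(1397553691.552:90): avc: denied { execute } for pid=2524 comm="bash" name="config" dev="sda" ino=93419 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1397553691.552:90): arch=c000003e syscall=59 success=no exit=-13 pid=2524 comm="bash" exe="/bin/bash"
type=AVC msg=audit(1397553691.552:91): avc: denied { execute } for pid=2524 comm="bash" name="config" dev="sda" ino=93419 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1397553691.552:91): arch=c000003e syscall=21 success=no exit=-13 pid=2524 comm="bash" exe="/bin/bash"
"""

RECORD = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): (.*)")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: only the two x86_64 (arch=c000003e) syscall numbers seen in this log.
SYSCALL_NAMES = {"59": "execve", "21": "access"}

def parse_denials(text):
    """Pair each AVC denial with the SYSCALL record sharing its serial."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # skip anything that is not an audit record
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        perms = PERMS.search(body)
        if rtype == "AVC" and perms:
            fields["perms"] = perms.group(1).split()
        events[int(serial)][rtype] = fields
    denials = []
    for serial in sorted(events):
        avc = events[serial].get("AVC", {})
        sc = events[serial].get("SYSCALL", {})
        if "perms" not in avc:
            continue  # a SYSCALL record without a matching denial
        denials.append({
            "serial": serial, "name": avc.get("name"),
            # An SELinux context is user:role:type:level; the type is field 3.
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"], "perms": avc["perms"],
            "syscall": SYSCALL_NAMES.get(sc.get("syscall"), sc.get("syscall")),
            "exit": int(sc["exit"]) if "exit" in sc else None,
        })
    return denials

if __name__ == "__main__":
    print(*parse_denials(SAMPLE), sep="\n")
```

Both denials reduce to the same rule: `sysadm_t` is refused `execute` on a file labeled `usr_t`, first at `execve` and then at `access`, each returning -13 (EACCES).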
When using SELinux, disable enforcing mode by passing "enforcing=0" on the kernel command line.
1. configure --enable-jobs=8 --enable-parallel-pkgbuilds=4 --enable-rootfs=secure-platform --enable-kernel=standard --enable-board=intel-x86-64 --with-sstate-dir=/buildarea1/build/SSTATE_CACHE/ --enable-bootimage=ext3 --with-template=feature/target-toolchain
2. make all
3. make start-target TOPTS=" -m 2000 " TARGET_VIRT_BOOT_TYPE=disk TARGET_VIRT_DISK=$PWD/export/*.ext3 TARGET_QEMU_KERNEL_OPTS='root=/dev/sda'
4. Follow the steps in wrlinux-x/addons/wr-common/layers/wr-security/recipes-connectivity/openssl/openssl-fips/README