gch981213 has quit [Read error: Connection reset by peer]
gch9812130 has joined #openwrt-devel
<dangole>
Grommish: suricata doesn't have a host-build defined, hence HOST_BUILD_DEPENDS doesn't have any effect there. what you probably meant to do is adding PKG_BUILD_DEPENDS:=rust/host python3/host luajit/host
<dangole>
grift: config restore after sysupgrade still fails (mv complains about "permission denied" moving file from /boot to /sysupgrade.tgz). and yes, we are using /boot on block-storage based systems to stash config to be restored after sysupgrade.
<dangole>
grift: as firewall.user can be pretty much anything it's hard to contain. usually people do custom calls to ip{,6}tables and some put ebtables calls there (though not covered or flushed by fw3, hence not needed to be there), but in the wild, well, probably also tc, ip, ...
mwarning has joined #openwrt-devel
dangole has quit [Remote host closed the connection]
Net147 has quit [Quit: Quit]
Net147 has joined #openwrt-devel
Nick_Lowe has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<aparcar[m]>
mangix: ping
<Grommish>
dangole: I really REALLY hope your right.. :D Thanks! I'll check that
mattsm has quit [Ping timeout: 265 seconds]
mwarning has quit [Ping timeout: 258 seconds]
dorf_ has quit [Remote host closed the connection]
mattsm has joined #openwrt-devel
dorf_ has joined #openwrt-devel
<mangix>
aparcar[m]: pojg
<mangix>
*pong
black_ant has quit [Ping timeout: 256 seconds]
<mangix>
patchwork seems down
<mangix>
oh well
adrianschmutzler has quit [Quit: ~ Trillian - www.trillian.im ~]
danitool has quit [Quit: Cubum autem in duos cubos, aut quadratoquadratum in duos quadratoquadratos]
swex has joined #openwrt-devel
<stintel>
m4t: looks like it's fixed after make dirclean, but not after make clean, maybe toolchain somehow had to be rebuilt after https://git.openwrt.org/0eb2fa39
swex_ has quit [Ping timeout: 256 seconds]
Darkmatter66 has quit [Ping timeout: 256 seconds]
gch9812132 has joined #openwrt-devel
<m4t>
fun
gch981213 has quit [Ping timeout: 256 seconds]
gch9812132 is now known as gch981213
slh64 has joined #openwrt-devel
gch9812139 has joined #openwrt-devel
gch981213 has quit [Read error: Connection reset by peer]
gch9812139 is now known as gch981213
<mangix>
aparcar[m]: probably needs to be a separate workflow
valku has quit [Quit: valku]
<mangix>
aparcar[m]: I've build openwrt on an mvebu platform. AMA.
<mangix>
*built
KOLANICH has joined #openwrt-devel
KOLANICH has left #openwrt-devel [#openwrt-devel]
muhaha has joined #openwrt-devel
Ycarus has joined #openwrt-devel
gch981213 has quit [Read error: Connection reset by peer]
gch981213 has joined #openwrt-devel
gch981213 has quit [Read error: Connection reset by peer]
gch9812135 has joined #openwrt-devel
dorf_ has quit [Remote host closed the connection]
dedeckeh has joined #openwrt-devel
dorf_ has joined #openwrt-devel
SergioCabral has joined #openwrt-devel
Borromini has joined #openwrt-devel
gch981213 has joined #openwrt-devel
gch9812135 has quit [Read error: Connection reset by peer]
<Borromini>
jow: FYI, I replaced my edge router and the PPPoE wan / firewall interplay issue isn't popping up anymore (was a planned replacement)
ivanich has joined #openwrt-devel
<Borromini>
i will post your instructions in the thread i linked to earlier though, hopefully the other guy can get some meaningful info then to fix it.
Misanthropos has quit [Ping timeout: 258 seconds]
goliath has joined #openwrt-devel
Misanthropos has joined #openwrt-devel
black_ant has joined #openwrt-devel
black_ant has quit [Changing host]
black_ant has joined #openwrt-devel
goliath has quit [Quit: SIGSEGV]
black_ant has quit [Ping timeout: 256 seconds]
Borromini has quit [Ping timeout: 256 seconds]
Ivan__83 has quit [Ping timeout: 272 seconds]
ivanich has quit [Quit: Konversation terminated!]
Ivan__83 has joined #openwrt-devel
black_ant has joined #openwrt-devel
black_ant has quit [Changing host]
black_ant has joined #openwrt-devel
goliath has joined #openwrt-devel
gch9812136 has joined #openwrt-devel
gch981213 has quit [Read error: Connection reset by peer]
gch9812136 is now known as gch981213
CrazyLemon has quit [Read error: Connection reset by peer]
CrazyLemon has joined #openwrt-devel
black_an- has joined #openwrt-devel
black_ant has quit [Ping timeout: 272 seconds]
Ivan__83 has quit [Ping timeout: 272 seconds]
victhor has joined #openwrt-devel
mwarning has joined #openwrt-devel
Ivan__83 has joined #openwrt-devel
Borromini has joined #openwrt-devel
dorf_ has quit [Remote host closed the connection]
dorf_ has joined #openwrt-devel
Borromin1 has joined #openwrt-devel
Borromini has quit [Ping timeout: 260 seconds]
dangole has joined #openwrt-devel
black_an- has quit [Quit: simplicity does not kill]
Nick_Lowe has joined #openwrt-devel
black_ant has joined #openwrt-devel
black_ant has quit [Changing host]
black_ant has joined #openwrt-devel
Nick_Lowe has quit [Client Quit]
Nick_Lowe has joined #openwrt-devel
Nick_Lowe has quit [Client Quit]
dangole has quit [Remote host closed the connection]
Nick_Lowe has joined #openwrt-devel
dangole has joined #openwrt-devel
dorf_ has quit [Remote host closed the connection]
dorf_ has joined #openwrt-devel
dangole has quit [Remote host closed the connection]
dangole has joined #openwrt-devel
Nick_Lowe has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
Nick_Lowe has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
Nick_Lowe has joined #openwrt-devel
<grift>
dangole, that is interesting. something does not add up here
<grift>
when a file is moved the context of the file is moved with it
Nick_Lowe has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<grift>
if the filesystem that the file is moved to does not support labeling then the relabeling fails
<grift>
with that in mind, the sysupgrade.tgz file is moved from /boot to /?
<grift>
then what kind of filesystem is mounted on / at that time?
<grift>
also have you determined that it really fails (not just printing a permission denied message)
<grift>
one possible workaround would be to copy the file instead of moving it in this scenario because in this scenario a fat file system is mounted on /boot (fat doesnt support labels) but i would suspect that a different filesystem is mounted on /
<grift>
so in that case a move wouldnt make much sense anyway as it crossed filesystems and i guess ends up copying regardless
<grift>
but i am overlooking something here. it seems that the filesystem that the sysupgrade.tgz is moved to doesnt support labels ... so where is it copied to (is it reall /?) and what type of file system is mounted on there at that time?
Nick_Lowe has joined #openwrt-devel
<dangole>
grift: / is the newly created overlayfs (sitting on top of either f2fs or ext4 lowerdir)
<grift>
dangole: so why move the file?
<grift>
its coming from a fat filesystem
<grift>
but regardless that still doesnt add up because the target filesystem supports labels ... so the move should have succeeded in that case
muhaha has quit [Quit: Connection closed]
<grift>
also i took that for granted but youre saying that 1. it fails in enforcing mode but works in permissive mode 2. if fails in enforcing mode but there are no events in dmesg?
<grift>
i guess i am jumping the gun a little here. its best to follow procedure instead of jumping to all kinds conclusions
Nick_Lowe has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
Nick_Lowe has joined #openwrt-devel
<dangole>
grift: exactly. it fails only when enforcing, and there is nothing in dmesg
<dangole>
grift: we could copy and subsequently delete the source file (kinda the same as mv accross filesystems)
<grift>
hmm if it only fails in enforcing mode then that suggests that selinux is blocking and not an issue with the code in mv
<grift>
weird and unlikely but a possibility that the policy blocks something that is needed silently
<grift>
one way to make selinux verbose is to add the -D open to secilc call inthe Makefile
adrianschmutzler has joined #openwrt-devel
<grift>
probably easiest to see if copying instead of moving addresses the issue
<grift>
if that doesnt help then i guess the next option is to build selinux-policy with -D and see if that prints applicable avc denials
<grift>
even though the fact that "it works in permissive mode" does not back it up, my gut feeling tells me it might be related to (old) selinux code in busybox
<grift>
it busybox's mv that is being used isnt it?
<dangole>
grift: yes, it's busybox mv. I replaced it by cp && rm to see if that fixes things
<grift>
there are (very few) rules in the policy that tell selinux to silently block specified events. although highly unlikely it could be that such an event is hit
<grift>
the policy can be built without any of these "dontaudit" rules by passing -D to secilc
<grift>
also when i looked at your paste, it was (i think) moving the sysupgrade.tgz file to a loop device
<grift>
not sure how that relates to all this
<grift>
if i recall correctly its mountroot that does this stuff right?
<dangole>
it's preinit, see here: https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=target/linux/x86/base-files/lib/preinit/79_move_config;h=444cd75e44f7bffc546630cd657a35a8ff3eacdf;hb=HEAD
<dangole>
grift: replacing the 'mv' by 'cp && rm' did the trick
<grift>
interesting ...
<dangole>
grift: sysntpd still isn't allowed to read /etc/capabilities/*.json apparently
<grift>
can you show avc denial?
Nick_Lowe has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<grift>
but yes not everything adds up with the mv versus cp .. but if i would have to guess then i would guess that its not a policy issue
<grift>
yes , personally i would probably start by updating busybox selinux code (although it might turn out to be unrelated)
<grift>
anyhow
<grift>
if it turns out that you didnt have the new selinux-policy patch, as your pastebin suggests then it may be that you didnt have the fix for that mv issue either
<dangole>
grift: i kinda see that as expected behaviour: mv keeps the label of the file, which happens to come from fatfs...
<grift>
but my sources confirm that atleast this event is allowed: avc: denied { search } for pid=3322 comm="sh" name="capabilities" dev="overlay" ino=4294967367 scontext=u:r:rcsysntpd.subj tcontext=u:r:capabilities.conffile tclass=dir permissive=0
<dangole>
grift: trying to rebuild now, did make package/selinux-policy/clean before, so now it should for sure include the most recent additions (I'm using git-src)
<grift>
yes the mv behavior in general is expected
dorf_ has quit [Remote host closed the connection]
<grift>
but not everything always handles failures well
<grift>
ie i would argue that a relabeling failure shouldnt cause the command to exit with a failure
<grift>
we have the same issue with pythons shutil.copy2()
<grift>
thats essentially a cp -a
<grift>
which copies over the extended attributes as well
<grift>
but if you copy to a filesystem that doesnt support extended attributes then shutil.copy2() will fail hard
<grift>
so basically that makes shutil.copy2() useless
<grift>
fortunately shutil.copy() doesnt have that issue
<grift>
but yes all the events in that pastebin are addressed in git ...
<grift>
so i suspect that somehow the policy wasnt updated and that then also explains (in a less far fetched way) why mv still fails
<grift>
also as for the /etc/firewall.user and fw3 issue, yes i know that its broadly used but fw3 is targeted because its a dependency
<grift>
so thats why i want to ensure that adding a rule to /etc/firewall.user and then running service firewall restart works
<grift>
because /etc/firewall.user gets interpretted by fw3 running iptables
Nick_Lowe has joined #openwrt-devel
<jow>
keep in mind that /etc/firewall.user location is configurable in 7etc/config/firewall
<jow>
there also may be multiple includes
<grift>
so need to make sure that fw3 can use iptables fd
Nick_Lowe has quit [Client Quit]
<grift>
yes well if someone wants to relocate it then he should also use chcon to address labels
<grift>
or use cp -a /etc/firewall.user /etc/firewall1.user
<jow>
It is most likely packages registering new includes and creating new snipped files
<jow>
*snippet
<jow>
e.g. miniupnpd
<grift>
how about a /etc/firewall.user.d then?
<jow>
maybe
<grift>
have to try to maintain/encourage atleast some order
<grift>
because else murphies law will apply
<jow>
looking at https://git.defensec.nl/?p=selinux-policy.git;a=blob;f=src/net/netport/reservednetport/httpreservednetport.cil;h=34efd9770aebce1ca790f042be95ce6d8c2a1467;hb=HEAD - how are users expected to act when changing the listen_http(s) port in /etc/config/uhttpd ?
<grift>
yes thats food for thought ... we could address that in several way's i guess. i did add something (admittely not very solid) for sshd
<grift>
you can make dropbead listen on 2222 instead of 22 but its hard coded
<grift>
we can also just say, to hell with using selinux to control network access
<grift>
and just grant blanket net work access and rely on users using netfilter instead
<grift>
but yes currently uhttpd is only supported on tcp:443 and 80 ...
Night-Shade has joined #openwrt-devel
<jow>
ok
<grift>
its a work in progress
<grift>
integrity and "one size fits all" doesnt quite go well together
Night-Shade has quit [Client Quit]
<grift>
i guess i could atleast add a build time option, so that policy can be build with access control over binding sockets to ports and connecting to ports or without
Night-Shade has joined #openwrt-devel
<dangole>
grift: i was indeed testing an outdated version of your policy. with recent snapshot now, it works when replacing 'mv' with 'cp && rm'.
<dangole>
grift: sadly it's done slightly different in the 13 copies of 79_move_config among the different targets using block device to boot...
linzst has joined #openwrt-devel
dorf_ has joined #openwrt-devel
<grift>
so it still doesnt work with mv and with my latest policy?
<grift>
if mv doesnt work still, then are therese any avc denials this time?
<grift>
things are getting confusing now, its best to follow procedure and to not assume
<grift>
because now in hindsight i can imagine why you said earlier: "it works in permisssive mode but not enforcing"
<grift>
now tht part makes sense, because you werent using the fix
<grift>
so now we just need to do that whole procdure again because the scenario changed
nast has joined #openwrt-devel
<grift>
jow, implementing the desired access control is a matter of minutes, but deciding what to implement is subjective and that needs sme thought
<grift>
initiall i created this policy to scratch an itch
<grift>
and so it is a bit tailored to my requirements
<grift>
but almost anything is possible
<grift>
som of these things do need some consideration though
<dangole>
grift: yes, it works now even when using 'mv' with your updated policy
<grift>
LOL
<dangole>
grift: sorry for the confusion. was me forgetting to `make clean`...
<grift>
fine
<grift>
it happens
<dangole>
grift: ready to tag and bump the selinux-policy package, i'd say
<grift>
did you add a rule to /etc/firewall.user and then run service firewall restart (and check to see if the rule was added to the table)?
<grift>
add some random iptables command in there, then just run service firewall restart and check dmesg
<grift>
for example some log rule or whatever
<dangole>
no, still: avc: denied { getattr } for pid=3294 comm="fw3" path="/etc/firewall.user" dev="overlay" ino=40 scontext=u:r:fw3.subj tcontext=u:r:file.conffile tclass=file
<dangole>
grift: maybe because the firewall.user file was part of the restored config files in sysupgrade.tgz?
Huntereb has joined #openwrt-devel
<dangole>
grift: (ignore the lines about hostapd, mkdir and stuff, that's my unfinished efforts to run hostapd non-root)
<grift>
o right ....
<grift>
well no ..
<dangole>
?
<grift>
hmm does restorecon -v /etc/firewall.user reset it?
<grift>
can you check the label of some other file that was restored from backup?
<grift>
i guess for example /etc/passwd (is that backed up?)
<dangole>
all the files in /etc/config are correctly labeled u:r:uci.conffile despite comming from the backup
<grift>
weird ...
<grift>
how did you edit that firewall.user file? with vi?
<grift>
some editors create scratch files and then mv them to their final destination ...
<grift>
which then can cause issues (but for now thats speculation)
<dangole>
grift: yes, i edited it with vi, but before it got tar'ed (supposedly without labels) into sysupgrade.tgz and restored on the new installation
<grift>
anyhow i got the info i need
<dangole>
grift: good :)
<grift>
yes but thats just extracting the tgz (ie just a cp)
<grift>
and that wouldnt have caused the labeling isssue afact
<grift>
dangole i pushed v0.4
<grift>
but that labeling issue is weird, but since i can't produce it will table that for now
<grift>
o i see the bug ...
<grift>
damn just after i tagged
<grift>
i guess i ll do a v0.4.1
<dangole>
grift: oh no. just pushed the package update.
<grift>
ok well theres going to be bugs anyway
<grift>
so i guess that fix will have to wait for a new release
jas4711 has quit [Remote host closed the connection]
ivanich has joined #openwrt-devel
dorf has quit [Remote host closed the connection]
dorf has joined #openwrt-devel
Night-Shade has joined #openwrt-devel
gch9812137 has quit [Read error: Connection reset by peer]
gch9812137 has joined #openwrt-devel
blb4393 has joined #openwrt-devel
gch9812137 has quit [Quit: Ping timeout (120 seconds)]
gch9812137 has joined #openwrt-devel
<mangix>
undefined reference to `__fn_local_printf_frexpl'
<mangix>
I have no idea what this is
blb4393 has quit [Quit: ChatZilla 0.9.93 [Waterfox 56.3/MOZ_BUILDID]]
junland has quit [Ping timeout: 240 seconds]
junland has joined #openwrt-devel
noltari_ has joined #openwrt-devel
noltari has quit [Ping timeout: 240 seconds]
nast has quit [Read error: Connection reset by peer]
<jow>
mangix: gnutls?
nucleo has joined #openwrt-devel
<jow>
mangix: "__fn_local_" seems to be a mips16 specific gcc function name mangling prefix while printf_frexpl if a GnuTLS function for ptintf'ing doubles or long doubles
<jow>
mangix: so... whatver is broken, maybe PKG_USE_MIPS16:=0 cures it?
<Grommish>
dangole: ping
<Grommish>
dangole: That did, in fact, fix it :) Takes forever to build now, but that'll come down once I start dividing up rust-lang and that it'll not have to rebuild that toolchain each time
Nick_Lowe has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
jas4711 has joined #openwrt-devel
<mangix>
jow: glib2 issue. I worked around it
Nick_Lowe has joined #openwrt-devel
<mangix>
hmmm I can't figure out how to properly do this
eigma has joined #openwrt-devel
blb4393 has quit [Quit: ChatZilla 0.9.93 [Waterfox 56.3/MOZ_BUILDID]]
mwarning has quit [Quit: Leaving.]
<ynezz>
jow: do you plan to use luci-theme-openwrt2020 default for 20.12 release?
<Borromini>
is 20.12 decided upon then? :^)
<ynezz>
somehow, yes
dorf has quit [Remote host closed the connection]
dorf has joined #openwrt-devel
<Borromini>
hehe. that's great :)
dorf has quit [Remote host closed the connection]
dorf has joined #openwrt-devel
<stintel>
oh I remember 21.01 :P
ivanich has quit [Quit: Konversation terminated!]
ivanich has joined #openwrt-devel
<ynezz>
IIRC we've branched 19.07 in July 2019 and released in January 2020 :p
<ynezz>
so we can still branch 20.12 on 31.12.2020 and relase in June :)
<ynezz>
let's see how this pans out
Nick_Lowe has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<Borromini>
:P
Nick_Lowe has joined #openwrt-devel
<Borromini>
:P
<Borromini>
i like your optimism though.
<Borromini>
i'm not pining as much for an actual release as i am for a release branch. less things in flux than plain master.
Darkmatter66 has joined #openwrt-devel
<jow>
ynezz: good question
<jow>
ynezz: I don't see why not, but I also do know that people dislike ui changes on principle, so not sure
<jow>
due to the use of that design specific webfont it is also somewhat larger
<jow>
on the other hand it works way better with mobile devices
Huntereb has quit [Read error: Connection reset by peer]
victhor has quit [Remote host closed the connection]
Immanuel has quit [Quit: Connection reset by reptilians]
Immanuel has joined #openwrt-devel
Ycarus has quit [Quit: Ycarus]
ivanich has quit [Quit: Konversation terminated!]
dorf has quit [Remote host closed the connection]
jas4711 has quit [Remote host closed the connection]
dorf has joined #openwrt-devel
Borromini has quit [Quit: leaving]
<Nick_Lowe>
Just troubleshooted an issue where a legacy non-RSN capable (non-WPA2 capable) client could not connect to OpenWRT - had to manually set the EAPOL version to v1 instead of v2
<Nick_Lowe>
This makes sense as 802.11i (RSN) for WPA2 came in 2004, and 802.1X-2004 (EAPOLv2) came at the same time