errors installing policy
by Richard Hally
Below is a copy of the output from attempting to install the SELinux
packages. Should I bugzilla this
or are the right people already aware of this?
thanks for your help,
Richard Hally
[root@localhost security]# yum install checkpolicy libselinux
policycoreutils policy policy-sources selinux-doc setools
Gathering header information file(s) from server(s)
Server: Fedora Core 1.91 - i386 - Rawhide
Finding updated packages
Downloading needed headers
perl-suidperl-3-5.8.3-17. 100% |=========================| 5.3 kB 00:00
yum-0-2.0.7-0.20040403.no 100% |=========================| 3.8 kB 00:00
rpmdb-fedora-1-1.91-0.200 100% |=========================| 2.0 kB 00:00
perl-3-5.8.3-17.i386.hdr 100% |=========================| 73 kB 00:00
setools-gui-0-1.2.1-4.i38 100% |=========================| 7.3 kB 00:00
setools-devel-0-1.2.1-4.i 100% |=========================| 2.1 kB 00:00
setools-0-1.2.1-4.i386.hd 100% |=========================| 3.2 kB 00:00
libselinux is installed and is the latest version.
selinux-doc is installed and is the latest version.
Resolving dependencies
Dependencies resolved
I will do the following:
[install: policy 1.9.2-9.noarch]
[install: policycoreutils 1.9.2-1.i386]
[install: policy-sources 1.9.2-9.noarch]
[install: checkpolicy 1.8-1.i386]
[install: setools 1.2.1-4.i386]
Is this ok [y/N]: y
Downloading Packages
Getting policy-1.9.2-9.noarch.rpm
policy-1.9.2-9.noarch.rpm 100% |=========================| 954 kB 00:08
Getting policycoreutils-1.9.2-1.i386.rpm
policycoreutils-1.9.2-1.i 100% |=========================| 35 kB 00:00
Getting policy-sources-1.9.2-9.noarch.rpm
policy-sources-1.9.2-9.no 100% |=========================| 1.8 MB 00:22
Getting checkpolicy-1.8-1.i386.rpm
checkpolicy-1.8-1.i386.rp 100% |=========================| 53 kB 00:00
Getting setools-1.2.1-4.i386.rpm
setools-1.2.1-4.i386.rpm 100% |=========================| 292 kB 00:02
Running test transaction:
/etc/security/selinux/file_contexts: No such file or directory
Test transaction complete, Success!
/etc/security/selinux/file_contexts: No such file or directory
checkpolicy 100 % done 1/5
policycoreutils 100 % done 2/5
policy 100 % done 3/5
Can't open '/etc/security/selinux/policy.16': No such file or directory
error: %post(policy-1.9.2-9) scriptlet failed, exit status 2
policy-sources 100 % done 4/5
cat: /selinux/policyvers: No such file or directory
cat: /selinux/policyvers: No such file or directory
make: Entering directory `/etc/security/selinux/src/policy'
/usr/sbin/load_policy /etc/security/selinux/policy.
/usr/sbin/load_policy: security_load_policy failed
make: *** [tmp/load] Error 3
make: Leaving directory `/etc/security/selinux/src/policy'
error: %post(policy-sources-1.9.2-9) scriptlet failed, exit status 2
setools 100 % done 5/5
Installed: policy 1.9.2-9.noarch policycoreutils 1.9.2-1.i386
policy-sources 1.9.2-9.noarch checkpolicy 1.8-1.i386 setools 1.2.1-4.i386
Transaction(s) Complete
[root@localhost security]#
19 years, 5 months
FC2T2, Selinux, and VMware
by Gene Czarcinski
I noticed that there are lots of "vmware" references in the SELinux policy
files. Anyone have some tips or other pearls of wisdom to say about running
FC2T2 as a vmware guest or running vmware on a FC2T2 host?
Gene
19 years, 5 months
Is there a way to uninstall the SElinux?
by Axel Jerabek
I installed the Fedora Core 2 and I am not really happy with the SElinux
behaviour.
Since I ported our video software to the 2.6 kernel I used the Fedora Core 2
release.
But unhappily I installed it with the SElinux option. Is there a way to get
rid of the SElinux
without having to reinstall the buddy again?
Thanks for help, axel.
19 years, 5 months
httpd cannot read httpd-manual
by Karl DeBisschop
Here's the audit from /var/log/messages:
Apr 2 04:09:33 xxxxx kernel: audit(1080896972.999:0): avc: denied {
getattr } for pid=1156 exe=/usr/sbin/httpd
path=/var/www/manual/index.html dev=md0 ino=1473314
scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_t
tclass=file
System is FC2 devel in enforcing mode, the only change I have made to
policies is to add myself as an administrative user.
--
Karl DeBisschop (kdebisschop(a)infoplease.com)
Pearson Education/Infoplease (http://www.infoplease.com)
19 years, 5 months
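As an added example (not part of Karl's post), here is a small Python parser for the kernel-message AVC record format shown above; it pulls the source domain, target type, object class and denied permissions out of log lines so a batch of denials can be summarised. The sample line is the denial from the post re-joined onto one line, and a second non-AVC line is constructed to show the negative case.

```python
import re

# Sample input: the AVC record from the post above, re-joined onto one line,
# plus a constructed ordinary kernel line that is not an AVC record.
SAMPLE_LINES = [
    "Apr 2 04:09:33 xxxxx kernel: audit(1080896972.999:0): avc: denied { getattr } "
    "for pid=1156 exe=/usr/sbin/httpd path=/var/www/manual/index.html dev=md0 "
    "ino=1473314 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_t "
    "tclass=file",
    "Apr 2 04:09:34 xxxxx kernel: eth0: link up",
]

# audit(<seconds>.<millis>:<serial>): avc: denied { perm perm } for key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc: (?P<action>denied|granted) "
    r"\{ (?P<perms>[^}]*)\} for (?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict describing an AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "action": m.group("action"),
        "perms": m.group("perms").split(),
    }
    # pid=, exe=, path=, dev=, ino=, scontext=, tcontext=, tclass= ...
    rec.update(KV_RE.findall(m.group("rest")))
    # Split user:role:type contexts into parts (extra MLS fields are ignored).
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            user, role, type_ = rec[ctx].split(":")[:3]
            rec[ctx] = {"user": user, "role": role, "type": type_}
    return rec


def summarize(rec):
    """One-line summary: source domain -> target type (class): permissions."""
    return "%s -> %s (%s): %s" % (
        rec["scontext"]["type"], rec["tcontext"]["type"],
        rec.get("tclass", "?"), " ".join(rec["perms"]))


def denials(lines):
    """Summaries of every denied AVC record found in the given log lines."""
    recs = (parse_avc(l) for l in lines)
    return [summarize(r) for r in recs if r and r["action"] == "denied"]
```

Running `denials(SAMPLE_LINES)` on the post's line yields `httpd_t -> var_t (file): getattr`, which makes the mismatch between the httpd domain and the generic var_t label of the manual directory easy to spot.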
Naming convention flames
by murphy pope
I've been struggling to understand some of this SELinux stuff so I can
explain it to other users. But I have my stupid-hat on these days.
Why does SELinux use a separate user database? Why doesn't SELinux read
the /etc/passwd database instead of maintaining its own? Has anybody
ever said "hey, we've already got one database, things will get a whole
lot clearer if we invent another one instead"?
There seems to be some difference between a domain and a type, although
given the lack of documentation, I'm not convinced of that. If they are
different, whose idea was it to use the same naming convention for
both? Why not user_t and user_d? Use _t to indicate a type and _d to
indicate a domain. Or do they have to be from the same namespace? Does
a type named user_t always exactly correspond to a domain named user_t?
If so, what's the difference between a domain and a type?
Why do we need useradd and seuseradd? Shouldn't useradd give me the
option to create an identity? Or better yet, shouldn't useradd create an
identity by default and give me the option to create a generic user
instead?
Sorry to sound so negative, but this stuff is not ready for prime-time
and without some documentation, it never will be. Without good
documentation, you're gonna have to revert this whole project. When
something goes wrong, I don't know if it's a bug, or if it's my error,
or if it's working right and I just don't know what I'm doing.
-- Murphy
19 years, 5 months
Re: Naming convention flames
by murphy pope
> SELinux has an independent user identity model, which provides for more
> rigorous identity based access control than standard Unix. e.g. you can
> change Unix user id, but not SELinux user id.
And that's a feature, is it?
> The reason there are separate databases is that there is not a direct
> mapping between Unix users and SELinux users.
That's not a justification, it's a consequence of the fact that you are
maintaining a separate database. In other words, that's a bad thing,
not a good thing.
> Many users in /etc/passwd can be mapped to a single SELinux user for
> access control purposes (e.g. system_u).
Sounds like /etc/group to me.
> There also needs to be a way to map the user to a set of roles, so a
> separate database is needed anyway.
Yes, a separate database is required here to extend the data stored in
/etc/passwd. But it should be analogous to /etc/shadow (which also
extends the data stored in /etc/passwd). The important difference is
that the "primary key" in /etc/shadow refers to the "primary key" in
/etc/passwd. Of course, without an RDBMS, referential integrity is not
enforced, but violations are meaningless - an orphan record in
/etc/shadow is simply ignored.
SELinux keeps two separate databases with no relationship between
primary keys.
And by the way, Russell mentioned that we have to consider NIS, LDAP,
and other storage mechanisms. Those storage mechanisms are storage
mechanisms, not separate databases, meaning that if you maintain a user
database in NIS and duplicate the information in an LDAP directory,
you're simply storing the same data in two places.
The arrangement that SELinux uses is like keeping two different customer
files and assigning two different customer ID numbers to the same
customer - that's trouble.
-- Murphy
19 years, 5 months
Another dumb question...
by murphy pope
Everything that I've read says that the 'su' command will change my
Linux user ID but not my identity. Here's what I see:
# id -Z
root:staff_r:staff_t
# su fred
Your default context is fred:sysadm_r:sysadm_t.
Do you want to choose a different one? [n]n
$ id -Z
fred:sysadm_r:sysadm_t
My identity changed from 'root' to 'fred'. Bug? That seems a pretty
fundamental flaw considering that every document that I've read uses
'su' to explain the difference between a user ID and an identity.
By the way, I see the same result whether I use 'su' or 'su -'. I see
the same result (a change in identity) whether I su from root to fred or
from fred to root.
So which one is right? The documentation or the code?
-- Murphy
19 years, 5 months
Re: Naming convention flames
by murphy pope
> As James says, there is no difference, this is why they both end in
> _t. I agree that it can be confusing at the start, but it's not going
> to get changed at this time.
Ok, but section 2.2.5 from Faye's document starts with:
> There is a very important distinction which needs to be made here,
> between a domain and a type, as it tends to cause a little confusion
> later on if you don't understand it from the start.
There is no difference, but we need to make a very important
distinction?
You're writing for programmers - write for users! How would you explain
SELinux to your mother?
-- Murphy
19 years, 5 months