installing new policies
by Richard Hally
For what it's worth, I just tried installing the new
selinux-policy-strict and -targeted and there is a dependency between
setools and the old policy (and policy-source).
It seems that we need updated rpms for setools and setools-gui.
Richard Hally
Re: Enabling SELinux (was Re: How to make SELinux in Fedora work?)
by Tom London
OK. I tracked things down a bit.
The swap problem is spurious (i.e. not related to SELinux). (My swap
space got trashed a few days ago and I didn't notice.) Sorry to confuse
matters.....
I'm tracking down 'vestigial' files that were not assigned contexts by
fixfiles. There were some in /var/tmp (kdecache-tbl, e.g.), etc.
tom
------------------------------------------------------------------------
* /From/: Stephen Smalley <sds epoch ncsc mil>
* /To/: "Fedora SELinux support list for users & developers."
<fedora-selinux-list redhat com>
* /Subject/: Re: Enabling SELinux (was Re: How to make SELinux in
Fedora work?)
* /Date/: Thu, 27 May 2004 14:18:08 -0400
------------------------------------------------------------------------
On Thu, 2004-05-27 at 14:07, Tom London wrote:
> I see nothing in /var/log/messages about this...
Did you try enabling all auditing? See
http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/index.html#id33...
> Any thoughts on what happened to swap? Something I did?
I have no idea.
--
Stephen Smalley <sds epoch ncsc mil>
National Security Agency
Re: Enabling SELinux (was Re: How to make SELinux in Fedora work?)
by Tom London
Sort of interesting.....
I enabled all auditing as described, but still see no avc messages.
I've localized it a bit: seems that play, aplay (alsa) works, but
esdplay does not. I can't seem to start the esd daemon:
ALSA lib pcm_hw.c:1056:(snd_pcm_hw_open) open /dev/snd/pcmC0D0p
failed: Device or resource busy.
I can work around this. (not certain this is an SELinux issue.....)
Will SELinux 'conversions' like this be supported for FC3? If so, it
will require a lot of testing....
tom
crond and /usr/bin/run-parts
by Fritz Elfert
Hi,
On FC2, the system housekeeping is executed as root via a shell script
/usr/bin/run-parts which in turn executes scripts in
/etc/cron.{hourly,daily,monthly}. This does not work in enforcing mode.
Instead I get the following error:
audit(1085671860.593:0): avc: denied { transition } for pid=17894
exe=/usr/sbin/crond path=/bin/bash dev=hda2 ino=883049
scontext=root:system_r:crond_t tcontext=user_u:sysadm_r:sysadm_t
tclass=process
If I interpret this correctly, crond is unable to change the execution
context to root when trying to run /usr/bin/run-parts. I already submitted
a bug report for that
(http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124533) but until it
is fixed, I wanted to make my own workaround. I tried the following:
In /etc/security/selinux/src/policy/file_contexts/misc/local.fc I have:
/usr/bin/run-parts -- system_u:object_r:runparts_exec_t
In /etc/security/selinux/src/policy/domains/misc/local.te I have:
type runparts_exec_t, file_type, sysadmfile, exec_type;
domain_trans(crond_t, shell_exec_t, sysadm_t)
domain_trans(crond_t, runparts_exec_t, sysadm_t)
I tried also adding:
system_crond_entry(runparts_exec_t, sysadm_t)
After relabeling and make reload, I still get this error. At least the
script seems to be labeled ok:
-rwxr-xr-x+ root root system_u:object_r:runparts_exec_t /usr/bin/run-parts
What am I doing wrong?
Thanks
-Fritz
--
Fritz Elfert <fritz.elfert(a)millenux.com> Millenux GmbH
Lilienthalstr. 2 Phone: +49 711 88770 400
70825 Stuttgart FAX: +49 711 88770 449
--------------------------------------------------------------------------
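The denial Fritz quotes can be decoded mechanically. As an added example (not code from the post or from any SELinux tool), here is a small Python parser for FC2-era AVC messages that extracts the source and target types and renders the allow rule that would satisfy the denial, the way audit2allow does; the sample line is the denial from the post, joined onto one line.

```python
import re

# Constructed sample: the denial quoted in the post above, joined onto one line.
SAMPLE_AVC = (
    "audit(1085671860.593:0): avc: denied { transition } for pid=17894 "
    "exe=/usr/sbin/crond path=/bin/bash dev=hda2 ino=883049 "
    "scontext=root:system_r:crond_t tcontext=user_u:sysadm_r:sysadm_t "
    "tclass=process"
)

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)

def parse_avc(line):
    """Parse one FC2-era AVC message into a dict, or return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    # The remainder is a flat list of key=value pairs (pid, exe, path, scontext, ...).
    for key, value in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        rec[key] = value
    # A security context is user:role:type; type enforcement rules name the type.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def suggest_rule(rec):
    """Render the allow rule that would satisfy a denial, as audit2allow would.

    The rule is a starting point for reading the denial, not a recommendation:
    for the sample it reads as crond_t being allowed to transition to sysadm_t.
    """
    if rec is None or rec["result"] != "denied":
        return None
    if any(k not in rec for k in ("scontext_type", "tcontext_type", "tclass")):
        return None
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (
        rec["scontext_type"], rec["tcontext_type"], rec["tclass"], perm_str)

if __name__ == "__main__":
    record = parse_avc(SAMPLE_AVC)
    print(record["scontext_type"], "->", record["tcontext_type"], record["perms"])
    print(suggest_rule(record))
```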
Enabling SELinux (was Re: How to make SELinux in Fedora work?)
by Tom London
I decided to give this a try on a FC2 machine that was installed with
'everything' but without enabling 'selinux' on the install. It had
policy-1.11.3-3 (and policy-sources) installed.
Following the attached advice, here's what I did:
1. Modified /etc/sysconfig/selinux to have 'SELINUX=permissive'
2. Rebooted single-user and ran 'fixfiles relabel'
3. Rebooted multi-user
The machine booted up in permissive mode fine, with only a few 'avc'
messages to examine.
There were a couple of quickly noticed issues:
1. The 'swapon' command in the boot sequence failed:
swapon: /dev/hda3: Invalid argument
(entry from /var/log/messages: May 27 10:15:54 fedora kernel:
Unable to find swap-space signature)
I ran 'mkswap /dev/hda3; swapon -a' and all worked:
May 27 10:17:47 fedora kernel: Adding 1502068k swap on
/dev/hda3. Priority:-1 extents:1
2. Sound no longer worked, but I could find no obvious avc or other
messages.
(No sound from gain, xine, ...)
I ran 'System Settings->Soundcard Detection', clicked OK in the
popup, but nothing appeared to happen (also, no messages in
/var/log/messages).
BUT, sound started working, at least I can now hear music from
'xine'.
After fixing the above, I set 'setenforce 1' and all appeared working well.
I then edited /etc/sysconfig/selinux, changing 'SELINUX=permissive' to
'SELINUX=enforcing', and rebooted. Swap now got added correctly, and
the system came up as expected. Even mozilla, including the added
plugins worked! (This is quite impressive!!!!!)
Sound didn't work again. I tried as normal user:
1. cd /usr/share/sounds
aplay warning.wav
Playing WAVE 'warning.wav' : Signed 16 bit Little Endian,
Rate 44100 Hz, Mono
But no sound.
2. play warning.wav
Got sound!
3. aplay warning.wav
Playing WAVE 'warning.wav' : Signed 16 bit Little Endian, Rate
44100 Hz, Mono
Got Sound!
I see nothing in /var/log/messages about this...
Anyway, this exercise got me to convert this machine to
SELinux/enforcing ( :-D )
Any thoughts on what happened to swap? Something I did?
tom
------------------------------------------------------------------------
* /From/: Stephen Smalley <sds epoch ncsc mil>
* /To/: "Fedora SELinux support list for users & developers."
<fedora-selinux-list redhat com>
* /Subject/: Re: How to make SELinux in Fedora work?
* /Date/: Thu, 27 May 2004 08:16:03 -0400
------------------------------------------------------------------------
On Thu, 2004-05-27 at 02:44, park lee wrote:
> I've downloaded Fedora Core 2 from http://fedora.redhat.com/download/,
> and have installed it successfully.
As noted in the release notes for FC2
(http://fedora.redhat.com/docs/release-notes/), you have to pass
"selinux" to the installer to enable SELinux at install time.
> Then , I want to ask how to run SELinux which is integrated into
> Fedora Core? Is there some resources about what to do and how to do ?
If you didn't enable SELinux at install time, then you'll need to
install a policy (yum install policy policy-sources), create or edit
/etc/sysconfig/selinux and set SELINUX=permissive in it, and relabel
your filesystems (via fixfiles relabel). Once you get your filesystems
labeled and have verified that you can boot without avc denials in your
logs, you can set SELINUX=enforcing in /etc/sysconfig/selinux.
> And Is there any differences between it and the SELinux from
> http://www.nsa.gov/selinux/code/download5.cfm. As i know ,when we want
> to run the SELinux from
> http://www.nsa.gov/selinux/code/download5.cfm, we should first recompile
> the kernel with certain options, then install some applications (such
> as checkpolicy, libselinux) from the SELinux Full Userland Archive to
> the system. Then , if we want to run the SELinux that is integrated
> into Fedora Core, should we do the same steps?
Fedora Core 2 already includes the SELinux code in the kernel and
applications, so you don't have to recompile anything. You just need to
enable the SELinux support that is already there.
--
Stephen Smalley <sds epoch ncsc mil>
National Security Agency
How to make SELinux in Fedora work?
by Park Lee
Hi,
I've downloaded Fedora Core 2 from http://fedora.redhat.com/download/, and have installed it successfully.
When I type the command 'ls -Z', the command fails, and FC2 sends me a message on screen that this command can only be run on an SELinux core.
Then, I want to ask how to run the SELinux which is integrated into Fedora Core? Are there some resources about what to do and how to do it?
And is there any difference between it and the SELinux from http://www.nsa.gov/selinux/code/download5.cfm? As I know, when we want to run the SELinux from http://www.nsa.gov/selinux/code/download5.cfm, we should first recompile the kernel with certain options, then install some applications (such as checkpolicy, libselinux) from the SELinux Full Userland Archive to the system. Then, if we want to run the SELinux that is integrated into Fedora Core, should we do the same steps?
Thank you very much for your help!
Yours,
Park Lee
2004-05-27
Security contexts for the contexts directory?
by Daniel J Walsh
With the new design of the policy tree, we have moved the "contexts"
files into
/etc/selinux/*/contexts/
These files include default_contexts, file_contexts, default_type,
failsafe_contexts ...
as well as contexts for individual users like users/root. Currently the
security contexts for these files are etc_t. Should we change them to
something else? default_contexts_t? Should file_contexts be marked
differently than the others?
Also since policy is determined by /etc/sysconfig/selinux, should we set
a special security context on it? If we do should we move it to a
directory where it would be easier to maintain the security context?
Maybe rename it to /etc/selinux/config?
Dan
Difficulty compiling setools-1.3-2
by Bob Gustafson
I downloaded 'setools-1.3-2.src.rpm'
Using 'rpmbuild -bi', tried to build.
This is near the bottom of the build output
...
gcc -c replcon.c -DSUPPORTED_FILESYSTEMS='"ext2 ext3"' -Wall -O2 -I/usr/share
-DDEFAULT_POLICY='"/etc/security/selinux/src/policy/policy.conf"'
-DSEINFO_VERSION_NUM='"1.1"' -DSESEARCH_VERSION_NUM='"1.0"'
-DREPLCON_VERSION_NUM='"1.0"' -DFINDCON_VERSION_NUM='"1.0"' -I..
-I../libapol
replcon.c:16:29: selinux/selinux.h: No such file or directory
replcon.c:17:29: selinux/context.h: No such file or directory
replcon.c:299: error: syntax error before "get_security_context"
replcon.c:300: warning: return type defaults to `int'
replcon.c: In function `get_security_context':
replcon.c:301: error: `security_context_t' undeclared (first use in this
function)
replcon.c:301: error: (Each undeclared identifier is reported only once
replcon.c:301: error: for each function it appears in.)
replcon.c:301: error: syntax error before "sec_con"
replcon.c:304: error: `sec_con' undeclared (first use in this function)
-
...
Checking for the first missing file 'selinux.h'
[root@hoho2 user1]# find / -name selinux.h -print
/lib/modules/2.6.6-1.381smp/build/include/config/security/selinux.h
/lib/modules/2.6.6-1.381/build/include/config/security/selinux.h
/lib/modules/2.6.6-1.383/build/include/config/security/selinux.h
/lib/modules/2.6.6-1.376/build/include/config/security/selinux.h
/lib/modules/2.6.6-1.377/build/include/config/security/selinux.h
/lib/modules/2.6.6-1.376smp/build/include/config/security/selinux.h
/lib/modules/2.6.5-1.358smp/build/include/config/security/selinux.h
/lib/modules/2.6.6-1.377smp/build/include/config/security/selinux.h
/lib/modules/2.6.5-1.358/build/include/config/security/selinux.h
/usr/src/linux-2.6.5-1.358/include/config/security/selinux.h
[root@hoho2 user1]#
(I need to trash some of those old kernels..)
Don't see any selinux/selinux.h
Also
[root@hoho2 user1]# find / -name context.h -print
/usr/src/linux-2.6.5-1.358/security/selinux/ss/context.h
/old/usr/local/src/OO/OpenOffice.org1.1_SDK/include/bridges/remote/context.h
[root@hoho2 user1]#
Don't see any selinux/context.h either
-----
The binary of that package is installed
[root@hoho2 sel]# rpm -q setools
setools-1.3-2
[root@hoho2 sel]#
But many of the setools pieces are not in that binary package (apol, awish,..)
Maybe they never got built?
[root@hoho2 sel]# cd /var/cache/yum
[root@hoho2 yum]# ls
base development updates-released updates-testing
[root@hoho2 yum]# find . -name setools\*.rpm -print
./base/packages/setools-1.3-2.i386.rpm
[root@hoho2 yum]# rpm -q -l -p base/packages/setools-1.3-2.i386.rpm
/usr/bin/seinfo
/usr/bin/sepcut
/usr/bin/sesearch
/usr/bin/seuser
/usr/bin/seuseradd
/usr/bin/seuserdel
/usr/bin/seusermod
/usr/share/doc/setools-1.3/KNOWN-BUGS
/usr/share/doc/setools-1.3/README
/usr/share/doc/setools-1.3/apol_help.txt
/usr/share/doc/setools-1.3/apol_perm_mapping_ver12
/usr/share/doc/setools-1.3/apol_perm_mapping_ver15
/usr/share/doc/setools-1.3/apol_perm_mapping_ver16
/usr/share/doc/setools-1.3/apol_perm_mapping_ver17
/usr/share/doc/setools-1.3/dta_help.txt
/usr/share/doc/setools-1.3/iflow_help.txt
/usr/share/doc/setools-1.3/obj_perms_help.txt
/usr/share/doc/setools-1.3/seaudit_help.txt
/usr/share/doc/setools-1.3/sepcut_help.txt
/usr/share/doc/setools-1.3/seuser_help.txt
/usr/share/setools/apol.tcl
/usr/share/setools/apol_help.txt
/usr/share/setools/apol_perm_mapping
/usr/share/setools/apol_perm_mapping_ver12
/usr/share/setools/apol_perm_mapping_ver15
/usr/share/setools/apol_perm_mapping_ver16
/usr/share/setools/apol_perm_mapping_ver17
/usr/share/setools/customize_filter_window.glade
/usr/share/setools/dot_seaudit
/usr/share/setools/dta_help.txt
/usr/share/setools/filter_window.glade
/usr/share/setools/iflow_help.txt
/usr/share/setools/multifilter_window.glade
/usr/share/setools/obj_perms_help.txt
/usr/share/setools/prefer_window.glade
/usr/share/setools/query_window.glade
/usr/share/setools/se_user.tcl
/usr/share/setools/seaudit.glade
/usr/share/setools/seaudit_help.txt
/usr/share/setools/sepcut_help.txt
/usr/share/setools/seuser.conf
/usr/share/setools/seuser_help.txt
[root@hoho2 yum]#
relabeling of libjava plugin (j2sdk_1_5_0)
by Tom London
I've installed j2sdk_1_5_0 following the usual Fedora instruction. The
only adder is that the mozilla plugin needs its context 'fixed'. Here's
what I do:
cd /usr/lib/mozilla/plugins
chcon --reference moz* libjava*
chcon -h --reference moz* libjava* (not sure this is needed)
(/usr/lib/mozilla/plugins/libjava* is a symbolic link to
/usr/java/j2sdk1.5.0/jre/plugin/i386/ns7/libjavaplugin_oji.so).
That seems to make the plugin work.
After yum updating some packages, I ran 'fixfiles relabel' and found
that it undid the context change above. Here are the log entries:
/usr/sbin/setfiles: relabeling
/usr/lib/mozilla/plugins/libjavaplugin_oji.so from
system_u:object_r:shlib_t to system_u:object_r:lib_t
/usr/sbin/setfiles: relabeling
/usr/java/j2sdk1.5.0/jre/plugin/i386/ns7/libjavaplugin_oji.so from
system_u:object_r:shlib_t to system_u:object_r:usr_t
After this, the java-vm plugin stops working (that is, web pages with
x-java-vm items no longer work). I run the chcon's again and all works.
Does src/policy/file_contexts/types.fc need a line for it?
(e.g., /usr/java/j2sdk.*/jre/plugin/i386(/.*)?/lib.*\.so.* --
system_u:object_r:shlib_t)
thanks,
tom
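To see why fixfiles undoes the chcon, it helps to replay the file_contexts matching. This is an added Python example, not code from the post or from setfiles; the entries in FILE_CONTEXTS are a constructed approximation of the FC2 policy entries that cover these paths, and the precedence rule (the last matching entry wins, and a type filter such as -- restricts an entry to regular files) is a simplification of what setfiles does.

```python
import re

# Constructed file_contexts fragment (an approximation of the FC2 entries that cover
# these paths, not the real file): "<regex> [<filter>] <context>", where a filter of
# -- restricts the entry to regular files and -l to symbolic links.
FILE_CONTEXTS = r"""
/usr(/.*)?                            system_u:object_r:usr_t
/usr/lib(/.*)?                        system_u:object_r:lib_t
/usr/lib/.*\.so(\.[^/]*)*        --   system_u:object_r:shlib_t
"""

# The types.fc line proposed in the post above, verbatim.
PROPOSED_LINE = r"/usr/java/j2sdk.*/jre/plugin/i386(/.*)?/lib.*\.so.* -- system_u:object_r:shlib_t"

FILTERS = {"--": "file", "-l": "link", "-d": "dir", "-c": "chr", "-b": "blk",
           "-s": "sock", "-p": "fifo"}

def parse_file_contexts(text):
    """Turn file_contexts lines into (compiled regex, required file type, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, ctx = parts[0], FILTERS[parts[1]], parts[2]
        else:
            regex, ftype, ctx = parts[0], None, parts[1]
        specs.append((re.compile(regex + "$"), ftype, ctx))  # setfiles anchors both ends
    return specs

def match_context(specs, path, ftype):
    """Return the context setfiles would assign to path, or None if no entry matches.

    Simplification (see lead-in): the last matching entry wins, and an entry
    with a type filter is skipped for objects of any other type.
    """
    chosen = None
    for regex, want, ctx in specs:
        if want is not None and want != ftype:
            continue
        if regex.match(path):     # re.match anchors at the start, "$" at the end
            chosen = ctx
    return chosen

def plugin_labels(extra_lines=""):
    """Labels for the plugin symlink and its target, with optional extra file_contexts lines."""
    specs = parse_file_contexts(FILE_CONTEXTS + extra_lines)
    link = "/usr/lib/mozilla/plugins/libjavaplugin_oji.so"
    target = "/usr/java/j2sdk1.5.0/jre/plugin/i386/ns7/libjavaplugin_oji.so"
    return {"link": match_context(specs, link, "link"),
            "target": match_context(specs, target, "file")}

if __name__ == "__main__":
    print("default entries:", plugin_labels())
    print("with proposal:  ", plugin_labels(PROPOSED_LINE))
```

With the entries as constructed, the symlink under /usr/lib/mozilla/plugins gets lib_t and the real .so under /usr/java gets usr_t, matching the setfiles log above; appending the proposed types.fc line moves the target to shlib_t, while the symlink is unaffected because that entry is restricted to regular files.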
New design for policy on disk allowing multiple policy rpms to be simultaneously installed.
by Daniel J Walsh
As I have been trying to build a new policy we kept on coming up with
problems in replacing the current policy file with either strict or
targeted policy. In the next version of Fedora Core we will be shipping
a targeted policy on the iso images. We will continue to make the
strict policy available separately. The problem comes in that these
policy files conflict and we continued to work on how we could allow
them both to be installed and have the user fairly easily switch
between policies. With this new design, I could envision other policies
being added in the future and test machines able to switch between the
policies.
1. We are breaking the policy file out into two separate policy packages
selinux-policy-strict (-source also)
- Containing pretty much the current policy
selinux-policy-targeted (-source also)
- Containing a policy where most processes run in unconfined_t
and only specific services run under a different security context.
2. Both packages obsolete the current policy rpm.
3. We want both policy files to be installable and not conflict with
each other.
4. Policy files will be installed in the /etc/selinux/(strict|targeted)
directory.
Under this tree there will be at least three additional directories
policy/
Containing the compiled policy file
contexts/
Containing all the contexts files
file_contexts, default_contexts, default_type
users/
Containing user specific default context files. root in
particular.
src/
Containing the policy src directory.
5. Tools and libraries (fixfiles, libselinux, init, and setools) will be
modified to use the /etc/sysconfig/selinux file to determine which
policy to currently use on the system and where the policy files are
located.
6. If during the install /etc/sysconfig/selinux does not exist or does
not contain an entry for the type of policy, the first one installed
will set the context to itself.
cat /etc/sysconfig/selinux
#
# Change the following line to enforcing, permissive or disabled.
# On the next boot the machine will come up in one the selected mode
#
SELINUX=enforcing
#
# Select the type of policy that you are running current values are
# strict and targeted
#
SELINUXTYPE=strict
So if nothing is in the /etc/sysconfig/selinux file and you install
strict, strict will be added to the config file. If there is an entry,
then it will be left there.
This will allow the installation of both the Strict and Targeted policy;
the user can change the choice via this file and can then relabel.
7. We will not use symbolic links. Use of symbolic links complicates
policy and requires a user to modify them if he wanted to change the
security context that he wants to run as. Also you end up with
conflicts in the post install scripts which need to replace the old
symbolic link with a new one.
Comments?
Dan
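As an added illustration of items 5 and 6 (not code from the proposal or from any of the tools it names), this Python snippet parses a /etc/sysconfig/selinux file, resolves the policy tree under /etc/selinux/<SELINUXTYPE>/, and shows how a first policy install would fill in a missing SELINUXTYPE without overwriting an existing one; SAMPLE_CONFIG is a constructed copy of the file shown above, and the resolved paths follow the directory layout listed in item 4.

```python
import os

# Constructed copy of the /etc/sysconfig/selinux file shown in the proposal above.
SAMPLE_CONFIG = """\
#
# Change the following line to enforcing, permissive or disabled.
# On the next boot the machine will come up in the selected mode.
#
SELINUX=enforcing
#
# Select the type of policy that you are running; current values are
# strict and targeted.
#
SELINUXTYPE=strict
"""

VALID_MODES = ("enforcing", "permissive", "disabled")

def parse_selinux_config(text):
    """Read KEY=value lines, ignoring comments and blanks, into a dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def ensure_policy_type(text, installed_type):
    """Item 6: a policy install fills in SELINUXTYPE only when the file lacks it."""
    if parse_selinux_config(text).get("SELINUXTYPE"):
        return text                      # an existing choice is left alone
    if text and not text.endswith("\n"):
        text += "\n"
    return text + "SELINUXTYPE=%s\n" % installed_type

def resolve_policy(text, installed_types, root="/etc/selinux"):
    """Item 5: pick the mode and the policy tree a tool such as fixfiles should use."""
    settings = parse_selinux_config(text)
    mode = settings.get("SELINUX", "").lower()
    if mode not in VALID_MODES:
        raise ValueError("SELINUX must be one of %s, got %r" % (VALID_MODES, mode))
    ptype = settings.get("SELINUXTYPE")
    if ptype is None or ptype not in installed_types:
        raise ValueError("SELINUXTYPE %r is not an installed policy" % ptype)
    base = os.path.join(root, ptype)     # item 4: /etc/selinux/(strict|targeted)
    return {
        "mode": mode,
        "type": ptype,
        "policy_dir": os.path.join(base, "policy"),
        "contexts_dir": os.path.join(base, "contexts"),
        "file_contexts": os.path.join(base, "contexts", "file_contexts"),
        "src_dir": os.path.join(base, "src"),
    }

if __name__ == "__main__":
    print(resolve_policy(SAMPLE_CONFIG, ["strict", "targeted"]))
    print(ensure_policy_type("SELINUX=permissive\n", "targeted"), end="")
```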