Re: How to make SELinux in Fedora work?
by Park Lee
Dear sir,
Thank you,
I still want to ask: "Can I use 'rpm -Uvh' to install the policy-sources
package instead of using the command 'yum install policy-sources'?"
Respectfully yours,
Park Lee
2004-06-03
New policies installed. Minor problem & change(?)
by Tom London
I've installed the latest selinux-policy-strict-1.13.2-4 stuff (along
with -sources, libselinux*, etc. dependencies via 'yum update') with
system running selinux-policy-strict-1.13.2-2/enforcing.
A few 'minor' items noted:
1). The install produced protection/access messages when attempting to
write/create /etc/selinux/strict/policy/policy.17 (the usual 'creating
in .rpmnew' thing). Did this once for selinux-policy-strict and once
for selinux-policy-strict-sources.
(I had just completed a 'fixfiles relabel' with
selinux-policy-strict-1.13.2-2, so I'm confident that the /etc/selinux
directory was properly labeled.)
I then did a manual 'mv policy.17 policy.17.rpmsave; mv policy.17.rpmnew
policy.17', rebooted single-user, and did a 'fixfiles relabel', and then
rebooted multi-user.
('fixfiles relabel/check' now fails if run in enforcing mode
('Permission denied' for file_contexts). Works if you 'setenforce 0'
first. Did I miss a change?)
2). Also, there now is a complete absence of 'avc' messages in
/var/log/messages. Is this expected?
3). I checked the scripts on the policy rpms and it looks like the
reference to 'POLICYTYPE' is gone (replaced with 'SELINUXTYPE'). Is it
safe to remove the 'POLICYTYPE=strict' line from /etc/sysconfig/selinux
and from /etc/selinux/config? Can I safely remove one file?
Thanks for the updates!
tom
Re: How to make SELinux in Fedora work?
by Park Lee
On Thu, 27 May 2004 08:16:03 Stephen Smalley wrote:
>If you didn't enable SELinux at install time,
>then you'll need to install a policy
>(yum install policy policy-sources), create or edit
>/etc/sysconfig/selinux and set SELINUX=permissive in it,
> and relabel your filesystems (via fixfiles relabel).
>Once you get your filesystems labeled and have verified
>that you can boot without avc denials in your logs,
>you can set SELINUX=enforcing in /etc/sysconfig/selinux.
I really didn't enable SELinux at install time. Then I tried to enable
SELinux on my FC2 according to what you said. On my FC2 there was no
policy-sources RPM package installed by default, so I wanted to install
the package, but something went wrong when I used 'yum install
policy-sources'.
Below is what came on my screen:
[root@localhost RPMS]# yum install policy-sources
Gathering header information file(s) from server(s)
Server: Fedora Core 2 - i386 - Base
retrygrab() failed for:
http://download.fedora.redhat.com/pub/fedora/linux/core/2/i386/os/headers...
.info
Executing failover method
failover: out of servers to try
Error getting file
http://download.fedora.redhat.com/pub/fedora/linux/core/2/i386/os/headers...
.info
[Errno 4] IOError: <urlopen error >
I wonder what's wrong? And can I use 'rpm -Uvh' to install the package instead of using 'yum install policy-sources'?
And there is another question:
In 'Fedora Core 2 SELinux FAQ', it said:
Q:. How do I temporarily turn off enforcing mode without having to reboot?
A:. This situation usually arises when you can't perform an action that is being prevented by policy. Run the command setenforce 0 to turn off enforcing mode in real time. When you are finished, run setenforce 1 to turn enforcing back on
Then, my question is: "Can we still run 'echo 1 > /selinux/enforce' to switch into enforcing mode, and switch back to permissive mode with 'echo 0 > /selinux/enforce'?"
Thank you very much!
Sincerely yours,
Park Lee
2004-06-03
Kernel 2.4 on fc2 with selinux?
by maillist@wolke7.net
Hi,
Because of the lack of sys_call_table in kernel 2.6 and other things,
I must "downgrade" the kernel on FC2 from 2.6 to 2.4,
but SELinux should still work afterwards.
Are there steps of particular importance to be taken?
Should I prefer the clean kernel from kernel.org,
or one from FC1 (which one? the src.rpm's?)?
Are the NSA patch and the clean kernel enough
(http://www.nsa.gov/selinux/code/download3.cfm),
or must any/all of the FC1 patches be applied for it to work properly?
TIA
Marco
Guidance using pam_passwdqc module and Army Regulation 25-2
by William Brower
Can anyone provide guidance concerning how to integrate the pam_passwdqc
module with FC1 or FC2 ? I'll admit to not being a PAM expert, but I
have RTFM, but still no luck. Some details:
1) pam_passwdqc can be found here: http://www.openwall.com/passwdqc/
I downloaded and installed the module - things went cleanly and the
module was installed in /lib/security/pam_passwdqc.so
2) I tried modifying /etc/pam.d/system-auth to look like this
(I know there is a warning about file autogeneration, but frankly, the
/etc/pam.d/passwd file seems to direct all real action to this file -
should I just modify the /etc/pam.d/passwd file instead??)
OLD:
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok
md5 shadow
password required /lib/security/$ISA/pam_deny.so
NEW:
#password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password required /lib/security/$ISA/pam_passwdqc.so
password sufficient /lib/security/$ISA/pam_unix.so nullok use_first_pass
md5 shadow
password required /lib/security/$ISA/pam_deny.so
Please ignore possible line-wrap on "md5 shadow" lines above.
The above fails with:
[testuser@sloth testuser]$ passwd
Changing password for user testuser.
passwd: Authentication token manipulation error
Here is my goal. Maybe I can reach it another way entirely:
I'm trying to see if I can't make FCx automatically compliant with a new
Army regulation (AR25-2) which provides specific password guidance,
including the number of required characters from each character set
(lower case, upper-case, numbers, punctuation), password length, etc.
The regulation can be found here (see section 4-12: Password control):
XML: http://docs.usapa.belvoir.army.mil/jw2/xmldemo/r25_2/cover.asp
PDF: http://www.usapa.army.mil/pdffiles/r25_2.pdf
In a nutshell, the relevant parts are:
>e. Generate passwords as follows —
>
>(1) The minimum requirement is a 10-character case-sensitive password.
>Passwords or phrases longer than 10 characters are recommended when
>supported by the IS. Password expiration will be not more than 150
>days.
>
>(2) The password will be a mix of uppercase letters, lowercase
>letters, numbers, and special characters, including at least two of
>each of the four types of characters (for example, x$TloTBn2!) and can
>be user generated.
>
>(3) Enforce password policy through implementation or enhancement of
>native security mechanisms.
>
>(4) Passwords will not include such references as social security
>numbers (SSNs), birthdays, USERIDs, names, slang, military acronyms,
>call signs, dictionary words, consecutive or repetitive characters,
>system identification, or names; neither will they be easy to guess
>(for example, mypassword, abcde12345).
>
>(5) Password history configurations will prevent reutilization of the
>last 10 passwords when technically possible.
>
Any help you can offer would be appreciated.
Finally, would FC consider adding this module? I think a few distros
have done this. Having an out-of-box AR25-2 compliant system would be
pretty great from the Army's point of view!
Thanks!
Bill
--
William Brower
MIT Lincoln Laboratory
Reagan Test Site, Kwajalein, Marshall Islands
p: 805.355.1310
f: 805.355.1701
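An added illustration of the AR 25-2 rules quoted above as a standalone checker (this is not pam_passwdqc, Fedora or Army code): the run length of three used for "consecutive or repetitive characters", the tiny word list and the plaintext history comparison are assumptions.

```python
"""Checker modelled on the AR 25-2 para 4-12 rules quoted above.

Added illustration, not pam_passwdqc or Army code.  Assumptions: a
"consecutive or repetitive" run is three characters; the word list is a
tiny constructed stand-in; history is compared in clear (a real system
would compare hashes).
"""
import string

MIN_LENGTH = 10      # rule (1): 10-character minimum
MIN_PER_CLASS = 2    # rule (2): at least two of each character type
RUN_LENGTH = 3       # assumption: three in a row counts as a run
HISTORY_DEPTH = 10   # rule (5): last 10 passwords may not be reused

# Constructed stand-in for a dictionary / slang / acronym list (rule 4).
FORBIDDEN_WORDS = ("password", "secret", "hooah")

CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def _has_run(pw):
    """True if any RUN_LENGTH window is identical (aaa) or sequential (abc, 321)."""
    for i in range(len(pw) - RUN_LENGTH + 1):
        codes = [ord(c) for c in pw[i:i + RUN_LENGTH]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw, userid="", personal=(), history=()):
    """Return the list of violated rules; an empty list means compliant.

    personal: names, SSN, birthday strings etc. that must not appear (rule 4).
    history: previous passwords, newest first (rule 5).
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        n = sum(1 for c in pw if c in chars)
        if n < MIN_PER_CLASS:
            problems.append(f"only {n} {name} character(s)")
    if _has_run(pw):
        problems.append("consecutive or repetitive characters")
    low = pw.lower()
    for item in (userid, *personal):
        if item and item.lower() in low:
            problems.append(f"contains '{item}'")
    for word in FORBIDDEN_WORDS:
        if word in low:
            problems.append(f"contains forbidden word '{word}'")
    if pw in tuple(history)[:HISTORY_DEPTH]:
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems
```

Run against the regulation's own example, x$TloTBn2!, the checker reports only one digit, so that example does not itself satisfy rule (2).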
[ANNOUNCE] Setools version 1.4 released
by Karl MacMillan
Tresys Setools version 1.4 has been released. It is available from the
SELinux sourceforge cvs repository and the Tresys webpage:
http://www.tresys.com/selinux/
This release includes several new features including:
- Support for binary policies in addition to source policies in libapol.
This allows almost all of the tools, including Apol, Seaudit, sesearch, and
seinfo, to work with a binary policy. This is especially important as more
SELinux systems are deployed without a full policy source tree.
- GUI updates to Apol and Seaudit to correctly support binary policies.
- Seaudit, sesearch, and seinfo will now load a binary policy by default if
no source policy is found.
- Numerous bug fixes and policy updates for Seuser allowing it to run
correctly under Fedora Core 2.
- The installation of policy and labeling of files has been removed from the
'make install' target in order to support systems with policies that are
significantly different from the default NSA policy. The new target 'make
install-policy' will install the Setools policy files and label the
applications and configuration files.
- Seinfo now supports conditional policies.
- The results tabs in Apol can now be renamed by the user to make them
easier to distinguish when many tabs are open simultaneously.
Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134
Re: Installing the new policy
by Tom London
I also had some issues in the newest selinux-policy installs from the
development tree.
First, I had to remove setools to remove a yum/rpm conflict.
After successfully yum'ing selinux-policy-strict-sources (which also
installed selinux-policy-strict and removed policy and policy-sources),
I rebooted in single user mode, where I did the usual 'fixfiles
relabel'. I then rebooted to multiuser mode, where I determined that
the 'mode' was set to 'disabled' (i.e., 'getenforce->disabled').
Rooting around uncovered that there was no /etc/selinux/config
installed, nor was /etc/sysconfig/selinux updated with the
'SELINUXTYPE=strict' line. (Since the thread on this was confusing to
me, I also added a line 'POLICYTYPE=strict'.)
I modified /etc/sysconfig/selinux, copied it to /etc/selinux/config and
rebooted. Still came up with selinux in 'disabled' mode.
Checking /var/log/messages showed 'SELinux disabled at boot'. So, I
rebooted adding 'selinux=1' to the boot line. This time, the boot failed
with 'can't read /etc/fstab' and brought me up in 'filesystem repair'
mode. There I determined that /etc/fstab had no security context
assigned to it (Did it get rewritten during a 'disabled' boot?)
I rebooted without the 'selinux=1' but in single-user mode, where I
adjusted the context of /etc/fstab, /etc/sysconfig/selinux and
/etc/selinux/config. I also changed /etc/sysconfig/selinux to boot up
in permissive mode.
Rebooting with 'selinux=1 single' worked, I reran 'fixfiles relabel'.
Rebooting with 'selinux=1' into permissive/multi-user worked. I changed
/etc/sysconfig/selinux and /etc/selinux/config to 'enforce'. Rebooting
single-user (i.e., with 'selinux=1 single') worked.
Rebooting strict/multi-user (i.e. with 'selinux=1') did not work. It
got jammed setting up X.org log files. Seems that
/var/log/Xorg.0.log.old had no security context so the attempt to move
/var/log/Xorg.0.log 'on top of it' failed. (I'm guessing it was a
leftover from a 'disabled' boot.)
I fixed that ('chcon --reference Xorg.0.log Xorg.0.log.old'), fixed
/tmp/gconfd-tbl (same problem), and now it boots up strict/multi-user.
So here's the condensed version:
1. installing selinux-policy-strict-sources (and selinux-policy-strict)
did not setup /etc/selinux/config, nor did it modify
/etc/sysconfig/selinux. (I must admit that I was confused by the
message thread. Did I need to remove /etc/sysconfig/selinux before doing
the 'yum install selinux-policy-strict-sources'? I thought the install
would add the 'SELINUXTYPE=strict' line to an existing file, but I may
have read this wrong.)
2. My system was 'setup' to boot by default into 'disabled' mode. This
caused a lot of problems with unlabeled files, directories, etc.
Accidentally forgetting to add 'selinux=1' to the boot line may cause this.
3. I had to 'yum remove setools'. Did this cause my booting or other
problems?
4. I added both 'SELINUXTYPE=' and 'POLICYTYPE=' lines to
/etc/sysconfig/selinux and to /etc/selinux/config. Are both
needed/correct? /sbin/fixfiles seems to want 'SELINUXTYPE'...
5. I manually copied /etc/selinux/conf from /etc/sysconfig/selinux. Does
that provide the correct info/format?
System is up and running in strict/enforcing mode. I will later try to
install selinux-policy-targeted*.
tom
Simplistic X11 logins not working.. (newbie questions)
by Erik Fichtner
So. I've got vanilla FC2 with SELinux loaded and the standard
policy sources loaded on my laptop. For various reasons (low memory
and a general dislike for all things GNOME; primarily), I'm trying to
make good old xdm work and start boring old twm. This requires a
little bit of manhandling within /etc/X11/xdm/Xsession and /etc/inittab.
No big deal here.
As packaged, the policy sets up xdm running as system_u:system_r:xdm_t.
This starts a copy of X which is transitioned into
system_u:system_r:xdm_xserver_t. Then there's a display ":0" sitting
around on a third pid running as system_u:system_r:xdm_t. Fine.
Logging in as my user (which results in a nice clean emf:user_r:user_t
on the console) launches a twm as system_u:system_r:xdm_t, and then
when I attempt to run an xterm, I get the following avc denials:
avc: denied { read write } for pid=3793 exe=/usr/bin/xterm name=ptmx dev=hda2 ino=134859 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:ptmx_t tclass=chr_file
avc: denied { search } for pid=3793 exe=/usr/bin/xterm dev= ino=1 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:devpts_t tclass=dir
avc: denied { search } for pid=3793 exe=/usr/bin/xterm dev= ino=1 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:devpts_t tclass=dir
and xterm promptly exits since it can't get a pty, and everything is
still running as system_r:xdm_t, which is the real issue here.
/etc/security/default_contexts does have an entry for:
system_r:xdm_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
I even tried changing that to read:
system_r:xdm_t user_r:user_t
At this point, I started flailing around a little bit and created an
Xwm.{te|fc} pair:
type Xwm_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(xdm_t,Xwm_exec_t,user_t)
/usr/X11R6/bin/twm system_u:object_r:Xwm_exec_t
reloaded the policy, and relabelled twm. Alles gut, ya? Nein!
Now, when xdm->Xsession fires off twm, I get this:
security_compute_sid: invalid context system_u:system_r:user_t for scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:Xwm_exec_t tclass=process
and twm exits. Clearly, that wasn't the answer.
So... the questions are:
1) why doesn't default_contexts appear to have any influence upon xdm?
1a) is there a way to force it?
2) what am I supposed to do to get my window manager and its children
into user_r:user_t ?
Thanks in advance...
--
Erik Fichtner; Unix Ronin
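To triage denials like the three quoted above, here is an added parser (not part of the original post or of SELinux's own tooling) that turns 'avc: denied' lines into records and groups them by source type, target type, object class and permissions; the sample lines are the ones from the post.

```python
"""Parse kernel 'avc: denied' lines into records and group them for triage.

Added example; it is not part of the original post or of any SELinux tool.
SAMPLE_LINES are the three denials quoted in the post, used as test input.
"""
import re
from collections import Counter

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")   # key=value pairs; dev= may be empty

SAMPLE_LINES = [
    "avc: denied { read write } for pid=3793 exe=/usr/bin/xterm name=ptmx "
    "dev=hda2 ino=134859 scontext=system_u:system_r:xdm_t "
    "tcontext=system_u:object_r:ptmx_t tclass=chr_file",
    "avc: denied { search } for pid=3793 exe=/usr/bin/xterm dev= ino=1 "
    "scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:devpts_t "
    "tclass=dir",
    "avc: denied { search } for pid=3793 exe=/usr/bin/xterm dev= ino=1 "
    "scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:devpts_t "
    "tclass=dir",
]


def parse_avc(line):
    """Return a dict for one denial, or None if the line is not one.

    Works on raw lines or on /var/log/messages lines with a syslog prefix,
    since the pattern is searched rather than anchored at the start.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(KV_RE.findall(m.group("rest")))
    for side in ("scontext", "tcontext"):
        # user:role:type[:mls]; keep the type, which is what policy rules use
        parts = rec.get(side, "").split(":")
        if len(parts) >= 3:
            rec[side + "_type"] = parts[2]
    return rec


def summarize(lines):
    """Count denials by (source type, target type, class, sorted perms)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            key = (rec.get("scontext_type"), rec.get("tcontext_type"),
                   rec.get("tclass"), " ".join(sorted(rec["perms"])))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (stype, ttype, tclass, perms), n in summarize(SAMPLE_LINES).items():
        print(f"{n:3d}x {stype} -> {ttype}:{tclass} {{ {perms} }}")
```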
fedora 2 - ls -Z for proc
by Pratik Mehta
Hi,
When I run ls --context or ls -Z on /proc on Fedora 2, I get:
[root@localhost proc]# ls --context
dr-xr-xr-x root root (null) 1
dr-xr-xr-x root root (null) 10
dr-xr-xr-x root root (null) 11
dr-xr-xr-x root root (null) 116
But as faye says in his documentation:
Running ls --context /proc shows the following listing for the init
process (with a process id of 1):
dr-xr-xr-x root root system_u:system_r:init_t 1
Why is this so?
- Pratik
Dumb question - where does policy.17 go when it is 'loaded'?
by Bob Gustafson
When a policy is reloaded
(i.e., cd /etc/selinux/strict/src/policy; make reload),
where does it go?
Here we have a local make of the policy:
[root@hoho2 policy]# make policy 2>&1 | tee policy.out
/usr/bin/checkpolicy -o policy.17 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
security: 5 users, 7 roles, 1248 types, 1 bools
security: 42 classes, 306567 rules
/usr/bin/checkpolicy: policy configuration loaded
/usr/bin/checkpolicy: writing binary representation (version 17) to policy.17
[root@hoho2 policy]# date
Tue Jun 1 01:15:00 CDT 2004
[root@hoho2 policy]# ls -lt | head
total 11712
-rw------- 1 root root 7465378 Jun 1 01:14 policy.17
-rw-r--r-- 1 root root 330 Jun 1 01:14 policy.out
-rw-r--r-- 1 root root 97 May 29 23:57 reload.out
drwxr-xr-x 2 root root 4096 May 29 23:57 tmp
drwxr-xr-x 4 root root 4096 May 29 12:06 file_contexts
-rw-r--r-- 1 root root 4207890 May 29 12:05 policy.conf
drwx------ 2 root root 4096 May 29 12:05 flask
drwx------ 3 root root 4096 May 29 12:05 macros
drwx------ 2 root root 4096 May 29 12:05 types
OK, policy.17 is dropped into this directory.
[root@hoho2 policy]# ls -l ../../policy
total 7308
-rw-r--r-- 1 root root 7465378 May 29 12:06 policy.17
And the policy.17 in this strict tree has not been updated.
Now, zap the local policy.17
[root@hoho2 policy]# rm policy.17
rm: remove regular file `policy.17'? y
And now just do a make reload
[root@hoho2 policy]# make reload 2>&1 | tee policy.out
/usr/sbin/load_policy /etc/selinux/strict/policy/policy.`cat
/selinux/policyvers`
touch tmp/load
Now, check where it went..
[root@hoho2 policy]# ls -l ../../policy
total 7308
-rw-r--r-- 1 root root 7465378 May 29 12:06 policy.17
It does not seem to have updated the policy in the same (strict) tree.
Look around for it
[root@hoho2 policy]# find / -name policy.17 -print
/etc/security/selinux/policy.17
/etc/security/selinux/src/policy/policy.17
/etc/selinux/targeted/src/policy/policy.17
/etc/selinux/targeted/policy/policy.17
/etc/selinux/strict/policy/policy.17
Lots of policies - now check dates
[root@hoho2 policy]# ls -l /etc/security/selinux/policy.17
-rw-r--r-- 1 root root 7410154 May 29 12:13 /etc/security/selinux/policy.17
[root@hoho2 policy]# ls -l /etc/security/selinux/src/policy/policy.17
-rw------- 1 root root 7385824 May 7 10:24
/etc/security/selinux/src/policy/policy.17
[root@hoho2 policy]# ls -l /etc/selinux/strict/policy/policy.17
-rw-r--r-- 1 root root 7465378 May 29 12:06
/etc/selinux/strict/policy/policy.17
[root@hoho2 policy]# ls -l /etc/selinux/targeted/policy/policy.17
-rw-r--r-- 1 root root 97919 May 29 12:06
/etc/selinux/targeted/policy/policy.17
[root@hoho2 policy]# ls -l /etc/selinux/targeted/src/policy/policy.17
-rw------- 1 root root 97919 May 28 13:38
/etc/selinux/targeted/src/policy/policy.17
None of the dates have been touched. Where did it go?
-----
Now, if policy is 'loaded', why do I now get these errors?
[root@hoho2 user1]# rpm -i policycoreutils-1.13-3.src.rpm
/etc/security/selinux/file_contexts: invalid context
system_u:object_r:at_exec_t on line number 710
/etc/security/selinux/file_contexts: invalid context
system_u:object_r:seuser_exec_t on line number 1550
/etc/security/selinux/file_contexts: invalid context
system_u:object_r:seuser_conf_t on line number 1551
[root@hoho2 user1]#
Also - hmm, I think I have security 'loaded' because I cannot 'su' into
root now - unless I know what my role and type and ... are!! - may have to
reboot.
My guess at this point is that the policy is loaded into memory somewhere -
maybe the kernel patches will tell where?? But why is there no disk
version?