On Tue, 2008-05-13 at 08:44 -0400, Stephen Smalley wrote:
On Mon, May 12, 2008 at 5:26 PM, Eric Paris <eparis(a)redhat.com>
wrote:
>
> Installing: selinux-policy ##################### [128/129]
> Installing: selinux-policy-targeted ##################### [129/129]
> libsemanage.dbase_llist_query: could not query record value
> libsepol.sepol_user_modify: MLS is enabled, but no MLS default level was defined
for user guest_u
Hmm...so you are installing a policy with MLS enabled, but tried to
add a user without a MLS level. I think this is likely a
bug/limitation of semanage, where it tries to deduce whether or not to
include the MLS field based on whether the host has MLS enabled.
This has come up before on selinux list; we need a libsemanage
interface for querying whether MLS is enabled in the policy store vs.
on the host. Or you could fake a /selinux/mls node that contains "1".
I have one that has a 1\n inside the chroot, but I guess that wasn't
enough? Yes, I think its a fine idea to create such a store vs. host
check, but in either case they both 'should' have returned MLS=on....
> libsepol.sepol_user_modify: could not load (null) into policy
> libsemanage.dbase_policydb_modify: could not modify record value
> libsemanage.semanage_base_merge_components: could not merge local modifications
into policy
> /usr/sbin/semanage: Could not add SELinux user guest_u
> libsepol.sepol_user_modify: MLS is enabled, but no MLS default level was defined
for user xguest_u
> libsepol.sepol_user_modify: could not load (null) into policy
> libsemanage.dbase_policydb_modify: could not modify record value
> libsemanage.semanage_base_merge_components: could not merge local modifications
into policy
> /usr/sbin/semanage: Could not add SELinux user xguest_u
>
> ERROR:dbus.proxies:Introspect error on :1.3:/org/freedesktop/Hal/Manager:
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a
reply. Possible causes include: the remote application did not send a reply, the message
bus security policy blocked the reply, the reply timeout expired, or the network
connection was broken.
> /sbin/restorecon reset / context
system_u:object_r:file_t:s0->system_u:object_r:root_t:s0
> /sbin/restorecon reset /bin context
unconfined_u:object_r:file_t:s0->system_u:object_r:bin_t:s0
> /sbin/restorecon reset /bin/rvi context
unconfined_u:object_r:file_t:s0->system_u:object_r:bin_t:s0
> /sbin/restorecon reset /bin/touch context
unconfined_u:object_r:file_t:s0->system_u:object_r:bin_t:s0
> /sbin/restorecon reset /bin/mountpoint context
unconfined_u:object_r:file_t:s0->system_u:object_r:mount_exec_t:s0
> /sbin/restorecon reset /bin/arch context
unconfined_u:object_r:file_t:s0->system_u:object_r:bin_t:s0
>
> and restorecon goes on like this, and on, and on, and on, and on
So no files were labeled properly by rpm? I guess we need someone to
explain how rpm decides whether or not to label files then, as I
thought it just used is_selinux_enabled() and that should return true
as long as /proc/filesystems is available even if selinuxfs is not
mounted within the chroot.
I'll get to no /selinux in a second
> other things of note, restorecond goes nuts fixing up /etc/mtab
for a
> while, must be some bad/no transition going on when we call mount?
Yes, that would make sense. Not sure what you mean by "goes nuts"
though or why restorecond would be running or looking within the
chroot.
I doubt we do any mounting inside the chroot do we? Missing transition
from livecd-creator program ->mount_t when it does its bind mounts
inside the chroot would cause this...
> I get no kernel AVC's but I do get:
>
> [root@dhcp231-25 ~]# ausearch -m AVC -m USER_AVC
> ----
> time->Mon May 12 17:19:48 2008
> type=USER_AVC msg=audit(1210627188.083:329): user pid=1849 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg }
for msgtype=method_return dest=:1.16 spid=2044 tpid=6840
scontext=system_u:system_r:hald_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_notrans_t:s0-s0:c0.c1023 tclass=dbus :
exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> ----
> time->Mon May 12 17:20:13 2008
> type=USER_AVC msg=audit(1210627213.086:330): user pid=1849 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg }
for msgtype=method_return dest=:1.16 spid=2044 tpid=6840
scontext=system_u:system_r:hald_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_notrans_t:s0-s0:c0.c1023 tclass=dbus :
exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>
> I've never seen unconfined_notrans_t until I started playing with this
> stuff. Dan, what is it?
>
> /me goes to try to build a livecd image with permissive and then with
> no /selinux inside the chroot.
>
> -Eric
>
>