All,
I'm just learning so forgive the trivial nature of the question:
FC2, Installed VMWare workstation 4.5x, unable to run configuration script, just "yum-ed" so I'm up to date, relabeled, rebooted, still cannot run configuration script...

[root@host root]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t
[root@host root]# /usr/bin/vmware-config.pl
Can't open perl script "/usr/bin/vmware-config.pl": Permission denied
[root@host root]# ls -Z /usr/bin/vmware-config.pl
-r-xr-xr-x+ root root system_u:object_r:vmware_exec_t /usr/bin/vmware-config.pl
Looks like a context problem to me but I am unsure what to change... my context, that of the script itself or modify context files and relabel?
I have the docs, have been reading, but I have not been able to understand some of the general concepts.
Any advice will be appreciated.
Earl
On Fri, 2004-06-25 at 14:50, Earl wrote:
All,
I'm just learning so forgive the trivial nature of the question:
FC2, Installed VMWare workstation 4.5x, unable to run configuration script, just "yum-ed" so I'm up to date, relabeled, rebooted, still cannot run configuration script...

[root@host root]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t
[root@host root]# /usr/bin/vmware-config.pl
Can't open perl script "/usr/bin/vmware-config.pl": Permission denied
[root@host root]# ls -Z /usr/bin/vmware-config.pl
-r-xr-xr-x+ root root system_u:object_r:vmware_exec_t /usr/bin/vmware-config.pl
Looks like a context problem to me but I am unsure what to change... my context, that of the script itself or modify context files and relabel?
I have the docs, have been reading, but I have not been able to understand some of the general concepts.
Any advice will be appreciated.
audit2allow -d -l | grep vmware_t should show you the relevant missing allow statements from the policy. On FC2, you can then add them to your policy by doing the following:
yum install policy-sources
cd /etc/security/selinux/src/policy
audit2allow -d -l | grep vmware_t >> domains/misc/local.te
make load
But I'm not clear that vmware-config.pl should be labeled vmware_exec_t at all (vs. bin_t). What is the advantage of running the configuration script in vmware_t vs. sysadm_t? There are no type transition rules for vmware_t (except for /var/run files), so it doesn't help keep the configuration in the right type.
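The `audit2allow -d -l | grep vmware_t` step above reads AVC denial messages out of the kernel log and turns them into `allow` statements for local.te. The shell function below is an added illustration of what that transformation does; it is not the audit2allow tool and not code from this thread. It parses the 2.6-era `avc: denied { perms } for ... scontext=... tcontext=... tclass=...` line format, keeps only denials whose source domain is the one named on the command line, and merges every permission seen for the same (source type, target type, class) triple into a single rule. The kernel log lines in `SAMPLE_AVC` are constructed for this example; the pid and inode numbers are made up.

```shell
#!/bin/sh
# Added example: a minimal audit2allow-style aggregator for AVC denial lines.
# Not the real audit2allow; the log lines below are constructed for this demo
# and mirror the vmware_t -> bin_t execute problem discussed in the thread.

SAMPLE_AVC='audit(1088189473.573:0): avc:  denied  { read } for  pid=2345 exe=/usr/bin/perl path=/usr/bin/vmware-config.pl dev=hda2 ino=40121 scontext=root:sysadm_r:vmware_t tcontext=system_u:object_r:vmware_exec_t tclass=file
audit(1088189473.574:0): avc:  denied  { execute } for  pid=2345 exe=/usr/bin/perl path=/bin/more dev=hda2 ino=30017 scontext=root:sysadm_r:vmware_t tcontext=system_u:object_r:bin_t tclass=file
audit(1088189473.575:0): avc:  denied  { getattr } for  pid=2345 exe=/usr/bin/perl path=/bin/more dev=hda2 ino=30017 scontext=root:sysadm_r:vmware_t tcontext=system_u:object_r:bin_t tclass=file
audit(1088189473.576:0): avc:  denied  { read } for  pid=2201 exe=/bin/bash path=/etc/passwd dev=hda2 ino=1001 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:etc_t tclass=file'

# avc_to_allow DOMAIN: read AVC lines on stdin and print one allow rule per
# (source type, target type, class) whose source type is DOMAIN, sorted.
avc_to_allow() {
    awk -v want="$1" '
        /avc: *denied/ {
            # the permission set sits between the braces: "{ read execute }"
            if (match($0, /[{][^}]*[}]/) == 0) next
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            stype = ""; ttype = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                # contexts are user:role:type; the type is the third field
                if ($i ~ /^scontext=/) { split($i, a, ":"); stype = a[3] }
                if ($i ~ /^tcontext=/) { split($i, b, ":"); ttype = b[3] }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            }
            if (stype != want || ttype == "" || tclass == "") next
            key = stype " " ttype ":" tclass
            # merge permissions for the same triple, skipping duplicates
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++) {
                if (index(" " seen[key] " ", " " p[j] " ") == 0)
                    seen[key] = (seen[key] == "" ? p[j] : seen[key] " " p[j])
            }
        }
        END {
            for (k in seen) printf "allow %s { %s };\n", k, seen[k]
        }' | sort
}

# Demo: the rules the thread's procedure would append to domains/misc/local.te
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow vmware_t
```

Filtering on the source domain, as the `grep vmware_t` in the thread does, matters: the sysadm_t denial in the sample is unrelated to VMware and must not end up in local.te just because it happened at the same time.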
Hello everyone, sorry for a newbie question. I have never worked with SELinux before. I am a doctoral student in computer science, and as part of my research project I have to install SELinux. I have an FC2 (2.6.6 kernel) machine. I downloaded, compiled and installed an SELinux-patched 2.6.6 kernel from NSA, then I installed the user utilities (policycoreutils, libselinux, etc -- downloaded from NSA's website as well). Since I have FC2, I am assuming that I don't need to install patched utilities, since they are now included in FC2. I only have the root user at this point, so I didn't edit the default policy file that came with the installation. I just did a 'make relabel' and booted into the SELinux kernel. If I just log in and run, e.g., "ls -Z" I get the error that the kernel has to support SELinux. If I then cd into /etc/security/selinux/src/policy and do a "make load", then 'ls -Z' or 'id' work properly and show me the context. Now if I reboot, the system forgets what I just did, and I have to do a 'make load' again. Something is not starting up at boot, I would guess. I tried 'selinux=1' at boot, but that doesn't change anything.
I would really appreciate it if anyone has any suggestions.
thanks a lot, Olga Gelbart Department of Computer Science The George Washington University
Because SELinux is disabled by default in FC2, you need to change the SELinux mode to either permissive mode or enforcing mode. It sounds like you may have this set to "SELINUX=Disabled" in the configuration file, which turns enforcing off and skips loading a policy at boot. See http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/index.html#id2934153 for more information.
Don Patterson Tresys Technology www.tresys.com
-----Original Message-----
From: fedora-selinux-list-bounces@redhat.com [mailto:fedora-selinux-list-bounces@redhat.com] On Behalf Of Olga Gelbart
Sent: Friday, June 25, 2004 3:26 PM
To: Fedora SELinux support list for users & developers.
Subject: FC2 SELinux Installation issue (Newbie)
Hello everyone, sorry for a newbie question. I have never worked with SELinux before. I am a doctoral student in computer science, and as part of my research project I have to install SELinux. I have an FC2 (2.6.6 kernel) machine. I downloaded, compiled and installed an SELinux-patched 2.6.6 kernel from NSA, then I installed the user utilities (policycoreutils, libselinux, etc -- downloaded from NSA's website as well). Since I have FC2, I am assuming that I don't need to install patched utilities, since they are now included in FC2. I only have the root user at this point, so I didn't edit the default policy file that came with the installation. I just did a 'make relabel' and booted into the SELinux kernel. If I just log in and run, e.g., "ls -Z" I get the error that the kernel has to support SELinux. If I then cd into /etc/security/selinux/src/policy and do a "make load", then 'ls -Z' or 'id' work properly and show me the context. Now if I reboot, the system forgets what I just did, and I have to do a 'make load' again. Something is not starting up at boot, I would guess. I tried 'selinux=1' at boot, but that doesn't change anything.
I would really appreciate it if anyone has any suggestions.
thanks a lot, Olga Gelbart Department of Computer Science The George Washington University
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Thanks! I checked the /etc/sysconfig/selinux file and set "SELinux=enforcing" (in all the documentation I read, I have never seen this file mentioned anywhere). Of course, now I have another problem. When I boot into the SELinux kernel, I am asked to enter the runlevel (I put either 3 or 5 and got the same results). After that I get a whole bunch of "avc: denied { read }" messages for /bin/bash and the system just hangs. Is my policy set up wrong? Can someone point me to a sample policy I can test on my machine? I would really appreciate that! Thanks,
Olga Gelbart Department of Computer Science The George Washington University
Don Patterson wrote:
Because SELinux is disabled by default in FC2, you need to change the SELinux mode to either permissive mode or enforcing mode. It sounds like you may have this set to "SELINUX=Disabled" in the configuration file, which turns enforcing off and skips loading a policy at boot. See http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/index.html#id2934153 for more information.
Don Patterson Tresys Technology www.tresys.com
-----Original Message-----
From: fedora-selinux-list-bounces@redhat.com [mailto:fedora-selinux-list-bounces@redhat.com] On Behalf Of Olga Gelbart
Sent: Friday, June 25, 2004 3:26 PM
To: Fedora SELinux support list for users & developers.
Subject: FC2 SELinux Installation issue (Newbie)
Hello everyone, sorry for a newbie question. I have never worked with SELinux before. I am a doctoral student in computer science, and as part of my research project I have to install SELinux. I have an FC2 (2.6.6 kernel) machine. I downloaded, compiled and installed an SELinux-patched 2.6.6 kernel from NSA, then I installed the user utilities (policycoreutils, libselinux, etc -- downloaded from NSA's website as well). Since I have FC2, I am assuming that I don't need to install patched utilities, since they are now included in FC2. I only have the root user at this point, so I didn't edit the default policy file that came with the installation. I just did a 'make relabel' and booted into the SELinux kernel. If I just log in and run, e.g., "ls -Z" I get the error that the kernel has to support SELinux. If I then cd into /etc/security/selinux/src/policy and do a "make load", then 'ls -Z' or 'id' work properly and show me the context. Now if I reboot, the system forgets what I just did, and I have to do a 'make load' again. Something is not starting up at boot, I would guess. I tried 'selinux=1' at boot, but that doesn't change anything.
I would really appreciate it if anyone has any suggestions.
thanks a lot, Olga Gelbart Department of Computer Science The George Washington University
On Fri, 25 Jun 2004 17:28:50 EDT, Olga Gelbart rosa@gwu.edu said:
Thanks! I checked the /etc/sysconfig/selinux file and set "SELinux=enforcing" (in all the documentation I read, I have never seen this file mentioned anywhere). Of course, now I have another problem. When I boot into the SELinux kernel, I am asked to enter the runlevel (I put either 3 or 5 and got the same results). After that I get a whole bunch of "avc: denied { read }" messages for /bin/bash and the system just hangs. Is my policy set up wrong? Can someone point me to a sample policy I can test on my machine? I would really appreciate that!
Probably a botched relabel.
1) Boot with 'selinux=0' to disable it entirely.
2) Edit the selinux file and set to 'selinux=permissive'.
3) Reboot.
4) make relabel, then set 'selinux=enforcing' and reboot again.
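The recovery procedure above hinges on getting the mode line in /etc/sysconfig/selinux right before each reboot: permissive while the relabel runs, enforcing only afterwards. The following shell functions are an added example, not code from the thread or from Fedora, for reading and rewriting that line on a scratch copy so the sequence can be scripted and checked rather than edited by hand. They accept the key and value case-insensitively (the thread shows both "SELINUX=Disabled" and "SELinux=enforcing" being typed), reject anything other than the three known modes, and always write the line back as `SELINUX=<mode>` in lowercase. The sample file content is constructed for the demo.

```shell
#!/bin/sh
# Added example: safe get/set of the SELINUX= mode in an /etc/sysconfig/selinux
# style file.  Works on whatever path it is given, so it can be tried on a copy.

# Constructed sample config; the real file is /etc/sysconfig/selinux.
SAMPLE_CFG='# This file controls the state of SELinux on the system.
# Valid values: enforcing, permissive, disabled
SELINUX=disabled'

# selinux_get_mode FILE: print the configured mode in lowercase, or "unset"
# when no SELINUX= line is present (the last matching line wins).
selinux_get_mode() {
    mode=$(sed -n 's/^[[:space:]]*[Ss][Ee][Ll][Ii][Nn][Uu][Xx]=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$mode" ] || { echo unset; return 0; }
    printf '%s\n' "$mode" | tr 'A-Z' 'a-z'
}

# selinux_set_mode FILE MODE: rewrite (or append) the SELINUX= line.
# Refuses unknown modes so a typo cannot leave the system with no policy.
selinux_set_mode() {
    file=$1
    new=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $new in
        enforcing|permissive|disabled) ;;
        *) echo "selinux_set_mode: unknown mode '$2'" >&2; return 1 ;;
    esac
    if grep -qi '^[[:space:]]*selinux=' "$file"; then
        sed "s/^[[:space:]]*[Ss][Ee][Ll][Ii][Nn][Uu][Xx]=.*/SELINUX=$new/" "$file" > "$file.tmp"
    else
        { cat "$file"; echo "SELINUX=$new"; } > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# Demo on a scratch copy, never on the live file.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_CFG" > "$demo_dir/selinux"
selinux_get_mode "$demo_dir/selinux"                 # disabled
selinux_set_mode "$demo_dir/selinux" permissive      # step 2 of the procedure
selinux_get_mode "$demo_dir/selinux"                 # permissive
rm -rf "$demo_dir"
```

Point the functions at the real /etc/sysconfig/selinux only once the scratch run looks right; the reboot and `make relabel` steps in between still have to be done as the procedure describes.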
Thank you. That worked!
Valdis.Kletnieks@vt.edu wrote:
On Fri, 25 Jun 2004 17:28:50 EDT, Olga Gelbart rosa@gwu.edu said:
Thanks! I checked the /etc/sysconfig/selinux file and set "SELinux=enforcing" (in all the documentation I read, I have never seen this file mentioned anywhere). Of course, now I have another problem. When I boot into the SELinux kernel, I am asked to enter the runlevel (I put either 3 or 5 and got the same results). After that I get a whole bunch of "avc: denied { read }" messages for /bin/bash and the system just hangs. Is my policy set up wrong? Can someone point me to a sample policy I can test on my machine? I would really appreciate that!
Probably a botched relabel.
- Boot with 'selinux=0' to disable it entirely.
- Edit the selinux file and set to 'selinux=permissive'.
- Reboot.
- make relabel, then set 'selinux=enforcing' and reboot again.
On Fri, 2004-06-25 at 16:26, Olga Gelbart wrote:
I have an FC2 (2.6.6 kernel) machine. I downloaded, compiled and installed an SELinux-patched 2.6.6 kernel from NSA, then I installed the user utilities (policycoreutils, libselinux, etc -- downloaded from NSA's website as well). Since I have FC2, I am assuming that I don't need to install patched utilities, since they are now included in FC2.
You don't need to download or build the kernel or userland from nsa.gov/selinux if you have installed FC2; FC2 already includes all of the SELinux code and has its own policy packages.
On Sat, 26 Jun 2004 05:42, Stephen Smalley sds@epoch.ncsc.mil wrote:
But I'm not clear that vmware-config.pl should be labeled vmware_exec_t at all (vs. bin_t). What is the advantage of running the configuration script in vmware_t vs. sysadm_t? There are no type transition rules for vmware_t (except for /var/run files), so it doesn't help keep the configuration in the right type.
Yes, vmware-config.pl should be labelled as bin_t (i.e. removed from vmware.fc).
But that's a small issue compared to all the other vmware issues. We want to have support for multiple domains for vmware for different user roles, and the policy should be easily configurable for one user to be able to launch vmware in different domains for NetTop type stuff.
Removed vmware-config.pl from: /etc/security/selinux/src/policy/file_contexts/program/vmware.fc and relabeled. vmware-config.pl works.
Is anyone aware of a SELinux + VMWare "cookbook" to implement something like NetTop?
Earl
--- Russell Coker russell@coker.com.au wrote:
On Sat, 26 Jun 2004 05:42, Stephen Smalley sds@epoch.ncsc.mil wrote:
But I'm not clear that vmware-config.pl should be labeled vmware_exec_t at all (vs. bin_t). What is the advantage of running the configuration script in vmware_t vs. sysadm_t? There are no type transition rules for vmware_t (except for /var/run files), so it doesn't help keep the configuration in the right type.
Yes, vmware-config.pl should be labelled as bin_t (i.e. removed from vmware.fc).
But that's a small issue compared to all the other vmware issues. We want to have support for multiple domains for vmware for different user roles, and the policy should be easily configurable for one user to be able to launch vmware in different domains for NetTop type stuff.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
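Earl's fix above is an edit to a file_contexts fragment: once the vmware-config.pl entry is gone from vmware.fc, the generic /usr/bin rule is the only one left that matches the script, so a relabel gives it bin_t and the sysadm_t shell can run it. The shell functions below are an added example, not code from the thread or from the FC2 policy, that make that reasoning checkable: `fc_matches` lists every .fc entry whose anchored extended regex matches a given path, and `fc_remove` drops entries whose regex contains a given string, the way the vmware.fc edit did. The .fc content in `SAMPLE_FC` is constructed for the demo (the generic /usr/bin rule is assumed to come from the policy's general file_contexts, and only types named in the thread are used). `fc_matches` prints all matches in file order and does not reproduce how setfiles picks between several matching entries.

```shell
#!/bin/sh
# Added example: inspect and edit file_contexts (.fc) entries as in the
# thread's fix (drop the vmware-config.pl line so the generic /usr/bin rule
# labels it bin_t).  The .fc text below is constructed and is not the real
# vmware.fc; only types that appear in the thread are used.

SAMPLE_FC='# generic rule (assumed to live in the general file_contexts)
/usr/bin(/.*)?                  system_u:object_r:bin_t
# vmware.fc entries
/usr/bin/vmware             --  system_u:object_r:vmware_exec_t
/usr/bin/vmware-config\.pl  --  system_u:object_r:vmware_exec_t'

# fc_matches FCFILE PATH: print "regex context" for every non-comment entry
# whose anchored extended regex matches PATH, in file order.
fc_matches() {
    fcfile=$1; path=$2
    grep -v '^[[:space:]]*#' "$fcfile" | grep -v '^[[:space:]]*$' |
    while read -r regex rest; do
        context=${rest##* }          # the last field is the security context
        if printf '%s\n' "$path" | grep -Eq "^($regex)$"; then
            printf '%s %s\n' "$regex" "$context"
        fi
    done
}

# fc_remove FCFILE STRING: delete entries whose regex field contains STRING;
# comment and blank lines are kept untouched.
fc_remove() {
    awk -v lit="$2" '/^[[:space:]]*#/ || index($1, lit) == 0 { print }' "$1" > "$1.tmp" &&
    mv "$1.tmp" "$1"
}

# Demo on a scratch copy of the constructed fragment.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_FC" > "$demo_dir/vmware.fc"
echo "before:"; fc_matches "$demo_dir/vmware.fc" /usr/bin/vmware-config.pl
fc_remove "$demo_dir/vmware.fc" vmware-config
echo "after:";  fc_matches "$demo_dir/vmware.fc" /usr/bin/vmware-config.pl
rm -rf "$demo_dir"
```

After the removal only the bin_t entry matches the script, while /usr/bin/vmware itself still matches its vmware_exec_t entry, which is exactly the split the thread wanted: the configuration script runs in the caller's domain and only the vmware binary gets the vmware_t entrypoint.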
--- Stephen Smalley sds@epoch.ncsc.mil wrote:
On Fri, 2004-06-25 at 14:50, Earl wrote:
All,
I'm just learning so forgive the trivial nature of the question:
FC2, Installed VMWare workstation 4.5x, unable to run configuration script, just "yum-ed" so I'm up to date, relabeled, rebooted, still cannot run configuration script...

[root@host root]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t
[root@host root]# /usr/bin/vmware-config.pl
Can't open perl script "/usr/bin/vmware-config.pl": Permission denied
[root@host root]# ls -Z /usr/bin/vmware-config.pl
-r-xr-xr-x+ root root system_u:object_r:vmware_exec_t /usr/bin/vmware-config.pl

Looks like a context problem to me but I am unsure what to change... my context, that of the script itself or modify context files and relabel?
I have the docs, have been reading, but I have not been able to understand some of the general concepts.
Any advice will be appreciated.
audit2allow -d -l | grep vmware_t should show you the relevant missing allow statements from the policy. On FC2, you can then add them to your policy by doing the following:
yum install policy-sources
cd /etc/security/selinux/src/policy
audit2allow -d -l | grep vmware_t >> domains/misc/local.te
make load
Already had policy-sources. Did the rest, now I get:

# /usr/bin/vmware-config.pl
Setup is unable to find the "more" program on your machine. Please make sure it is installed. Do you want to specify the location of this program by hand? [yes]
What is the location of the "more" program on your machine? /bin/more
The answer "/bin/more" is invalid. It must be the complete name of a binary file.
# ls -Z /bin/more
-rwxr-xr-x+ root root system_u:object_r:bin_t /bin/more
But I'm not clear that vmware-config.pl should be labeled vmware_exec_t at all (vs. bin_t). What is the advantage of running the configuration script in vmware_t vs. sysadm_t? There are no type transition rules for vmware_t (except for /var/run files), so it doesn't help keep the configuration in the right type.
-- Stephen Smalley sds@epoch.ncsc.mil National Security Agency