7:37 p.m.
I also had some issues in the newest selinux-policy installs from the
development tree.
First, I had to remove setools to remove a yum/rpm conflict.
After successfully yum'ing selinux-policy-strict-sources (which also
installed selinux-policy-strict and removed policy and policy-sources),
I rebooted in single user mode, where I did the usual 'fixfiles
relabel'. I then rebooted to multiuser mode, where I determined that
the 'mode' was set to 'disabled' (i.e.,
'getenforce->disabled').
Rooting around uncovered that there was no /etc/selinux/config
installed, nor was /etc/sysconfig/selinux updated with the
'SELINUXTYPE=strict' line. Since the thread on this was confusing to
me, I also added a line 'POLICYTYPE=strict').
I modified /etc/syconfig/selinux copied it to /etc/selinux/config and
rebooted. Still came up with selinux in 'disabled' mode.
Checking /var/log/messages showed 'SELinux disabled at boot'. So, I
rebooted adding 'selinux=1' to the boot line. This time, the boot failed
with 'can't read /etc/fstab' and brought me up in 'filesystem repair'
mode. There I determined that /etc/fstab had no security context
assigned to it (Did it get rewritten during a 'disabled' boot?)
I rebooted without the 'selinux=1' but in single-user mode, where I
adjusted the context of /etc/fstab, /etc/sysconfig/selinux and
/etc/selinux/config. I also changed /etc/sysconfig/selinux to boot up
in permissive mode.
Rebooting with 'selinux=1 single' worked, I reran 'fixfiles relabel'.
Rebooting with 'selinux=1' into permissive/multi-user worked. I changed
/etc/sysconfig/selinux and /etc/selinux/config to 'enforce'. Rebooting
single-user (i.e., with 'selinux=1 single') worked.
Rebooting strict/multi-user (i.e. with 'selinux=1') did not work. It
got jammed setting up X.org log files. Seems that
/var/log/Xorg.0.log.old had no security context so the attempt to move
/var/log/Xorg.0.log 'on top of it' failed. I'm guessing it was a
leftover from a 'disabled' boot.)
I fixed that ('chcon --reference Xorg.0.log Xorg.0.log.old'), fixed
/tmp/gconfd-tbl (same problem), and now it boots up strict/multi-user.
So here's the condensed version;
1. installing selinux-policy-strict-sources (and selinux-policy-strict)
did not setup /etc/selinux/config, nor did it modify
/etc/sysconfig/selinux. (I must admit that I was confused by the
message thread. Did I need to remove /etc/sysconfig/selinux before doing
the 'yum install selinux-policy-strict-sources'? I thought the install
would add the 'SELINUXTYPE=strict' line to an existing file, but I may
have read this wrong.)
2. My system was 'setup' to boot by default into 'disabled' mode. This
caused a lot of problems with unlabeled files, directories, etc.
Accidently forgetting to add 'selinux=1' to the boot line may cause this.
3. I had to 'yum remove setools'. Did this cause my booting or other
problems?
4. I added both 'SELINUXTYPE=' and 'POLICYTYPE=' lines to
/etc/sysconfig/selinux and to /etc/selinux/config. Are both
needed/correct? /sbin/fixfiles seems to want 'SELINUXTYPE'...
5. I manually copied /etc/selinux/conf from /etc/sysconfig/selinux. Does
that provide the correct info/format?
System is up and running in strict/enforcing mode. I will later try to
install selinux-policy-targeted*.
tom
12:38 a.m.
New subject: Installing the new policy - bravo
Great, your receipe worked pretty well - (but I'm not quite up at enforcing=1)
It is good to make the changes to /etc/security/selinux first.
I made mine with the active lines:
SELINUX=enforcing
SELINUXTYPE=strict
POLICYTYPE=strict
Then I copied it over to /etc/selinux/config
[root@hoho2 user1]# cd /etc/selinux
[root@hoho2 selinux]# ls -l
total 20
-rw-r--r-- 1 root root 332 May 29 23:47 config
drwxr-xr-x 5 root root 4096 May 29 12:05 strict
drwxr-xr-x 5 root root 4096 May 29 12:06 targeted
[root@hoho2 selinux]#
Adding the word 'single' to the grub.conf kernel line was a timesaver, and
potentially avoided more problems.
I think I was running for awhile with the kernel boot param 'selinux=0' -
doing a few yum updates during this time too. Many of the files that were
listed in the 'fixfiles relabel' run seemed as though they may have
appeared during yum updates when 'selinux=0' or when selinux was disabled
(by the /etc/sysconfig/selinux file settings). Boot params override this
file.
For the next few boots, I ran with 'selinux=1 enforcing=0'
Just as a test, I ran 'fixfiles relabel' twice. The second time, there were
no diagnostic output lines - leaving me with a good feeling.
I booted up again and looked in the /var/log/messages file - no audit
messages. Either something is working well, or not at all.
---
Then I tried to boot with the boot param 'enforcing=1'
In the RedHat nash phase (or maybe just after), I got the message:
Enforcing mode requested, but no policy loaded. Halting now.
Kernel panic: Attempted to kill init!
-----
After a power cycle, I set the boot param back to 'enforcing=0'
I remembered seeing a Makefile with the targets: ...,..., reload
I believe this Makefile was in /etc/sysconfig/selinux/src/policy, but I
noticed that /etc/sysconfig/selinux was now a file - in fact it was the
file that I edited a few minutes before.
Having seen a policy directory under /etc/syslinux/strict, I went there
[root@hoho2 policy]# pwd
/etc/selinux/strict/src/policy
[root@hoho2 policy]# ls -lt | head
total 11708
-rw-r--r-- 1 root root 97 May 29 23:57 reload.out
drwxr-xr-x 2 root root 4096 May 29 23:57 tmp
drwxr-xr-x 4 root root 4096 May 29 12:06 file_contexts
-rw-r--r-- 1 root root 4207890 May 29 12:05 policy.conf
drwx------ 2 root root 4096 May 29 12:05 flask
drwx------ 3 root root 4096 May 29 12:05 macros
drwx------ 2 root root 4096 May 29 12:05 types
drwx------ 2 root root 4096 May 29 12:05 appconfig
drwx------ 4 root root 4096 May 29 12:05 domains
This is after I did a 'make reload 2>&1 | tee reload.out` twice. The first
time I got a lot of diagnostic lines, 'inode ...'. The second time I got:
[root@hoho2 policy]# cat reload.out
/usr/sbin/load_policy /etc/selinux/strict/policy/policy.`cat
/selinux/policyvers
`
touch tmp/load
This looked pretty good, so I tried to go into enforcing mode by doing
[root@hoho2 policy]# setenforce 1
Immediately, I got:
su[2804]: Error!
Unable to set executable context (null).
login (pam_unix)[2534]: session closed for user1
INIT: cannot execute "/sbin/mngetty"
INIT: cannot execute "/sbin/mngetty"
INIT: cannot execute "/sbin/mngetty"
...
INIT: Id "1" respawing too fast, disabled for 5 minutes
-----
Another power cycle, and I am ready for bed.
Hopefully there are some clues in the above for selinux gurus.
BobG
on Sat, 29 May 2004 17:37:04 -0700, Tom London wrote:
I also had some issues in the newest selinux-policy installs from the
development tree.
First, I had to remove setools to remove a yum/rpm conflict.
After successfully yum'ing selinux-policy-strict-sources (which also
installed selinux-policy-strict and removed policy and policy-sources),
I rebooted in single user mode, where I did the usual 'fixfiles
relabel'. I then rebooted to multiuser mode, where I determined that
the 'mode' was set to 'disabled' (i.e.,
'getenforce->disabled').
Rooting around uncovered that there was no /etc/selinux/config
installed, nor was /etc/sysconfig/selinux updated with the
'SELINUXTYPE=strict' line. Since the thread on this was confusing to
me, I also added a line 'POLICYTYPE=strict').
I modified /etc/syconfig/selinux copied it to /etc/selinux/config and
rebooted. Still came up with selinux in 'disabled' mode.
Checking /var/log/messages showed 'SELinux disabled at boot'. So, I
rebooted adding 'selinux=1' to the boot line. This time, the boot failed
with 'can't read /etc/fstab' and brought me up in 'filesystem repair'
mode. There I determined that /etc/fstab had no security context
assigned to it (Did it get rewritten during a 'disabled' boot?)
I rebooted without the 'selinux=1' but in single-user mode, where I
adjusted the context of /etc/fstab, /etc/sysconfig/selinux and
/etc/selinux/config. I also changed /etc/sysconfig/selinux to boot up
in permissive mode.
Rebooting with 'selinux=1 single' worked, I reran 'fixfiles relabel'.
Rebooting with 'selinux=1' into permissive/multi-user worked. I changed
/etc/sysconfig/selinux and /etc/selinux/config to 'enforce'. Rebooting
single-user (i.e., with 'selinux=1 single') worked.
Rebooting strict/multi-user (i.e. with 'selinux=1') did not work. It
got jammed setting up X.org log files. Seems that
/var/log/Xorg.0.log.old had no security context so the attempt to move
/var/log/Xorg.0.log 'on top of it' failed. I'm guessing it was a
leftover from a 'disabled' boot.)
I fixed that ('chcon --reference Xorg.0.log Xorg.0.log.old'), fixed
/tmp/gconfd-tbl (same problem), and now it boots up strict/multi-user.
So here's the condensed version;
1. installing selinux-policy-strict-sources (and selinux-policy-strict)
did not setup /etc/selinux/config, nor did it modify
/etc/sysconfig/selinux. (I must admit that I was confused by the
message thread. Did I need to remove /etc/sysconfig/selinux before doing
the 'yum install selinux-policy-strict-sources'? I thought the install
would add the 'SELINUXTYPE=strict' line to an existing file, but I may
have read this wrong.)
2. My system was 'setup' to boot by default into 'disabled' mode. This
caused a lot of problems with unlabeled files, directories, etc.
Accidently forgetting to add 'selinux=1' to the boot line may cause this.
3. I had to 'yum remove setools'. Did this cause my booting or other
problems?
4. I added both 'SELINUXTYPE=' and 'POLICYTYPE=' lines to
/etc/sysconfig/selinux and to /etc/selinux/config. Are both
needed/correct? /sbin/fixfiles seems to want 'SELINUXTYPE'...
5. I manually copied /etc/selinux/conf from /etc/sysconfig/selinux. Does
that provide the correct info/format?
System is up and running in strict/enforcing mode. I will later try to
install selinux-policy-targeted*.
tom
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
11:56 a.m.
New subject: Installing the new policy
On Sat, 2004-05-29 at 20:37, Tom London wrote:
So here's the condensed version;
1. installing selinux-policy-strict-sources (and selinux-policy-strict)
did not setup /etc/selinux/config, nor did it modify
/etc/sysconfig/selinux. (I must admit that I was confused by the
message thread. Did I need to remove /etc/sysconfig/selinux before doing
the 'yum install selinux-policy-strict-sources'? I thought the install
would add the 'SELINUXTYPE=strict' line to an existing file, but I may
have read this wrong.)
I don't think that Dan has set up the spec file to do this yet in
%post. So you have to manually create /etc/selinux/config at present.
/etc/sysconfig/selinux is obsolete with the newer libselinux and
SysVinit. /usr/bin/selinuxconfig will show what libselinux thinks are
the active policy paths.
2. My system was 'setup' to boot by default into
'disabled' mode. This
caused a lot of problems with unlabeled files, directories, etc.
I think that this will eventually be covered by changing the spec file
to create /etc/selinux/config if it does not already exist. Dan?
3. I had to 'yum remove setools'. Did this cause my booting
or other
problems?
No, I don't think it created any of the problems you experienced. But
setools will need to be updated to use the new libselinux functions, and
rebuilt.
4. I added both 'SELINUXTYPE=' and 'POLICYTYPE='
lines to
/etc/sysconfig/selinux and to /etc/selinux/config. Are both
needed/correct? /sbin/fixfiles seems to want 'SELINUXTYPE'...
SELINUXTYPE is correct. There was a bug in the spec file that was using
POLICYTYPE; that should be changed if it hasn't already.
5. I manually copied /etc/selinux/conf from /etc/sysconfig/selinux.
Does
that provide the correct info/format?
Yes, except that you need to add a SELINUXTYPE=strict (or targeted) to
it, and it is named /etc/selinux/config.
You also need to relabel after updating the policy to get /etc/selinux
into the right types. Odds of successfully making this transition in
enforcing mode are slim, I suspect.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
7268
days inactive
7271
days old
selinux@lists.fedoraproject.org
2 comments
3 participants
participants (3)
-
Bob Gustafson -
Stephen Smalley -
Tom London