selinux.20 on x86 - problems

selinux.20 on x86 - problems

Christophe Choumert
Hello,

I have converted a setup from hardened to selinux+hardened. I am using :
- kernel 2.6.15-rc5 (/ and /home on ext3)
- glibc 2.3.5-r2
- libselinux, policycoreutils 1.28
- libsepol 1.10
- udev-077
making it version 20 for the kernel, the libraries and the tools. If
this is a bad idea from the start, you can tell me so and stop reading :)
Here come my problems...

1) When trying to "make load" :
:::
 * Compiling and installing policy.20
/usr/bin/checkpolicy:  loading policy configuration
from /etc/security/selinux/src/policy.conf
domains/staff.te:4:ERROR 'unknown type xdm_t' at token ';' on line
29328:
allow staff_mount_t xdm_t:fd use;
#line 4
/usr/bin/checkpolicy:  error(s) encountered while parsing configuration
:::
So I pulled the two relevant lines around macros/user_macros.te:231
inside the "ifdef('xdm.te'" that followed and the error disappeared.
(there are 2 pairs of 2 lines there that look really similar?).
There is no xdm_t with gentoo's policy: doesn't there exist one? Or
is it not mature enough?

2) When I try again to "make load", it errors out with
:::
 * Building file_contexts
Usage: /usr/sbin/genhomedircon.old [ -d selinuxdir ] [-n | --nopasswd]
[-t selinuxtype ]
make: *** [file_contexts/file_contexts] Erreur 1
:::

Executing it a second time :
:::
* Installing file_contexts
* Loading policy.20
:::

I saw a changelog entry mentioning something related to a change in
genhomedir so maybe this is not a big deal (?).

However, even though "sestatus -v" output looks pretty good  (see at the
end), I don't think the labels are right for a lot of files :
:::
-# ls -Z /
drwxr-xr-x  root     root     system_u:object_r:tmpfs_t        dev/
drwxr-xr-x  root     root     system_u:object_r:home_root_t    home/
drwx------  root     root     system_u:object_r:user_home_dir_t root/
-# ls -Z /home
drwx------  krys     users    system_u:object_r:user_home_dir_t krys/
drwx------  root     root     system_u:object_r:user_home_dir_t root/
:::
where the user krys is actually "staff_t". From what I read in the
documentation, the home should be labeled "staff_home_dir_t". And
root's home directory labeling seems strange too.
/root is a bind mount of /home/root (/home is a local mount) - maybe
this isn't supported and causes trouble ?
Also, /dev is shown as device_t, not tmpfs_t in
http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-handbook.xml?part=4&chap=1 .
I have of course tried to "make relabel" but it stays the same.

3) Moreover,
- the processes I start myself as krys are "system_u:system_r:sysadm_t"
- amavisd has "system_u:system_r:crond_t"
- the processes launched by kdm and other kde applications are
"system_u:system_r:init_t"
I don't know a lot about selinux, but enough to know this is wrong...

sestatus output, with an error on the 4th line, but I have no clue what
it means - the rest conforms to the "standard" output proposed in the
documentation.
:::
-# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          error (No such file or directory)
Policy version:                 20
Policy from config file:        security

Process contexts:
Current context:                system_u:system_r:sysadm_t
Init context:                   system_u:system_r:init_t
/sbin/agetty                    system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:sysadm_sudo_t

File contexts:
Controlling term:               system_u:object_r:sysadm_devpts_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/bash                       system_u:object_r:shell_exec_t
/bin/login                      system_u:object_r:login_exec_t
/bin/sh                         system_u:object_r:bin_t ->
system_u:object_r:shell_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/sbin/init                      system_u:object_r:init_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t ->
system_u:object_r:shlib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t ->
system_u:object_r:ld_so_t
:::

Any help appreciated. Thanks,
Christophe Choumert
--
[hidden email] mailing list

Re: selinux.20 on x86 - problems

Chris PeBenito
On Sun, 2005-12-11 at 00:04 -0800, Christophe Choumert wrote:
> I have converted a setup from hardened to selinux+hardened. I am using :
> - kernel 2.6.15-rc5 (/ and /home on ext3)
> - glibc 2.3.5-r2
> - libselinux, policycoreutils 1.28
> - libsepol 1.10
> - udev-077
> making it version 20 for the kernel, the libraries and the tools. If
> this is a bad idea from the start, you can tell me so and stop reading :)
> Here come my problems...

Did you use the portage ebuilds to get these versions of SELinux utils,
or did you install them by hand?  There is evidence below which seems to
point to you installing it by hand, in which case you should use the
ebuilds, as I can't reproduce your problems.

> 1) When trying to "make load" :
> :::
>  * Compiling and installing policy.20
> /usr/bin/checkpolicy:  loading policy configuration
> from /etc/security/selinux/src/policy.conf
> domains/staff.te:4:ERROR 'unknown type xdm_t' at token ';' on line
> 29328:
> allow staff_mount_t xdm_t:fd use;
> #line 4
> /usr/bin/checkpolicy:  error(s) encountered while parsing configuration
>
> So I pulled the two relevant lines around macros/user_macros.te:231
> inside the "ifdef('xdm.te'" that followed and the error disappeared.
> (there are 2 pairs of 2 lines there that look really similar?).
> There is no xdm_t with gentoo's policy: doesn't there exist one? Or
> is it not mature enough?
There is an XDM policy, but not supported by Gentoo.  We are not
supporting desktops with the strict policy.  Support for desktops is on
the horizon, with the targeted policy.  Since the rules you removed were
in an ifdef(`xdm.te', this leads me to believe you have an xdm.te file,
which means you had to have added it.

> 2) When I try again to "make load", it errors out with
> :::
>  * Building file_contexts
> Usage: /usr/sbin/genhomedircon.old [ -d selinuxdir ] [-n | --nopasswd]
> [-t selinuxtype ]
> make: *** [file_contexts/file_contexts] Erreur 1
> :::

Can't reproduce this.

> Executing it a second time :
> :::
> * Installing file_contexts
> * Loading policy.20
> :::
>
> I saw a changelog entry mentioning something related to a change in
> genhomedir so maybe this is not a big deal (?).
>
> However, even though "sestatus -v" output looks pretty good  (see at the
> end), I don't think the labels are right for a lot of files :
> :::
> -# ls -Z /
> drwxr-xr-x  root     root     system_u:object_r:tmpfs_t        dev/
> drwxr-xr-x  root     root     system_u:object_r:home_root_t    home/
> drwx------  root     root     system_u:object_r:user_home_dir_t root/
> -# ls -Z /home
> drwx------  krys     users    system_u:object_r:user_home_dir_t krys/
> drwx------  root     root     system_u:object_r:user_home_dir_t root/
> :::
> where the user krys is actually "staff_t". From what I read in the
> documentation, the home should be labeled "staff_home_dir_t". And
> root's home directory labeling seems strange too.
> /root is a bind mount of /home/root (/home is a local mount) - maybe
> this isn't supported and causes trouble ?
When labeling, the bind mounts are ignored.  Only the "real" files are
labeled.  So your real /root is in /home, so it's labeled as it
was /home/root.  Since your home dir is most likely set for /root, the
directory gets mislabeled.  You should either set root's home dir
to /home/root, or don't use a bind mount.

> Also, /dev is shown as device_t, not tmpfs_t in
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-handbook.xml?part=4&chap=1 .
> I have of course tried to "make relabel" but it stays the same.

This is wrong, try remerging init and udev to make sure /dev is set up
right on boot.  Make relabel won't do anything to /dev since its
filesystem isn't persistent (ext[23], etc).  Use 'restorecon /dev'.

> 3) Moreover,
> - the processes I start myself as krys are "system_u:system_r:sysadm_t"
> - amavisd has "system_u:system_r:crond_t"
> - the processes launched by kdm and other kde applications are
> "system_u:system_r:init_t"

Again, desktops not currently supported.  Your X server isn't
transitioning into a reasonable domain, so once that happens everything
else that you run from X won't transition right.

> I don't know a lot about selinux, but enough to know this is wrong...
>
> sestatus output, with an error on the 4th line, but I have no clue what
> it means - the rest conforms to the "standard" output proposed in the
> documentation.
> :::
> -# sestatus -v
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          error (No such file or directory)
> Policy version:                 20
> Policy from config file:        security
Here is more evidence that you installed the SELinux userland stuff by
hand, our sestatus does not have the "config file" lines.

--
Chris PeBenito
<[hidden email]>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243
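An added example, not code from the thread or from the Gentoo policy, illustrating Chris's point that a relabel applies to the path on the real filesystem, so a bind-mounted /root shows whatever label /home/root got. The file_contexts fragment, the type names used for /root, the per-user entry for krys, the bind-mount table and the "last matching entry wins" rule are all constructed assumptions for illustration, not the real Gentoo file_contexts:

```python
"""Added example: how setfiles-style labeling resolves a path against
file_contexts, and why a bind-mounted /root shows the label of /home/root.
Constructed for illustration; not the Gentoo policy's real file_contexts."""
import re
from typing import List, Optional, Tuple

# Constructed file_contexts fragment ("regex [-d|--] context"). The type
# names are assumptions; the real policy's entries may differ.
FILE_CONTEXTS = """\
/.*                         system_u:object_r:default_t
/home                   -d  system_u:object_r:home_root_t
/home/[^/]*             -d  system_u:object_r:user_home_dir_t
/home/[^/]*/.*              system_u:object_r:user_home_t
/root                   -d  system_u:object_r:sysadm_home_dir_t
/root/.*                    system_u:object_r:sysadm_home_t
# genhomedircon-style per-user entry for a staff_t user (assumed)
/home/krys              -d  system_u:object_r:staff_home_dir_t
"""

# Constructed mount table: /root is a bind mount of /home/root, as in the thread.
BIND_MOUNTS = {"/root": "/home/root"}

Spec = Tuple[re.Pattern, Optional[str], str]


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts lines into (anchored regex, file-type filter, context)."""
    specs: List[Spec] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        regex, ctx = parts[0], parts[-1]
        ftype = parts[1] if len(parts) == 3 else None
        # setfiles anchors every file_contexts regex at both ends.
        specs.append((re.compile("^" + regex + "$"), ftype, ctx))
    return specs


def label_for(path: str, specs: List[Spec], is_dir: bool = False) -> Optional[str]:
    """Context for `path` on the underlying filesystem. Assumption: the last
    matching entry wins, which is how a file_contexts file is normally read;
    libselinux additionally orders entries by specificity, which this toy skips."""
    chosen = None
    for regex, ftype, ctx in specs:
        if ftype == "-d" and not is_dir:      # directory-only entry
            continue
        if ftype == "--" and is_dir:          # regular-file-only entry
            continue
        if regex.match(path):
            chosen = ctx
    return chosen


def real_path(path: str, bind_mounts: dict) -> str:
    """Translate a path seen through a bind mount to where the inode really
    lives. The label is stored on that inode, so this is the path that
    setfiles/restorecon effectively label."""
    for mnt, target in sorted(bind_mounts.items(), key=lambda kv: -len(kv[0])):
        if path == mnt or path.startswith(mnt + "/"):
            return target + path[len(mnt):]
    return path


def label_seen_at(path: str, specs: List[Spec], bind_mounts: dict,
                  is_dir: bool = False) -> Optional[str]:
    """What `ls -Z path` shows after a relabel: the label of the real path."""
    return label_for(real_path(path, bind_mounts), specs, is_dir)


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for p in ("/root", "/home/root", "/home/krys"):
        print(f"{p:12} rule for this path: {label_for(p, specs, True)}"
              f"   shown after relabel: {label_seen_at(p, specs, BIND_MOUNTS, True)}")
```

Running it shows the mismatch from the thread: the rule written for /root never fires because the directory under /root is really /home/root, which the generic /home/[^/]* entry labels user_home_dir_t. Either pointing root's home at /home/root or dropping the bind mount makes the rule and the real path agree again.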

Re: selinux.20 on x86 - problems

Christophe Choumert
On Sunday 11 December 2005 13:06, Chris PeBenito wrote:
> Did you use the portage ebuilds to get these versions of SELinux utils,
> or did you install them by hand?  There is evidence below which seems to
> point to you installing it by hand, in which case you should use the
> ebuilds, as I can't reproduce your problems.

I had all the packages emerged.

> > 1) When trying to "make load" :
> >
> >  * Compiling and installing policy.20
> > /usr/bin/checkpolicy:  loading policy configuration
> > from /etc/security/selinux/src/policy.conf
> > domains/staff.te:4:ERROR 'unknown type xdm_t' at token ';' on line
> > 29328:
> > allow staff_mount_t xdm_t:fd use;
> > #line 4
> > /usr/bin/checkpolicy:  error(s) encountered while parsing configuration
> >
> > So I pulled the two relevant lines around macros/user_macros.te:231
> > inside the "ifdef('xdm.te'" that followed and the error disappeared.
> > (there are 2 pairs of 2 lines there that look really similar?).
> > There is no xdm_t with gentoo's policy: doesn't there exist one? Or
> > is it not mature enough?
>
> There is an XDM policy, but not supported by Gentoo.  We are not
> supporting desktops with the strict policy.  Support for desktops is on
> the horizon, with the targeted policy.  Since the rules you removed were
> in an ifdef(`xdm.te', this leads me to believe you have an xdm.te file,
> which means you had to have added it.

It was gentoo's package, so no xdm.te. I probably wasn't clear enough the
first time.
This problem is still there; the relevant lines in macros/user_macros are
(starting at l.219) :
:::
ifdef(`user_can_mount', `
<snip>
allow $1_mount_t xdm_t:fd use;
allow $1_mount_t xdm_t:fifo_file write;
ifdef(`xdm.te', `
allow $1_mount_t xdm_t:fd use;
allow $1_mount_t xdm_t:fifo_file { read write };
<snip>
:::
So the problem only appears when the corresponding tunable "user_can_mount" is
set to true. I believe this is a bug? The first two xdm_t lines should still
be enclosed in an "ifdef('xdm.te',...".

> > 2) When I try again to "make load", it errors out with
> >
> >  * Building file_contexts
> > Usage: /usr/sbin/genhomedircon.old [ -d selinuxdir ] [-n | --nopasswd]
> > [-t selinuxtype ]
> > make: *** [file_contexts/file_contexts] Erreur 1
>
> Can't reproduce this.

Strange... I reemerged all the libraries, the policycoreutils and the
base-policy and now it's gone ?? So I can't reproduce it either :(

> > Executing it a second time :
<snip>
>
> When labeling, the bind mounts are ignored.  Only the "real" files are
> labeled.  So your real /root is in /home, so it's labeled as it
> was /home/root.  Since your home dir is most likely set for /root, the
> directory gets mislabeled.  You should either set root's home dir
> to /home/root, or don't use a bind mount.

That explains it, thanks.

> > Also, /dev is shown as device_t, not tmpfs_t in
> > http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-handbook.xml?p
> >art=4&chap=1 . I have of course tried to "make relabel" but it stays the
> > same.
>
> This is wrong, try remerging init and udev to make sure /dev is set up
> right on boot.  Make relabel won't do anything to /dev since its
> filesystem isn't persistent (ext[23], etc).  Use 'restorecon /dev'.

Now, after a restorecon, dev is correctly labeled.

> > 3) Moreover,
> > - the processes I start myself as krys are "system_u:system_r:sysadm_t"
> > - amavisd has "system_u:system_r:crond_t"
> > - the processes launched by kdm and other kde applications are
> > "system_u:system_r:init_t"
>
> Again, desktops not currently supported.  Your X server isn't
> transitioning into a reasonable domain, so once that happens everything
> else that you run from X won't transition right.

Ok. Which lists should I follow to test things ?

> > -# sestatus -v
> > SELinux status:                 enabled
> > SELinuxfs mount:                /selinux
> > Current mode:                   permissive
> > Mode from config file:          error (No such file or directory)
>
> Here is more evidence that you installed the SELinux userland stuff by
> hand, our sestatus does not have the "config file" lines.

And now my sestatus doesn't have this line ?! Well, that's for the better.

Thanks for your help,
Christophe Choumert
--
[hidden email] mailing list
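An added example, not code from the thread or from the Gentoo policy: a small Python checker for the guarding problem Christophe describes in macros/user_macros.te. It walks an m4-quoted .te fragment, tracks which ifdef(`…', `…') bodies are open, and reports rules that reference a type outside the ifdef for the file that defines that type. The fragments below are constructed to resemble the quoted excerpt; the self:capability line and the corrected variant are assumptions, not lines from the page:

```python
"""Added example: flag policy rules that reference a type outside the
ifdef(`file.te', ...) block that guarantees the type exists. Constructed
input modelled on the thread's macros/user_macros.te excerpt."""
import re
from typing import List, Optional, Tuple

# m4 opens a quote with ` and closes it with '. An ifdef body is the quote
# that follows "ifdef(`name',", so the name is remembered while scanning.
IFDEF_RE = re.compile(r"ifdef\(`([^']*)'")
RULE_RE = re.compile(r"^\s*(allow|dontaudit|auditallow|neverallow)\b")


def _scan_quotes(code: str, stack: List[Optional[str]]) -> None:
    """Push one entry per m4 quote opened on this line (the ifdef name it
    belongs to, or None for an ordinary quote) and pop for each quote closed."""
    pending: Optional[str] = None
    i = 0
    while i < len(code):
        m = IFDEF_RE.match(code, i)
        if m:
            pending = m.group(1)
            i = m.end()
            continue
        ch = code[i]
        if ch == "`":
            stack.append(pending)
            pending = None
        elif ch == "'" and stack:
            stack.pop()
        i += 1


def find_unguarded_rules(policy: str, type_name: str, guard: str) -> List[Tuple[int, str]]:
    """Return (line number, rule) for rules mentioning `type_name` that are
    not inside an open ifdef(`guard', ...) body."""
    uses_type = re.compile(r"\b" + re.escape(type_name) + r"\b")
    stack: List[Optional[str]] = []
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(policy.splitlines(), 1):
        code = line.split("#", 1)[0]          # '#' starts a comment in .te files
        if RULE_RE.match(code) and uses_type.search(code) and guard not in stack:
            findings.append((lineno, code.strip()))
        _scan_quotes(code, stack)
    return findings


# Constructed fragment resembling the excerpt quoted in the thread; the
# self:capability line is an assumption, not from the page.
BROKEN = """\
ifdef(`user_can_mount', `
allow $1_mount_t self:capability sys_admin;
allow $1_mount_t xdm_t:fd use;
allow $1_mount_t xdm_t:fifo_file write;
ifdef(`xdm.te', `
allow $1_mount_t xdm_t:fd use;
allow $1_mount_t xdm_t:fifo_file { read write };
')
')
"""

# The shape Christophe proposes: the first two xdm_t rules also enclosed
# in an ifdef(`xdm.te', ...) block (constructed).
FIXED = """\
ifdef(`user_can_mount', `
allow $1_mount_t self:capability sys_admin;
ifdef(`xdm.te', `
allow $1_mount_t xdm_t:fd use;
allow $1_mount_t xdm_t:fifo_file write;
')
ifdef(`xdm.te', `
allow $1_mount_t xdm_t:fd use;
allow $1_mount_t xdm_t:fifo_file { read write };
')
')
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        hits = find_unguarded_rules(text, "xdm_t", "xdm.te")
        print(f"{name}: {len(hits)} unguarded xdm_t rule(s)")
        for lineno, rule in hits:
            print(f"  line {lineno}: {rule}")
```

The checker works on the m4 source before expansion, so it reports the two unguarded rules whether or not user_can_mount is set; checkpolicy, by contrast, only sees the problem once the tunable is true and the expanded policy.conf references a type that was never declared, which is why the error surfaced as "unknown type xdm_t" at a policy.conf line number.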