| 1 |
On Sunday 11 December 2005 13:06, Chris PeBenito wrote: |
| 2 |
> Did you use the portage ebuilds to get these versions of SELinux utils, |
| 3 |
> or did you install them by hand? There is evidence below which seems to |
| 4 |
> point to you installing it by hand, in which case you should use the |
| 5 |
> ebuilds, as I can't reproduce your problems. |
| 6 |
|
| 7 |
I had all the packages emerged. |
| 8 |
|
| 9 |
> > 1) When trying to "make load" : |
| 10 |
> > |
| 11 |
> > * Compiling and installing policy.20 |
| 12 |
> > /usr/bin/checkpolicy: loading policy configuration |
| 13 |
> > from /etc/security/selinux/src/policy.conf |
| 14 |
> > domains/staff.te:4:ERROR 'unknown type xdm_t' at token ';' on line |
| 15 |
> > 29328: |
| 16 |
> > allow staff_mount_t xdm_t:fd use; |
| 17 |
> > #line 4 |
| 18 |
> > /usr/bin/checkpolicy: error(s) encountered while parsing configuration |
| 19 |
> > |
| 20 |
> > So I pulled the two relevant lines around macros/user_macros.te:231 |
| 21 |
> > inside the "ifdef('xdm.te'" that followed and the error disappeared. |
| 22 |
> > (there a 2 pairs of 2 lines there that look really similar ?). |
| 23 |
> > There is no xdm_t with gentoo's policy : doesn't there exists one ? or |
| 24 |
> > is it not mature enough ? |
| 25 |
> |
| 26 |
> There is an XDM policy, but not supported by Gentoo. We are not |
| 27 |
> supporting desktops with the strict policy. Support for desktops is on |
| 28 |
> the horizon, with the targeted policy. Since the rules you removed was |
| 29 |
> in an ifdef(`xdm.te', this leads me to believe you have an xdm.te file, |
| 30 |
> which means you had to have added it. |
| 31 |
|
| 32 |
It was gentoo's package, so no xdm.te. I probably wasn't clear enough the |
| 33 |
first time. |
| 34 |
This problem is still there; the relevant lines in macros/user_macros are |
| 35 |
(starting at l.219) : |
| 36 |
::: |
| 37 |
ifdef(`user_can_mount', ` |
| 38 |
<snip> |
| 39 |
allow $1_mount_t xdm_t:fd use; |
| 40 |
allow $1_mount_t xdm_t:fifo_file write; |
| 41 |
ifdef(`xdm.te', ` |
| 42 |
allow $1_mount_t xdm_t:fd use; |
| 43 |
allow $1_mount_t xdm_t:fifo_file { read write }; |
| 44 |
<snip> |
| 45 |
::: |
| 46 |
So the problem only appears when the corresponding tunable "user_can_mount" is |
| 47 |
set to true. I believe this is a bug ? The first two xdm_t lines should still |
| 48 |
be enclosed in a "ifdef('xdm.te',...". |
| 49 |
|
| 50 |
> > 2) When I try again to "make load", it errors out with |
| 51 |
> > |
| 52 |
> > * Building file_contexts |
| 53 |
> > Usage: /usr/sbin/genhomedircon.old [ -d selinuxdir ] [-n | --nopasswd] |
| 54 |
> > [-t selinuxtype ] |
| 55 |
> > make: *** [file_contexts/file_contexts] Erreur 1 |
| 56 |
> |
| 57 |
> Can't reproduce this. |
| 58 |
|
| 59 |
Strange... I reemerged all the libraries, the policycoreutils and the |
| 60 |
base-policy and now it's gone ?? So I can't reproduce it either :( |
| 61 |
|
| 62 |
> > Executing it a second time : |
| 63 |
<snip> |
| 64 |
> |
| 65 |
> When labeling, the bind mounts are ignored. Only the "real" files are |
| 66 |
> labeled. So your real /root is in /home, so its labeled as it |
| 67 |
> was /home/root. Since your home dir is most likely set for /root, the |
| 68 |
> directory gets mislabeled. You should either set root's home dir |
| 69 |
> to /home/root, or don't use a bind mount. |
| 70 |
|
| 71 |
That explains it, thanks. |
| 72 |
|
| 73 |
> > Also, /dev is shown as device_t, not tmpfs_t in |
| 74 |
> > http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-handbook.xml?p |
| 75 |
> >art=4&chap=1 . I have of course tried to "make relabel" but it stays the |
| 76 |
> > same. |
| 77 |
> |
| 78 |
> This is wrong, try remerging init and udev to make sure /dev is set up |
| 79 |
> right on boot. Make relabel won't do anything to /dev since its |
| 80 |
> filesystem isn't persistent (ext[23], etc). Use 'restorecon /dev'. |
| 81 |
|
| 82 |
Now, after a restorecon, dev is correctly labeled. |
| 83 |
|
| 84 |
> > 3) Moreover, |
| 85 |
> > - the processes I start myself as krys are "system_u:system_r:sysadm_t" |
| 86 |
> > - amavisd has "system_u:system_r:crond_t" |
| 87 |
> > - the processes launched by kdm and other kde applications are |
| 88 |
> > "system_u:system_r:init_t" |
| 89 |
> |
| 90 |
> Again, desktops not currently supported. Your X server isn't |
| 91 |
> transitioning into a reasonable domain, so once that happens everything |
| 92 |
> else that you run from X won't transition right. |
| 93 |
|
| 94 |
Ok. Which lists should I follow to test things ? |
| 95 |
|
| 96 |
> > -# sestatus -v |
| 97 |
> > SELinux status: enabled |
| 98 |
> > SELinuxfs mount: /selinux |
| 99 |
> > Current mode: permissive |
| 100 |
> > Mode from config file: error (No such file or directory) |
| 101 |
> |
| 102 |
> Here is more evidence that you installed the SELinux userland stuff by |
| 103 |
> hand, our sestatus does not have the "config file" lines. |
| 104 |
|
| 105 |
And now my sestatus doesn't have this line ?! Well, that's for the better. |
| 106 |
|
| 107 |
Thanks for your help, |
| 108 |
Christophe Choumert |
| 109 |
-- |
| 110 |
gentoo-hardened@g.o mailing list |
Archives