On Sunday 11 December 2005 13:06, Chris PeBenito wrote:
> Did you use the portage ebuilds to get these versions of SELinux utils,
> or did you install them by hand? There is evidence below which seems to
> point to you installing it by hand, in which case you should use the
> ebuilds, as I can't reproduce your problems.

I had all the packages emerged.

> > 1) When trying to "make load":
> >
> > * Compiling and installing policy.20
> > /usr/bin/checkpolicy: loading policy configuration
> > from /etc/security/selinux/src/policy.conf
> > domains/staff.te:4:ERROR 'unknown type xdm_t' at token ';' on line
> > 29328:
> > allow staff_mount_t xdm_t:fd use;
> > #line 4
> > /usr/bin/checkpolicy: error(s) encountered while parsing configuration
> >
> > So I pulled the two relevant lines around macros/user_macros.te:231
> > inside the "ifdef('xdm.te'" that followed and the error disappeared.
> > (There are 2 pairs of 2 lines there that look really similar?)
> > There is no xdm_t with gentoo's policy: doesn't one exist? Or
> > is it not mature enough?
>
> There is an XDM policy, but not supported by Gentoo. We are not
> supporting desktops with the strict policy. Support for desktops is on
> the horizon, with the targeted policy. Since the rules you removed were
> in an ifdef(`xdm.te', this leads me to believe you have an xdm.te file,
> which means you had to have added it.

It was gentoo's package, so no xdm.te. I probably wasn't clear enough the
first time.
This problem is still there; the relevant lines in macros/user_macros are
(starting at l.219):
:::
ifdef(`user_can_mount', `
<snip>
allow $1_mount_t xdm_t:fd use;
allow $1_mount_t xdm_t:fifo_file write;
ifdef(`xdm.te', `
allow $1_mount_t xdm_t:fd use;
allow $1_mount_t xdm_t:fifo_file { read write };
<snip>
:::
So the problem only appears when the corresponding tunable "user_can_mount" is
set to true. I believe this is a bug? The first two xdm_t lines should still
be enclosed in a "ifdef('xdm.te',...".

> > 2) When I try again to "make load", it errors out with
> >
> > * Building file_contexts
> > Usage: /usr/sbin/genhomedircon.old [ -d selinuxdir ] [-n | --nopasswd]
> > [-t selinuxtype ]
> > make: *** [file_contexts/file_contexts] Erreur 1
>
> Can't reproduce this.

Strange... I re-emerged all the libraries, the policycoreutils and the
base-policy and now it's gone?? So I can't reproduce it either :(

> > Executing it a second time:
<snip>
>
> When labeling, the bind mounts are ignored. Only the "real" files are
> labeled. So your real /root is in /home, so it's labeled as if it
> were /home/root. Since your home dir is most likely set for /root, the
> directory gets mislabeled. You should either set root's home dir
> to /home/root, or don't use a bind mount.

That explains it, thanks.

> > Also, /dev is shown as device_t, not tmpfs_t in
> > http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-handbook.xml?part=4&chap=1 .
> > I have of course tried to "make relabel" but it stays the same.
>
> This is wrong, try remerging init and udev to make sure /dev is set up
> right on boot. Make relabel won't do anything to /dev since its
> filesystem isn't persistent (ext[23], etc). Use 'restorecon /dev'.

Now, after a restorecon, /dev is correctly labeled.

> > 3) Moreover,
> > - the processes I start myself as krys are "system_u:system_r:sysadm_t"
> > - amavisd has "system_u:system_r:crond_t"
> > - the processes launched by kdm and other kde applications are
> > "system_u:system_r:init_t"
>
> Again, desktops not currently supported. Your X server isn't
> transitioning into a reasonable domain, so once that happens everything
> else that you run from X won't transition right.

Ok. Which lists should I follow to test things?

> > -# sestatus -v
> > SELinux status: enabled
> > SELinuxfs mount: /selinux
> > Current mode: permissive
> > Mode from config file: error (No such file or directory)
>
> Here is more evidence that you installed the SELinux userland stuff by
> hand, our sestatus does not have the "config file" lines.

And now my sestatus doesn't have this line?! Well, that's for the better.

Thanks for your help,
Christophe Choumert
--
gentoo-hardened@g.o mailing list
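The build failure discussed in this thread comes down to a rule in an m4 macro that names a type (xdm_t) which only exists when an optional module (xdm.te) is part of the policy, sitting outside the ifdef(`xdm.te', guard that should enclose it; checkpolicy only sees the problem once the outer user_can_mount tunable is on. The following checker is an added example, not code from the thread, from Gentoo or from the SELinux tools: it walks an m4-style policy fragment, tracks which ifdef blocks are open, and reports rules that reference an optional type without the matching guard, then wraps them the way the mail suggests. The POLICY_FRAGMENT is constructed to mirror the quoted user_macros.te excerpt, and the regexes and the xdm_t to xdm.te mapping are assumptions about that file's syntax rather than a general m4 parser.

```python
"""Find rules in an m4-based SELinux policy macro that reference a type
provided only by an optional module without the module's ifdef guard.

Added example, not part of the mailing-list thread or of Gentoo's policy.
The fragment below is constructed to mirror the macros/user_macros.te
excerpt quoted in the mail; the regexes are assumptions about its syntax,
not a complete m4 parser.
"""
import re

# Constructed input modelled on the quoted user_macros.te excerpt.
POLICY_FRAGMENT = """\
type $1_mount_t;
ifdef(`user_can_mount', `
allow $1_mount_t xdm_t:fd use;
allow $1_mount_t xdm_t:fifo_file write;
ifdef(`xdm.te', `
allow $1_mount_t xdm_t:fd use;
allow $1_mount_t xdm_t:fifo_file { read write };
')
')
"""

# Assumed mapping: types that exist only when the named .te module is built.
OPTIONAL_TYPES = {"xdm_t": "xdm.te"}

IFDEF_OPEN_RE = re.compile(r"ifdef\(`([^']+)',\s*`")
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):")


def find_unguarded_rules(policy_text, optional_types=OPTIONAL_TYPES):
    """Return (lineno, type, module) for each allow rule that names an
    optional type while no ifdef(`<module>', ...) block encloses it."""
    findings = []
    stack = []  # names of the ifdef blocks currently open
    for lineno, line in enumerate(policy_text.splitlines(), start=1):
        # Opens first: the body of ifdef(`X', ` begins on this same line.
        for match in IFDEF_OPEN_RE.finditer(line):
            stack.append(match.group(1))
        rule = ALLOW_RE.match(line)
        if rule:
            for type_name in rule.groups():  # source and target type
                module = optional_types.get(type_name)
                if module and module not in stack:
                    findings.append((lineno, type_name, module))
        # Every ') on the line closes the innermost open ifdef body.
        for _ in range(line.count("')")):
            if not stack:
                raise ValueError(f"line {lineno}: unbalanced ')")
            stack.pop()
    if stack:
        raise ValueError(f"unclosed ifdef block(s): {stack}")
    return findings


def guard_rules(policy_text, optional_types=OPTIONAL_TYPES):
    """Wrap each unguarded rule in the ifdef for its module, which is the
    fix the mail proposes for the first two xdm_t lines."""
    needs_guard = {
        lineno: module
        for lineno, _, module in find_unguarded_rules(policy_text, optional_types)
    }
    out = []
    for lineno, line in enumerate(policy_text.splitlines(), start=1):
        if lineno in needs_guard:
            out.append(f"ifdef(`{needs_guard[lineno]}', `")
            out.append(line)
            out.append("')")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, type_name, module in find_unguarded_rules(POLICY_FRAGMENT):
        print(f"line {lineno}: {type_name} used outside ifdef(`{module}'")
    print(guard_rules(POLICY_FRAGMENT))
```

Run against the constructed fragment it flags lines 3 and 4 (the two rules before the ifdef(`xdm.te', block) and leaves lines 6 and 7 alone; on a real tree the same walk over macros/*.te, with the type-to-module table filled from the optional .te files actually present, finds such rules before checkpolicy does, and only for the tunable combinations that expose them.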