| 1 |
On Wed, 2004-05-26 at 10:33, Emre wrote: |
| 2 |
> 1. After I su to root and try /etc/init.d/xxx restart, I get: |
| 3 |
> |
| 4 |
> cannot find your entry in the passwd file. |
| 5 |
> authentication failed. |
| 6 |
> |
| 7 |
> But if I login from console, then it works ok. I made sure I installed selinux |
| 8 |
> version of required packages. |
| 9 |
|
| 10 |
You probably aren't using a selinux-enabled display manager, so when you |
| 11 |
log in to X, your identity is not set. GDM is the only one for sure |
| 12 |
thats in portage. KDM supposedly works with pam_selinux, and XDM and |
| 13 |
WDM might have upstream support, but I'm not sure. |
| 14 |
|
| 15 |
> 2. I had moved several portage directories to some other partitions. Because |
| 16 |
> of that this happens: |
| 17 |
> |
| 18 |
> euse -i selinux |
| 19 |
|
| 20 |
I've never used euse. It may not work right with stacked profiles. |
| 21 |
|
| 22 |
> 3. Several times I had to go and modify /etc/make.profile/virtuals. Default |
| 23 |
> virtuals only has: |
| 24 |
[cut] |
| 25 |
> I have the latest portage 2.0.50-r6. |
| 26 |
|
| 27 |
Unfortunately that version has broken stacked profile support :( It |
| 28 |
looks like portage-2.0.51_pre9 has been marked stable. Merge that, and |
| 29 |
it should all work again. |
| 30 |
|
| 31 |
> 4. Is there a graphical tool to create custom .fc, .te? Any pointer to sample |
| 32 |
> policy creation? I will go ahead try to vi some, but it would be nice to have |
| 33 |
> one guide. Any directions to posting new custom security policies, or |
| 34 |
> obtaining test-versions from a pool would also help. |
| 35 |
|
| 36 |
The only graphical SELinux tools in portage are app-admin/setools, but |
| 37 |
the policy editor that package has (sepcut), is at it's heart, just a |
| 38 |
text editor. If you're looking for policy thats not in portage, you can |
| 39 |
check out the NSA example policy or the Russell Coker's debian policy. |
| 40 |
You can submit policies for inclusion in portage, see our project page |
| 41 |
for details. There really isn't any documentation on policy creation |
| 42 |
beyond the very dry NSA policy whitepaper. |
| 43 |
|
| 44 |
http://www.nsa.gov/selinux/code/download5.cfm |
| 45 |
http://www.coker.com.au/selinux/policy.tgz |
| 46 |
|
| 47 |
> 5. How much overhead labeling create on a filesystem with millions of files ? |
| 48 |
> If I ever want to remove those xattrs from a filesystem, how can I unlabel |
| 49 |
> those millions of files, if there is any way to reclaim space those extended |
| 50 |
> atrributes sits on? |
| 51 |
|
| 52 |
On ext[23], xattrs are stored in a block. So each label takes a block. |
| 53 |
However, for space savings, the xattr blocks that have the same label |
| 54 |
are shared. So if you have 1 million files with the same label, it will |
| 55 |
have a 1 block overhead. Basically, there is an overhead of 1 block per |
| 56 |
different label, per fs. |
| 57 |
|
| 58 |
On XFS, the inode size should be increased to 512 (from 256), so that |
| 59 |
the label can fit in the inode. Then there is no overhead, though |
| 60 |
inodes will be a little larger. If the inode size is not increased, |
| 61 |
then there will be a 1 block per file overhead (i.e. huge waste) because |
| 62 |
the label will not fit in the inode, and a performance hit. |
| 63 |
|
| 64 |
As long as you are in a kernel with selinux enabled, you will not be |
| 65 |
able to unlabel a file. It will be denied regardless of |
| 66 |
permissive/enforcing. If you wanted to remove selinux, you could use |
| 67 |
rmfilecon (in a non-selinux kernel), which I will be adding in |
| 68 |
policycoreutils. Time permitting I will put a chapter in the quickstart |
| 69 |
guide for removing selinux. |
| 70 |
|
| 71 |
-- |
| 72 |
Chris PeBenito |
| 73 |
<pebenito@g.o> |
| 74 |
Developer, |
| 75 |
Hardened Gentoo Linux |
| 76 |
Embedded Gentoo Linux |
| 77 |
|
| 78 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 79 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives