On Wed, 2004-05-26 at 10:33, Emre wrote:
> 1. After I su to root and try /etc/init.d/xxx restart, I get:
>
> cannot find your entry in the passwd file.
> authentication failed.
>
> But if I login from console, then it works ok. I made sure I installed selinux
> version of required packages.

You probably aren't using a selinux-enabled display manager, so when you
log in to X, your identity is not set. GDM is the only one for sure
that's in portage. KDM supposedly works with pam_selinux, and XDM and
WDM might have upstream support, but I'm not sure.

> 2. I had moved several portage directories to some other partitions. Because
> of that this happens:
>
> euse -i selinux

I've never used euse. It may not work right with stacked profiles.

> 3. Several times I had to go and modify /etc/make.profile/virtuals. Default
> virtuals only has:
[cut]
> I have the latest portage 2.0.50-r6.

Unfortunately that version has broken stacked profile support :( It
looks like portage-2.0.51_pre9 has been marked stable. Merge that, and
it should all work again.

> 4. Is there a graphical tool to create custom .fc, .te? Any pointer to sample
> policy creation? I will go ahead and try to vi some, but it would be nice to have
> one guide. Any directions to posting new custom security policies, or
> obtaining test-versions from a pool would also help.

The only graphical SELinux tools in portage are app-admin/setools, but
the policy editor that package has (sepcut) is, at its heart, just a
text editor. If you're looking for policy that's not in portage, you can
check out the NSA example policy or Russell Coker's Debian policy.
You can submit policies for inclusion in portage, see our project page
for details. There really isn't any documentation on policy creation
beyond the very dry NSA policy whitepaper.

http://www.nsa.gov/selinux/code/download5.cfm
http://www.coker.com.au/selinux/policy.tgz

> 5. How much overhead does labeling create on a filesystem with millions of files?
> If I ever want to remove those xattrs from a filesystem, how can I unlabel
> those millions of files, if there is any way to reclaim the space those extended
> attributes sit on?

On ext[23], xattrs are stored in a block. So each label takes a block.
However, for space savings, the xattr blocks that have the same label
are shared. So if you have 1 million files with the same label, it will
have a 1 block overhead. Basically, there is an overhead of 1 block per
different label, per fs.

On XFS, the inode size should be increased to 512 (from 256), so that
the label can fit in the inode. Then there is no overhead, though
inodes will be a little larger. If the inode size is not increased,
then there will be a 1 block per file overhead (i.e. huge waste) because
the label will not fit in the inode, and a performance hit.

As long as you are in a kernel with selinux enabled, you will not be
able to unlabel a file. It will be denied regardless of
permissive/enforcing. If you wanted to remove selinux, you could use
rmfilecon (in a non-selinux kernel), which I will be adding in
policycoreutils. Time permitting I will put a chapter in the quickstart
guide for removing selinux.

-- 
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
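The storage model in answer 5 (shared xattr blocks per distinct label on ext2/3 versus one spilled block per file on XFS with 256-byte inodes) can be turned into a quick capacity estimate from a `getfattr -R -m security.selinux -d` dump. The script below is an added example, not part of the thread or of policycoreutils; it assumes the getfattr dump format shown in the constructed sample, a 4 KiB block size, and the per-block accounting the mail describes.

```python
"""Estimate on-disk SELinux label overhead from a getfattr dump.

Model from the mail: ext2/ext3 share one xattr block among inodes with the
same label (one block per distinct label per fs); XFS with 256-byte inodes
spills the label into one extra block per file.  Block size assumed 4 KiB.
"""
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample of `getfattr -R -m security.selinux -d etc` output
# (not real output from any system): three files, two distinct labels.
SAMPLE_DUMP = """\
# file: etc/passwd
security.selinux="system_u:object_r:etc_t"

# file: etc/hosts
security.selinux="system_u:object_r:etc_t"

# file: etc/shadow
security.selinux="system_u:object_r:shadow_t"
"""

FILE_RE = re.compile(r"^# file: (.*)$")
# Some getfattr builds print the context's trailing NUL as a literal \000.
ATTR_RE = re.compile(r'^security\.selinux="(.*?)(?:\\000)?"$')


def parse_labels(dump: str) -> Dict[str, Optional[str]]:
    """Map each path in the dump to its security.selinux value (None if absent)."""
    labels: Dict[str, Optional[str]] = {}
    current: Optional[str] = None
    for line in dump.splitlines():
        m = FILE_RE.match(line)
        if m:
            current = m.group(1)
            labels[current] = None  # header seen; an attribute line may follow
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            labels[current] = m.group(1)
    return labels

def estimate_overhead(labels: Dict[str, Optional[str]],
                      block_size: int = 4096) -> Tuple[int, int]:
    """Return (ext2/3 bytes, XFS-with-256-byte-inode bytes) for labeled files."""
    counts = Counter(v for v in labels.values() if v is not None)
    shared_blocks = len(counts)             # one block per distinct label
    per_file_blocks = sum(counts.values())  # one block per labeled file
    return shared_blocks * block_size, per_file_blocks * block_size
```

Feed it a real dump of a labeled tree to compare the two filesystems' costs before deciding whether to rebuild an XFS volume with `-i size=512` as the mail suggests.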