On Sun, 2005-12-11 at 00:04 -0800, Christophe Choumert wrote:
> I have converted a setup from hardened to selinux+hardened. I am using:
> - kernel 2.6.15-rc5 (/ and /home on ext3)
> - glibc 2.3.5-r2
> - libselinux, policycoreutils 1.28
> - libsepol 1.10
> - udev-077
> making it version 20 for the kernel, the libraries and the tools. If
> this is a bad idea from the start, you can tell me so and stop reading :)
> Here come my problems...

Did you use the portage ebuilds to get these versions of SELinux utils,
or did you install them by hand? There is evidence below which seems to
point to you installing it by hand, in which case you should use the
ebuilds, as I can't reproduce your problems.

> 1) When trying to "make load":
> :::
> * Compiling and installing policy.20
> /usr/bin/checkpolicy: loading policy configuration
> from /etc/security/selinux/src/policy.conf
> domains/staff.te:4:ERROR 'unknown type xdm_t' at token ';' on line
> 29328:
> allow staff_mount_t xdm_t:fd use;
> #line 4
> /usr/bin/checkpolicy: error(s) encountered while parsing configuration
>
> So I pulled the two relevant lines around macros/user_macros.te:231
> inside the "ifdef('xdm.te'" that followed and the error disappeared.
> (There are 2 pairs of 2 lines there that look really similar?)
> There is no xdm_t with gentoo's policy: doesn't one exist? Or
> is it not mature enough?

There is an XDM policy, but it is not supported by Gentoo. We are not
supporting desktops with the strict policy. Support for desktops is on
the horizon, with the targeted policy. Since the rules you removed were
in an ifdef(`xdm.te', this leads me to believe you have an xdm.te file,
which means you had to have added it.

> 2) When I try again to "make load", it errors out with
> :::
> * Building file_contexts
> Usage: /usr/sbin/genhomedircon.old [ -d selinuxdir ] [-n | --nopasswd]
> [-t selinuxtype ]
> make: *** [file_contexts/file_contexts] Erreur 1
> :::

Can't reproduce this.

> Executing it a second time:
> :::
> * Installing file_contexts
> * Loading policy.20
> :::
>
> I saw a changelog entry mentioning something related to a change in
> genhomedir, so maybe this is not a big deal (?).
>
> However, even though "sestatus -v" output looks pretty good (see at the
> end), I don't think the labels are right for a lot of files:
> :::
> -# ls -Z /
> drwxr-xr-x root root system_u:object_r:tmpfs_t dev/
> drwxr-xr-x root root system_u:object_r:home_root_t home/
> drwx------ root root system_u:object_r:user_home_dir_t root/
> -# ls -Z /home
> drwx------ krys users system_u:object_r:user_home_dir_t krys/
> drwx------ root root system_u:object_r:user_home_dir_t root/
> :::
> where the user krys is actually "staff_t". From what I read in the
> documentation, the home should be labeled "staff_home_dir_t". And
> root's home directory labeling seems strange too.
> /root is a bind mount of /home/root (/home is a local mount) - maybe
> this isn't supported and causes trouble?

When labeling, the bind mounts are ignored. Only the "real" files are
labeled. So your real /root is in /home, so it's labeled as if it
were /home/root. Since your home dir is most likely set to /root, the
directory gets mislabeled. You should either set root's home dir
to /home/root, or don't use a bind mount.

> Also, /dev is shown as device_t, not tmpfs_t, in
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-handbook.xml?part=4&chap=1 .
> I have of course tried to "make relabel" but it stays the same.

This is wrong; try remerging init and udev to make sure /dev is set up
right on boot. Make relabel won't do anything to /dev since its
filesystem isn't persistent (ext[23], etc). Use 'restorecon /dev'.

> 3) Moreover,
> - the processes I start myself as krys are "system_u:system_r:sysadm_t"
> - amavisd has "system_u:system_r:crond_t"
> - the processes launched by kdm and other kde applications are
> "system_u:system_r:init_t"

Again, desktops are not currently supported. Your X server isn't
transitioning into a reasonable domain, so once that happens everything
else that you run from X won't transition right.

> I don't know a lot about selinux, but enough to know this is wrong...
>
> sestatus output, with an error on the 4th line, but I have no clue what
> it means - the rest conforms to the "standard" output proposed in the
> documentation.
> :::
> -# sestatus -v
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: error (No such file or directory)
> Policy version: 20
> Policy from config file: security

Here is more evidence that you installed the SELinux userland stuff by
hand; our sestatus does not have the "config file" lines.

--
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
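The mislabeling discussed in this thread (the /root bind mount labeled as /home/root, /dev carrying tmpfs_t instead of device_t) can be spotted by comparing `ls -Z` output against the file_contexts the policy ships. The following checker is an added example, not code from the thread or from Gentoo's policy tools: the file_contexts excerpt and the `ls -Z` lines are constructed (type names mirror those in the thread, and the per-user entries imitate what genhomedircon would append), and it assumes the "last matching entry wins" rule that setfiles/matchpathcon apply.

```python
import re

# Constructed file_contexts excerpt in the real format: regex, optional type flag
# (-d directory, -f/-- regular file), security context. Not Gentoo's policy.
FILE_CONTEXTS = """\
/.*                          system_u:object_r:default_t
/dev(/.*)?                   system_u:object_r:device_t
/home                   -d   system_u:object_r:home_root_t
/home/[^/]+             -d   system_u:object_r:user_home_dir_t
/home/krys              -d   system_u:object_r:staff_home_dir_t
/home/root              -d   system_u:object_r:sysadm_home_dir_t
/root                   -d   system_u:object_r:sysadm_home_dir_t
"""
# Constructed `ls -Z` output in the old coreutils layout shown in the thread.
LS_Z_ROOT = """\
drwxr-xr-x root root system_u:object_r:tmpfs_t dev/
drwxr-xr-x root root system_u:object_r:home_root_t home/
drwx------ root root system_u:object_r:user_home_dir_t root/
"""
LS_Z_HOME = """\
drwx------ krys users system_u:object_r:user_home_dir_t krys/
drwx------ root root system_u:object_r:user_home_dir_t root/
"""
SPEC_RE = re.compile(r"^(\S+)\s+(?:(-\S)\s+)?(\S+:\S+:\S+)$")
LS_RE = re.compile(r"^([-dlcbps][-rwxsStT]{9})\s+\S+\s+\S+\s+(\S+:\S+:\S+)\s+(\S+)$")

def parse_file_contexts(text):
    """Parse file_contexts lines into (anchored regex, type flag or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("bad file_contexts line: " + line)
        regex, ftype, ctx = m.groups()
        specs.append((re.compile(regex + r"\Z"), ftype, ctx))
    return specs

def expected_context(path, is_dir, specs):
    """Context file_contexts assigns to path; later matching entries override earlier ones."""
    found = None
    for rx, ftype, ctx in specs:
        if (ftype == "-d" and not is_dir) or (ftype in ("-f", "--") and is_dir):
            continue
        if rx.match(path):
            found = ctx
    return found

def check_ls_z(directory, ls_output, specs):
    """Compare `ls -Z directory` lines with file_contexts; return (path, actual, expected) mismatches."""
    mismatches = []
    for line in ls_output.splitlines():
        m = LS_RE.match(line)
        if not m:
            continue  # skip headers/blank lines
        mode, actual, name = m.groups()
        is_dir = mode.startswith("d")
        path = directory.rstrip("/") + "/" + name.rstrip("/")  # drop ls -F classify suffix
        want = expected_context(path, is_dir, specs)
        if want is not None and want != actual:
            mismatches.append((path, actual, want))
    return mismatches

if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for d, out in (("/", LS_Z_ROOT), ("/home", LS_Z_HOME)):
        for path, actual, want in check_ls_z(d, out, specs):
            print(f"{path}: is {actual}, file_contexts says {want}")
```

Note that the check reads paths as `ls` reports them, so a bind-mounted /root is compared against the /root entry even though setfiles labeled the underlying /home/root; that is exactly the mismatch the reply explains.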