| 1 |
On Sun, 2005-12-11 at 00:04 -0800, Christophe Choumert wrote: |
| 2 |
> I have converted a setup from hardened to selinux+hardened. I am using : |
| 3 |
> - kernel 2.6.15-rc5 (/ and /home on ext3) |
| 4 |
> - glibc 2.3.5-r2 |
| 5 |
> - libselinux, policycoreutils 1.28 |
| 6 |
> - libsepol 1.10 |
| 7 |
> - udev-077 |
| 8 |
> making it version 20 for the kernel, the libraries and the tools. If |
| 9 |
> this a bad idea from the start, you can tell me so and stop reading :) |
| 10 |
> Here come my problems... |
| 11 |
|
| 12 |
Did you use the portage ebuilds to get these versions of SELinux utils, |
| 13 |
or did you install them by hand? There is evidence below which seems to |
| 14 |
point to you installing it by hand, in which case you should use the |
| 15 |
ebuilds, as I can't reproduce your problems. |
| 16 |
|
| 17 |
> 1) When trying to "make load" : |
| 18 |
> ::: |
| 19 |
> * Compiling and installing policy.20 |
| 20 |
> /usr/bin/checkpolicy: loading policy configuration |
| 21 |
> from /etc/security/selinux/src/policy.conf |
| 22 |
> domains/staff.te:4:ERROR 'unknown type xdm_t' at token ';' on line |
| 23 |
> 29328: |
| 24 |
> allow staff_mount_t xdm_t:fd use; |
| 25 |
> #line 4 |
| 26 |
> /usr/bin/checkpolicy: error(s) encountered while parsing configuration |
| 27 |
> |
| 28 |
> So I pulled the two relevant lines around macros/user_macros.te:231 |
| 29 |
> inside the "ifdef('xdm.te'" that followed and the error disappeared. |
| 30 |
> (there a 2 pairs of 2 lines there that look really similar ?). |
| 31 |
> There is no xdm_t with gentoo's policy : doesn't there exists one ? or |
| 32 |
> is it not mature enough ? |
| 33 |
|
| 34 |
There is an XDM policy, but not supported by Gentoo. We are not |
| 35 |
supporting desktops with the strict policy. Support for desktops is on |
| 36 |
the horizon, with the targeted policy. Since the rules you removed was |
| 37 |
in an ifdef(`xdm.te', this leads me to believe you have an xdm.te file, |
| 38 |
which means you had to have added it. |
| 39 |
|
| 40 |
> 2) When I try again to "make load", it errors out with |
| 41 |
> ::: |
| 42 |
> * Building file_contexts |
| 43 |
> Usage: /usr/sbin/genhomedircon.old [ -d selinuxdir ] [-n | --nopasswd] |
| 44 |
> [-t selinuxtype ] |
| 45 |
> make: *** [file_contexts/file_contexts] Erreur 1 |
| 46 |
> ::: |
| 47 |
|
| 48 |
Can't reproduce this. |
| 49 |
|
| 50 |
> Executing it a second time : |
| 51 |
> ::: |
| 52 |
> * Installing file_contexts |
| 53 |
> * Loading policy.20 |
| 54 |
> ::: |
| 55 |
> |
| 56 |
> I saw a changelog entry mentioning something related to a change in |
| 57 |
> genhomedir so maybe this is not a big deal (?). |
| 58 |
> |
| 59 |
> However, even though "sestatus -v" output looks pretty good (see at the |
| 60 |
> end), I don't think the labels are right for a lot of files : |
| 61 |
> ::: |
| 62 |
> -# ls -Z / |
| 63 |
> drwxr-xr-x root root system_u:object_r:tmpfs_t dev/ |
| 64 |
> drwxr-xr-x root root system_u:object_r:home_root_t home/ |
| 65 |
> drwx------ root root system_u:object_r:user_home_dir_t root/ |
| 66 |
> -# ls -Z /home |
| 67 |
> drwx------ krys users system_u:object_r:user_home_dir_t krys/ |
| 68 |
> drwx------ root root system_u:object_r:user_home_dir_t root/ |
| 69 |
> ::: |
| 70 |
> where the user krys is actually "staff_t". From what I read in the |
| 71 |
> documentation, the home should be labeled "staff_home_dir_t". And |
| 72 |
> root's home directory labeling seems strange too. |
| 73 |
> /root is a bind mount of /home/root (/home is a local mount) - maybe |
| 74 |
> this isn't supported and causes trouble ? |
| 75 |
|
| 76 |
When labeling, the bind mounts are ignored. Only the "real" files are |
| 77 |
labeled. So your real /root is in /home, so its labeled as it |
| 78 |
was /home/root. Since your home dir is most likely set for /root, the |
| 79 |
directory gets mislabeled. You should either set root's home dir |
| 80 |
to /home/root, or don't use a bind mount. |
| 81 |
|
| 82 |
> Also, /dev is shown as device_t, not tmpfs_t in |
| 83 |
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-handbook.xml?part=4&chap=1 . |
| 84 |
> I have of course tried to "make relabel" but it stays the same. |
| 85 |
|
| 86 |
This is wrong, try remerging init and udev to make sure /dev is set up |
| 87 |
right on boot. Make relabel won't do anything to /dev since its |
| 88 |
filesystem isn't persistent (ext[23], etc). Use 'restorecon /dev'. |
| 89 |
|
| 90 |
> 3) Moreover, |
| 91 |
> - the processes I start myself as krys are "system_u:system_r:sysadm_t" |
| 92 |
> - amavisd has "system_u:system_r:crond_t" |
| 93 |
> - the processes launched by kdm and other kde applications are |
| 94 |
> "system_u:system_r:init_t" |
| 95 |
|
| 96 |
Again, desktops not currently supported. Your X server isn't |
| 97 |
transitioning into a reasonable domain, so once that happens everything |
| 98 |
else that you run from X won't transition right. |
| 99 |
|
| 100 |
> I don't know a lot about selinux, but enough to know this is wrong... |
| 101 |
> |
| 102 |
> sestatus output, with an error on the 4th line, but I have no clue what |
| 103 |
> it means - the rest conforms to the "standard" output proposed in the |
| 104 |
> documentation. |
| 105 |
> ::: |
| 106 |
> -# sestatus -v |
| 107 |
> SELinux status: enabled |
| 108 |
> SELinuxfs mount: /selinux |
| 109 |
> Current mode: permissive |
| 110 |
> Mode from config file: error (No such file or directory) |
| 111 |
> Policy version: 20 |
| 112 |
> Policy from config file: security |
| 113 |
|
| 114 |
Here is more evidence that you installed the SELinux userland stuff by |
| 115 |
hand, our sestatus does not have the "config file" lines. |
| 116 |
|
| 117 |
-- |
| 118 |
Chris PeBenito |
| 119 |
<pebenito@g.o> |
| 120 |
Developer, |
| 121 |
Hardened Gentoo Linux |
| 122 |
Embedded Gentoo Linux |
| 123 |
|
| 124 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 125 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives