| 1 |
Hello everyone, |
| 2 |
|
| 3 |
I am trying to get my xen-domU (/etc/make.profile -> |
| 4 |
/usr/portage/profiles/selinux/x86/2006.1) to work with SeLinux. After |
| 5 |
some experiments using the strict policy I thought that the targeted |
| 6 |
policy might hold less Access-Denials (just to have something to build |
| 7 |
on. After all, this is a server and I want it to run under 'strict'). |
| 8 |
|
| 9 |
Using targeted, I get the following from audit2allow -d (booting in |
| 10 |
enforcing mode): |
| 11 |
|
| 12 |
allow httpd_t var_run_t:sock_file unlink; |
| 13 |
|
| 14 |
DHCP did not work, though. So, "seteforce 0", "dhcpcd -n eth0" and - it |
| 15 |
works. |
| 16 |
|
| 17 |
Output from audit2allow: |
| 18 |
|
| 19 |
# audit2allow -d |
| 20 |
allow dhcpc_t self:netlink_route_socket nlmsg_write; |
| 21 |
allow httpd_t var_run_t:sock_file unlink; |
| 22 |
|
| 23 |
|
| 24 |
My results of 'upgrading' the dhcp-policy to unstable follow below. |
| 25 |
|
| 26 |
|
| 27 |
Still using the stable policy: |
| 28 |
|
| 29 |
Another vexing thing is that "seinfo" fails: |
| 30 |
# seinfo |
| 31 |
Could not open policy /etc/selinux/targeted/policy/policy.21! |
| 32 |
|
| 33 |
Although a policy.20 file exists. To get around that I |
| 34 |
switched from policy-version = 20 to |
| 35 |
policy-version = 21 |
| 36 |
in semanage.conf and called semodule -B, semodule -R to build and load |
| 37 |
the policy.21 file. seinfo now gives no error, but no output too. |
| 38 |
|
| 39 |
# seinfo /etc/selinux/targeted/policy/policy.21 |
| 40 |
# |
| 41 |
|
| 42 |
compared to |
| 43 |
|
| 44 |
# seinfo /etc/selinux/targeted/policy/policy.20 |
| 45 |
|
| 46 |
Statistics for policy file: /etc/selinux/targeted/policy/policy.20 |
| 47 |
Policy Version & Type: v.20 (binary, non-MLS) |
| 48 |
... |
| 49 |
|
| 50 |
|
| 51 |
|
| 52 |
|
| 53 |
|
| 54 |
Booting and calling audit2allow -d gives me a much longer list: |
| 55 |
allow dhcpc_t self:netlink_route_socket nlmsg_write; |
| 56 |
allow getty_t urandom_device_t:chr_file read; |
| 57 |
allow gssd_t etc_t:file write; |
| 58 |
allow hostname_t urandom_device_t:chr_file read; |
| 59 |
allow iptables_t urandom_device_t:chr_file read; |
| 60 |
allow mount_t urandom_device_t:chr_file read; |
| 61 |
allow mysqld_t urandom_device_t:chr_file read; |
| 62 |
allow nfsd_t selinux_config_t:dir getattr; |
| 63 |
allow portmap_t urandom_device_t:chr_file read; |
| 64 |
allow restorecon_t urandom_device_t:chr_file read; |
| 65 |
allow syslogd_t urandom_device_t:chr_file read; |
| 66 |
|
| 67 |
I checked, if the modules are loaded: |
| 68 |
# semodule -l |
| 69 |
apache 1.4.1 |
| 70 |
dhcp 1.2.0 |
| 71 |
ftp 1.3.0 |
| 72 |
logrotate 1.3.1 |
| 73 |
mysql 1.3.0 |
| 74 |
portmap 1.3.0 |
| 75 |
rpc 1.3.1 |
| 76 |
screen 1.1.0 |
| 77 |
|
| 78 |
seems ok to me. |
| 79 |
|
| 80 |
|
| 81 |
That was the point where I tried to switch to unstable (after all it is |
| 82 |
not a productive system): |
| 83 |
|
| 84 |
|
| 85 |
|
| 86 |
I then switched to the unstable policies ("~x86") but they gave me even |
| 87 |
stranger errors (see below). I did not find any bug in bugzilla |
| 88 |
(dccp_recv) so I thought posting it on the list might be more appropriate. |
| 89 |
|
| 90 |
(add all sec-policy/* to /etc/portage/package.keywords) |
| 91 |
|
| 92 |
emerge sec-policy/selinux-base-policy -1 -pv |
| 93 |
|
| 94 |
Will emerge sec-policy/selinux-base-policy-20070329 which will fail at |
| 95 |
installation time with |
| 96 |
|
| 97 |
... |
| 98 |
* Inserting base module into targeted module store. |
| 99 |
libsepol.print_missing_requirements: apache's global requirements were |
| 100 |
not met: bool httpd_enable_ftp_server |
| 101 |
libsemanage.semanage_link_sandbox: Link packages failed |
| 102 |
semodule: Failed! |
| 103 |
>>> sec-policy/selinux-base-policy-20070329 merged. |
| 104 |
|
| 105 |
|
| 106 |
Trying to emerge the apache-policy (sec-policy/selinux-apache-20070329) |
| 107 |
gets me an error |
| 108 |
* Inserting the following modules into the targeted module store: apache |
| 109 |
libsepol.permission_copy_callback: Module apache depends on permission |
| 110 |
dccp_recv in class node, not satisfied |
| 111 |
libsemanage.semanage_link_sandbox: Link packages failed |
| 112 |
semodule: Failed! |
| 113 |
>>> sec-policy/selinux-apache-20070329 merged. |
| 114 |
|
| 115 |
Emerging the DHCP-policy is just the same as the apache policy. |
| 116 |
|
| 117 |
Googeling for the "dccp_recv" permission I found that Chris committed |
| 118 |
this new permission into the Tresys Reference Policy. I checked out the |
| 119 |
latest version of the ref-policy, compiled and installed it but got more |
| 120 |
Access-vector denials than before (I reverted that change too). |
| 121 |
|
| 122 |
I am more than willing to experiment (SeLinux seems 'right') and |
| 123 |
understand but now I need some 'external insights' :-) |
| 124 |
|
| 125 |
|
| 126 |
Btw: I am using a custom build (fedora-sources) Kernel 2.6.19. |
| 127 |
|
| 128 |
|
| 129 |
Jens |
| 130 |
-- |
| 131 |
gentoo-hardened@g.o mailing list |
Archives