Hello everyone,

I am trying to get my xen-domU (/etc/make.profile ->
/usr/portage/profiles/selinux/x86/2006.1) to work with SELinux. After
some experiments using the strict policy I thought that the targeted
policy might produce fewer access denials (just to have something to build
on. After all, this is a server and I want it to run under 'strict').

Using targeted, I get the following from audit2allow -d (booting in
enforcing mode):

allow httpd_t var_run_t:sock_file unlink;

DHCP did not work, though. So, "setenforce 0", "dhcpcd -n eth0" and - it
works.

Output from audit2allow:

# audit2allow -d
allow dhcpc_t self:netlink_route_socket nlmsg_write;
allow httpd_t var_run_t:sock_file unlink;


My results of 'upgrading' the dhcp-policy to unstable follow below.


Still using the stable policy:

Another vexing thing is that "seinfo" fails:
# seinfo
Could not open policy /etc/selinux/targeted/policy/policy.21!

Although a policy.20 file exists. To get around that I
switched from policy-version = 20 to
policy-version = 21
in semanage.conf and called semodule -B, semodule -R to build and load
the policy.21 file. seinfo now gives no error, but no output either.

# seinfo /etc/selinux/targeted/policy/policy.21
#

compared to

# seinfo /etc/selinux/targeted/policy/policy.20

Statistics for policy file: /etc/selinux/targeted/policy/policy.20
Policy Version & Type: v.20 (binary, non-MLS)
...

Booting and calling audit2allow -d gives me a much longer list:
allow dhcpc_t self:netlink_route_socket nlmsg_write;
allow getty_t urandom_device_t:chr_file read;
allow gssd_t etc_t:file write;
allow hostname_t urandom_device_t:chr_file read;
allow iptables_t urandom_device_t:chr_file read;
allow mount_t urandom_device_t:chr_file read;
allow mysqld_t urandom_device_t:chr_file read;
allow nfsd_t selinux_config_t:dir getattr;
allow portmap_t urandom_device_t:chr_file read;
allow restorecon_t urandom_device_t:chr_file read;
allow syslogd_t urandom_device_t:chr_file read;

I checked if the modules are loaded:
# semodule -l
apache 1.4.1
dhcp 1.2.0
ftp 1.3.0
logrotate 1.3.1
mysql 1.3.0
portmap 1.3.0
rpc 1.3.1
screen 1.1.0

seems ok to me.

That was the point where I tried to switch to unstable (after all it is
not a production system):

I then switched to the unstable policies ("~x86") but they gave me even
stranger errors (see below). I did not find any bug in bugzilla
(dccp_recv) so I thought posting it on the list might be more appropriate.

(add all sec-policy/* to /etc/portage/package.keywords)

emerge sec-policy/selinux-base-policy -1 -pv

Will emerge sec-policy/selinux-base-policy-20070329, which will fail at
installation time with

...
* Inserting base module into targeted module store.
libsepol.print_missing_requirements: apache's global requirements were
not met: bool httpd_enable_ftp_server
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
>>> sec-policy/selinux-base-policy-20070329 merged.


Trying to emerge the apache-policy (sec-policy/selinux-apache-20070329)
gets me an error:
* Inserting the following modules into the targeted module store: apache
libsepol.permission_copy_callback: Module apache depends on permission
dccp_recv in class node, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
>>> sec-policy/selinux-apache-20070329 merged.

Emerging the DHCP-policy is just the same as the apache policy.

Googling for the "dccp_recv" permission I found that Chris committed
this new permission into the Tresys Reference Policy. I checked out the
latest version of the ref-policy, compiled and installed it but got more
access-vector denials than before (I reverted that change too).

I am more than willing to experiment (SELinux seems 'right') and
understand but now I need some 'external insights' :-)


Btw: I am using a custom-built (fedora-sources) kernel 2.6.19.


Jens
--
gentoo-hardened@g.o mailing list
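The allow rules quoted in the post are what audit2allow -d distils from raw AVC records. What follows is an added example, not code from the original post and not audit2allow itself: a minimal POSIX sh/awk reimplementation of that translation, run over a constructed set of audit.log lines modelled on the denials in the post. It shows where the `self` target comes from (source and target type are identical) and how repeated denials for one source/target/class pair collapse into a single rule with a merged permission set. The audit lines, pids, inode numbers and comm names are all made up for the example.

```shell
#!/bin/sh
# Added example: a minimal audit2allow-style translator from AVC denial
# records to TE allow rules, in POSIX sh + awk. Not the real audit2allow.

# Read AVC denial records on stdin, write allow rules on stdout.
# Rules are keyed on source type, target type and object class; permissions
# seen for the same key are merged, and a target type equal to the source
# type is printed as "self" (as audit2allow does for the dhcpc_t denial).
avc_to_allow() {
    awk '
    /avc: *denied/ {
        b = index($0, "{"); e = index($0, "}")
        if (b == 0 || e <= b) next
        nperm = split(substr($0, b + 1, e - b - 1), p, " ")
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # a context is user:role:type[:mls]; the type is field 3
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        if (src == tgt) tgt = "self"
        key = src " " tgt ":" cls
        for (j = 1; j <= nperm; j++) {
            if (seen[key "|" p[j]]) continue
            seen[key "|" p[j]] = 1
            perms[key] = (perms[key] == "") ? p[j] : (perms[key] " " p[j])
        }
    }
    END {
        for (k in perms) {
            if (index(perms[k], " ")) printf "allow %s { %s };\n", k, perms[k]
            else                      printf "allow %s %s;\n", k, perms[k]
        }
    }' | sort
}

# Constructed sample records (not a real audit.log). The SYSCALL line has no
# AVC payload and must be ignored; the two syslogd_t lines are duplicates and
# the two gssd_t lines carry overlapping permission sets that must merge.
sample_avc() {
    cat <<'EOF'
type=SYSCALL msg=audit(1175000000.100:11): arch=40000003 syscall=102 success=no exit=-13 comm="dhcpcd"
type=AVC msg=audit(1175000000.101:12): avc:  denied  { nlmsg_write } for  pid=1290 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_route_socket
type=AVC msg=audit(1175000000.102:13): avc:  denied  { unlink } for  pid=1301 comm="apache2" name="cgisock.1301" dev=sda1 ino=8831 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_run_t tclass=sock_file
type=AVC msg=audit(1175000000.103:14): avc:  denied  { read } for  pid=1333 comm="syslog-ng" name="urandom" dev=tmpfs ino=1234 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
type=AVC msg=audit(1175000000.104:15): avc:  denied  { read } for  pid=1333 comm="syslog-ng" name="urandom" dev=tmpfs ino=1234 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
type=AVC msg=audit(1175000000.105:16): avc:  denied  { write } for  pid=1340 comm="rpc.gssd" name="krb5.conf" dev=sda1 ino=4412 scontext=system_u:system_r:gssd_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1175000000.106:17): avc:  denied  { getattr write } for  pid=1340 comm="rpc.gssd" name="krb5.conf" dev=sda1 ino=4412 scontext=system_u:system_r:gssd_t tcontext=system_u:object_r:etc_t tclass=file
EOF
}

# Usage: on a real box you would feed /var/log/audit/audit.log (or the AVC
# lines from dmesg) to avc_to_allow; here the constructed sample is used so
# the example runs offline.
sample_avc | avc_to_allow
```

Everything this prints is a candidate rule, not a fix. A rule such as `allow gssd_t etc_t:file write` grants the daemon write access to every file labelled etc_t, which is far more than it needs to read one config file, so each generated rule should be checked against what the domain actually does (and whether the file is simply mislabelled) before it goes into a local module.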