SELinux and LFS

SELinux and LFS

[Vincenzo Ciaglia]

Hi, after some weeks i decided to come back at work on SELinux. 
I'm still writing you about SELinux support problem on an LFS-based
distribution.

So, here is what i have done so far:

1) Kernel Configuration

I built the kernel with these options:

# CONFIG_KEYS is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_NETWORK_XFRM is not set
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_ROOTPLUG is not set
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT is not set
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set

Of course with Ext[23] extended attributes, NET && INET, NETWORK_SECMARK
and AUDIT support.

2) I have built and installed the SELinux userland packages
(checkpolicy,libselinux, policycoreutils, policy) from:

svn co
https://selinux.svn.sourceforge.net/svnroot/selinux/branches/stable/1_0/

3) I unpacked the latest refpolicy according to:
http://oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy

4) I still haven't patched packages like coreutils and sons.

5) I have created the /selinux mountpoint directory and added the
following lines in fstab:

none                   /selinux  selinuxfs defaults         0    0

6) So i added this line to my "lilo.conf":

        append="enforcing=0"

7) Finally i tried to boot with the new kernel (2.6.20) and after the
reboot the result is:

# sestatus 
SELinux status:                 disabled
# 
#############################

Of course i can't go ahead from the point 5 to 11 of the official README
in "selinux-doc".

I don't know if i really forgot something or if i skip something while
i'm configuring SELinux because this is my really first experience with
selinux configuration. What am i missing? 

Any help would be appreciated.

Thanks in advance for your help!

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Christopher J. PeBenito]

On Wed, 2007-02-14 at 18:38 +0100, Vincenzo Ciaglia wrote:
> Hi, after some weeks i decided to come back at work on SELinux. 
> I'm still writing you about SELinux support problem on an LFS-based
> distribution.

I think your problem is here:

> 4) I still haven't patched packages like coreutils and sons.

You need a patched init to load the policy.  If no policy is loaded,
SELinux is disabled:

> # sestatus 
> SELinux status:                 disabled

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Christopher J. PeBenito]

On Wed, 2007-02-14 at 18:08 +0000, Christopher J. PeBenito wrote:
> You need a patched init to load the policy.

To be clearer, init does the initial policy load when the system boots.
It doesn't load the policy at any other time.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Karl MacMillan]

Christopher J. PeBenito wrote:
> On Wed, 2007-02-14 at 18:08 +0000, Christopher J. PeBenito wrote:
>> You need a patched init to load the policy.
> 
> To be clearer, init does the initial policy load when the system boots.
> It doesn't load the policy at any other time.
> 

It is also possible to do the policy load from an initial ramdisk. The 
key is that init needs to somehow end up with the correct context.

Karl

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Vincenzo Ciaglia]

Il giorno mer, 14/02/2007 alle 18.08 +0000, Christopher J. PeBenito ha
scritto:

> > 4) I still haven't patched packages like coreutils and sons.
> 
> You need a patched init to load the policy.  If no policy is loaded,
> SELinux is disabled:

Hi, i tried to re-configure sysvinit with this patch (the fedora's one):
http://www.netwosix.org/selinux/sysvinit-selinux.patch (is the only one
needed?)

But i get these outputs:

# patch -Np1 -i sysvinit-selinux.patch 
patching file src/init.c
Hunk #1 succeeded at 42 (offset -6 lines).
Hunk #2 succeeded at 2607 (offset 92 lines).
Hunk #3 succeeded at 2573 (offset -6 lines).
patching file src/Makefile
Hunk #1 succeeded at 57 with fuzz 1 (offset 25 lines).
Hunk #2 FAILED at 75.
1 out of 2 hunks FAILED -- saving rejects to file src/Makefile.rej
patching file src/sulogin.c
Hunk #1 FAILED at 28.
Hunk #2 succeeded at 338 (offset 3 lines).
1 out of 2 hunks FAILED -- saving rejects to file src/sulogin.c.rej

# make -C src
make: Entering directory `/home/vciaglia/sysvinit-2.86/src'
gcc -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE   -c -o mountpoint.o
mountpoint.c
gcc -s -o mountpoint mountpoint.o
gcc -c -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE init.c
init.c: In function 're_exec':
init.c:1889: warning: missing sentinel in function call
gcc -c -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -DINIT_MAIN utmp.c
-o init_utmp.o
gcc -s  -o init init.o init_utmp.o -lsepol -lselinux
gcc -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE   -c -o halt.o halt.c
gcc -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE   -c -o ifdown.o
ifdown.c
gcc -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE   -c -o hddown.o
hddown.c
gcc -c -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE utmp.c
gcc -s -o halt halt.o ifdown.o hddown.o utmp.o
gcc -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE   -c -o dowall.o
dowall.c
gcc -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE   -c -o shutdown.o
shutdown.c
gcc -s -o shutdown dowall.o shutdown.o utmp.o
gcc -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE   -c -o runlevel.o
runlevel.c
gcc -s -o runlevel runlevel.o
gcc -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE  -s  killall5.c   -o
killall5
gcc -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE   -c -o sulogin.o
sulogin.c
sulogin.c: In function 'sushell':
sulogin.c:338: error: 'is_selinux_enabled' undeclared (first use in this
function)
sulogin.c:338: error: (Each undeclared identifier is reported only once
sulogin.c:338: error: for each function it appears in.)
sulogin.c:339: error: 'security_context_t' undeclared (first use in this
function)
sulogin.c:339: error: expected ';' before 'scon'
sulogin.c:342: warning: implicit declaration of function
'getseuserbyname'
sulogin.c:343: warning: implicit declaration of function
'get_default_context_with_level'
sulogin.c:343: error: 'scon' undeclared (first use in this function)
sulogin.c:344: warning: implicit declaration of function 'setexeccon'
sulogin.c:346: warning: implicit declaration of function 'freecon'
make: *** [sulogin.o] Error 1
make: Leaving directory `/home/vciaglia/sysvinit-2.86/src'
# 

What is going wrong ? Maybe i'm missing something? I get the same
"errors" when i try to patch the coreutils.

Thank you a lot,

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Vincenzo Ciaglia]

Il giorno mer, 14/02/2007 alle 18.08 +0000, Christopher J. PeBenito ha
scritto:

> You need a patched init to load the policy.  If no policy is loaded,
> SELinux is disabled:

I finally patched everything with fedora's patch
(pam,coreutils,sysvinit,openssh) for selinux-support and everything
seems to be ok. 

Coreutils-6.7 now are selinux-ready:
# ls -Z
-rw-r--r--  root root unlabeled                        System.map
drwxr-xr-x  root root unlabeled                        bin

So i tried to reboot my kernel.

I still can't get selinux enabled. I think that is still a sysvinit
problem. Init still can't perform the /selinux mount.

Here the package patched and selinux-ready that i built:
http://www.netwosix.org/selinux/sysvinit-2.85-selinux.tar.gz

I compiled it with the standard options: 

#  make -C src        
#  make -C src install

I also created a script in the /etc/rc but nothing happened. Until init
can't mount /selinux i can't use /selinux/enforce.

So i still have problems. Any suggestions? Am i missing something ?

Thank you in advance!

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Stephen Smalley]

On Thu, 2007-02-15 at 14:55 +0100, Vincenzo Ciaglia wrote:
> Il giorno mer, 14/02/2007 alle 18.08 +0000, Christopher J. PeBenito ha
> scritto:
> 
> > You need a patched init to load the policy.  If no policy is loaded,
> > SELinux is disabled:
> 
> I finally patched everything with fedora's patch
> (pam,coreutils,sysvinit,openssh) for selinux-support and everything
> seems to be ok. 
> 
> Coreutils-6.7 now are selinux-ready:
> # ls -Z
> -rw-r--r--  root root unlabeled                        System.map
> drwxr-xr-x  root root unlabeled                        bin
> 
> So i tried to reboot my kernel.
> 
> I still can't get selinux enabled. I think that is still a sysvinit
> problem. Init still can't perform the /selinux mount.
> 
> Here the package patched and selinux-ready that i built:
> http://www.netwosix.org/selinux/sysvinit-2.85-selinux.tar.gz
> 
> I compiled it with the standard options: 
> 
> #  make -C src        
> #  make -C src install
> 
> I also created a script in the /etc/rc but nothing happened. Until init
> can't mount /selinux i can't use /selinux/enforce.
> 
> So i still have problems. Any suggestions? Am i missing something ?

If you boot your kernel with init=/bin/bash and try to manually mount
selinuxfs on /selinux, does it work?

Also, be warned that it is presently very difficult to find all of the
selinux-related bits in Fedora and apply them elsewhere; there may be
multiple patches in a single package that are selinux-related, they can
be relative to non-selinux patches in the same package, and they have
become increasingly intertwined with audit patches.  Which is why people
familiar with that code need to do some work to extract them, unify
them, clean them up, and re-base them to an upstream (if one exists).

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Vincenzo Ciaglia]

Il giorno gio, 15/02/2007 alle 13.41 -0500, Stephen Smalley ha scritto:

> If you boot your kernel with init=/bin/bash and try to manually mount
> selinuxfs on /selinux, does it work?

I don't know i still haven't tried but i think isn't a good idea to
manually mount the selinuxfs. Like i said it will be a public-use
gnu/linux distribution for networking and security related works. Even
if could be used from expert and skilled users i think that this
solution is really too uncomfortable, don't you?

However i also tried to add this line to my "/etc/rc" script:

/bin/mount -t selinuxfs /selinux

But nothing happened.


-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Stephen Smalley]

On Thu, 2007-02-15 at 20:35 +0100, Vincenzo Ciaglia wrote:
> Il giorno gio, 15/02/2007 alle 13.41 -0500, Stephen Smalley ha scritto:
> 
> > If you boot your kernel with init=/bin/bash and try to manually mount
> > selinuxfs on /selinux, does it work?
> 
> I don't know i still haven't tried but i think isn't a good idea to
> manually mount the selinuxfs. Like i said it will be a public-use
> gnu/linux distribution for networking and security related works. Even
> if could be used from expert and skilled users i think that this
> solution is really too uncomfortable, don't you?

I'm not suggesting it for production use, just to independently check on
your ability to mount selinuxfs, since you said that init seems to be
failing at that point.

> However i also tried to add this line to my "/etc/rc" script:
> 
> /bin/mount -t selinuxfs /selinux
> 
> But nothing happened.

Should be:
	mount -t selinuxfs none /selinux

But doing it from init=/bin/bash will be closer to what init experiences
than from your rc scripts.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Vincenzo Ciaglia]

Il giorno mer, 14/02/2007 alle 18.08 +0000, Christopher J. PeBenito ha
scritto:

> You need a patched init to load the policy.  If no policy is loaded,
> SELinux is disabled:

In addition here the pre-compiled tar.gz derived from the latest debian
selinux-patched sysvinit.

http://www.netwosix.org/selinux/sysvinit-2.86-5-selinux.tar.gz

But again:

# sestatus 
SELinux status:                 disabled
#

So i'm thinking that the problem isn't init anymore.

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Stephen Smalley]

On Wed, 2007-02-14 at 18:38 +0100, Vincenzo Ciaglia wrote:
> Hi, after some weeks i decided to come back at work on SELinux. 
> I'm still writing you about SELinux support problem on an LFS-based
> distribution.
> 
> So, here is what i have done so far:
> 
> 1) Kernel Configuration
> 
> I built the kernel with these options:
> 
> # CONFIG_KEYS is not set
> CONFIG_SECURITY=y
> CONFIG_SECURITY_NETWORK=y
> # CONFIG_SECURITY_NETWORK_XFRM is not set
> CONFIG_SECURITY_CAPABILITIES=y
> # CONFIG_SECURITY_ROOTPLUG is not set
> CONFIG_SECURITY_SELINUX=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
> CONFIG_SECURITY_SELINUX_DISABLE=y
> CONFIG_SECURITY_SELINUX_DEVELOP=y
> CONFIG_SECURITY_SELINUX_AVC_STATS=y
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
> # CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT is not set
> # CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
> 
> Of course with Ext[23] extended attributes,

And CONFIG_EXT3_FS_SECURITY=y too, I assume (i.e. not just the base
xattr support, but also the security xattr handler).

> 3) I unpacked the latest refpolicy according to:
> http://oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy

And built it and installed it?  And created an /etc/selinux/config file?
With what contents?

> 7) Finally i tried to boot with the new kernel (2.6.20) and after the
> reboot the result is:
> 
> # sestatus 
> SELinux status:                 disabled

With what kernel messages from SELinux?  e.g.
$ dmesg | grep SELinux
SELinux:  Initializing.
SELinux:  Starting in permissive mode
SELinux:  Registering netfilter hooks
SELinux:  Completing initialization.
SELinux:  Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext3), uses xattr
...

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Vincenzo Ciaglia]

Il giorno gio, 15/02/2007 alle 14.12 -0500, Stephen Smalley ha scritto:

> > Of course with Ext[23] extended attributes,
> 
> And CONFIG_EXT3_FS_SECURITY=y too, I assume (i.e. not just the base
> xattr support, but also the security xattr handler).

Done, of course.

#
# File systems
#
CONFIG_EXT2_FS=y
CONFIG_EXT2_FS_XATTR=y
CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT2_FS_XIP=y
CONFIG_FS_XIP=y
CONFIG_EXT3_FS=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT3_FS_SECURITY=y

> > 3) I unpacked the latest refpolicy according to:
> > http://oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy
> 
> And built it and installed it?  

Yes, like it said in that page.

> And created an /etc/selinux/config file?

Yes.

> With what contents?

# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
# 

> With what kernel messages from SELinux?  

# dmesg | grep SELinux
SELinux:  Initializing.
SELinux:  Starting in permissive mode
# 

Thank you!

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Stephen Smalley]

On Thu, 2007-02-15 at 20:23 +0100, Vincenzo Ciaglia wrote:
> > With what contents?
> 
> # cat /etc/selinux/config
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> #       enforcing - SELinux security policy is enforced.
> #       permissive - SELinux prints warnings instead of enforcing.
> #       disabled - SELinux is fully disabled.
> SELINUX=permissive
> # SELINUXTYPE= type of policy in use. Possible values are:
> #       targeted - Only targeted network daemons are protected.
> #       strict - Full SELinux protection.
> SELINUXTYPE=targeted

And your policy is installed
under /etc/selinux/targeted/policy/policy.xx?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Vincenzo Ciaglia]

Il giorno gio, 15/02/2007 alle 14.31 -0500, Stephen Smalley ha scritto:
> SELINUXTYPE=targeted
> 
> And your policy is installed
> under /etc/selinux/targeted/policy/policy.xx?

Ops...hh no. Here my error. My policy is under
/etc/selinux/netwosix/policy/policy.21

So i rebooted and:

# dmesg | grep selinux
selinux_register_security:  Registering secondary module capability
SELinux: initialized (dev selinuxfs, type selinuxfs), uses
genfs_contexts
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        netwosix

Finally it works! Thank you very much! :)

Now i can start working on policies.

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Stephen Smalley]

On Thu, 2007-02-15 at 20:58 +0100, Vincenzo Ciaglia wrote:
> Il giorno gio, 15/02/2007 alle 14.31 -0500, Stephen Smalley ha scritto:
> > SELINUXTYPE=targeted
> > 
> > And your policy is installed
> > under /etc/selinux/targeted/policy/policy.xx?
> 
> Ops...hh no. Here my error. My policy is under
> /etc/selinux/netwosix/policy/policy.21

Ok.  SELINUXTYPE= is just the name where your policy is located; it
doesn't have to mean anything about the actual kind of policy (although
conventionally we use "targeted", "strict", "mls", etc to indicate the
kind of policy too.)

> So i rebooted and:
> 
> # dmesg | grep selinux
> selinux_register_security:  Registering secondary module capability
> SELinux: initialized (dev selinuxfs, type selinuxfs), uses
> genfs_contexts

You actually wanted to grep for "SELinux" (capitalization) or grep -i,
but that's ok.  Although I thought Eric was going to kill or at least
silence by default many of those messages.

> # sestatus 
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 21
> Policy from config file:        netwosix
> 
> Finally it works! Thank you very much! :)

Good.  Of course, since it is permissive, it isn't enforcing anything
yet, just logging what would be denied.  Did you label your filesystems
yet?

> Now i can start working on policies.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Vincenzo Ciaglia]

Il giorno gio, 15/02/2007 alle 15.03 -0500, Stephen Smalley ha scritto:

> You actually wanted to grep for "SELinux" (capitalization) or grep -i,
> but that's ok.  Although I thought Eric was going to kill or at least
> silence by default many of those messages.

Here we are:

# dmesg | grep -i selinux
SELinux:  Initializing.
SELinux:  Starting in permissive mode
selinux_register_security:  Registering secondary module capability
SELinux:  Completing initialization.
SELinux:  Setting up existing superblocks.
SELinux: initialized (dev hda1, type ext3), uses xattr
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses
genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses
genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs
SELinux: initialized (dev inotifyfs, type inotifyfs), uses
genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev hdb1, type ext3), uses xattr

> Good.  Of course, since it is permissive, it isn't enforcing anything
> yet, just logging what would be denied.  Did you label your filesystems
> yet?

Yes:

# cd /etc/selinux/refpolicy/src/policy/
# make relabel
Relabeling filesystem types: ext2 ext3 xfs jfs
/sbin/setfiles /etc/selinux/netwosix/contexts/files/file_contexts / /usr
/sbin/setfiles:  labeling files under /
matchpathcon_filespec_eval:  hash table stats: 2571 elements, 2559/65536
buckets used, longest chain length 2
/sbin/setfiles:  labeling files under /usr
matchpathcon_filespec_eval:  hash table stats: 81537 elements,
20107/65536 buckets used, longest chain length 10
/sbin/setfiles:  Done.
#

So i rebooted and when i try to "sysadm_r" i get this:
# newrole -r sysadm_r
Couldn't get default type.
# 

But i still haven't read anything about this. Now i'm too happy that
selinux is enabled and it's working ... after many weeks of patch+patch
+hack+hack on the new netwosix system :)

Thank you,

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Stephen Smalley]

On Thu, 2007-02-15 at 21:23 +0100, Vincenzo Ciaglia wrote:
> Il giorno gio, 15/02/2007 alle 15.03 -0500, Stephen Smalley ha scritto:
> 
> > You actually wanted to grep for "SELinux" (capitalization) or grep -i,
> > but that's ok.  Although I thought Eric was going to kill or at least
> > silence by default many of those messages.
> 
> Here we are:
> 
> # dmesg | grep -i selinux
> SELinux:  Initializing.
> SELinux:  Starting in permissive mode
> selinux_register_security:  Registering secondary module capability
> SELinux:  Completing initialization.
> SELinux:  Setting up existing superblocks.
> SELinux: initialized (dev hda1, type ext3), uses xattr
> SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
> SELinux: initialized (dev selinuxfs, type selinuxfs), uses
> genfs_contexts
> SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
> SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses
> genfs_contexts
> SELinux: initialized (dev devpts, type devpts), uses transition SIDs
> SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs
> SELinux: initialized (dev inotifyfs, type inotifyfs), uses
> genfs_contexts
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
> SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
> SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
> SELinux: initialized (dev proc, type proc), uses genfs_contexts
> SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
> SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
> SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev hdb1, type ext3), uses xattr
> 
> > Good.  Of course, since it is permissive, it isn't enforcing anything
> > yet, just logging what would be denied.  Did you label your filesystems
> > yet?
> 
> Yes:
> 
> # cd /etc/selinux/refpolicy/src/policy/
> # make relabel
> Relabeling filesystem types: ext2 ext3 xfs jfs
> /sbin/setfiles /etc/selinux/netwosix/contexts/files/file_contexts / /usr
> /sbin/setfiles:  labeling files under /
> matchpathcon_filespec_eval:  hash table stats: 2571 elements, 2559/65536
> buckets used, longest chain length 2
> /sbin/setfiles:  labeling files under /usr
> matchpathcon_filespec_eval:  hash table stats: 81537 elements,
> 20107/65536 buckets used, longest chain length 10
> /sbin/setfiles:  Done.
> #
> 
> So i rebooted and when i try to "sysadm_r" i get this:
> # newrole -r sysadm_r
> Couldn't get default type.
> # 

Targeted policy doesn't support user roles; it only confines specific
programs, primarily focused on system services.  Strict policy is what
you want if you need user roles.  In the future, we hope to reduce the
divergence between them so that you can have a targeted system with some
limited user roles.

> But i still haven't read anything about this. Now i'm too happy that
> selinux is enabled and it's working ... after many weeks of patch+patch
> +hack+hack on the new netwosix system :)
> 
> Thank you,
> 
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Vincenzo Ciaglia]

Il giorno gio, 15/02/2007 alle 15.34 -0500, Stephen Smalley ha scritto:

> Targeted policy doesn't support user roles; it only confines specific
> programs, primarily focused on system services.  Strict policy is what
> you want if you need user roles.  In the future, we hope to reduce the
> divergence between them so that you can have a targeted system with some
> limited user roles.

Of course Netwosix will use "strict" policies. So i'm going to start
working on it.

I'll keep you updated.

Thank you,

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Eric Paris]

On Thu, 2007-02-15 at 21:42 +0100, Vincenzo Ciaglia wrote:
> Il giorno gio, 15/02/2007 alle 15.34 -0500, Stephen Smalley ha scritto:
> 
> > Targeted policy doesn't support user roles; it only confines specific
> > programs, primarily focused on system services.  Strict policy is what
> > you want if you need user roles.  In the future, we hope to reduce the
> > divergence between them so that you can have a targeted system with some
> > limited user roles.
> 
> Of course Netwosix will use "strict" policies. So i'm going to start
> working on it.
> 
> I'll keep you updated.
> 
> Thank you,
> 
Taking a look at your post at netwosix.org I think you should know that
you most likely still have some serious filesystem labeling problems.

Yours:
# ls -Z
drwxr-xr-x  root root system_u:object_r:file_t         bin
drwxr-xr-x  root root system_u:object_r:file_t         boot
drwxr-xr-x  root root system_u:object_r:file_t         cdrom
drwxr-xr-x  root root system_u:object_r:tmpfs_t        dev

Mine:
#ls -Z
drwxr-xr-x  root root system_u:object_r:bin_t          bin
drwxr-xr-x  root root system_u:object_r:boot_t         boot
drwxr-xr-x  root root system_u:object_r:device_t       dev

Maybe someone else can chime in with the best way to try this again
since it doesn't look to me like the make relabel really got everything
you needed (and I have no idea if you rc.sysinit is patched to pay
attention to /.autorelabel)

-Eric


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Stephen Smalley]

On Thu, 2007-02-15 at 15:56 -0500, Eric Paris wrote:
> On Thu, 2007-02-15 at 21:42 +0100, Vincenzo Ciaglia wrote:
> > Il giorno gio, 15/02/2007 alle 15.34 -0500, Stephen Smalley ha scritto:
> > 
> > > Targeted policy doesn't support user roles; it only confines specific
> > > programs, primarily focused on system services.  Strict policy is what
> > > you want if you need user roles.  In the future, we hope to reduce the
> > > divergence between them so that you can have a targeted system with some
> > > limited user roles.
> > 
> > Of course Netwosix will use "strict" policies. So i'm going to start
> > working on it.
> > 
> > I'll keep you updated.
> > 
> > Thank you,
> > 
> Taking a look at your post at netwosix.org I think you should know that
> you most likely still have some serious filesystem labeling problems.
> 
> Yours:
> # ls -Z
> drwxr-xr-x  root root system_u:object_r:file_t         bin
> drwxr-xr-x  root root system_u:object_r:file_t         boot
> drwxr-xr-x  root root system_u:object_r:file_t         cdrom
> drwxr-xr-x  root root system_u:object_r:tmpfs_t        dev
> 
> Mine:
> #ls -Z
> drwxr-xr-x  root root system_u:object_r:bin_t          bin
> drwxr-xr-x  root root system_u:object_r:boot_t         boot
> drwxr-xr-x  root root system_u:object_r:device_t       dev
> 
> Maybe someone else can chime in with the best way to try this again
> since it doesn't look to me like the make relabel really got everything
> you needed (and I have no idea if you rc.sysinit is patched to pay
> attention to /.autorelabel)

Don't know about the /bin and /boot issues, but for /dev, I'd suggest
checking that your udev is built with selinux support enabled.  And also
you should do a restorecon -R /dev from rc.sysinit or similar, as there
will be some nodes created before selinux policy gets loaded.


-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Vincenzo Ciaglia]

[-- Attachment #1: Type: text/plain, Size: 510 bytes --]

Il giorno gio, 15/02/2007 alle 15.59 -0500, Stephen Smalley ha scritto:

> Don't know about the /bin and /boot issues, but for /dev, I'd suggest
> checking that your udev is built with selinux support enabled.  And also
> you should do a restorecon -R /dev from rc.sysinit or similar, as there
> will be some nodes created before selinux policy gets loaded.

Ops. In the attach the /etc/rc. It's really late here guys.

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>

[-- Attachment #2: selinux-netwosix.txt --]
[-- Type: text/plain, Size: 1049 bytes --]

ELinux on Netwosix

/sbin/restorecon -R /dev

SELINUX=
if [ -r /selinux/enforce ] ; then
                SELINUX= 'cat /selinux/enforce'
else
        SELINUX=1
fi

# Other SELINUX stuff

        disable_selinux() {
                echo $"*** Warning -- SELinux is active"
                echo $"*** Disabling security enforcement for system recovery."
                echo $"*** Run 'setenforce 1' to reenable."

                echo "0" > /selinux/enforce

                }


   relabel_selinux() {
                echo
                echo $"*** Warning -- SELinux policy relabel is required. "
                echo $"*** Disabling security enforcement."
                echo $"*** Relabeling could take a very long time,"
                echo $"*** depending on file system size."

                echo "0" > /selinux/enforce
                /sbin/fixfiles -f -F relabel > /dev/null 2>&1
                rm -f /.autorelabel
                echo "*** Enabling security enforcement.        ***"
                echo $SELINUX > /selinux/enforce
}

Re: SELinux and LFS

[Vincenzo Ciaglia]

Il giorno gio, 15/02/2007 alle 15.56 -0500, Eric Paris ha scritto:

> Maybe someone else can chime in with the best way to try this again
> since it doesn't look to me like the make relabel really got everything
> you needed (and I have no idea if you rc.sysinit is patched to pay
> attention to /.autorelabel)

Yes, i'm just taking a look to the "ls -Z" of my Fedora's system and
you're right. I'll pay attention later.

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Vincenzo Ciaglia]

Il giorno gio, 15/02/2007 alle 15.56 -0500, Eric Paris ha scritto:

> Maybe someone else can chime in with the best way to try this again
> since it doesn't look to me like the make relabel really got everything
> you needed (and I have no idea if you rc.sysinit is patched to pay
> attention to /.autorelabel)

Ok, fixed!
In the attach the SELINUX portion of my /etc/rc. I think it's ok but
actually it's just working.

Here the result:
# ls -Z
-rw-r--r--  root root system_u:object_r:default_t      System.map
drwxr-xr-x  root root system_u:object_r:bin_t          bin
drwxr-xr-x  root root system_u:object_r:boot_t         boot
drwxr-xr-x  root root system_u:object_r:default_t      cdrom
drwxr-xr-x  root root system_u:object_r:device_t       dev
drwxr-xr-x  root root system_u:object_r:etc_t          etc
drwxr-xr-x  root root system_u:object_r:home_root_t    home
drwxr-xr-x  root root system_u:object_r:default_t      include
drwxr-xr-x  root root system_u:object_r:default_t      info
drwxr-xr-x  root root system_u:object_r:lib_t          lib
drwxr-xr-x  root root system_u:object_r:default_t      libexec
drwx------  root root system_u:object_r:lost_found_t   lost+found
drwxr-xr-x  root root system_u:object_r:default_t      man
drwxr-xr-x  root root system_u:object_r:mnt_t          mnt
drwxr-xr-x  root root system_u:object_r:usr_t          opt
dr-xr-xr-x  root root system_u:object_r:proc_t         proc
drwxr-x---  root root root:object_r:user_home_dir_t    root
drwxr-xr-x  root root system_u:object_r:sbin_t         sbin
drwxr-xr-x  root root system_u:object_r:security_t     selinux
drwxr-xr-x  root root system_u:object_r:default_t      share
drwxr-xr-x  root root system_u:object_r:sysfs_t        sys
drwxrwxrwt  root root system_u:object_r:tmp_t          tmp
drwxr-xr-x  root root system_u:object_r:usr_t          usr
drwxr-xr-x  root root system_u:object_r:var_t          var
-rw-r--r--  root root system_u:object_r:default_t      vmlinuz

However i rebuilt the refpolicy with "strict" options and now i get
this:

# newrole -r sysadm_r
Authenticating root.
newrole: incorrect password for root
#

I'm working no stop from almost 9 hours, so i'm in crash and
unfortunately i have to stop.

Tomorrow i'll restart working on and maybe i'll fix this. 

Of course if you want to save my time any help would be appreciated.

Thank you.

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Vincenzo Ciaglia]

Il giorno gio, 15/02/2007 alle 22.47 +0100, Vincenzo Ciaglia ha
scritto: 
> # newrole -r sysadm_r
> Authenticating root.
> newrole: incorrect password for root
> #

Regarding to this problem i thought was a PAM problem. So i re-build the
package with all the latest fedora's patch and i have created this,
ready to "./configure --with-selinux":
http://www.netwosix.org/selinux/Linux-PAM-selinux-0.99.6.2.tar.gz

Here the patch applied and pre-build in that package:
http://www.netwosix.org/selinux/pam-0.99.2.1-selinux-nofail.patch
http://www.netwosix.org/selinux/pam-0.99.6.2-selinux-drop-multiple.patch
http://www.netwosix.org/selinux/pam-0.99.6.2-selinux-keycreate.patch
http://www.netwosix.org/selinux/pam-0.99.6.2-selinux-select-context.patch
http://www.netwosix.org/selinux/pam-0.99.6.2-selinux-use-current-range.patch

Moreover i adjusted some configurations in /etc/pam.d to try to do the
trick. Here they are: http://www.netwosix.org/selinux/pam-seconf.tar.gz
Here the /etc/security ones:
http://www.netwosix.org/selinux/security-etc.tar.gz
And here my /lib/security/ :
http://www.netwosix.org/selinux/securitypam-selinux.tar.gz

Everything is ok but when i reboot i get this:

[vciaglia@desk ~]$  ssh -l root 192.168.0.4
root@192.168.0.4's password: 
# id -Z
root:sysadm_r:sysadm_t
# newrole -r sysadm_r        
Authenticating root.
newrole: incorrect password for root
# useradd -m test
useradd: PAM authentication failed
# 

Is it still a PAM problem or i have some misconfigurations ?

Thank you in advance!

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Stephen Smalley]

On Fri, 2007-02-16 at 13:16 +0100, Vincenzo Ciaglia wrote:
> Il giorno gio, 15/02/2007 alle 22.47 +0100, Vincenzo Ciaglia ha
> scritto: 
> > # newrole -r sysadm_r
> > Authenticating root.
> > newrole: incorrect password for root
> > #
> 
> Regarding to this problem i thought was a PAM problem.

Yes, IIRC, typically this indicates that your pam_unix doesn't fall back
cleanly to the chkpwd helper when it cannot directly read /etc/shadow,
and just fails.  The original pam_unix logic was to only perform such a
fallback if the caller was not uid 0, but that had to be changed for
selinux since even a uid 0 process might not be allowed to directly
read /etc/shadow under selinux.

>  So i re-build the
> package with all the latest fedora's patch and i have created this,
> ready to "./configure --with-selinux":
> http://www.netwosix.org/selinux/Linux-PAM-selinux-0.99.6.2.tar.gz
> 
> Here the patch applied and pre-build in that package:
> http://www.netwosix.org/selinux/pam-0.99.2.1-selinux-nofail.patch
> http://www.netwosix.org/selinux/pam-0.99.6.2-selinux-drop-multiple.patch
> http://www.netwosix.org/selinux/pam-0.99.6.2-selinux-keycreate.patch
> http://www.netwosix.org/selinux/pam-0.99.6.2-selinux-select-context.patch
> http://www.netwosix.org/selinux/pam-0.99.6.2-selinux-use-current-range.patch
> 
> Moreover i adjusted some configurations in /etc/pam.d to try to do the
> trick. Here they are: http://www.netwosix.org/selinux/pam-seconf.tar.gz
> Here the /etc/security ones:
> http://www.netwosix.org/selinux/security-etc.tar.gz
> And here my /lib/security/ :
> http://www.netwosix.org/selinux/securitypam-selinux.tar.gz
> 
> Everything is ok but when i reboot i get this:
> 
> [vciaglia@desk ~]$  ssh -l root 192.168.0.4
> root@192.168.0.4's password: 
> # id -Z
> root:sysadm_r:sysadm_t
> # newrole -r sysadm_r        
> Authenticating root.
> newrole: incorrect password for root
> # useradd -m test
> useradd: PAM authentication failed
> # 
> 
> Is it still a PAM problem or i have some misconfigurations ?

Likely an issue with your pam, but I haven't looked at your packages
yet.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Vincenzo Ciaglia]

Il giorno ven, 16/02/2007 alle 10.13 -0500, Stephen Smalley ha scritto:

> Likely an issue with your pam, but I haven't looked at your packages
> yet.

Could be a policycoreutils problem too?

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Stephen Smalley]

On Fri, 2007-02-16 at 17:44 +0100, Vincenzo Ciaglia wrote:
> Il giorno ven, 16/02/2007 alle 10.13 -0500, Stephen Smalley ha scritto:
> 
> > Likely an issue with your pam, but I haven't looked at your packages
> > yet.
> 
> Could be a policycoreutils problem too?

If it were only newrole failing, then yes.  But you showed useradd
failing too, which isn't provided or affected by policycoreutils.

Note however that you do need to build newrole on a system with
pam-devel or equivalent installed, as the Makefile looks
for /usr/include/security/pam_appl.h and disables PAM support if it
isn't present.

And if you want audit and/or namespace support, you need to build
newrole with the appropriate options.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Vincenzo Ciaglia]

Il giorno ven, 16/02/2007 alle 12.04 -0500, Stephen Smalley ha scritto:

> Note however that you do need to build newrole on a system with
> pam-devel or equivalent installed, as the Makefile looks
> for /usr/include/security/pam_appl.h and disables PAM support if it
> isn't present.

Done! I just recompiled the policycoreutils after i rebuilt shadow and
pam and:

# id -Z
root:sysadm_r:sysadm_t
# newrole -r sysadm_r
Authenticating root.
Password: 
# id -Z
root:sysadm_r:sysadm_t

Can i assign to the user "root" the staff_r:staff_t, so i can force him
to "newrole -r sysadm_r" to make something on the system? Do i have to
edit the "$policy/users/local.users" ?

Unfortunately i still have to solve some problem with pam here:

# useradd -m test
useradd: PAM authentication failed

Just going crazy, today :)

Thank you!

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Stephen Smalley]

On Fri, 2007-02-16 at 18:52 +0100, Vincenzo Ciaglia wrote:
> Il giorno ven, 16/02/2007 alle 12.04 -0500, Stephen Smalley ha scritto:
> 
> > Note however that you do need to build newrole on a system with
> > pam-devel or equivalent installed, as the Makefile looks
> > for /usr/include/security/pam_appl.h and disables PAM support if it
> > isn't present.
> 
> Done! I just recompiled the policycoreutils after i rebuilt shadow and
> pam and:
> 
> # id -Z
> root:sysadm_r:sysadm_t
> # newrole -r sysadm_r
> Authenticating root.
> Password: 
> # id -Z
> root:sysadm_r:sysadm_t

Not too exciting since you were already in sysadm_r to start with.

> Can i assign to the user "root" the staff_r:staff_t, so i can force him
> to "newrole -r sysadm_r" to make something on the system? Do i have to
> edit the "$policy/users/local.users" ?

If in enforcing mode and the ssh_sysadm_login boolean is off, this
should already be the case for ssh logins.  You can also adjust the
ordering in $policy/contexts/users/root (root-specific) or
$policy/contexts/default_contexts (system-wide defaults).  First field
of each line is the context of the daemon process (e.g. sshd), remainder
of the line is a list of partial contexts in the preferred ordering of
selection.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

SELinux and LFS

[Nick Gray]

All,

I introduced myself several months back. I work on a MLS project for the
ONI. We have been evaluating SELinux for awhile. A couple of months ago
I raise a question, within our group, about the viability of using
RedHat as a base for a secure system. I believe that certification of a
system based on a (almost any) distribution would be rather difficult to
achieve. This coupled with the fact that a Redhat server that was under
scrutiny here at the lab, continued to contact Redhat via HTTPS despite
my efforts to remove the software responsible. I actually found circular
dependencies in the packages.

This led me to the question, Does anyone remember when we used to build
this things from scratch. In answer to that question, I found a web site
which I have been playing with for the last couple of weeks called
appropriately enough "Linux from Scratch" so far I have been able to use
LFS as the starting point for a CDROM based Linux gateway/firewall.I
started a build of SELinux on a LFS system, but had several problems
including discovering what I believe are a couple bugs in the code.I
have put it aside for the moment to work on a couple of other things,
but I will return to this when I get the chance.

I am interested in whether anyone on the list has used this as the
starting point for SELinux and what the results where. 

In the next day or so I will post the problem I found in the makefile.
Perhaps it is either a known issue or doesn't come up on Redhat based
systems. In a separate post I will address a problem I found in string.h
(as soon as I get a chance to figure out what the problem is)

Don't get me wrong, I have nothing against Redhat. I'm just not sure
that I could keep a straight face when placing this in front of the
accreditors.

Any comments/discussion would be appreciated 

Nick Gray
Senior Network Engineer
Bruzenak Inc.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Russell Coker]

On Thu, 8 May 2003 02:02, Nick Gray wrote:
> I raise a question, within our group, about the viability of using
> RedHat as a base for a secure system. I believe that certification of a

Considered Debian?

> system based on a (almost any) distribution would be rather difficult to
> achieve. This coupled with the fact that a Redhat server that was under
> scrutiny here at the lab, continued to contact Redhat via HTTPS despite
> my efforts to remove the software responsible. I actually found circular
> dependencies in the packages.

Debian has no such "features", and is in a fairly good state with regard to 
circular dependencies.

For building a Debian system from source there are some dependency issues.  
For example you can't build packages in a regular fashion without Perl, and 
Perl needs a huge number of other things to be built before it can be built.  
Doing a cross-compile bootstrap of Debian will be painful because of this.  
But recompiling every package in a Debian system should be quite easy (on 
i486 and newer CPUs at least).

> which I have been playing with for the last couple of weeks called
> appropriately enough "Linux from Scratch" so far I have been able to use

Some people on this list have been talking about getting SE Linux going with 
Gentoo which is based on compiling everything.  I wonder how their progress 
is going.

> LFS as the starting point for a CDROM based Linux gateway/firewall.I
> started a build of SELinux on a LFS system, but had several problems
> including discovering what I believe are a couple bugs in the code.I

Which code do you suspect to contain bugs?  SE code or LFS?

> In the next day or so I will post the problem I found in the makefile.
> Perhaps it is either a known issue or doesn't come up on Redhat based
> systems. In a separate post I will address a problem I found in string.h
> (as soon as I get a chance to figure out what the problem is)

What version of libc6 was used for the headers?  Some of my programs used to 
have problems with older libc6 header files for string.h and other things.

> Don't get me wrong, I have nothing against Redhat. I'm just not sure
> that I could keep a straight face when placing this in front of the
> accreditors.

If there is anything I can do to make Debian more suitable for such things 
then please let me know.  Subject to the constraint of having almost no free 
time I'll do what I can.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[Richard Troth]

> Considered Debian?

Good point.
For my own "Linux from scratch",
Debian has proved to be a vital source depot and reference.

 ...
> > my efforts to remove the software responsible. I actually found circular
> > dependencies in the packages.
>
> Debian has no such "features", and is in a fairly good state with regard to
> circular dependencies.
>
> For building a Debian system from source there are some dependency issues.
> For example you can't build packages in a regular fashion without Perl, and
> Perl needs a huge number of other things to be built before it can be built.

Right.   For the "tool chain",  you need GCC, GLIBC, and a
smattering few other development tools.   But one or two of those
(in my experience,  not exhaustively scientific)  required Perl
for their auto config.   [sigh]   So the basic tool chain
racked up to 28 packages.   That was enough to give me a
usable 'chroot' where I could re-build the same 28 and then
build anything else.

> Doing a cross-compile bootstrap of Debian will be painful because of this.
> But recompiling every package in a Debian system should be quite easy (on
> i486 and newer CPUs at least).

[Mine is not related to SE.]
I still haven't figured out Debian's build process.
I'm trying to stick to the usual

	./configure
	make
	make install

though a good number of packages need an explicit  "--prefix=/usr".

> Some people on this list have been talking about getting SE Linux going
> with Gentoo which is based on compiling everything.  I wonder how their
> progress is going.

Yes.   Gentoo is recommended by many hard-core bootstrappers.

-- RMT



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: SELinux and LFS

[Keith Bottner]

Nick,

I think this is a great idea. I am very interested in your results. I
have been thinking of doing something similar but as of yet have had no
time to pursue it. Please keep us informed of your progress.

Keith Bottner
kbottner@istation.com

-----Original Message-----
From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov]
On Behalf Of Nick Gray
Sent: Wednesday, May 07, 2003 11:03 AM
To: selinux@tycho.nsa.gov
Subject: SELinux and LFS


All,

I introduced myself several months back. I work on a MLS project for the
ONI. We have been evaluating SELinux for awhile. A couple of months ago
I raise a question, within our group, about the viability of using
RedHat as a base for a secure system. I believe that certification of a
system based on a (almost any) distribution would be rather difficult to
achieve. This coupled with the fact that a Redhat server that was under
scrutiny here at the lab, continued to contact Redhat via HTTPS despite
my efforts to remove the software responsible. I actually found circular
dependencies in the packages.

This led me to the question, Does anyone remember when we used to build
this things from scratch. In answer to that question, I found a web site
which I have been playing with for the last couple of weeks called
appropriately enough "Linux from Scratch" so far I have been able to use
LFS as the starting point for a CDROM based Linux gateway/firewall.I
started a build of SELinux on a LFS system, but had several problems
including discovering what I believe are a couple bugs in the code.I
have put it aside for the moment to work on a couple of other things,
but I will return to this when I get the chance.

I am interested in whether anyone on the list has used this as the
starting point for SELinux and what the results where. 

In the next day or so I will post the problem I found in the makefile.
Perhaps it is either a known issue or doesn't come up on Redhat based
systems. In a separate post I will address a problem I found in string.h
(as soon as I get a chance to figure out what the problem is)

Don't get me wrong, I have nothing against Redhat. I'm just not sure
that I could keep a straight face when placing this in front of the
accreditors.

Any comments/discussion would be appreciated 

Nick Gray
Senior Network Engineer
Bruzenak Inc.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
with the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and LFS

[ccallen]

I have been working on the same kind of thing and wanted to ask the same
question. My goal has been to create a minimal dist (like the linux router
project) that has just whats needed (http & smtp for now), and boots from a
cd (like a rescue / boot disk). If my system does get hacked or out of wack,
It can just be rebooted. Selinux would be used to protect the system in
memory (on a ram disk), and protect any working files on disk (logs,
databases, etc).

For a gui I want to use motif. The gui is not for a production dist but for
configuring and building the dist. However it could be on the production
machine (ran from the hard drive, not on a ram disk). I built some motif
configuration management tools that would work for this project. Although I
have them on an HP DAT tape and dont have a tape drive, so I cant read the
data :( Is there anyone in the Bellevue / Redmond area who has one of these
drives I could use to read the source code off with?

I started with the boot disk howto and Linux Router Project, and eventually
stumbled across the LFS project. The LFS looks to have a bunch of LFS
specific unix utilities, I wasnt sure if they would be compatible with
selinux. All I wanted was a list of esential files and steps to build and
configure a minimal linux system. Then I could pull these files from redhat
so it would be compatible with selinux.

The author of the boot-disk how created a tool, Yard, that looks like it
does what I have in mind. http://www.croftj.net/~fawcett/yard/index.html
I decided to start with yard and build on that.

There are many other boot disk tools like yard,  but Yard looks like it's as
good as any. If your interested I can track down some of the links I came
across.

Conan


----- Original Message -----
From: "Nick Gray" <nagray@austin.rr.com>
To: <selinux@tycho.nsa.gov>
Sent: Wednesday, May 07, 2003 9:02 AM
Subject: SELinux and LFS


All,

I introduced myself several months back. I work on a MLS project for the
ONI. We have been evaluating SELinux for awhile. A couple of months ago
I raise a question, within our group, about the viability of using
RedHat as a base for a secure system. I believe that certification of a
system based on a (almost any) distribution would be rather difficult to
achieve. This coupled with the fact that a Redhat server that was under
scrutiny here at the lab, continued to contact Redhat via HTTPS despite
my efforts to remove the software responsible. I actually found circular
dependencies in the packages.

This led me to the question, Does anyone remember when we used to build
this things from scratch. In answer to that question, I found a web site
which I have been playing with for the last couple of weeks called
appropriately enough "Linux from Scratch" so far I have been able to use
LFS as the starting point for a CDROM based Linux gateway/firewall.I
started a build of SELinux on a LFS system, but had several problems
including discovering what I believe are a couple bugs in the code.I
have put it aside for the moment to work on a couple of other things,
but I will return to this when I get the chance.

I am interested in whether anyone on the list has used this as the
starting point for SELinux and what the results where.

In the next day or so I will post the problem I found in the makefile.
Perhaps it is either a known issue or doesn't come up on Redhat based
systems. In a separate post I will address a problem I found in string.h
(as soon as I get a chance to figure out what the problem is)

Don't get me wrong, I have nothing against Redhat. I'm just not sure
that I could keep a straight face when placing this in front of the
accreditors.

Any comments/discussion would be appreciated

Nick Gray
Senior Network Engineer
Bruzenak Inc.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
with
the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.