* Enable selinux in SLES 11
@ 2010-08-23 13:23 imsand
  2010-08-23 15:49 ` Stephen Smalley
                   ` (2 more replies)
  0 siblings, 3 replies; 13+ messages in thread
From: imsand @ 2010-08-23 13:23 UTC (permalink / raw)
  To: selinux

Hello Everybody

For quite a while I've been trying to enable selinux in SLES11, but
sestatus always shows DISABLED.

The following steps I've already done:
  * installed all *selinux* packages from yast2
  * added the following boot parameters to the kernel: security=selinux
selinux=1 enforcing=0
  * created /etc/selinux/config file with this content:
    SELINUX=enforcing
    SELINUXTYPE=targeted

What I've noticed is that /selinux doesn't exist. I can't create that
mountpoint manually because selinuxfs filesystem doesn't exist.

Does anybody know if that could be the reason? And if so, how do I get
selinux to work on SLES 11?
(As far as I know SLES 11 should be prepared to use selinux as a technical
preview.)

Thanks in advance
Matthias



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Enable selinux in SLES 11
  2010-08-23 13:23 Enable selinux in SLES 11 imsand
@ 2010-08-23 15:49 ` Stephen Smalley
  2010-08-23 16:54 ` Justin P. Mattock
  2010-08-26  7:32 ` Thomas
  2 siblings, 0 replies; 13+ messages in thread
From: Stephen Smalley @ 2010-08-23 15:49 UTC (permalink / raw)
  To: imsand; +Cc: selinux

On Mon, 2010-08-23 at 15:23 +0200, imsand@puzzle.ch wrote:
> Hello Everybody
> 
> For quite a while I've been trying to enable selinux in SLES11, but
> sestatus always shows DISABLED.
> 
> The following steps I've already done:
>   * installed all *selinux* packages from yast2
>   * added the following boot parameters to the kernel: security=selinux
> selinux=1 enforcing=0
>   * created /etc/selinux/config file with this content:
>     SELINUX=enforcing
>     SELINUXTYPE=targeted
> 
> What I've noticed is that /selinux doesn't exist. I can't create that
> mountpoint manually because selinuxfs filesystem doesn't exist.
> 
> Does anybody know if that could be the reason? And if so, how do I get
> selinux to work on SLES 11?
> (As far as I know SLES 11 should be prepared to use selinux as a technical
> preview.)

Others have been able to enable SELinux on recent OpenSUSE releases
(11.2, 11.3), but I don't know how much if any of that work has fed back
into SLES 11 so far.

Some prior discussions of OpenSUSE SELinux support:
http://marc.info/?l=selinux&w=2&r=1&s=opensuse&q=b

A posting and blog by a Novell employee who seems to be responsible for
SELinux integration in OpenSUSE:
http://marc.info/?l=selinux&m=126641568218140&w=2
http://thetoms-random-thoughts.blogspot.com/

Some relevant bugzillas on OpenSUSE:
https://bugzilla.novell.com/show_bug.cgi?id=594041
https://bugzilla.novell.com/show_bug.cgi?id=582366
https://bugzilla.novell.com/show_bug.cgi?id=581505

You likely need to install a policy of your own, e.g. build refpolicy
and install it, as I don't think SLES provides one.  Is there anything
under /etc/selinux/targeted?

Then the next question is whether the sysvinit or initrd in SLES 11 has
been instrumented to load the policy.

To get any changes in SLES itself, you likely need to go through your
Novell rep and file bugzillas.  

-- 
Stephen Smalley
National Security Agency



* Re: Enable selinux in SLES 11
  2010-08-23 13:23 Enable selinux in SLES 11 imsand
  2010-08-23 15:49 ` Stephen Smalley
@ 2010-08-23 16:54 ` Justin P. Mattock
  2010-08-24  7:14   ` imsand
  2010-08-26  7:32 ` Thomas
  2 siblings, 1 reply; 13+ messages in thread
From: Justin P. Mattock @ 2010-08-23 16:54 UTC (permalink / raw)
  To: imsand; +Cc: selinux

On 08/23/2010 06:23 AM, imsand@puzzle.ch wrote:
> Hello Everybody
>
> For quite a while I've been trying to enable selinux in SLES11, but
> sestatus always shows DISABLED.
>
> The following steps I've already done:
>    * installed all *selinux* packages from yast2
>    * added the following boot parameters to the kernel: security=selinux
> selinux=1 enforcing=0
>    * created /etc/selinux/config file with this content:
>      SELINUX=enforcing
>      SELINUXTYPE=targeted
>
> What I've noticed is that /selinux doesn't exist. I can't create that
> mountpoint manually because selinuxfs filesystem doesn't exist.
>
> Does anybody know if that could be the reason? And if so, how do I get
> selinux to work on SLES 11?
> (As far as I know SLES 11 should be prepared to use selinux as a technical
> preview.)
>
> Thanks in advance
> Matthias
>
>
>


It should be working (at least for opensuse 12); you need to mkdir /selinux
then reboot (SELinux will mount its filesystem there, but can't if the
mount point doesn't exist).

Justin P. Mattock


* Re: Enable selinux in SLES 11
  2010-08-23 16:54 ` Justin P. Mattock
@ 2010-08-24  7:14   ` imsand
  2010-08-24 13:30     ` Justin P. Mattock
  0 siblings, 1 reply; 13+ messages in thread
From: imsand @ 2010-08-24  7:14 UTC (permalink / raw)
  To: Justin P. Mattock; +Cc: imsand, selinux

> On 08/23/2010 06:23 AM, imsand@puzzle.ch wrote:
>> Hello Everybody
>>
>> For quite a while I've been trying to enable selinux in SLES11, but
>> sestatus always shows DISABLED.
>>
>> The following steps I've already done:
>>    * installed all *selinux* packages from yast2
>>    * added the following boot parameters to the kernel: security=selinux
>> selinux=1 enforcing=0
>>    * created /etc/selinux/config file with this content:
>>      SELINUX=enforcing
>>      SELINUXTYPE=targeted
>>
>> What I've noticed is that /selinux doesn't exist. I can't create that
>> mountpoint manually because selinuxfs filesystem doesn't exist.
>>
>> Does anybody know if that could be the reason? And if so, how do I get
>> selinux to work on SLES 11?
>> (As far as I know SLES 11 should be prepared to use selinux as a technical
>> preview.)
>>
>> Thanks in advance
>> Matthias
>>
>>
>>
>
>
> It should be working (at least for opensuse 12); you need to mkdir /selinux
> then reboot (SELinux will mount its filesystem there, but can't if the
> mount point doesn't exist).
>
> Justin P. Mattock
>

OpenSuse12? Do you mean opensuse 11.2?
Any other suggestions?



* Re: Enable selinux in SLES 11
  2010-08-24  7:14   ` imsand
@ 2010-08-24 13:30     ` Justin P. Mattock
  2010-08-24 14:09       ` imsand
  0 siblings, 1 reply; 13+ messages in thread
From: Justin P. Mattock @ 2010-08-24 13:30 UTC (permalink / raw)
  To: imsand; +Cc: selinux

On 08/24/2010 12:14 AM, imsand@puzzle.ch wrote:
>> On 08/23/2010 06:23 AM, imsand@puzzle.ch wrote:
>>> Hello Everybody
>>>
>>> For quite a while I've been trying to enable selinux in SLES11, but
>>> sestatus always shows DISABLED.
>>>
>>> The following steps I've already done:
>>>     * installed all *selinux* packages from yast2
>>>     * added the following boot parameters to the kernel: security=selinux
>>> selinux=1 enforcing=0
>>>     * created /etc/selinux/config file with this content:
>>>       SELINUX=enforcing
>>>       SELINUXTYPE=targeted
>>>
>>> What I've noticed is that /selinux doesn't exist. I can't create that
>>> mountpoint manually because selinuxfs filesystem doesn't exist.
>>>
>>> Does anybody know if that could be the reason? And if so, how do I get
>>> selinux to work on SLES 11?
>>> (As far as I know SLES 11 should be prepared to use selinux as a technical
>>> preview.)
>>>
>>> Thanks in advance
>>> Matthias
>>>
>>>
>>>
>>
>>
>> It should be working (at least for opensuse 12); you need to mkdir /selinux
>> then reboot (SELinux will mount its filesystem there, but can't if the
>> mount point doesn't exist).
>>
>> Justin P. Mattock
>>
>
> OpenSuse12? Do you mean opensuse 11.2?
> Any other suggestions?
>
>


Yeah, openSUSE 11.2, oops... As for any other advice, what Stephen had
posted for you is probably the right info to go through.. just don't be
afraid to ask questions..

Justin P. Mattock


* Re: Enable selinux in SLES 11
  2010-08-24 13:30     ` Justin P. Mattock
@ 2010-08-24 14:09       ` imsand
  2010-08-24 14:44         ` Justin P. Mattock
  2010-08-24 14:48         ` Stephen Smalley
  0 siblings, 2 replies; 13+ messages in thread
From: imsand @ 2010-08-24 14:09 UTC (permalink / raw)
  To: Justin P. Mattock; +Cc: imsand, selinux

> On 08/24/2010 12:14 AM, imsand@puzzle.ch wrote:
>>> On 08/23/2010 06:23 AM, imsand@puzzle.ch wrote:
>>>> Hello Everybody
>>>>
>>>> For quite a while I've been trying to enable selinux in SLES11, but
>>>> sestatus always shows DISABLED.
>>>>
>>>> The following steps I've already done:
>>>>     * installed all *selinux* packages from yast2
>>>>     * added the following boot parameters to the kernel:
>>>> security=selinux
>>>> selinux=1 enforcing=0
>>>>     * created /etc/selinux/config file with this content:
>>>>       SELINUX=enforcing
>>>>       SELINUXTYPE=targeted
>>>>
>>>> What I've noticed is that /selinux doesn't exist. I can't create that
>>>> mountpoint manually because selinuxfs filesystem doesn't exist.
>>>>
>>>> Does anybody know if that could be the reason? And if so, how do I
>>>> get
>>>> selinux to work on SLES 11?
>>>> (As far as I know SLES 11 should be prepared to use selinux as a
>>>> technical
>>>> preview.)
>>>>
>>>> Thanks in advance
>>>> Matthias
>>>>
>>>>
>>>>
>>>
>>>
>>> It should be working (at least for opensuse 12); you need to mkdir /selinux
>>> then reboot (SELinux will mount its filesystem there, but can't if the
>>> mount point doesn't exist).
>>>
>>> Justin P. Mattock
>>>
>>
>> OpenSuse12? Do you mean opensuse 11.2?
>> Any other suggestions?
>>
>>
>
>
> Yeah, openSUSE 11.2, oops... As for any other advice, what Stephen had
> posted for you is probably the right info to go through.. just don't be
> afraid to ask questions..
>
> Justin P. Mattock
>
> Justin P. Mattock
>
Unfortunately it doesn't work. I've done all the steps described here:
http://thetoms-random-thoughts.blogspot.com/2008/12/selinux-on-opensuse-111.html
but this doesn't seem to work for sles 11.
Anybody out there who was able to run selinux on sles 11?
I've got some other questions:
  * what happens if the policy is not found? what would sestatus report?
  * are there some good debug options for selinux? logs? any other hints?
(dmesg shows nothing related to selinux)

best regards
Imsand



* Re: Enable selinux in SLES 11
  2010-08-24 14:09       ` imsand
@ 2010-08-24 14:44         ` Justin P. Mattock
  2010-08-25  7:53           ` imsand
  2010-08-24 14:48         ` Stephen Smalley
  1 sibling, 1 reply; 13+ messages in thread
From: Justin P. Mattock @ 2010-08-24 14:44 UTC (permalink / raw)
  To: imsand; +Cc: selinux

On 08/24/2010 07:09 AM, imsand@puzzle.ch wrote:
>> On 08/24/2010 12:14 AM, imsand@puzzle.ch wrote:
>>>> On 08/23/2010 06:23 AM, imsand@puzzle.ch wrote:
>>>>> Hello Everybody
>>>>>
>>>>> For quite a while I've been trying to enable selinux in SLES11, but
>>>>> sestatus always shows DISABLED.
>>>>>
>>>>> The following steps I've already done:
>>>>>      * installed all *selinux* packages from yast2
>>>>>      * added the following boot parameters to the kernel:
>>>>> security=selinux
>>>>> selinux=1 enforcing=0
>>>>>      * created /etc/selinux/config file with this content:
>>>>>        SELINUX=enforcing
>>>>>        SELINUXTYPE=targeted
>>>>>
>>>>> What I've noticed is that /selinux doesn't exist. I can't create that
>>>>> mountpoint manually because selinuxfs filesystem doesn't exist.
>>>>>
>>>>> Does anybody know if that could be the reason? And if so, how do I
>>>>> get
>>>>> selinux to work on SLES 11?
>>>>> (As far as I know SLES 11 should be prepared to use selinux as a
>>>>> technical
>>>>> preview.)
>>>>>
>>>>> Thanks in advance
>>>>> Matthias
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> It should be working (at least for opensuse 12); you need to mkdir /selinux
>>>> then reboot (SELinux will mount its filesystem there, but can't if the
>>>> mount point doesn't exist).
>>>>
>>>> Justin P. Mattock
>>>>
>>>
>>> OpenSuse12? Do you mean opensuse 11.2?
>>> Any other suggestions?
>>>
>>>
>>
>>
>> Yeah, openSUSE 11.2, oops... As for any other advice, what Stephen had
>> posted for you is probably the right info to go through.. just don't be
>> afraid to ask questions..
>>
>> Justin P. Mattock
>>
>> Justin P. Mattock
>>
> Unfortunately it doesn't work. I've done all the steps described here:
> http://thetoms-random-thoughts.blogspot.com/2008/12/selinux-on-opensuse-111.html
> but this doesn't seem to work for sles 11.
> Anybody out there who was able to run selinux on sles 11?
> I've got some other questions:
>    * what happens if the policy is not found? what would sestatus report?
>    * are there some good debug options for selinux? logs? any other hints?
> (dmesg shows nothing related to selinux)
>
> best regards
> Imsand
>
>

hmm.. well if they have the SELinux packages from sles then that's a good
indication that there's support..

some things need to be checked though:

1) if sles already has the SELinux packages then you already have
libselinux.so, libsepol, etc... if not, then download the SELinux
userspace package and install it (gives you all the tools and libraries
needed to use SELinux)

2) is SELinux enabled in the kernel? (if not, either build a vanilla one and
check "y" under security options for SELinux, or grab an already built rpm)

2) sysvinit needs to have the init_load_policy() patch added to it in
order for the policy to be loaded at boot. (if using upstart there's a
patch as well, or a procedure to load_policy)

3) grab the latest refpolicy from tresys and install it.
(or use the rpm that sles has (if it has one))

4) once the policy is loading at boot then create your login info so
SELinux starts in the right context. (semanage login -a -s staff_u name)

5) use audit2allow to add allow rules for the apps you want to use.
(audit2allow -dM amodulenameforyourallowrules)

6) sit back with a beer (in enforcement mode) and enjoy SELinux!!

remember there's plenty of people here to get you up and running...

Justin P. Mattock


* Re: Enable selinux in SLES 11
  2010-08-24 14:09       ` imsand
  2010-08-24 14:44         ` Justin P. Mattock
@ 2010-08-24 14:48         ` Stephen Smalley
  2010-08-26  7:37           ` Thomas
  1 sibling, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2010-08-24 14:48 UTC (permalink / raw)
  To: imsand; +Cc: Justin P. Mattock, selinux

On Tue, 2010-08-24 at 16:09 +0200, imsand@puzzle.ch wrote:
> Unfortunately it doesn't work. I've done all the steps described here:
> http://thetoms-random-thoughts.blogspot.com/2008/12/selinux-on-opensuse-111.html
> but this doesn't seem to work for sles 11.
> Anybody out there who was able to run selinux on sles 11?
> I've got some other questions:
>   * what happens if the policy is not found? what would sestatus report?
>   * are there some good debug options for selinux? logs? any other hints?
> (dmesg shows nothing related to selinux)

I've only seen successful reports of getting SELinux to run with
OpenSUSE 11.2 and later, and even that hasn't been trivial.  I haven't
seen any reports of getting it to work with SLES 11.  But you should ask
Novell about it.

If policy is not found, then sestatus will report disabled.  No policy
loaded is treated the same as SELinux disabled as far as userspace is
concerned.

Was SELinux built into your kernel?
$ grep selinux_init /proc/kallsyms
<some address>	t	selinux_init
<some address>	t	__initcall_selinux_init

Was SELinux enabled at boot?
$ dmesg | grep SELinux
SELinux:  Initializing.
SELinux:  Starting in permissive mode
...

Is SELinux enabled in the kernel?
$ grep selinuxfs /proc/filesystems

Do you have a policy installed under /etc/selinux/targeted?
$ ls -l /etc/selinux/targeted/policy

Was your policy loaded?
$ dmesg | grep SELinux
...
SELinux:  Completing initialization.
SELinux:  Setting up existing superblocks.
...

-- 
Stephen Smalley
National Security Agency
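As an added example (not from the thread), the checks in this reply turned into a small POSIX sh script that walks the chain in the same order and names the first stage that fails, so the output says whether the problem is the kernel build, the boot parameters, selinuxfs, a missing policy file, or init never loading the policy. The function names and the sample kallsyms/dmesg text are mine; the samples are constructed to mirror the state described in the thread (kernel support present, a policy.24 installed, but no "Completing initialization." line).

```shell
#!/bin/sh
# Added example: walk Stephen Smalley's SELinux boot-chain checks in order and
# report the first missing link. Every check takes its input text as an
# argument, so the same logic runs on captured output (the constructed samples
# below) or on a live system via live_diagnose.

# 1) SELinux compiled into the kernel: selinux_init appears in /proc/kallsyms.
kernel_has_selinux() {
    printf '%s\n' "$1" | grep -q '[[:space:]]selinux_init$'
}

# 2) SELinux enabled at boot: the kernel logs "SELinux:  Initializing.".
selinux_initialized() {
    printf '%s\n' "$1" | grep -q '^SELinux:  Initializing\.'
}

# 3) selinuxfs registered: it is listed in /proc/filesystems.
selinuxfs_registered() {
    printf '%s\n' "$1" | grep -q 'selinuxfs'
}

# 4) A binary policy file (policy.NN) exists in the configured policy store.
policy_file_present() {
    printf '%s\n' "$1" | grep -q 'policy\.[0-9][0-9]*'
}

# 5) Policy loaded: after init hands the policy to the kernel it logs
#    "SELinux:  Completing initialization.".
policy_loaded() {
    printf '%s\n' "$1" | grep -q '^SELinux:  Completing initialization\.'
}

# diagnose KALLSYMS FILESYSTEMS DMESG POLICY_LISTING
# Prints one line naming the first failed stage, or "ok" when all pass.
diagnose() {
    kallsyms=$1; filesystems=$2; dmesg_out=$3; policy_ls=$4
    if ! kernel_has_selinux "$kallsyms"; then
        echo "kernel: no selinux_init symbol, SELinux is not built into this kernel"
    elif ! selinux_initialized "$dmesg_out"; then
        echo "boot: SELinux never initialized, check security=selinux selinux=1 on the kernel command line"
    elif ! selinuxfs_registered "$filesystems"; then
        echo "selinuxfs: not registered, so /selinux cannot be mounted"
    elif ! policy_file_present "$policy_ls"; then
        echo "policy: no policy.NN file in the policy store, install one (e.g. refpolicy)"
    elif ! policy_loaded "$dmesg_out"; then
        echo "load: policy present but never loaded by init, or rejected (e.g. version mismatch)"
    else
        echo "ok: SELinux enabled and policy loaded"
    fi
}

# Gather the real inputs on a running system (paths as used in the thread).
live_diagnose() {
    store=${1:-/etc/selinux/targeted/policy}
    diagnose "$(cat /proc/kallsyms 2>/dev/null)" \
             "$(cat /proc/filesystems 2>/dev/null)" \
             "$(dmesg 2>/dev/null)" \
             "$(ls "$store" 2>/dev/null)"
}

# Constructed samples (addresses are placeholders, not real output): kernel
# support present, SELinux starts permissive, policy.24 installed, but the
# kernel never reports "Completing initialization.".
SAMPLE_KALLSYMS='ffffffff81a2b000 t selinux_init
ffffffff81a2b100 t __initcall_selinux_init'
SAMPLE_FILESYSTEMS='nodev	sysfs
nodev	selinuxfs
	ext3'
SAMPLE_DMESG='SELinux:  Initializing.
SELinux:  Starting in permissive mode'
SAMPLE_POLICY_LS='policy.24'

if [ "${1:-}" = "--live" ]; then
    live_diagnose "${2:-}"
else
    diagnose "$SAMPLE_KALLSYMS" "$SAMPLE_FILESYSTEMS" "$SAMPLE_DMESG" "$SAMPLE_POLICY_LS"
fi
```

Run it with `--live [policy-dir]` on the box in question to get the same verdict from the real /proc files and dmesg.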



* Re: Enable selinux in SLES 11
  2010-08-24 14:44         ` Justin P. Mattock
@ 2010-08-25  7:53           ` imsand
  2010-08-25 13:41             ` Justin P. Mattock
  2010-08-25 19:03             ` Stephen Smalley
  0 siblings, 2 replies; 13+ messages in thread
From: imsand @ 2010-08-25  7:53 UTC (permalink / raw)
  To: Justin P. Mattock; +Cc: imsand, selinux

> On 08/24/2010 07:09 AM, imsand@puzzle.ch wrote:
>>> On 08/24/2010 12:14 AM, imsand@puzzle.ch wrote:
>>>>> On 08/23/2010 06:23 AM, imsand@puzzle.ch wrote:
>>>>>> Hello Everybody
>>>>>>
>>>>>> For quite a while I've been trying to enable selinux in SLES11, but
>>>>>> sestatus always shows DISABLED.
>>>>>>
>>>>>> The following steps I've already done:
>>>>>>      * installed all *selinux* packages from yast2
>>>>>>      * added the following boot parameters to the kernel:
>>>>>> security=selinux
>>>>>> selinux=1 enforcing=0
>>>>>>      * created /etc/selinux/config file with this content:
>>>>>>        SELINUX=enforcing
>>>>>>        SELINUXTYPE=targeted
>>>>>>
>>>>>> What I've noticed is that /selinux doesn't exist. I can't create
>>>>>> that
>>>>>> mountpoint manually because selinuxfs filesystem doesn't exist.
>>>>>>
>>>>>> Does anybody know if that could be the reason? And if so, how do I
>>>>>> get
>>>>>> selinux to work on SLES 11?
>>>>>> (As far as I know SLES 11 should be prepared to use selinux as a
>>>>>> technical
>>>>>> preview.)
>>>>>>
>>>>>> Thanks in advance
>>>>>> Matthias
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> It should be working (at least for opensuse 12); you need to mkdir
>>>>> /selinux
>>>>> then reboot (SELinux will mount its filesystem there, but can't if the
>>>>> mount point doesn't exist).
>>>>>
>>>>> Justin P. Mattock
>>>>>
>>>>
>>>> OpenSuse12? Do you mean opensuse 11.2?
>>>> Any other suggestions?
>>>>
>>>>
>>>
>>>
>>> Yeah, openSUSE 11.2, oops... As for any other advice, what Stephen had
>>> posted for you is probably the right info to go through.. just don't be
>>> afraid to ask questions..
>>>
>>> Justin P. Mattock
>>>
>>> Justin P. Mattock
>>>
>> Unfortunately it doesn't work. I've done all the steps described here:
>> http://thetoms-random-thoughts.blogspot.com/2008/12/selinux-on-opensuse-111.html
>> but this doesn't seem to work for sles 11.
>> Anybody out there who was able to run selinux on sles 11?
>> I've got some other questions:
>>    * what happens if the policy is not found? what would sestatus
>> report?
>>    * are there some good debug options for selinux? logs? any other
>> hints?
>> (dmesg shows nothing related to selinux)
>>
>> best regards
>> Imsand
>>
>>

Thank you for your answer.
Now I'm one step further :)
SELinux will now be loaded during startup. YEAH!!!
But now it has a problem with the installed policy. I get this error:
-----
SELinux: Could not open policy file <=
/etc/selinux/refpolicy-standard/policy/policy.23: No such file or
directory
Unable to load SELinux Policy. Machine is in enforcing mode. halting now.
-----

It is looking for a version 23 policy, but the installed one is
/etc/selinux/refpolicy-standard/policy/policy.24.

Simply renaming policy.24 to policy.23 doesn't work.
----
SELinux: policydb version 24 does not match my version range 15-23
SELinux: Could not load policy file
/etc/selinux/refpolicy-standard/policy/policy.23: Invalid argument.
----

Based on this error I have some questions:
1) It seems that SELinux is looking for a binary policy. Are only
monolithic policies allowed? Or how can I use the newer modular policies?

2) Is there a possibility of converting version 24 policies to version 23?
Or do I have to search for a version 23 policy for sles 11?

3) How can I upgrade sles 11 so that it accepts version 24 policies? Which
parts or libraries are responsible for the version check?

4) The policies from tresys seem to have a different format than the one
from
http://download.opensuse.org/repositories/security:/SELinux/openSUSE_Factory
that I've installed. (It is not simply a binary file?!?)

Here is some more information based on your guidance:
> hmm.. well if they have the SELinux packages from sles then that's a good
> indication that there's support..
>
> some things need to be checked though:
>
> 1) if sles already has the SELinux packages then you already have
> libselinux.so, libsepol, etc... if not, then download the SELinux
> userspace package and install it (gives you all the tools and libraries
> needed to use SELinux)
installed from the standard repository. This is okay!
>
> 2) is SELinux enabled in the kernel? (if not, either build a vanilla one and
> check "y" under security options for SELinux, or grab an already built
> rpm)
yes it is.
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set

> 2) sysvinit needs to have the init_load_policy() patch added to it in
> order for the policy to be loaded at boot. (if using upstart there's a
> patch as well, or a procedure to load_policy)
seems to be.

> 3) grab the latest refpolicy from tresys and install it.
> (or use the rpm that sles has (if it has one))
>
used this:
http://download.opensuse.org/repositories/security:/SELinux/openSUSE_Factory/noarch/selinux-policy-refpolicy-standard-2.20081210-13.1.noarch.rpm
This installs a /etc/selinux/config which points to refpolicy-standard,
which was created in /etc/selinux/refpolicy-standard/policy.24

> 4) once the policy is loading at boot then create your login info so
> SELinux starts in the right context. (semanage login -a -s staff_u name)
>
> 5) use audit2allow to add allow rules for the apps you want to use.
> (audit2allow -dM amodulenameforyourallowrules)
>
> 6) sit back with a beer (in enforcement mode) and enjoy SELinux!!
>
> remember there's plenty of people here to get you up and running...
>
> Justin P. Mattock
>
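To see the mismatch behind the two errors above (a policy.24 file against a kernel whose accepted range is 15-23) before rebooting into a halt, here is an added check script, not from the thread: it reads the version stamped in a binary policy file's header and compares it with the range the kernel accepts, where on a live box the upper bound comes from /selinux/policyvers and the lower bound 15 is the one the kernel printed. It assumes the standard kernel policydb header layout (u32 magic 0xf97cff8c, u32 string length, "SE Linux", u32 version) and a little-endian host; function names and the constructed header are mine.

```shell
#!/bin/sh
# Added example: check a binary SELinux policy's version against the range the
# kernel accepts, instead of finding out from "policydb version 24 does not
# match my version range 15-23" at boot. Assumes the policydb header layout
# magic(4) len(4) "SE Linux"(8) version(4), little-endian (x86).

# Print the policydb version stored at byte offset 16 of FILE.
policy_file_version() {
    # -j 16 skips magic + length + "SE Linux"; -N 4 reads one u32
    od -An -t u4 -j 16 -N 4 "$1" | tr -d ' '
}

# Verify the magic (0xf97cff8c, stored little-endian as 8c ff 7c f9) so a
# non-policy file is reported as such rather than as a bogus version.
policy_file_is_policydb() {
    [ "$(od -An -t x1 -N 4 "$1" 2>/dev/null | tr -d ' \n')" = "8cff7cf9" ]
}

# check_policy FILE MIN MAX -> "ok: ...", "too-new: ...", "too-old: ..." or
# "not-a-policy"
check_policy() {
    policy_file_is_policydb "$1" || { echo "not-a-policy"; return 0; }
    v=$(policy_file_version "$1")
    [ -n "$v" ] || { echo "not-a-policy"; return 0; }
    if [ "$v" -gt "$3" ]; then
        echo "too-new: policy is v$v, kernel accepts up to v$3"
    elif [ "$v" -lt "$2" ]; then
        echo "too-old: policy is v$v, kernel accepts from v$2"
    else
        echo "ok: policy v$v within kernel range $2-$3"
    fi
}

# On a running system: the kernel publishes its maximum policy version in
# selinuxfs (mounted at /selinux in the thread's era; override with SELINUXFS).
live_check() {
    fs=${SELINUXFS:-/selinux}
    store=${1:-/etc/selinux/refpolicy-standard/policy}
    max=$(cat "$fs/policyvers" 2>/dev/null) || { echo "selinuxfs not mounted at $fs"; return 0; }
    for f in "$store"/policy.*; do
        [ -f "$f" ] && echo "$f: $(check_policy "$f" 15 "$max")"
    done
}

# Write a constructed 20-byte policydb header (no policy body) with the given
# version into FILE, for testing the checker offline.
make_header() {
    # magic 0xf97cff8c LE, length 8 LE, "SE Linux"
    printf '\214\377\174\371\010\000\000\000SE Linux' > "$1"
    # version as a little-endian u32 (versions are well below 256)
    printf "\\$(printf '%03o' "$2")\\000\\000\\000" >> "$1"
}

# Demo: a version-24 policy against a 15-23 kernel, the thread's situation.
demo=$(mktemp)
make_header "$demo" 24
check_policy "$demo" 15 23
rm -f "$demo"
```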




* Re: Enable selinux in SLES 11
  2010-08-25  7:53           ` imsand
@ 2010-08-25 13:41             ` Justin P. Mattock
  2010-08-25 19:03             ` Stephen Smalley
  1 sibling, 0 replies; 13+ messages in thread
From: Justin P. Mattock @ 2010-08-25 13:41 UTC (permalink / raw)
  To: imsand; +Cc: selinux, Stephen Smalley

On 08/25/2010 12:53 AM, imsand@puzzle.ch wrote:
>> On 08/24/2010 07:09 AM, imsand@puzzle.ch wrote:
>>>> On 08/24/2010 12:14 AM, imsand@puzzle.ch wrote:
>>>>>> On 08/23/2010 06:23 AM, imsand@puzzle.ch wrote:
>>>>>>> Hello Everybody
>>>>>>>
>>>>>>> For quite a while I've been trying to enable selinux in SLES11, but
>>>>>>> sestatus always shows DISABLED.
>>>>>>>
>>>>>>> The following steps I've already done:
>>>>>>>       * installed all *selinux* packages from yast2
>>>>>>>       * added the following boot parameters to the kernel:
>>>>>>> security=selinux
>>>>>>> selinux=1 enforcing=0
>>>>>>>       * created /etc/selinux/config file with this content:
>>>>>>>         SELINUX=enforcing
>>>>>>>         SELINUXTYPE=targeted
>>>>>>>
>>>>>>> What I've noticed is that /selinux doesn't exist. I can't create
>>>>>>> that
>>>>>>> mountpoint manually because selinuxfs filesystem doesn't exist.
>>>>>>>
>>>>>>> Does anybody know if that could be the reason? And if so, how do I
>>>>>>> get
>>>>>>> selinux to work on SLES 11?
>>>>>>> (As far as I know SLES 11 should be prepared to use selinux as a
>>>>>>> technical
>>>>>>> preview.)
>>>>>>>
>>>>>>> Thanks in advance
>>>>>>> Matthias
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> It should be working (at least for opensuse 12); you need to mkdir
>>>>>> /selinux
>>>>>> then reboot (SELinux will mount its filesystem there, but can't if the
>>>>>> mount point doesn't exist).
>>>>>>
>>>>>> Justin P. Mattock
>>>>>>
>>>>>
>>>>> OpenSuse12? Do you mean opensuse 11.2?
>>>>> Any other suggestions?
>>>>>
>>>>>
>>>>
>>>>
>>>> Yeah, openSUSE 11.2, oops... As for any other advice, what Stephen had
>>>> posted for you is probably the right info to go through.. just don't be
>>>> afraid to ask questions..
>>>>
>>>> Justin P. Mattock
>>>>
>>>> Justin P. Mattock
>>>>
>>> Unfortunately it doesn't work. I've done all the steps described here:
>>> http://thetoms-random-thoughts.blogspot.com/2008/12/selinux-on-opensuse-111.html
>>> but this doesn't seem to work for sles 11.
>>> Anybody out there who was able to run selinux on sles 11?
>>> I've got some other questions:
>>>     * what happens if the policy is not found? what would sestatus
>>> report?
>>>     * are there some good debug options for selinux? logs? any other
>>> hints?
>>> (dmesg shows nothing related to selinux)
>>>
>>> best regards
>>> Imsand
>>>
>>>
>
> Thank you for your answer.
> Now I'm one step further :)
> SELinux will now be loaded during startup. YEAH!!!
> But now it has a problem with the installed policy. I get this error:

hey alright!!!

> -----
> SELinux: Could not open policy file<=
> /etc/selinux/refpolicy-standard/policy/policy.23: No such file or
> directory
> Unable to load SELinux Policy. Machine is in enforcing mode. halting now.

there's a policy version you can give to the policy in the
policy (build.conf), and in the kernel you can disable this in the kernel
then rebuild refpolicy to not use this (or set the kernel at 23/23 etc..
and set it in the policy).

> -----
>
> It is looking for a version 23 policy. but the installed one is
> /etc/selinux/refpolicy-standard/policy/policy.24.
>
> Simply renaming policy.24 to policy.23 doesn't work.
> ----
> SELinux: policydb version 24 does not match my version range 15-23
> SELinux: Could not load policy file
> /etc/selinux/refpolicy-standard/policy/policy.23: Invalid argument.
> ----
>
> Based on this error I have some questions:
> 1) It seems that SELinux is looking for a binary policy. Are there only
> monolithic policies allowed? Or how can I use the newer modular policies?
>

either or.. binary is easier to deal with(I think)

> 2) Is there a possibility to converting version 24 policies to version 23?
> Or do I have to search a version 23 policy for sles 11?

if sles built the kernel with 23 then just rebuild the policy with 23
(depending on the policy, it's located at /usr/share/selinux/*)

>
> 3) How can I upgrade sles 11 so that is accepts version 24 policies? Which
> parts or library are responsible for the version-check?
>
> 4) The policies from tresys seems to have an other format than the one
> from
> http://download.opensuse.org/repositories/security:/SELinux/openSUSE_Factory
> that I've installed. (It is not simply a binary file?!?)
>
> Here are some more information based on your guidance:
>> hmm.. well if they have the SELinux packages from sles then thats a good
>> indication that theres support..
>>
>> some things need to be checked though:
>>
>> 1) if sles already has the SELinux packages then you already have
>> libselinux.so, libsepol, etc... if not, then download the SELinux
>> userspace package and install it(gives you all the tools and libraries
>> needed to use SELinux)
> installed by standard repository. This is okay!

Main thing is making sure you build for the arch, i.e. openSUSE x86_64 uses
"multilib" x86_32 libs (-m32) and x86_64 (-m64) libs in /lib /lib64, so
getting that right you need to tweak a bit. If standard i686, everything just
goes into /lib /usr/lib.

>>
>> 2) is SELinux enabled in the kernel?(if not either build a vanilla and
>> check "y" under security options for SELinux, or grab an already built
>> rpm)
> yes it is.
> CONFIG_SECURITY_SELINUX=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
> CONFIG_SECURITY_SELINUX_DISABLE=y
> CONFIG_SECURITY_SELINUX_DEVELOP=y
> CONFIG_SECURITY_SELINUX_AVC_STATS=y
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
> CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y
> # CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
>

CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
So they didn't set this to a policy version, but they built the policy
with 23.

>> 2) sysvinit needs to have the init_load_policy() patch added to it in
>> order for the policy to be loaded at boot.(if using upstart theres a
>> patch as well, or proceedured to load_policy)
> seems to be.
>

If it's loading early, then yeah, they patched sysvinit.

>> 3) grab the latest refpolicy from tresys and install it.
>> (or use the rpm that sles has(if it has one)
>>
> used this:
> http://download.opensuse.org/repositories/security:/SELinux/openSUSE_Factory/noarch/selinux-policy-refpolicy-standard-2.20081210-13.1.noarch.rpm
> This installs a /etc/selinux/config which points to refpolicy-standard
> which was created in /etc/selinux/refpolicy-standard/policy.24
>

There's a bug with openSUSE where /etc/selinux/config had the wrong
permissions (check and make sure: chmod 644 /etc/selinux/config,
also add SETLOCALDEFS=0). Here's the bug report for pam.d so you can have
the right context:
https://bugzilla.novell.com/show_bug.cgi?id=582366
(simple fix)

Also /etc/initscript messes things up, so set the boolean
init_upstart to on (/usr/sbin/setsebool -P init_upstart on
or vim /etc/selinux/policytype/booleans*).


Keep in mind these were things with openSUSE, so things might be
different with SLES.


Cool, glad you're working on this!!

Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Enable selinux in SLES 11
  2010-08-25  7:53           ` imsand
  2010-08-25 13:41             ` Justin P. Mattock
@ 2010-08-25 19:03             ` Stephen Smalley
  1 sibling, 0 replies; 13+ messages in thread
From: Stephen Smalley @ 2010-08-25 19:03 UTC (permalink / raw)
  To: imsand; +Cc: Justin P. Mattock, selinux

On Wed, 2010-08-25 at 09:53 +0200, imsand@puzzle.ch wrote:
> Thank you for your answer.
> Now I'm one step further :)
> SELinux will now be loaded during startup. YEAH!!!
> But now it has a problem with the installed policy. I get this error:
> -----
> SELinux: Could not open policy file <=
> /etc/selinux/refpolicy-standard/policy/policy.23: No such file or
> directory
> Unable to load SELinux Policy. Machine is in enforcing mode. halting now.
> -----
> 
> It is looking for a version 23 policy. but the installed one is
> /etc/selinux/refpolicy-standard/policy/policy.24.
> 
> Simply renaming policy.24 to policy.23 doesn't work.
> ----
> SELinux: policydb version 24 does not match my version range 15-23
> SELinux: Could not load policy file
> /etc/selinux/refpolicy-standard/policy/policy.23: Invalid argument.

This means that the kernel and the libsepol in SLES 11 only supports up
to policy.23, so you need to build a policy with that version or older.

> ----
> 
> Based on this error I have some questions:
> 1) It seems that SELinux is looking for a binary policy. Are there only
> monolithic policies allowed? Or how can I use the newer modular policies?

Either one.  But regardless, in the end, even modular policies are
linked together into a single binary kernel policy for loading into the
kernel.  Policy modules are just a userspace construct.

> 2) Is there a possibility to converting version 24 policies to version 23?
> Or do I have to search a version 23 policy for sles 11?

You can:
a) rebuild the policy package from source on SLES 11.  This should yield
a policy.23 if that is what SLES 11 supports.  -or-
b) install a newer libsepol and checkpolicy that support policy.24.
Then the newer libsepol should allow you to load it (by automatically
converting it to policy.23 at load time).

> 3) How can I upgrade sles 11 so that it accepts version 24 policies? Which
> parts or library are responsible for the version-check?

You would need to upgrade libsepol and checkpolicy.

> 4) The policies from tresys seems to have an other format than the one
> from
> http://download.opensuse.org/repositories/security:/SELinux/openSUSE_Factory
> that I've installed. (It is not simply a binary file?!?)

Not sure what you mean.  Tresys distributes a tar file containing the
policy sources that you can build to generate a binary policy file.

-- 
Stephen Smalley
National Security Agency


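The version check Stephen describes above can be done offline before rebooting into enforcing mode. The following is an added example, not code from this thread or from the SELinux project: it reads the header that libsepol/checkpolicy writes at the start of every binary policy (magic 0xf97cff8c plus the string "SE Linux" for a kernel policy, magic 0xf97cff8d plus "SE Linux Module" for a .pp module, then the 32-bit little-endian policy version), compares the version with the maximum the running kernel reports in selinuxfs (`policyvers`), and models, in simplified form, why a kernel limited to 23 asks for policy.23 and never looks at policy.24. `pick_policy_file` is an assumption about the loader's search order, not a copy of libselinux; the sample headers are constructed and are not loadable policies.

```python
"""Added example: check a binary SELinux policy against the running kernel.

Not code from this thread. Header constants are those libsepol writes at the
start of every policydb (POLICYDB_MAGIC / "SE Linux" for a kernel policy,
POLICYDB_MOD_MAGIC / "SE Linux Module" for a .pp module).
"""
import os
import struct

POLICYDB_MAGIC = 0xF97CFF8C      # kernel policy (policy.N)
POLICYDB_MOD_MAGIC = 0xF97CFF8D  # loadable module (.pp): userspace-only format
POLICYDB_VERSION_MIN = 15        # the "15" in the kernel's "range 15-23"


def parse_policy_header(blob):
    """Return (kind, version) from the start of a policydb blob.

    Layout: u32 magic, u32 string length, the identifying string, then the
    u32 policy version. All fields are little-endian on every architecture.
    kind is "kernel" or "module"; anything else raises ValueError.
    """
    if len(blob) < 8:
        raise ValueError("too short to be a policydb")
    magic, slen = struct.unpack_from("<II", blob, 0)
    if magic == POLICYDB_MAGIC:
        kind, ident = "kernel", b"SE Linux"
    elif magic == POLICYDB_MOD_MAGIC:
        kind, ident = "module", b"SE Linux Module"
    else:
        raise ValueError("bad magic 0x%08x: not a policydb" % magic)
    if slen != len(ident) or blob[8:8 + slen] != ident or len(blob) < 12 + slen:
        raise ValueError("corrupt policydb header")
    (version,) = struct.unpack_from("<I", blob, 8 + slen)
    return kind, version


def kernel_max_policyvers(mounts=("/sys/fs/selinux", "/selinux")):
    """Highest policy version the running kernel accepts (selinuxfs
    'policyvers'), or None when selinuxfs is not mounted, i.e. SELinux is
    disabled or was never enabled at boot."""
    for root in mounts:
        try:
            with open(os.path.join(root, "policyvers")) as f:
                return int(f.read().strip())
        except (OSError, ValueError):
            continue
    return None


def check_loadable(blob, kernel_max):
    """Decide whether a kernel whose maximum version is kernel_max can load
    blob as-is. Returns (ok, explanation)."""
    try:
        kind, version = parse_policy_header(blob)
    except ValueError as err:
        return False, str(err)
    if kind == "module":
        return False, ("policy module version %d: modules are linked into a "
                       "kernel policy by semodule, they cannot be loaded directly"
                       % version)
    if not POLICYDB_VERSION_MIN <= version <= kernel_max:
        return False, ("policy version %d outside kernel range %d-%d: rebuild "
                       "for version %d (checkpolicy -c %d) or use a libsepol "
                       "that can downgrade it at load time"
                       % (version, POLICYDB_VERSION_MIN, kernel_max,
                          kernel_max, kernel_max))
    return True, ("policy version %d loadable (kernel range %d-%d)"
                  % (version, POLICYDB_VERSION_MIN, kernel_max))


def pick_policy_file(policy_dir, kernel_max, names):
    """Simplified model (an assumption, not libselinux itself) of how the
    boot-time loader chooses a file without libsepol: try policy.<kernel_max>
    and count down; a policy.N newer than the kernel is never considered,
    which is why a kernel limited to 23 asks for policy.23 and ignores
    policy.24. names is the directory listing, passed in for testability."""
    present = set(names)
    for vers in range(kernel_max, POLICYDB_VERSION_MIN - 1, -1):
        name = "policy.%d" % vers
        if name in present:
            return os.path.join(policy_dir, name)
    return None


def make_header(magic, ident, version):
    """Constructed test input: only the header bytes, not a loadable policy."""
    return struct.pack("<II", magic, len(ident)) + ident + struct.pack("<I", version)


if __name__ == "__main__":
    # Reproduce the situation from the thread: policy.24 on a kernel limited to 23.
    kmax = kernel_max_policyvers() or 23   # fall back to the SLES 11 value offline
    listing = ["policy.24"]                # what the refpolicy-standard RPM installed
    print(pick_policy_file("/etc/selinux/refpolicy-standard/policy", kmax, listing))
    print(check_loadable(make_header(POLICYDB_MAGIC, b"SE Linux", 24), kmax))
    print(check_loadable(make_header(POLICYDB_MAGIC, b"SE Linux", 23), kmax))
```

To take option (a) from the reply above, set `OUTPUT_POLICY = 23` in refpolicy's build.conf (or pass `checkpolicy -c 23` when compiling a monolithic policy) so the build emits policy.23 on the SLES 11 toolchain; option (b) is a libsepol newer than the kernel, which lets the loader open policy.24 and downgrade it to the kernel's maximum at load time.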

* Re: Enable selinux in SLES 11
  2010-08-23 13:23 Enable selinux in SLES 11 imsand
  2010-08-23 15:49 ` Stephen Smalley
  2010-08-23 16:54 ` Justin P. Mattock
@ 2010-08-26  7:32 ` Thomas
  2 siblings, 0 replies; 13+ messages in thread
From: Thomas @ 2010-08-26  7:32 UTC (permalink / raw)
  To: imsand; +Cc: selinux

Hi,

Am Montag 23 August 2010 15:23:54 schrieb imsand@puzzle.ch:
> Hello Everybody
> 
> For quite a while I've been trying to enable selinux in SLES11, but
> sestatus always show DISABLED.

sles11-sp1?


> The following steps I've already done:
>   * installed all *selinux* packages from yast2
>   * add the following boot parameters to the kernel: security=selinux
> selinux=1 enforcing=0
>   * created /etc/selinux/config file with the that content:
>     SELINUX=enforcing
>     SELINUXTYPE=targeted
> 
> What I've noticed is, that /selinux doesn't exit. I can't create that
> mountpoint manually because selinuxfs filesystem doesn't exist.

Just a "mkdir /selinux" and reboot is/should be sufficient.

Around July this year we released new SElinux packages and an updated
mkinitrd for SLES11 to solve this issue. Are these packages at their
current state?

HTH
Thomas



* Re: Enable selinux in SLES 11
  2010-08-24 14:48         ` Stephen Smalley
@ 2010-08-26  7:37           ` Thomas
  0 siblings, 0 replies; 13+ messages in thread
From: Thomas @ 2010-08-26  7:37 UTC (permalink / raw)
  To: Stephen Smalley, selinux

Hi.

Am Dienstag 24 August 2010 16:48:50 schrieb Stephen Smalley:
> On Tue, 2010-08-24 at 16:09 +0200, imsand@puzzle.ch wrote:
> > Unfortunately it doesn't work. I've done all steps described in here:
> > http://thetoms-random-thoughts.blogspot.com/2008/12/selinux-on-opensuse-1
> >11.html but this doesn't seems to work for sles 11.
> > Anybody out there, who was able to run selinux on sles 11?
> > I've got some other questions?
> >   * what happens if the policy is not found? what would sestatus report?
> >   * are there some good debug options for selinux? logs? any other hints?
> > (dmesg shows nothing related to selinux)
> 
> I've only seen successful reports of getting SELinux to run with
> OpenSUSE 11.2 and later, and even that hasn't been trivial.  I haven't
> seen any reports of getting it to work with SLES 11.  But you should ask
> Novell about it.

Since openSUSE 11.3 it is much easier. You can use yast2 (bootloader menu)
to enable SELinux.

Bye
Thomas


end of thread, other threads:[~2010-08-26  7:37 UTC | newest]

Thread overview: 13+ messages
2010-08-23 13:23 Enable selinux in SLES 11 imsand
2010-08-23 15:49 ` Stephen Smalley
2010-08-23 16:54 ` Justin P. Mattock
2010-08-24  7:14   ` imsand
2010-08-24 13:30     ` Justin P. Mattock
2010-08-24 14:09       ` imsand
2010-08-24 14:44         ` Justin P. Mattock
2010-08-25  7:53           ` imsand
2010-08-25 13:41             ` Justin P. Mattock
2010-08-25 19:03             ` Stephen Smalley
2010-08-24 14:48         ` Stephen Smalley
2010-08-26  7:37           ` Thomas
2010-08-26  7:32 ` Thomas
