* SELinux on Wheezy
From: C.J. Adams-Collier KF7BMP @ 2012-02-06 4:26 UTC
To: SE-Linux

Hey folks,

I brought up a wheezy install on an alternate lvm root a couple of weeks ago. I turned SELinux on shortly thereafter. I think I updated my kernel, and now X won't start. Could someone look at these logs with me and help figure out what's going on? Something showed up during boot that said something about updating labels, but I didn't capture it. Where should I look to find these boot logs, do you think?

http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log

Thank you in advance!

C.J.
* Re: SELinux on Wheezy
From: Stephen Smalley @ 2012-02-06 15:39 UTC
To: cjac; +Cc: SE-Linux, Russell Coker

On Sun, 2012-02-05 at 20:26 -0800, C.J. Adams-Collier KF7BMP wrote:
> Hey folks,
>
> I brought up a wheezy install on an alternate lvm root a couple of weeks
> ago. I turned SELinux on shortly thereafter. I think I updated my
> kernel, and now X won't start. Could someone look at these logs with me
> and help figure out what's going on? Something showed up during boot
> that said something about updating labels, but I didn't capture it.
> Where should I look to find these boot logs, do you think?
>
> http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log

Are there any avc denials? If running auditd, then use ausearch -m AVC. Otherwise grep for avc: in your messages file or dmesg output.

What does sestatus report?

--
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
* Re: SELinux on Wheezy
From: C.J. Adams-Collier KF7BMP @ 2012-02-06 16:17 UTC
To: Stephen Smalley; +Cc: SE-Linux, Russell Coker

On Mon, 2012-02-06 at 10:39 -0500, Stephen Smalley wrote:
> On Sun, 2012-02-05 at 20:26 -0800, C.J. Adams-Collier KF7BMP wrote:
> > Hey folks,
> >
> > I brought up a wheezy install on an alternate lvm root a couple of weeks
> > ago. I turned SELinux on shortly thereafter. I think I updated my
> > kernel, and now X won't start. Could someone look at these logs with me
> > and help figure out what's going on? Something showed up during boot
> > that said something about updating labels, but I didn't capture it.
> > Where should I look to find these boot logs, do you think?
> >
> > http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log
>
> Are there any avc denials? If running auditd, then use ausearch -m AVC.
> Otherwise grep for avc: in your messages file or dmesg output.
>
> What does sestatus report?

Thank you for your quick response, Stephen.

I'm using Evolution as my MUA and haven't got mutt set up on the new system yet, so email and selinux are currently mutually exclusive. I've saved this email to a text file and will re-start the kernel with selinux enabled, run these commands > log and re-boot. I'm waiting on a ferry that leaves in 15 minutes, so I won't have the results until I get to my desk in Seattle after noon (-0800).

C.J.
* Re: SELinux on Wheezy
From: C.J. Adams-Collier KF7BMP @ 2012-02-06 23:23 UTC
To: Stephen Smalley; +Cc: SE-Linux, Russell Coker

On Mon, 2012-02-06 at 08:17 -0800, C.J. Adams-Collier KF7BMP wrote:
> On Mon, 2012-02-06 at 10:39 -0500, Stephen Smalley wrote:
> > On Sun, 2012-02-05 at 20:26 -0800, C.J. Adams-Collier KF7BMP wrote:
> > > Hey folks,
> > >
> > > I brought up a wheezy install on an alternate lvm root a couple of weeks
> > > ago. I turned SELinux on shortly thereafter. I think I updated my
> > > kernel, and now X won't start. Could someone look at these logs with me
> > > and help figure out what's going on? Something showed up during boot
> > > that said something about updating labels, but I didn't capture it.
> > > Where should I look to find these boot logs, do you think?
> > >
> > > http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log
> >
> > Are there any avc denials? If running auditd, then use ausearch -m AVC.
> > Otherwise grep for avc: in your messages file or dmesg output.
> >
> > What does sestatus report?
>
> Thank you for your quick response, Stephen.
>
> I'm using Evolution as my MUA and haven't got mutt set up on the new
> system yet, so email and selinux are currently mutually exclusive. I've
> saved this email to a text file and will re-start the kernel with
> selinux enabled, run these commands > log and re-boot. I'm waiting on a
> ferry that leaves in 15 minutes, so I won't have the results until I get
> to my desk in Seattle after noon (-0800).
>
> C.J.

Stephen,

Here are the logs you requested:

http://www.colliertech.org/federal/nsa/avc-20120206T090101.log

http://www.colliertech.org/federal/nsa/sestatus-20120206T090618.log

It seems to me that the Debian SELinux docs could use some improvement. To this end, I have submitted an application to join the SELinux project on Alioth. I will probably make some updates to the wiki pages as well.

I am going to install the packages which provide the tools you and Dominick recommended this morning and dig a little deeper as time permits.

Thank you again for taking the time to help me through this.

C.J.
* Re: SELinux on Wheezy
From: Dominick Grift @ 2012-02-06 23:48 UTC
To: C.J. Adams-Collier KF7BMP; +Cc: SE-Linux

> Stephen,
>
> Here are the logs you requested:
>
> http://www.colliertech.org/federal/nsa/avc-20120206T090101.log

The above logs expose two bugs in your policy, I believe. Are you using the latest available policy?

Possible temporary fixes:

echo 'avc: denied { associate } for pid=384 comm="restorecon" name="shm" dev=devtmpfs ino=5266 scontext=system_u:object_r:tmpfs_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem' | audit2allow -M myfs; sudo semodule -i myfs.pp

echo 'avc: denied { syslog } for pid=1824 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2' | audit2allow -M mykernel; sudo semodule -i mykernel.pp
* Re: SELinux on Wheezy
From: Stephen Smalley @ 2012-02-07 17:42 UTC
To: C.J. Adams-Collier KF7BMP; +Cc: SE-Linux, Russell Coker

On Mon, 2012-02-06 at 15:23 -0800, C.J. Adams-Collier KF7BMP wrote:
> Here are the logs you requested:
>
> http://www.colliertech.org/federal/nsa/avc-20120206T090101.log
>
> http://www.colliertech.org/federal/nsa/sestatus-20120206T090618.log
>
> It seems to me that the Debian SELinux docs could use some improvement.
> To this end, I have submitted an application to join the SELinux project
> on Alioth. I will probably make some updates to the wiki pages as well.
>
> I am going to install the packages which provide the tools you and
> Dominick recommended this morning and dig a little deeper as time
> permits.
>
> Thank you again for taking the time to help me through this.

The avc message suggests that your processes are not running in the right domains, which in turn suggests that perhaps your filesystems are not correctly labeled. sestatus -v should provide more information.

--
Stephen Smalley
National Security Agency
* Re: SELinux on Wheezy
From: Dominick Grift @ 2012-02-07 18:44 UTC
To: selinux

On Tue, 2012-02-07 at 12:42 -0500, Stephen Smalley wrote:
>
> The avc message suggests that your processes are not running in the
> right domains, which in turn suggests that perhaps your filesystems are
> not correctly labeled. sestatus -v should provide more information.
>

Whoops, yes, I agree there. rsyslogd runs in the kernel_t domain.
* Re: SELinux on Wheezy
From: C.J. Adams-Collier KF7BMP @ 2012-02-07 18:55 UTC
To: Stephen Smalley; +Cc: SE-Linux, Russell Coker

On Tue, 2012-02-07 at 12:42 -0500, Stephen Smalley wrote:
> sestatus -v

Rebooting and running this command + logs.
* Re: SELinux on Wheezy
From: Russell Coker @ 2012-02-09 13:17 UTC
To: C.J. Adams-Collier KF7BMP; +Cc: SE-Linux

On Tue, 7 Feb 2012, "C.J. Adams-Collier KF7BMP" <cjac@colliertech.org> wrote:
> It seems to me that the Debian SELinux docs could use some improvement.
> To this end, I have submitted an application to join the SELinux project
> on Alioth. I will probably make some updates to the wiki pages as well.

I've approved that (sorry for the delay). I look forward to seeing your work.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
* Re: SELinux on Wheezy
From: Dominick Grift @ 2012-02-06 15:56 UTC
To: cjac; +Cc: SE-Linux

On Sun, 2012-02-05 at 20:26 -0800, C.J. Adams-Collier KF7BMP wrote:
> Hey folks,
>
> I brought up a wheezy install on an alternate lvm root a couple of weeks
> ago. I turned SELinux on shortly thereafter. I think I updated my
> kernel, and now X won't start. Could someone look at these logs with me
> and help figure out what's going on? Something showed up during boot
> that said something about updating labels, but I didn't capture it.
> Where should I look to find these boot logs, do you think?
>
> http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log
>
> Thank you in advance!
>
> C.J.
>
> Seems to be an XACE issue.
>
> /var/log/Xorg.56.log.old:[ 46.050] SELinux: a property label lookup failed!
>
> /var/log/Xorg.56.log.old:[ 46.050] SELinux: Failed to set label property on window!

getsebool -a | grep xserver_object_manager

Does it work if you set it to off?

setsebool -P xserver_object_manager off

http://selinuxproject.org/page/NB_XWIN
* Re: SELinux on Wheezy
From: C.J. Adams-Collier KF7BMP @ 2012-02-06 16:21 UTC
To: Dominick Grift; +Cc: SE-Linux, Russell Coker

On Mon, 2012-02-06 at 16:56 +0100, Dominick Grift wrote:
> On Sun, 2012-02-05 at 20:26 -0800, C.J. Adams-Collier KF7BMP wrote:
> > Hey folks,
> >
> > I brought up a wheezy install on an alternate lvm root a couple of weeks
> > ago. I turned SELinux on shortly thereafter. I think I updated my
> > kernel, and now X won't start. Could someone look at these logs with me
> > and help figure out what's going on? Something showed up during boot
> > that said something about updating labels, but I didn't capture it.
> > Where should I look to find these boot logs, do you think?
> >
> > http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log
> >
> > Thank you in advance!
> >
> > C.J.
> >
> > Seems to be an XACE issue.
> >
> > /var/log/Xorg.56.log.old:[ 46.050] SELinux: a property label lookup failed!
> > /var/log/Xorg.56.log.old:[ 46.050] SELinux: Failed to set label property on window!
>
> getsebool -a | xserver_object_manager
>
> Does it work if you set it to off?
>
> setsebool -P xserver_object_manager off
>
> http://selinuxproject.org/page/NB_XWIN

Thank you Dominick. I will give this a try when I re-boot.

Russell, do you think this is something we should patch in to the xorg debian packaging?
* Re: SELinux on Wheezy
From: C.J. Adams-Collier KF7BMP @ 2012-02-07 17:35 UTC
To: Dominick Grift; +Cc: SE-Linux, Russell Coker

On Mon, 2012-02-06 at 08:21 -0800, C.J. Adams-Collier KF7BMP wrote:
> On Mon, 2012-02-06 at 16:56 +0100, Dominick Grift wrote:
> > On Sun, 2012-02-05 at 20:26 -0800, C.J. Adams-Collier KF7BMP wrote:
> > > Hey folks,
> > >
> > > I brought up a wheezy install on an alternate lvm root a couple of weeks
> > > ago. I turned SELinux on shortly thereafter. I think I updated my
> > > kernel, and now X won't start. Could someone look at these logs with me
> > > and help figure out what's going on? Something showed up during boot
> > > that said something about updating labels, but I didn't capture it.
> > > Where should I look to find these boot logs, do you think?
> > >
> > > http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log
> > >
> > > Thank you in advance!
> > >
> > > C.J.
> > >
> > > Seems to be an XACE issue.
> > >
> > > /var/log/Xorg.56.log.old:[ 46.050] SELinux: a property label lookup failed!
> > > /var/log/Xorg.56.log.old:[ 46.050] SELinux: Failed to set label property on window!
> >
> > getsebool -a | xserver_object_manager
> >
> > Does it work if you set it to off?
> >
> > setsebool -P xserver_object_manager off
> >
> > http://selinuxproject.org/page/NB_XWIN
>
> Thank you Dominick. I will give this a try when I re-boot.
>
> Russell, do you think this is something we should patch in to the xorg
> debian packaging?
>

http://www.colliertech.org/federal/nsa/sebool-20120206T091638.log:
cjac@foxtrot:~$ sudo getsebool -a | grep -i xserver_object_manager | wc -l
0
cjac@foxtrot:~$ sudo setsebool -P xserver_object_manager off
libsemanage.dbase_llist_set: record not found in the database (No such file or directory).
libsemanage.dbase_llist_set: could not set record value (No such file or directory).
Could not change boolean xserver_object_manager
Could not change policy booleans

How do I fill these in? Is there a .deb with the correct policy modification?

Thanks,

C.J.
* Re: SELinux on Wheezy
From: Stephen Smalley @ 2012-02-07 17:47 UTC
To: C.J. Adams-Collier KF7BMP; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Tue, 2012-02-07 at 09:35 -0800, C.J. Adams-Collier KF7BMP wrote:
> On Mon, 2012-02-06 at 08:21 -0800, C.J. Adams-Collier KF7BMP wrote:
> > On Mon, 2012-02-06 at 16:56 +0100, Dominick Grift wrote:
> > > On Sun, 2012-02-05 at 20:26 -0800, C.J. Adams-Collier KF7BMP wrote:
> > > > Hey folks,
> > > >
> > > > I brought up a wheezy install on an alternate lvm root a couple of weeks
> > > > ago. I turned SELinux on shortly thereafter. I think I updated my
> > > > kernel, and now X won't start. Could someone look at these logs with me
> > > > and help figure out what's going on? Something showed up during boot
> > > > that said something about updating labels, but I didn't capture it.
> > > > Where should I look to find these boot logs, do you think?
> > > >
> > > > http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log
> > > >
> > > > Thank you in advance!
> > > >
> > > > C.J.
> > > >
> > > > Seems to be an XACE issue.
> > > >
> > > > /var/log/Xorg.56.log.old:[ 46.050] SELinux: a property label lookup failed!
> > > > /var/log/Xorg.56.log.old:[ 46.050] SELinux: Failed to set label property on window!
> > >
> > > getsebool -a | xserver_object_manager
> > >
> > > Does it work if you set it to off?
> > >
> > > setsebool -P xserver_object_manager off
> > >
> > > http://selinuxproject.org/page/NB_XWIN
> >
> > Thank you Dominick. I will give this a try when I re-boot.
> >
> > Russell, do you think this is something we should patch in to the xorg
> > debian packaging?
> >
>
> http://www.colliertech.org/federal/nsa/sebool-20120206T091638.log:
> cjac@foxtrot:~$ sudo getsebool -a | grep -i xserver_object_manager | wc -l
> 0
> cjac@foxtrot:~$ sudo setsebool -P xserver_object_manager off
> libsemanage.dbase_llist_set: record not found in the database (No such file or directory).
> libsemanage.dbase_llist_set: could not set record value (No such file or directory).
> Could not change boolean xserver_object_manager
> Could not change policy booleans
>
> How do I fill these in? Is there a .deb with the correct policy
> modification?

That's interesting - suggests that you do not have the xserver policy module installed. semodule -l shows what?

--
Stephen Smalley
National Security Agency
* Re: SELinux on Wheezy
From: C.J. Adams-Collier KF7BMP @ 2012-02-07 18:56 UTC
To: Stephen Smalley; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Tue, 2012-02-07 at 12:47 -0500, Stephen Smalley wrote:
> semodule -l

Rebooting and running + logs.
* Re: SELinux on Wheezy
From: C.J. Adams-Collier @ 2012-02-07 20:02 UTC
To: Stephen Smalley; +Cc: Dominick Grift, SE-Linux, Russell Coker

cjac@foxtrot:~$ scp ~/selinux/*20120207*.log 172.16.12.22:/var/www/colliertech.org/wiki/federal/nsa/

--
~/selinux/semodule_-l_20120207T110759.log:
apache 2.3.0
dbus 1.15.0
devicekit 1.1.0
dmidecode 1.4.0
exim 1.5.0
ftp 1.13.0
git 1.0
gpg 2.4.0
lda 1.9.0
lvm 1.13.0
netutils 1.11.0
openvpn 1.10.0
ptchown 1.1.0
pythonsupport 0.0.1
remotelogin 1.7.0
rpc 1.13.0
rpcbind 1.5.0
rsync 1.11.0
ssh 2.2.0
sudo 1.8.0
tcpd 1.4.0
telnet 1.10.0
tzdata 1.4.0
unconfined 3.3.0

--
~/selinux/sestatus_-v_20120207T110759.log:
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 26
Policy from config file:        default

Process contexts:
Current context:                unconfined_u:system_r:insmod_t:SystemLow-SystemHigh
Init context:                   system_u:system_r:kernel_t:SystemLow
/usr/sbin/sshd                  system_u:system_r:kernel_t:SystemLow

File contexts:
Controlling term:               unconfined_u:object_r:tty_device_t:SystemLow
/etc/passwd                     unconfined_u:object_r:user_home_t:SystemLow
/etc/shadow                     unconfined_u:object_r:user_home_t:SystemLow
/bin/bash                       unconfined_u:object_r:user_home_t:SystemLow
/bin/login                      unconfined_u:object_r:user_home_t:SystemLow
/bin/sh                         unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow
/sbin/agetty                    unconfined_u:object_r:user_home_t:SystemLow
/sbin/init                      unconfined_u:object_r:user_home_t:SystemLow
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:SystemLow
/lib/ld-linux.so.2              unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow

--
~/selinux/ausearch_-m_20120207T110759.log:
Tue Feb 7 11:14:55 PST 2012
<no matches>

--
cjac@foxtrot:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: cjac@COLLIERTECH.ORG

Valid starting     Expires            Service principal
07/02/2012 12:01   07/02/2012 22:01   krbtgt/COLLIERTECH.ORG@COLLIERTECH.ORG
        renew until 08/02/2012 12:01
* Re: SELinux on Wheezy
From: Stephen Smalley @ 2012-02-07 20:08 UTC
To: C.J. Adams-Collier; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Tue, 2012-02-07 at 12:02 -0800, C.J. Adams-Collier wrote:
> ~/selinux/semodule_-l_20120207T110759.log:
> apache 2.3.0
> dbus 1.15.0
> devicekit 1.1.0
> dmidecode 1.4.0
> exim 1.5.0
> ftp 1.13.0
> git 1.0
> gpg 2.4.0
> lda 1.9.0
> lvm 1.13.0
> netutils 1.11.0
> openvpn 1.10.0
> ptchown 1.1.0
> pythonsupport 0.0.1
> remotelogin 1.7.0
> rpc 1.13.0
> rpcbind 1.5.0
> rsync 1.11.0
> ssh 2.2.0
> sudo 1.8.0
> tcpd 1.4.0
> telnet 1.10.0
> tzdata 1.4.0
> unconfined 3.3.0

So no xserver module, unless it happens to be part of your base module.

seinfo -txserver_t

> ~/selinux/sestatus_-v_20120207T110759.log:
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: permissive
> Policy version: 26
> Policy from config file: default
>
> Process contexts:
> Current context: unconfined_u:system_r:insmod_t:SystemLow-SystemHigh
> Init context: system_u:system_r:kernel_t:SystemLow
> /usr/sbin/sshd system_u:system_r:kernel_t:SystemLow
>
> File contexts:
> Controlling term: unconfined_u:object_r:tty_device_t:SystemLow
> /etc/passwd unconfined_u:object_r:user_home_t:SystemLow
> /etc/shadow unconfined_u:object_r:user_home_t:SystemLow
> /bin/bash unconfined_u:object_r:user_home_t:SystemLow
> /bin/login unconfined_u:object_r:user_home_t:SystemLow
> /bin/sh unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow
> /sbin/agetty unconfined_u:object_r:user_home_t:SystemLow
> /sbin/init unconfined_u:object_r:user_home_t:SystemLow
> /usr/sbin/sshd system_u:object_r:sshd_exec_t:SystemLow
> /lib/ld-linux.so.2 unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow

So everything except for /usr/sbin/sshd has the wrong file context, and all of your processes are still running in the kernel's domain.

I think you need a new policy, and then you need to relabel your filesystems.

--
Stephen Smalley
National Security Agency
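The two symptoms Stephen reads off the output above (daemons still in kernel_t, system files carrying user_home_t) and the denials Dominick posted earlier can be checked mechanically. The script below is an added example, not code from anyone in this thread: it parses AVC lines and sestatus -v output (the sample inputs are copied from the thread, with the sestatus column layout reconstructed) and shows why the rsyslogd denial is a labelling fault to relabel away rather than something to feed to audit2allow.

```python
"""Triage the SELinux symptoms discussed in this thread from captured output.
Added example; not code from the thread's participants."""
import re

# The two denials Dominick Grift quoted from the avc log, copied verbatim.
SAMPLE_AVC = [
    'avc: denied { associate } for pid=384 comm="restorecon" name="shm" dev=devtmpfs '
    'ino=5266 scontext=system_u:object_r:tmpfs_t:s0 tcontext=system_u:object_r:device_t:s0 '
    'tclass=filesystem',
    'avc: denied { syslog } for pid=1824 comm="rsyslogd" capability=34 '
    'scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 '
    'tclass=capability2',
]

# C.J.'s `sestatus -v` output, trimmed to its two tables, columns restored.
SAMPLE_SESTATUS = """\
Process contexts:
Current context:    unconfined_u:system_r:insmod_t:SystemLow-SystemHigh
Init context:       system_u:system_r:kernel_t:SystemLow
/usr/sbin/sshd      system_u:system_r:kernel_t:SystemLow

File contexts:
Controlling term:   unconfined_u:object_r:tty_device_t:SystemLow
/etc/passwd         unconfined_u:object_r:user_home_t:SystemLow
/etc/shadow         unconfined_u:object_r:user_home_t:SystemLow
/bin/bash           unconfined_u:object_r:user_home_t:SystemLow
/bin/login          unconfined_u:object_r:user_home_t:SystemLow
/bin/sh             unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow
/sbin/agetty        unconfined_u:object_r:user_home_t:SystemLow
/sbin/init          unconfined_u:object_r:user_home_t:SystemLow
/usr/sbin/sshd      system_u:object_r:sshd_exec_t:SystemLow
/lib/ld-linux.so.2  unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Types that never belong on files outside /home: Stephen's "filesystems
# not correctly labeled" case.
MISLABEL_TYPES = {'user_home_t', 'unlabeled_t'}


def context_type(context):
    """'system_u:system_r:kernel_t:s0' -> 'kernel_t' ('' if malformed)."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else ''


def parse_avc(line):
    """Fields of one AVC record as a dict, or None if the line is not a denial.
    Works on dmesg and on audit.log/ausearch lines: the regex anchors on 'avc:'."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    record = {'perms': match.group('perms').split()}
    for key, value in FIELD_RE.findall(match.group('fields')):
        record[key] = value.strip('"')
    return record


def triage_avc(line):
    """('mislabelled-process', comm) or ('policy-gap', comm); None for non-AVC lines.
    A daemon whose source context is kernel_t never made a domain transition, so
    its executable is mislabelled or the module defining its domain is not loaded.
    audit2allow on such a denial would grant the permission to kernel_t itself."""
    record = parse_avc(line)
    if record is None:
        return None
    stuck = context_type(record.get('scontext', '')) == 'kernel_t'
    return ('mislabelled-process' if stuck else 'policy-gap', record.get('comm', '?'))


def parse_sestatus(text):
    """Split `sestatus -v` into {'process': [(name, [ctx, ...])], 'file': [...]}.
    Symlink rows ("a -> b") carry two contexts; both are kept."""
    sections = {'process': [], 'file': []}
    current = None
    for line in text.splitlines():
        if line.startswith('Process contexts:'):
            current = 'process'
        elif line.startswith('File contexts:'):
            current = 'file'
        elif current is not None and line.strip():
            tokens = line.split()
            contexts = [t for t in tokens if t.count(':') >= 3]  # user:role:type:range
            name = ' '.join(t for t in tokens if t not in contexts and t != '->')
            sections[current].append((name.rstrip(':'), contexts))
    return sections


def find_labelling_faults(text):
    """(processes still in kernel_t, system files carrying a home-directory type)."""
    parsed = parse_sestatus(text)
    in_kernel_domain = [n for n, ctxs in parsed['process']
                        if any(context_type(c) == 'kernel_t' for c in ctxs)]
    mislabelled = [n for n, ctxs in parsed['file']
                   if not n.startswith('/home')
                   and any(context_type(c) in MISLABEL_TYPES for c in ctxs)]
    return in_kernel_domain, mislabelled


if __name__ == '__main__':
    print([triage_avc(l) for l in SAMPLE_AVC], find_labelling_faults(SAMPLE_SESTATUS))
```

On a live system, pipe `ausearch -m AVC` or `dmesg | grep avc:` into triage_avc and `sestatus -v` into find_labelling_faults; any hit in the second means relabelling (fixfiles relabel) comes before any policy change.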
* Re: SELinux on Wheezy
From: C.J. Adams-Collier @ 2012-02-07 21:05 UTC
To: Stephen Smalley; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Tue, Feb 07, 2012 at 03:08:25PM -0500, Stephen Smalley wrote:
> On Tue, 2012-02-07 at 12:02 -0800, C.J. Adams-Collier wrote:
> > ~/selinux/semodule_-l_20120207T110759.log:
> > apache 2.3.0
> > dbus 1.15.0
> > devicekit 1.1.0
> > dmidecode 1.4.0
> > exim 1.5.0
> > ftp 1.13.0
> > git 1.0
> > gpg 2.4.0
> > lda 1.9.0
> > lvm 1.13.0
> > netutils 1.11.0
> > openvpn 1.10.0
> > ptchown 1.1.0
> > pythonsupport 0.0.1
> > remotelogin 1.7.0
> > rpc 1.13.0
> > rpcbind 1.5.0
> > rsync 1.11.0
> > ssh 2.2.0
> > sudo 1.8.0
> > tcpd 1.4.0
> > telnet 1.10.0
> > tzdata 1.4.0
> > unconfined 3.3.0
>
> So no xserver module, unless it happens to be part of your base module.
> seinfo -txserver_t

cjac@foxtrot:~$ sudo which seinfo
cjac@foxtrot:~$ apt-file search seinfo | grep bin | wc -l
0

Any idea where I can get the xserver module? Russell?

> > ~/selinux/sestatus_-v_20120207T110759.log:
> > SELinux status: enabled
> > SELinuxfs mount: /selinux
> > Current mode: permissive
> > Mode from config file: permissive
> > Policy version: 26
> > Policy from config file: default
> >
> > Process contexts:
> > Current context: unconfined_u:system_r:insmod_t:SystemLow-SystemHigh
> > Init context: system_u:system_r:kernel_t:SystemLow
> > /usr/sbin/sshd system_u:system_r:kernel_t:SystemLow
> >
> > File contexts:
> > Controlling term: unconfined_u:object_r:tty_device_t:SystemLow
> > /etc/passwd unconfined_u:object_r:user_home_t:SystemLow
> > /etc/shadow unconfined_u:object_r:user_home_t:SystemLow
> > /bin/bash unconfined_u:object_r:user_home_t:SystemLow
> > /bin/login unconfined_u:object_r:user_home_t:SystemLow
> > /bin/sh unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow
> > /sbin/agetty unconfined_u:object_r:user_home_t:SystemLow
> > /sbin/init unconfined_u:object_r:user_home_t:SystemLow
> > /usr/sbin/sshd system_u:object_r:sshd_exec_t:SystemLow
> > /lib/ld-linux.so.2 unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow
>
> So everything except for /usr/sbin/sshd has the wrong file context, and
> all of your processes are still running in the kernel's domain.
>
> I think you need a new policy, and then you need to relabel your
> filesystems.

Sounds reasonable. Do I get policy from my distribution, or should I generate one myself?

cjac@foxtrot:~$ dpkg -l | grep selinux-policy
ii  selinux-policy-default  2:2.20110726-3  Strict and Targeted variants of the SELinux policy
ii  selinux-policy-dev      2:2.20110726-3  Headers from the SELinux reference policy for building modules
ii  selinux-policy-doc      2:2.20110726-3  Documentation for the SELinux reference policy

cjac@foxtrot:~$ apt-cache search selinux-policy
selinux-policy-default - Strict and Targeted variants of the SELinux policy
selinux-policy-dev - Headers from the SELinux reference policy for building modules
selinux-policy-doc - Documentation for the SELinux reference policy
selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
selinux-policy-src - Source of the SELinux reference policy for customization

If I'm going to generate one myself, I need to understand them a bit better. I would like anything I generate to be useable by the rest of the Debian world. There seem to be some examples I ran review in the selinux-policy-doc and selinux-policy-mls packages.

Regarding re-labeling, every time I boot without the selinux arguments to my kernel and then boot with them, the filesystem seems to get re-labeled. Is there a better way to do this?

Thanks for helping me cope with my ignorance.

C.J.
* Re: SELinux on Wheezy
From: Stephen Smalley @ 2012-02-08 13:24 UTC
To: C.J. Adams-Collier; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Tue, 2012-02-07 at 13:05 -0800, C.J. Adams-Collier wrote:
> cjac@foxtrot:~$ sudo which seinfo
> cjac@foxtrot:~$ apt-file search seinfo | grep bin | wc -l
> 0

seinfo is part of the setools package.

> Sounds reasonable. Do I get policy from my distribution, or should I
> generate one myself?

Normally from your distribution, assuming the selinux packages for Debian are still being maintained.

IIRC, the Debian selinux policy package tries to minimize the set of installed policy modules based on the set of installed packages, but that isn't an exact mapping and might be leaving you without a complete policy. Whereas Fedora installs all policy modules unconditionally.

If the .pp files are on your filesystem and just not installed into the policy store, you can manually add them by running semodule -i on them. Try listing the files installed from your policy packages and see if xserver.pp is among them.

> cjac@foxtrot:~$ dpkg -l | grep selinux-policy
> ii selinux-policy-default 2:2.20110726-3 Strict and Targeted variants of the SELinux policy
> ii selinux-policy-dev 2:2.20110726-3 Headers from the SELinux reference policy for building modules
> ii selinux-policy-doc 2:2.20110726-3 Documentation for the SELinux reference policy
>
> cjac@foxtrot:~$ apt-cache search selinux-policy
> selinux-policy-default - Strict and Targeted variants of the SELinux policy
> selinux-policy-dev - Headers from the SELinux reference policy for building modules
> selinux-policy-doc - Documentation for the SELinux reference policy
> selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
> selinux-policy-src - Source of the SELinux reference policy for customization
>
> If I'm going to generate one myself, I need to understand them a bit
> better. I would like anything I generate to be useable by the rest of
> the Debian world. There seem to be some examples I ran review in the
> selinux-policy-doc and selinux-policy-mls packages.
>
> Regarding re-labeling, every time I boot without the selinux arguments
> to my kernel and then boot with them, the filesystem seems to get
> re-labeled. Is there a better way to do this?

On Fedora, you could touch /.autorelabel or pass "autorelabel" on the kernel command line to force a relabel at boot. You can also run fixfiles relabel as a command after booting. No need to disable SELinux and then re-enable it.

--
Stephen Smalley
National Security Agency
* Re: SELinux on Wheezy
From: C.J. Adams-Collier KF7BMP @ 2012-02-08 17:39 UTC
To: Stephen Smalley; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Wed, 2012-02-08 at 08:24 -0500, Stephen Smalley wrote:
> On Tue, 2012-02-07 at 13:05 -0800, C.J. Adams-Collier wrote:
> > cjac@foxtrot:~$ sudo which seinfo
> > cjac@foxtrot:~$ apt-file search seinfo | grep bin | wc -l
> > 0
>
> seinfo is part of the setools package.

$ apt-cache search -n setools
erlang-parsetools - Erlang/OTP parsing tools

Hmm.

Would it be safe to build seinfo from source and use it along with the distro-installed tools?  If so, what's the git repo I should clone from?

> > Sounds reasonable.  Do I get policy from my distribution, or should I
> > generate one myself?
>
> Normally from your distribution, assuming the selinux packages for
> Debian are still being maintained.

I believe they are.  I exchanged email with Russell about it not long ago.  But then, gtkglarea is still officially maintained and I made the first update in nearly a year 36 hours ago.  Perhaps the package needs 1 or more co-maintainers to improve coverage.

> IIRC, the Debian selinux policy package tries to minimize the set of
> installed policy modules based on the set of installed packages, but
> that isn't an exact mapping and might be leaving you without a complete
> policy.  Whereas Fedora installs all policy modules unconditionally.

If the overhead is not too great, perhaps this can be duplicated in Debian.  I do hate paying for things I don't use, though.  Especially when the cost is substantial.  The same is probably true of many other Debian users.

> If the .pp files are on your filesystem and just not installed into the
> policy store, you can manually add them by running semodule -i on them.
> Try listing the files installed from your policy packages and see if
> xserver.pp is among them.

$ locate xserver.pp
/usr/share/selinux/default/xserver.pp

I'll run semodule -i after this morning's reboot.  I installed mutt yesterday, so I'll work from the console until you folks sign off for the evening.

> > cjac@foxtrot:~$ dpkg -l | grep selinux-policy
> > ii  selinux-policy-default  2:2.20110726-3  Strict and Targeted variants of the SELinux policy
> > ii  selinux-policy-dev      2:2.20110726-3  Headers from the SELinux reference policy for building modules
> > ii  selinux-policy-doc      2:2.20110726-3  Documentation for the SELinux reference policy
> >
> > cjac@foxtrot:~$ apt-cache search selinux-policy
> > selinux-policy-default - Strict and Targeted variants of the SELinux policy
> > selinux-policy-dev - Headers from the SELinux reference policy for building modules
> > selinux-policy-doc - Documentation for the SELinux reference policy
> > selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
> > selinux-policy-src - Source of the SELinux reference policy for customization
> >
> > If I'm going to generate one myself, I need to understand them a bit
> > better.  I would like anything I generate to be usable by the rest of
> > the Debian world.  There seem to be some examples I can review in the
> > selinux-policy-doc and selinux-policy-mls packages.
> >
> > Regarding re-labeling, every time I boot without the selinux arguments
> > to my kernel and then boot with them, the filesystem seems to get
> > re-labeled.  Is there a better way to do this?
>
> On Fedora, you could touch /.autorelabel or pass "autorelabel" on the
> kernel command line to force a relabel at boot.  You can also run
> fixfiles relabel as a command after booting.  No need to disable SELinux
> and then re-enable it.

Great.  I do have a copy of fixfiles.
* Re: SELinux on Wheezy
From: Stephen Smalley @ 2012-02-08 17:54 UTC
To: C.J. Adams-Collier KF7BMP; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Wed, 2012-02-08 at 09:39 -0800, C.J. Adams-Collier KF7BMP wrote:
> On Wed, 2012-02-08 at 08:24 -0500, Stephen Smalley wrote:
> > On Tue, 2012-02-07 at 13:05 -0800, C.J. Adams-Collier wrote:
> > > cjac@foxtrot:~$ sudo which seinfo
> > > cjac@foxtrot:~$ apt-file search seinfo | grep bin | wc -l
> > > 0
> >
> > seinfo is part of the setools package.
>
> $ apt-cache search -n setools
> erlang-parsetools - Erlang/OTP parsing tools
>
> Hmm.
>
> Would it be safe to build seinfo from source and use it along with the
> distro-installed tools?  If so, what's the git repo I should clone from?

Curious, as setools is packaged for Debian squeeze per packages.debian.org.  Did the package go un-maintained before wheezy?

Upstream is at:
http://oss.tresys.com/projects/setools

> $ locate xserver.pp
> /usr/share/selinux/default/xserver.pp
>
> I'll run semodule -i after this morning's reboot.  I installed mutt
> yesterday, so I'll work from the console until you folks sign off for
> the evening.

I'd suggest installing all of the .pp files to ensure you aren't missing anything else.  The man page for semodule has some examples of how to install all modules from a directory.

-- 
Stephen Smalley
National Security Agency
* Re: SELinux on Wheezy
From: C.J. Adams-Collier KF7BMP @ 2012-02-08 19:45 UTC
To: Stephen Smalley; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Wed, 2012-02-08 at 12:54 -0500, Stephen Smalley wrote:
> On Wed, 2012-02-08 at 09:39 -0800, C.J. Adams-Collier KF7BMP wrote:
> > On Wed, 2012-02-08 at 08:24 -0500, Stephen Smalley wrote:
> > > On Tue, 2012-02-07 at 13:05 -0800, C.J. Adams-Collier wrote:
> > > > cjac@foxtrot:~$ sudo which seinfo
> > > > cjac@foxtrot:~$ apt-file search seinfo | grep bin | wc -l
> > > > 0
> > >
> > > seinfo is part of the setools package.
> >
> > $ apt-cache search -n setools
> > erlang-parsetools - Erlang/OTP parsing tools
> >
> > Hmm.
> >
> > Would it be safe to build seinfo from source and use it along with the
> > distro-installed tools?  If so, what's the git repo I should clone from?
>
> Curious, as setools is packaged for Debian squeeze per
> packages.debian.org.  Did the package go un-maintained before wheezy?
>
> Upstream is at:
> http://oss.tresys.com/projects/setools

cjac@foxtrot:/usr/src/git/debian/setools$ git log | head -5
commit 22a5d3e451d8a1e60a3c746466c865e63089a92a
Merge: fa238f0 149e283
Author: Manoj Srivastava <srivasta@debian.org>
Date:   Tue Jul 20 23:10:06 2010 -0700

I guess it has been unmaintained.  I just sent an email off to srivasta@ requesting some help getting the package built.

> > $ locate xserver.pp
> > /usr/share/selinux/default/xserver.pp
> >
> > I'll run semodule -i after this morning's reboot.  I installed mutt
> > yesterday, so I'll work from the console until you folks sign off for
> > the evening.
>
> I'd suggest installing all of the .pp files to ensure you aren't missing
> anything else.  The man page for semodule has some examples of how to
> install all modules from a directory.

What's the best way to do this at boot?
* Re: SELinux on Wheezy
From: Stephen Smalley @ 2012-02-08 20:17 UTC
To: C.J. Adams-Collier KF7BMP; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Wed, 2012-02-08 at 11:45 -0800, C.J. Adams-Collier KF7BMP wrote:
> > > $ locate xserver.pp
> > > /usr/share/selinux/default/xserver.pp
> > >
> > > I'll run semodule -i after this morning's reboot.  I installed mutt
> > > yesterday, so I'll work from the console until you folks sign off for
> > > the evening.
> >
> > I'd suggest installing all of the .pp files to ensure you aren't missing
> > anything else.  The man page for semodule has some examples of how to
> > install all modules from a directory.
>
> What's the best way to do this at boot?

You just do it once and it remains until/unless you remove it with semodule -r.  No need to do it on each boot.  Normally it is done when you install the policy package, but since your policy package apparently didn't install all modules, I'm suggesting that you do so manually.

cd /usr/share/selinux/default
ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -b base.pp -i

should install them all.

-- 
Stephen Smalley
National Security Agency
* Re: SELinux on Wheezy
From: C.J. Adams-Collier KF7BMP @ 2012-02-08 21:32 UTC
To: Stephen Smalley; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Wed, 2012-02-08 at 15:17 -0500, Stephen Smalley wrote:
> On Wed, 2012-02-08 at 11:45 -0800, C.J. Adams-Collier KF7BMP wrote:
> > > > $ locate xserver.pp
> > > > /usr/share/selinux/default/xserver.pp
> > > >
> > > > I'll run semodule -i after this morning's reboot.  I installed mutt
> > > > yesterday, so I'll work from the console until you folks sign off for
> > > > the evening.
> > >
> > > I'd suggest installing all of the .pp files to ensure you aren't missing
> > > anything else.  The man page for semodule has some examples of how to
> > > install all modules from a directory.
> >
> > What's the best way to do this at boot?
>
> You just do it once and it remains until/unless you remove it with
> semodule -r.  No need to do it on each boot.  Normally it is done when
> you install the policy package, but since your policy package apparently
> didn't install all modules, I'm suggesting that you do so manually.
>
> cd /usr/share/selinux/default
> ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -b base.pp -i
> should install them all.

Okay.  Do these ever get purged under any other circumstances?  I noted that when I booted without selinux enabled and then with it enabled, the filesystem was re-labeled.  Does anything else get triggered in this situation?  Specifically, do policies get removed?

It looks like the alsa.pp is failing, so my working and slightly modified command was:

$ pushd /usr/share/selinux/default
$ time sudo \
    semodule -i `ls *.pp | grep -v -e 'base.pp' -e 'alsa.pp'`

real    0m24.148s
user    0m23.249s
sys     0m0.628s

This seems like it would take slightly less time than piping the output of ls to xargs, since it only runs semodule once.

$ time ls *.pp | grep -v -e 'base.pp' -e 'alsa.pp' | \
    xargs sudo semodule -b base.pp -i

real    0m25.659s
user    0m24.778s
sys     0m0.660s

But they both get the job done and the difference in run time is very small.
* Re: SELinux on Wheezy
From: Russell Coker @ 2012-02-09 13:08 UTC
To: C.J. Adams-Collier KF7BMP; +Cc: Stephen Smalley, SE-Linux

On Thu, 9 Feb 2012, "C.J. Adams-Collier KF7BMP" <cjac@colliertech.org> wrote:
> Okay.  Do these ever get purged under any other circumstances?

Generally no.  The only case where modules are automatically removed is when you upgrade the policy package and you have obsolete modules installed.  This is generally to prevent upgrades from failing.

> I noted
> that when I booted without selinux enabled and then with it enabled, the
> filesystem was re-labeled.  Does anything else get triggered in this
> situation?  Specifically, do policies get removed?

No.  That will never happen.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
* Re: SELinux on Wheezy
From: Stephen Smalley @ 2012-02-09 13:55 UTC
To: C.J. Adams-Collier KF7BMP; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Wed, 2012-02-08 at 13:32 -0800, C.J. Adams-Collier KF7BMP wrote:
> Okay.  Do these ever get purged under any other circumstances?  I noted
> that when I booted without selinux enabled and then with it enabled, the
> filesystem was re-labeled.  Does anything else get triggered in this
> situation?  Specifically, do policies get removed?

No.

> It looks like the alsa.pp is failing, so my working and slightly
> modified command was:

That's interesting, and it might explain why your policy didn't get fully installed originally.  Is that alsa.pp file from the current selinux-policy package or is it a leftover of an older one?  What is the error you get with it?  It should be removed if it doesn't work.

> $ pushd /usr/share/selinux/default
> $ time sudo \
>     semodule -i `ls *.pp | grep -v -e 'base.pp' -e 'alsa.pp'`
>
> real    0m24.148s
> user    0m23.249s
> sys     0m0.628s
>
> This seems like it would take slightly less time than piping the output
> of ls to xargs, since it only runs semodule once.
>
> $ time ls *.pp | grep -v -e 'base.pp' -e 'alsa.pp' | \
>     xargs sudo semodule -b base.pp -i
>
> real    0m25.659s
> user    0m24.778s
> sys     0m0.660s
>
> But they both get the job done and the difference in run time is very
> small.

Feel free to submit a patch for the EXAMPLES section in the semodule man page.  Even better would be to improve semodule so that it automatically detects the base module and handles it so that you can just do semodule -i *.pp in all cases and not have to worry about filtering the list and handling base specially.

-- 
Stephen Smalley
National Security Agency
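As an added example (not code from the thread, nor from semodule or the Debian policy package), here is a small POSIX shell script that does what the semodule commands in the exchange above do: it installs base.pp via -b and every other module in the directory via -i in a single semodule run, and if that run fails it installs the modules one at a time so the module that breaks the install (alsa.pp above) is reported by name rather than silently dropped. The directory argument, the SEMODULE override and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from the semodule project.
# Installs every policy module in a directory the way the commands in
# this thread do (base.pp via -b, all other .pp files via -i, in one
# semodule run) and, if that single run fails, retries one module at a
# time so the module that breaks the install (alsa.pp above) is named.
# Assumptions: the .pp files live in the directory given as $1, base.pp
# is the base module, and SEMODULE may be overridden (used by tests).

SEMODULE="${SEMODULE:-/usr/sbin/semodule}"

# Print the path of every non-base .pp module in DIR, one per line.
# Modules named in SKIP (space-separated) are left out; enableaudit.pp
# is skipped by default, as in the thread's xargs command.
list_modules() {
    dir="$1"
    skip="${2:-enableaudit.pp}"
    for f in "$dir"/*.pp; do
        if [ ! -e "$f" ]; then continue; fi      # glob matched nothing
        name=${f##*/}
        case "$name" in base.pp) continue ;; esac
        case " $skip " in *" $name "*) continue ;; esac
        printf '%s\n' "$f"
    done
    return 0
}

# Install base.pp plus every module list_modules reports from DIR.
# Returns 0 on success, 2 if DIR has no base.pp, otherwise the number
# of modules that still failed after the per-module retry.
install_all() {
    dir="$1"
    skip="$2"
    if [ ! -f "$dir/base.pp" ]; then
        echo "install_all: no base.pp in $dir" >&2
        return 2
    fi

    # Build the argument list from paths only.  Feeding semodule anything
    # else (e.g. the "OK" column debsums prints next to a path) makes it
    # treat that word as a module name and fail, as happened in the thread.
    set --
    while IFS= read -r m; do
        if [ -n "$m" ]; then set -- "$@" "$m"; fi
    done <<EOF
$(list_modules "$dir" "$skip")
EOF

    if [ $# -eq 0 ]; then
        "$SEMODULE" -b "$dir/base.pp"
        return $?
    fi

    # One transaction: the base module via -b, the rest via -i.  This is
    # the form the thread shows working; the policy is rebuilt only once.
    if "$SEMODULE" -b "$dir/base.pp" -i "$@"; then
        return 0
    fi

    # Batch failed: install base alone, then each module on its own so the
    # culprit is reported by name and the good modules still get installed.
    echo "install_all: batch install failed, retrying module by module" >&2
    if ! "$SEMODULE" -b "$dir/base.pp"; then return 1; fi
    failed=0
    for m in "$@"; do
        if ! "$SEMODULE" -i "$m"; then
            echo "install_all: FAILED: $m (check 'semodule -i $m' by hand)" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Stand-alone use (needs root): sh install-all-modules.sh /usr/share/selinux/default
if [ $# -gt 0 ]; then install_all "$1"; fi
```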
* Re: SELinux on Wheezy
From: C.J. Adams-Collier KF7BMP @ 2012-02-09 17:34 UTC
To: Stephen Smalley; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Thu, 2012-02-09 at 08:55 -0500, Stephen Smalley wrote:
> On Wed, 2012-02-08 at 13:32 -0800, C.J. Adams-Collier KF7BMP wrote:
> > Okay.  Do these ever get purged under any other circumstances?  I noted
> > that when I booted without selinux enabled and then with it enabled, the
> > filesystem was re-labeled.  Does anything else get triggered in this
> > situation?  Specifically, do policies get removed?
>
> No.
>
> > It looks like the alsa.pp is failing, so my working and slightly
> > modified command was:
>
> That's interesting, and it might explain why your policy didn't get
> fully installed originally.  Is that alsa.pp file from the current
> selinux-policy package or is it a leftover of an older one?  What is the
> error you get with it?  It should be removed if it doesn't work.

cjac@foxtrot:~$ locate alsa.pp | xargs dpkg -S | awk -F: '{print $1}' | xargs debsums | grep alsa.pp
/usr/share/selinux/default/alsa.pp                                        OK
cjac@foxtrot:~$

How do I check for an error?  Not on STDOUT or STDERR it seems...  This may be one of the strangest, least useful error messages I've ever seen.  But it's got stiff competition.

cjac@foxtrot:~$ locate alsa.pp | xargs dpkg -S | awk -F: '{print $1}' | xargs debsums | grep alsa.pp | sudo xargs semodule -i
semodule: Failed on OK!

> > $ pushd /usr/share/selinux/default
> > $ time sudo \
> >     semodule -i `ls *.pp | grep -v -e 'base.pp' -e 'alsa.pp'`
> >
> > real    0m24.148s
> > user    0m23.249s
> > sys     0m0.628s
> >
> > This seems like it would take slightly less time than piping the output
> > of ls to xargs, since it only runs semodule once.
> >
> > $ time ls *.pp | grep -v -e 'base.pp' -e 'alsa.pp' | \
> >     xargs sudo semodule -b base.pp -i
> >
> > real    0m25.659s
> > user    0m24.778s
> > sys     0m0.660s
> >
> > But they both get the job done and the difference in run time is very
> > small.

Yep.  Might be a potential indicator for performance improvement, however.

> Feel free to submit a patch for the EXAMPLES section in the semodule man
> page.  Even better would be to improve semodule so that it automatically
> detects the base module and handles it so that you can just do semodule
> -i *.pp in all cases and not have to worry about filtering the list and
> handling base specially.

Sounds reasonable.  Git URI, anyone?
* Re: SELinux on Wheezy
From: Stephen Smalley @ 2012-02-09 17:53 UTC
To: C.J. Adams-Collier KF7BMP; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Thu, 2012-02-09 at 09:34 -0800, C.J. Adams-Collier KF7BMP wrote:
> > That's interesting, and it might explain why your policy didn't get
> > fully installed originally.  Is that alsa.pp file from the current
> > selinux-policy package or is it a leftover of an older one?  What is the
> > error you get with it?  It should be removed if it doesn't work.
>
> cjac@foxtrot:~$ locate alsa.pp | xargs dpkg -S | awk -F: '{print $1}' | xargs debsums | grep alsa.pp
> /usr/share/selinux/default/alsa.pp                                        OK
> cjac@foxtrot:~$
>
> How do I check for an error?  Not on STDOUT or STDERR it seems...  This
> may be one of the strangest, least useful error messages I've ever seen.
> But it's got stiff competition.
>
> cjac@foxtrot:~$ locate alsa.pp | xargs dpkg -S | awk -F: '{print $1}' | xargs debsums | grep alsa.pp | sudo xargs semodule -i
> semodule: Failed on OK!

I'm not sure what you are trying to do, but the above command will ultimately call semodule -i on both alsa.pp and the "OK" string from the output above, and as OK is not a module or even a file it naturally fails.  I just wanted to know what semodule -i alsa.pp reports, since you said it failed in some way.

> > Feel free to submit a patch for the EXAMPLES section in the semodule man
> > page.  Even better would be to improve semodule so that it automatically
> > detects the base module and handles it so that you can just do semodule
> > -i *.pp in all cases and not have to worry about filtering the list and
> > handling base specially.
>
> Sounds reasonable.  Git URI, anyone?

SELinux userspace lives at http://userspace.selinuxproject.org.  You can clone via git clone http://oss.tresys.com/git/selinux.git .  semodule is under policycoreutils.

-- 
Stephen Smalley
National Security Agency
* Re: SELinux on Wheezy
From: Russell Coker @ 2012-02-09 13:05 UTC
To: C.J. Adams-Collier KF7BMP; +Cc: Stephen Smalley, SE-Linux

On Thu, 9 Feb 2012, "C.J. Adams-Collier KF7BMP" <cjac@colliertech.org> wrote:
> On Wed, 2012-02-08 at 08:24 -0500, Stephen Smalley wrote:
> > On Tue, 2012-02-07 at 13:05 -0800, C.J. Adams-Collier wrote:
> > > cjac@foxtrot:~$ sudo which seinfo
> > > cjac@foxtrot:~$ apt-file search seinfo | grep bin | wc -l
> > > 0
> >
> > seinfo is part of the setools package.
>
> $ apt-cache search -n setools
> erlang-parsetools - Erlang/OTP parsing tools
>
> Hmm.

# apt-cache search -n setools
erlang-parsetools - Erlang/OTP parsing tools
libsetools-java - SETools Java bindings (architecture-independent)
libsetools-jni - SETools Java bindings (architecture-dependent)
libsetools-tcl - SETools Tcl bindings
python-setools - SETools Python bindings
setools - tools for Security Enhanced Linux policy analysis

Works for me when tracking unstable.

http://bugs.debian.org/cgi-bin/pkgreport.cgi?package=setools

But it's got a grave bug and an important bug.  CJ, would you like to help in fixing these?  It's probably not going to be any more difficult than building your own copy from upstream source.

> > > Sounds reasonable.  Do I get policy from my distribution, or should I
> > > generate one myself?
> >
> > Normally from your distribution, assuming the selinux packages for
> > Debian are still being maintained.

Of course they are still being maintained.

> I believe they are.  I exchanged email with Russell about it not long
> ago.  But then, gtkglarea is still officially maintained and I made the
> first update in nearly a year 36 hours ago.  Perhaps the package needs 1
> or more co-maintainers to improve coverage.

Yes, more help would be good.

Manoj has disappeared; he has not answered any mail I sent him for a long time.  Everything that lists him as the maintainer needs a new maintainer.

> > IIRC, the Debian selinux policy package tries to minimize the set of
> > installed policy modules based on the set of installed packages, but
> > that isn't an exact mapping and might be leaving you without a complete
> > policy.  Whereas Fedora installs all policy modules unconditionally.
>
> If the overhead is not too great, perhaps this can be duplicated in
> Debian.  I do hate paying for things I don't use, though.  Especially
> when the cost is substantial.  The same is probably true of many other
> Debian users.

The only problem in Debian in this regard is when you install new packages after installing the SE Linux policy.  I plan to somehow hook into the package installation process to install new policy modules as needed.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
* Re: SELinux on Wheezy
From: C.J. Adams-Collier KF7BMP @ 2012-02-09 16:40 UTC
To: russell; +Cc: Stephen Smalley, SE-Linux

On Fri, 2012-02-10 at 00:05 +1100, Russell Coker wrote:
> On Thu, 9 Feb 2012, "C.J. Adams-Collier KF7BMP" <cjac@colliertech.org> wrote:
> > On Wed, 2012-02-08 at 08:24 -0500, Stephen Smalley wrote:
> > > On Tue, 2012-02-07 at 13:05 -0800, C.J. Adams-Collier wrote:
> > > > cjac@foxtrot:~$ sudo which seinfo
> > > > cjac@foxtrot:~$ apt-file search seinfo | grep bin | wc -l
> > > > 0
> > >
> > > seinfo is part of the setools package.
> >
> > $ apt-cache search -n setools
> > erlang-parsetools - Erlang/OTP parsing tools
> >
> > Hmm.
>
> # apt-cache search -n setools
> erlang-parsetools - Erlang/OTP parsing tools
> libsetools-java - SETools Java bindings (architecture-independent)
> libsetools-jni - SETools Java bindings (architecture-dependent)
> libsetools-tcl - SETools Tcl bindings
> python-setools - SETools Python bindings
> setools - tools for Security Enhanced Linux policy analysis
>
> Works for me when tracking unstable.

I was hoping you wouldn't say that.  I like the sound of wheezy better than sid.  I guess my

$ cat /etc/debian_version

says wheezy/sid

Let's get it back into testing if we can.

> http://bugs.debian.org/cgi-bin/pkgreport.cgi?package=setools
>
> But it's got a grave bug and an important bug.  CJ, would you like to help in
> fixing these?  It's probably not going to be any more difficult than building
> your own copy from upstream source.

That sounds fine.  If maintenance lasts beyond 2013/01/01 (and I expect it will), you should know that my volunteer time will be considered part of my donation in public service to my state guard association.  Shared Copyright will then be donated to this public Company.

I have a copy of the upstream source which Mr. Smalley directed me to.  I will build it as time permits.  Right now I've got to write some Perl for my Employer.

> > > > Sounds reasonable.  Do I get policy from my distribution, or should I
> > > > generate one myself?
> > >
> > > Normally from your distribution, assuming the selinux packages for
> > > Debian are still being maintained.
>
> Of course they are still being maintained.

Good to hear from you what I already knew.  I'm glad we're all on the same page.

> > I believe they are.  I exchanged email with Russell about it not long
> > ago.  But then, gtkglarea is still officially maintained and I made the
> > first update in nearly a year 36 hours ago.  Perhaps the package needs 1
> > or more co-maintainers to improve coverage.
>
> Yes, more help would be good.

Sounds good.

> Manoj has disappeared; he has not answered any mail I sent him for a long
> time.  Everything that lists him as the maintainer needs a new maintainer.

Roger.  I'll get my alioth account back online and my key into my authorized_keys file.  I tried to bring it back online the other day, and the mono/cli team said they thought it should still be active.  So I'll see if the sysops can reset my credentials.

> > > IIRC, the Debian selinux policy package tries to minimize the set of
> > > installed policy modules based on the set of installed packages, but
> > > that isn't an exact mapping and might be leaving you without a complete
> > > policy.  Whereas Fedora installs all policy modules unconditionally.
> >
> > If the overhead is not too great, perhaps this can be duplicated in
> > Debian.  I do hate paying for things I don't use, though.  Especially
> > when the cost is substantial.  The same is probably true of many other
> > Debian users.
>
> The only problem in Debian in this regard is when you install new packages
> after installing the SE Linux policy.  I plan to somehow hook into the package
> installation process to install new policy modules as needed.

Sounds good.  Last I heard it was written in Perl.
* Re: SELinux on Wheezy
From: Russell Coker @ 2012-02-09 13:12 UTC
To: C.J. Adams-Collier KF7BMP; +Cc: Dominick Grift, SE-Linux

On Tue, 7 Feb 2012, "C.J. Adams-Collier KF7BMP" <cjac@colliertech.org> wrote:
> > Does it work if you set it to off?
> >
> > > > setsebool -P xserver_object_manager off
> > > >
> > > > http://selinuxproject.org/page/NB_XWIN
>
> Thank you Dominick.  I will give this a try when I re-boot.
>
> Russell, do you think this is something we should patch in to the xorg
> debian packaging?

Yes, I want to get XACE supported.  It's just a matter of time...

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/