* SELinux on Wheezy
From: C.J. Adams-Collier KF7BMP @ 2012-02-06  4:26 UTC (permalink / raw)
  To: SE-Linux


Hey folks,

I brought up a wheezy install on an alternate lvm root a couple of weeks
ago.  I turned SELinux on shortly thereafter.  I think I updated my
kernel, and now X won't start.  Could someone look at these logs with me
and help figure out what's going on?  Something showed up during boot
that said something about updating labels, but I didn't capture it.
Where should I look to find these boot logs, do you think?

http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log

Thank you in advance!

C.J.




* Re: SELinux on Wheezy
From: Stephen Smalley @ 2012-02-06 15:39 UTC (permalink / raw)
  To: cjac; +Cc: SE-Linux, Russell Coker

On Sun, 2012-02-05 at 20:26 -0800, C.J. Adams-Collier KF7BMP wrote:
> Hey folks,
> 
> I brought up a wheezy install on an alternate lvm root a couple of weeks
> ago.  I turned SELinux on shortly thereafter.  I think I updated my
> kernel, and now X won't start.  Could someone look at these logs with me
> and help figure out what's going on?  Something showed up during boot
> that said something about updating labels, but I didn't capture it.
> Where should I look to find these boot logs, do you think?
> 
> http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log

Are there any avc denials?  If running auditd, then use ausearch -m AVC.
Otherwise grep for avc: in your messages file or dmesg output.

What does sestatus report?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: SELinux on Wheezy
From: Dominick Grift @ 2012-02-06 15:56 UTC (permalink / raw)
  To: cjac; +Cc: SE-Linux

On Sun, 2012-02-05 at 20:26 -0800, C.J. Adams-Collier KF7BMP wrote:
> Hey folks,
> 
> I brought up a wheezy install on an alternate lvm root a couple of weeks
> ago.  I turned SELinux on shortly thereafter.  I think I updated my
> kernel, and now X won't start.  Could someone look at these logs with me
> and help figure out what's going on?  Something showed up during boot
> that said something about updating labels, but I didn't capture it.
> Where should I look to find these boot logs, do you think?
> 
> http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log
> 
> Thank you in advance!
> 
> C.J.
> 
> 

Seems to be an XACE issue.

> > /var/log/Xorg.56.log.old:[    46.050] SELinux: a property label lookup failed!
> > /var/log/Xorg.56.log.old:[    46.050] SELinux: Failed to set label property on window!

getsebool -a | grep xserver_object_manager

Does it work if you set it to off?

setsebool -P xserver_object_manager off

http://selinuxproject.org/page/NB_XWIN




* Re: SELinux on Wheezy
From: C.J. Adams-Collier KF7BMP @ 2012-02-06 16:17 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SE-Linux, Russell Coker


On Mon, 2012-02-06 at 10:39 -0500, Stephen Smalley wrote:
> On Sun, 2012-02-05 at 20:26 -0800, C.J. Adams-Collier KF7BMP wrote:
> > Hey folks,
> > 
> > I brought up a wheezy install on an alternate lvm root a couple of weeks
> > ago.  I turned SELinux on shortly thereafter.  I think I updated my
> > kernel, and now X won't start.  Could someone look at these logs with me
> > and help figure out what's going on?  Something showed up during boot
> > that said something about updating labels, but I didn't capture it.
> > Where should I look to find these boot logs, do you think?
> > 
> > http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log
> 
> Are there any avc denials?  If running auditd, then use ausearch -m AVC.
> Otherwise grep for avc: in your messages file or dmesg output.
> 
> What does sestatus report?

Thank you for your quick response, Stephen.

I'm using Evolution as my MUA and haven't got mutt set up on the new
system yet, so email and selinux are currently mutually exclusive.  I've
saved this email to a text file and will re-start the kernel with
selinux enabled, run these commands > log and re-boot.  I'm waiting on a
ferry that leaves in 15 minutes, so I won't have the results until I get
to my desk in Seattle after noon (-0800).

C.J.



* Re: SELinux on Wheezy
From: C.J. Adams-Collier KF7BMP @ 2012-02-06 16:21 UTC (permalink / raw)
  To: Dominick Grift; +Cc: SE-Linux, Russell Coker


On Mon, 2012-02-06 at 16:56 +0100, Dominick Grift wrote:
> On Sun, 2012-02-05 at 20:26 -0800, C.J. Adams-Collier KF7BMP wrote:
> > Hey folks,
> > 
> > I brought up a wheezy install on an alternate lvm root a couple of weeks
> > ago.  I turned SELinux on shortly thereafter.  I think I updated my
> > kernel, and now X won't start.  Could someone look at these logs with me
> > and help figure out what's going on?  Something showed up during boot
> > that said something about updating labels, but I didn't capture it.
> > Where should I look to find these boot logs, do you think?
> > 
> > http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log
> > 
> > Thank you in advance!
> > 
> > C.J.
> > 
> > 
> 
> Seems to be an XACE issue.
> 
> > > /var/log/Xorg.56.log.old:[    46.050] SELinux: a property label lookup failed!
> > > /var/log/Xorg.56.log.old:[    46.050] SELinux: Failed to set label property on window!
> 
> getsebool -a | xserver_object_manager
> 
> Does it work if you set it to off?
> 
> setsebool -P xserver_object_manager off
> 
> http://selinuxproject.org/page/NB_XWIN

Thank you Dominick.  I will give this a try when I re-boot.

Russell, do you think this is something we should patch into the xorg
debian packaging?



* Re: SELinux on Wheezy
From: C.J. Adams-Collier KF7BMP @ 2012-02-06 23:23 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SE-Linux, Russell Coker


On Mon, 2012-02-06 at 08:17 -0800, C.J. Adams-Collier KF7BMP wrote:
> On Mon, 2012-02-06 at 10:39 -0500, Stephen Smalley wrote:
> > On Sun, 2012-02-05 at 20:26 -0800, C.J. Adams-Collier KF7BMP wrote:
> > > Hey folks,
> > > 
> > > I brought up a wheezy install on an alternate lvm root a couple of weeks
> > > ago.  I turned SELinux on shortly thereafter.  I think I updated my
> > > kernel, and now X won't start.  Could someone look at these logs with me
> > > and help figure out what's going on?  Something showed up during boot
> > > that said something about updating labels, but I didn't capture it.
> > > Where should I look to find these boot logs, do you think?
> > > 
> > > http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log
> > 
> > Are there any avc denials?  If running auditd, then use ausearch -m AVC.
> > Otherwise grep for avc: in your messages file or dmesg output.
> > 
> > What does sestatus report?
> 
> Thank you for your quick response, Stephen.
> 
> I'm using Evolution as my MUA and haven't got mutt set up on the new
> system yet, so email and selinux are currently mutually exclusive.  I've
> saved this email to a text file and will re-start the kernel with
> selinux enabled, run these commands > log and re-boot.  I'm waiting on a
> ferry that leaves in 15 minutes, so I won't have the results until I get
> to my desk in Seattle after noon (-0800).
> 
> C.J.

Stephen,

Here are the logs you requested:

http://www.colliertech.org/federal/nsa/avc-20120206T090101.log

http://www.colliertech.org/federal/nsa/sestatus-20120206T090618.log

It seems to me that the Debian SELinux docs could use some improvement.
To this end, I have submitted an application to join the SELinux project
on Alioth.  I will probably make some updates to the wiki pages as well.

I am going to install the packages which provide the tools you and
Dominick recommended this morning and dig a little deeper as time
permits.

Thank you again for taking the time to help me through this.

C.J.



* Re: SELinux on Wheezy
From: Dominick Grift @ 2012-02-06 23:48 UTC (permalink / raw)
  To: C.J. Adams-Collier KF7BMP; +Cc: SE-Linux


> Stephen,
> 
> Here are the logs you requested:
> 
> http://www.colliertech.org/federal/nsa/avc-20120206T090101.log

The above logs expose two bugs in your policy, I believe.
Are you using the latest available policy?

Possible temporary fixes:

echo 'avc:  denied  { associate } for  pid=384 comm="restorecon" name="shm" dev=devtmpfs ino=5266 scontext=system_u:object_r:tmpfs_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem' \
  | audit2allow -M myfs; sudo semodule -i myfs.pp

echo 'avc:  denied  { syslog } for  pid=1824 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2' \
  | audit2allow -M mykernel; sudo semodule -i mykernel.pp




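An added example, not part of this thread or of any poster's code: a small Python triage script for AVC records like the two above, whether they come from ausearch -m AVC, dmesg or the messages file. It separates denials whose source domain is kernel_t, which means the process never transitioned and the executables are mislabeled (feeding those to audit2allow would only mask the problem), from denials that are genuine candidates for a targeted module. The third sample record, the kernel_t rule and all function names are my assumptions.

```python
import re

# Constructed sample: the two AVC records quoted in the thread, plus a third
# record I made up (apache2 in httpd_t connecting to a MySQL port) to show a
# denial whose source process did transition into its own domain.
SAMPLE_AVC = """\
avc:  denied  { associate } for  pid=384 comm="restorecon" name="shm" dev=devtmpfs ino=5266 scontext=system_u:object_r:tmpfs_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
avc:  denied  { syslog } for  pid=1824 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2
avc:  denied  { name_connect } for  pid=2201 comm="apache2" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

# Matches the AVC body whether it comes from dmesg, syslog or ausearch, since
# those only differ in the prefix that precedes "avc:".
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: on a booted system no userspace daemon should still be running
# in kernel_t. If one is, init never domain-transitioned it, which means the
# executables are mislabeled; an allow rule for kernel_t would hide that.
UNTRANSITIONED_DOMAINS = {"kernel_t"}


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    return rec


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def classify(rec):
    """'mislabel' if the source domain shows a missed transition, else 'policy'."""
    if context_type(rec["scontext"]) in UNTRANSITIONED_DOMAINS:
        return "mislabel"
    return "policy"


def triage(text):
    """Summarise every AVC record in text with a verdict on how to treat it."""
    findings = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        findings.append({
            "comm": rec.get("comm"),
            "pid": rec.get("pid"),
            "source": context_type(rec["scontext"]),
            "target": context_type(rec["tcontext"]),
            "tclass": rec["tclass"],
            "perms": rec["perms"],
            "verdict": classify(rec),
        })
    return findings


def lines_for_audit2allow(text):
    """Keep only the records it is sensible to hand to audit2allow -M."""
    keep = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None and classify(rec) == "policy":
            keep.append(line)
    return keep


if __name__ == "__main__":
    for f in triage(SAMPLE_AVC):
        print("{comm:<12} {source:<10} -> {target:<14} {tclass:<12} {perms} : {verdict}".format(**f))
    print("\n%d record(s) suitable for audit2allow; the rest need a relabel first"
          % len(lines_for_audit2allow(SAMPLE_AVC)))
```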

* Re: SELinux on Wheezy
From: C.J. Adams-Collier KF7BMP @ 2012-02-07 17:35 UTC (permalink / raw)
  To: Dominick Grift; +Cc: SE-Linux, Russell Coker


On Mon, 2012-02-06 at 08:21 -0800, C.J. Adams-Collier KF7BMP wrote:
> On Mon, 2012-02-06 at 16:56 +0100, Dominick Grift wrote:
> > On Sun, 2012-02-05 at 20:26 -0800, C.J. Adams-Collier KF7BMP wrote:
> > > Hey folks,
> > > 
> > > I brought up a wheezy install on an alternate lvm root a couple of weeks
> > > ago.  I turned SELinux on shortly thereafter.  I think I updated my
> > > kernel, and now X won't start.  Could someone look at these logs with me
> > > and help figure out what's going on?  Something showed up during boot
> > > that said something about updating labels, but I didn't capture it.
> > > Where should I look to find these boot logs, do you think?
> > > 
> > > http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log
> > > 
> > > Thank you in advance!
> > > 
> > > C.J.
> > > 
> > > 
> > 
> > Seems to be an XACE issue.
> > 
> > > > /var/log/Xorg.56.log.old:[    46.050] SELinux: a property label lookup failed!
> > > > /var/log/Xorg.56.log.old:[    46.050] SELinux: Failed to set label property on window!
> > 
> > getsebool -a | xserver_object_manager
> > 
> > Does it work if you set it to off?
> > 
> > setsebool -P xserver_object_manager off
> > 
> > http://selinuxproject.org/page/NB_XWIN
> 
> Thank you Dominick.  I will give this a try when I re-boot.
> 
> Russell, do you think this is something we should patch into the xorg
> debian packaging?
> 


http://www.colliertech.org/federal/nsa/sebool-20120206T091638.log:
cjac@foxtrot:~$ sudo getsebool -a | grep -i xserver_object_manager | wc -l
0
cjac@foxtrot:~$ sudo setsebool -P xserver_object_manager off
libsemanage.dbase_llist_set: record not found in the database (No such file or directory).
libsemanage.dbase_llist_set: could not set record value (No such file or directory).
Could not change boolean xserver_object_manager
Could not change policy booleans

How do I fill these in?  Is there a .deb with the correct policy
modification?

Thanks,

C.J.



* Re: SELinux on Wheezy
From: Stephen Smalley @ 2012-02-07 17:42 UTC (permalink / raw)
  To: C.J. Adams-Collier KF7BMP; +Cc: SE-Linux, Russell Coker

On Mon, 2012-02-06 at 15:23 -0800, C.J. Adams-Collier KF7BMP wrote:
> Here are the logs you requested:
> 
> http://www.colliertech.org/federal/nsa/avc-20120206T090101.log
> 
> http://www.colliertech.org/federal/nsa/sestatus-20120206T090618.log
> 
> It seems to me that the Debian SELinux docs could use some improvement.
> To this end, I have submitted an application to join the SELinux project
> on Alioth.  I will probably make some updates to the wiki pages as well.
> 
> I am going to install the packages which provide the tools you and
> Dominick recommended this morning and dig a little deeper as time
> permits.
> 
> Thank you again for taking the time to help me through this.

The avc message suggests that your processes are not running in the
right domains, which in turn suggests that perhaps your filesystems are
not correctly labeled.  sestatus -v should provide more information.

-- 
Stephen Smalley
National Security Agency



* Re: SELinux on Wheezy
From: Stephen Smalley @ 2012-02-07 17:47 UTC (permalink / raw)
  To: C.J. Adams-Collier KF7BMP; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Tue, 2012-02-07 at 09:35 -0800, C.J. Adams-Collier KF7BMP wrote:
> On Mon, 2012-02-06 at 08:21 -0800, C.J. Adams-Collier KF7BMP wrote:
> > On Mon, 2012-02-06 at 16:56 +0100, Dominick Grift wrote:
> > > On Sun, 2012-02-05 at 20:26 -0800, C.J. Adams-Collier KF7BMP wrote:
> > > > Hey folks,
> > > > 
> > > > I brought up a wheezy install on an alternate lvm root a couple of weeks
> > > > ago.  I turned SELinux on shortly thereafter.  I think I updated my
> > > > kernel, and now X won't start.  Could someone look at these logs with me
> > > > and help figure out what's going on?  Something showed up during boot
> > > > that said something about updating labels, but I didn't capture it.
> > > > Where should I look to find these boot logs, do you think?
> > > > 
> > > > http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log
> > > > 
> > > > Thank you in advance!
> > > > 
> > > > C.J.
> > > > 
> > > > 
> > > 
> > > Seems to be an XACE issue.
> > > 
> > > > > /var/log/Xorg.56.log.old:[    46.050] SELinux: a property label lookup failed!
> > > > > /var/log/Xorg.56.log.old:[    46.050] SELinux: Failed to set label property on window!
> > > 
> > > getsebool -a | xserver_object_manager
> > > 
> > > Does it work if you set it to off?
> > > 
> > > setsebool -P xserver_object_manager off
> > > 
> > > http://selinuxproject.org/page/NB_XWIN
> > 
> > Thank you Dominick.  I will give this a try when I re-boot.
> > 
> > Russell, do you think this is something we should patch into the xorg
> > debian packaging?
> > 
> 
> 
> http://www.colliertech.org/federal/nsa/sebool-20120206T091638.log:
> cjac@foxtrot:~$ sudo getsebool -a | grep -i xserver_object_manager | wc -l
> 0
> cjac@foxtrot:~$ sudo setsebool -P xserver_object_manager off
> libsemanage.dbase_llist_set: record not found in the database (No such file or directory).
> libsemanage.dbase_llist_set: could not set record value (No such file or directory).
> Could not change boolean xserver_object_manager
> Could not change policy booleans
> 
> How do I fill these in?  Is there a .deb with the correct policy
> modification?

That's interesting - suggests that you do not have the xserver policy
module installed.  semodule -l shows what?

-- 
Stephen Smalley
National Security Agency



* Re: SELinux on Wheezy
From: Dominick Grift @ 2012-02-07 18:44 UTC (permalink / raw)
  To: selinux

On Tue, 2012-02-07 at 12:42 -0500, Stephen Smalley wrote:

> 
> The avc message suggests that your processes are not running in the
> right domains, which in turn suggests that perhaps your filesystems are
> not correctly labeled.  sestatus -v should provide more information.
> 

Whoops, yes, I agree there. rsyslogd runs in the kernel_t domain.



* Re: SELinux on Wheezy
From: C.J. Adams-Collier KF7BMP @ 2012-02-07 18:55 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SE-Linux, Russell Coker


On Tue, 2012-02-07 at 12:42 -0500, Stephen Smalley wrote:
> sestatus -v

Rebooting and running this command + logs.


* Re: SELinux on Wheezy
From: C.J. Adams-Collier KF7BMP @ 2012-02-07 18:56 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Dominick Grift, SE-Linux, Russell Coker


On Tue, 2012-02-07 at 12:47 -0500, Stephen Smalley wrote:
> semodule -l

Rebooting and running + logs.


* Re: SELinux on Wheezy
From: C.J. Adams-Collier @ 2012-02-07 20:02 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Dominick Grift, SE-Linux, Russell Coker


cjac@foxtrot:~$ scp ~/selinux/*20120207*.log 172.16.12.22:/var/www/colliertech.org/wiki/federal/nsa/

--

~/selinux/semodule_-l_20120207T110759.log:
apache	2.3.0	
dbus	1.15.0	
devicekit	1.1.0	
dmidecode	1.4.0	
exim	1.5.0	
ftp	1.13.0	
git	1.0	
gpg	2.4.0	
lda	1.9.0	
lvm	1.13.0	
netutils	1.11.0	
openvpn	1.10.0	
ptchown	1.1.0	
pythonsupport	0.0.1	
remotelogin	1.7.0	
rpc	1.13.0	
rpcbind	1.5.0	
rsync	1.11.0	
ssh	2.2.0	
sudo	1.8.0	
tcpd	1.4.0	
telnet	1.10.0	
tzdata	1.4.0	
unconfined	3.3.0	

--

~/selinux/sestatus_-v_20120207T110759.log:
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 26
Policy from config file:        default

Process contexts:
Current context:                unconfined_u:system_r:insmod_t:SystemLow-SystemHigh
Init context:                   system_u:system_r:kernel_t:SystemLow
/usr/sbin/sshd                  system_u:system_r:kernel_t:SystemLow

File contexts:
Controlling term:               unconfined_u:object_r:tty_device_t:SystemLow
/etc/passwd                     unconfined_u:object_r:user_home_t:SystemLow
/etc/shadow                     unconfined_u:object_r:user_home_t:SystemLow
/bin/bash                       unconfined_u:object_r:user_home_t:SystemLow
/bin/login                      unconfined_u:object_r:user_home_t:SystemLow
/bin/sh                         unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow
/sbin/agetty                    unconfined_u:object_r:user_home_t:SystemLow
/sbin/init                      unconfined_u:object_r:user_home_t:SystemLow
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:SystemLow
/lib/ld-linux.so.2              unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow

--

~/selinux/ausearch_-m_20120207T110759.log:
Tue Feb  7 11:14:55 PST 2012
<no matches>

--

cjac@foxtrot:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: cjac@COLLIERTECH.ORG

Valid starting    Expires           Service principal
07/02/2012 12:01  07/02/2012 22:01  krbtgt/COLLIERTECH.ORG@COLLIERTECH.ORG
        renew until 08/02/2012 12:01


* Re: SELinux on Wheezy
From: Stephen Smalley @ 2012-02-07 20:08 UTC (permalink / raw)
  To: C.J. Adams-Collier; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Tue, 2012-02-07 at 12:02 -0800, C.J. Adams-Collier wrote:
> ~/selinux/semodule_-l_20120207T110759.log:
> apache	2.3.0	
> dbus	1.15.0	
> devicekit	1.1.0	
> dmidecode	1.4.0	
> exim	1.5.0	
> ftp	1.13.0	
> git	1.0	
> gpg	2.4.0	
> lda	1.9.0	
> lvm	1.13.0	
> netutils	1.11.0	
> openvpn	1.10.0	
> ptchown	1.1.0	
> pythonsupport	0.0.1	
> remotelogin	1.7.0	
> rpc	1.13.0	
> rpcbind	1.5.0	
> rsync	1.11.0	
> ssh	2.2.0	
> sudo	1.8.0	
> tcpd	1.4.0	
> telnet	1.10.0	
> tzdata	1.4.0	
> unconfined	3.3.0

So no xserver module, unless it happens to be part of your base module.
seinfo -txserver_t


> ~/selinux/sestatus_-v_20120207T110759.log:
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 26
> Policy from config file:        default
> 
> Process contexts:
> Current context:                unconfined_u:system_r:insmod_t:SystemLow-SystemHigh
> Init context:                   system_u:system_r:kernel_t:SystemLow
> /usr/sbin/sshd                  system_u:system_r:kernel_t:SystemLow
> 
> File contexts:
> Controlling term:               unconfined_u:object_r:tty_device_t:SystemLow
> /etc/passwd                     unconfined_u:object_r:user_home_t:SystemLow
> /etc/shadow                     unconfined_u:object_r:user_home_t:SystemLow
> /bin/bash                       unconfined_u:object_r:user_home_t:SystemLow
> /bin/login                      unconfined_u:object_r:user_home_t:SystemLow
> /bin/sh                         unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow
> /sbin/agetty                    unconfined_u:object_r:user_home_t:SystemLow
> /sbin/init                      unconfined_u:object_r:user_home_t:SystemLow
> /usr/sbin/sshd                  system_u:object_r:sshd_exec_t:SystemLow
> /lib/ld-linux.so.2              unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow

So everything except for /usr/sbin/sshd has the wrong file context, and
all of your processes are still running in the kernel's domain.

I think you need a new policy, and then you need to relabel your
filesystems.

-- 
Stephen Smalley
National Security Agency


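An added example, not from the thread: a Python checker that parses sestatus -v output like the above, compares each listed path and process with the type the reference policy is expected to assign, and states the conclusion Stephen draws from it. The expected-type table and the function names are my assumptions; on a live system matchpathcon is the authoritative source for a path's expected label.

```python
import re

# Constructed sample: the sestatus -v output posted in the thread, copied here
# verbatim so the checker runs offline.
SAMPLE_SESTATUS = """\
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 26
Policy from config file:        default

Process contexts:
Current context:                unconfined_u:system_r:insmod_t:SystemLow-SystemHigh
Init context:                   system_u:system_r:kernel_t:SystemLow
/usr/sbin/sshd                  system_u:system_r:kernel_t:SystemLow

File contexts:
Controlling term:               unconfined_u:object_r:tty_device_t:SystemLow
/etc/passwd                     unconfined_u:object_r:user_home_t:SystemLow
/etc/shadow                     unconfined_u:object_r:user_home_t:SystemLow
/bin/bash                       unconfined_u:object_r:user_home_t:SystemLow
/bin/login                      unconfined_u:object_r:user_home_t:SystemLow
/bin/sh                         unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow
/sbin/agetty                    unconfined_u:object_r:user_home_t:SystemLow
/sbin/init                      unconfined_u:object_r:user_home_t:SystemLow
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:SystemLow
/lib/ld-linux.so.2              unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow
"""

# Assumption: the types the reference policy of that era assigns to these
# paths and daemons. On a live system `matchpathcon PATH` is authoritative.
EXPECTED_FILE_TYPES = {
    "/etc/passwd": {"etc_t", "passwd_file_t"},
    "/etc/shadow": {"shadow_t"},
    "/bin/bash": {"shell_exec_t"},
    "/bin/login": {"login_exec_t"},
    "/bin/sh": {"shell_exec_t"},
    "/sbin/agetty": {"getty_exec_t"},
    "/sbin/init": {"init_exec_t"},
    "/usr/sbin/sshd": {"sshd_exec_t"},
    "/lib/ld-linux.so.2": {"ld_so_t"},
}
EXPECTED_PROCESS_TYPES = {"Init context": {"init_t"}, "/usr/sbin/sshd": {"sshd_t"}}

# label, two or more spaces, context, optional "-> target context" for symlinks
LINE_RE = re.compile(r"^(?P<label>.+?):?\s{2,}(?P<ctx>\S+)(?:\s+->\s+(?P<target>\S+))?\s*$")


def context_type(ctx):
    """Type field of a user:role:type[:range] context."""
    return ctx.split(":")[2]


def parse_sestatus(text):
    """Split sestatus -v output into settings, process contexts, file contexts."""
    settings, procs, files = {}, {}, {}
    section = settings
    for line in text.splitlines():
        if line == "Process contexts:":
            section = procs
        elif line == "File contexts:":
            section = files
        elif line.strip():
            m = LINE_RE.match(line)
            if m is not None:
                # for a symlink the target's label is the one that matters
                section[m.group("label")] = m.group("target") or m.group("ctx")
    return settings, procs, files


def check_labels(text):
    """Report every listed path or process whose type is not the expected one."""
    settings, procs, files = parse_sestatus(text)
    report = {"mode": settings.get("Current mode"), "processes": [], "files": []}
    for label, expected in EXPECTED_PROCESS_TYPES.items():
        actual = context_type(procs[label]) if label in procs else None
        if actual not in expected:
            report["processes"].append((label, actual, sorted(expected)))
    for path, expected in EXPECTED_FILE_TYPES.items():
        actual = context_type(files[path]) if path in files else None
        if actual not in expected:
            report["files"].append((path, actual, sorted(expected)))
    return report


def diagnosis(report):
    """One-line conclusion, following the reasoning used in the thread."""
    bad_init = any(path == "/sbin/init" for path, _, _ in report["files"])
    stuck = [label for label, actual, _ in report["processes"] if actual == "kernel_t"]
    if bad_init and stuck:
        return ("/sbin/init is not init_exec_t, so init and every service it started "
                "stayed in kernel_t: install a complete policy, then relabel")
    if report["files"]:
        return "some paths carry the wrong type: relabel them"
    if stuck:
        return "daemons stuck in kernel_t despite correct labels: check the policy's transitions"
    return "labels and domains look consistent"
```

Calling check_labels(SAMPLE_SESTATUS) lists all eight mislabeled paths plus both kernel_t processes, and diagnosis() of that report points at /sbin/init as the root cause.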

* Re: SELinux on Wheezy
From: C.J. Adams-Collier @ 2012-02-07 21:05 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Dominick Grift, SE-Linux, Russell Coker


On Tue, Feb 07, 2012 at 03:08:25PM -0500, Stephen Smalley wrote:
> On Tue, 2012-02-07 at 12:02 -0800, C.J. Adams-Collier wrote:
> > ~/selinux/semodule_-l_20120207T110759.log:
> > apache	2.3.0	
> > dbus	1.15.0	
> > devicekit	1.1.0	
> > dmidecode	1.4.0	
> > exim	1.5.0	
> > ftp	1.13.0	
> > git	1.0	
> > gpg	2.4.0	
> > lda	1.9.0	
> > lvm	1.13.0	
> > netutils	1.11.0	
> > openvpn	1.10.0	
> > ptchown	1.1.0	
> > pythonsupport	0.0.1	
> > remotelogin	1.7.0	
> > rpc	1.13.0	
> > rpcbind	1.5.0	
> > rsync	1.11.0	
> > ssh	2.2.0	
> > sudo	1.8.0	
> > tcpd	1.4.0	
> > telnet	1.10.0	
> > tzdata	1.4.0	
> > unconfined	3.3.0
> 
> So no xserver module, unless it happens to be part of your base module.
> seinfo -txserver_t

cjac@foxtrot:~$ sudo which seinfo
cjac@foxtrot:~$ apt-file search seinfo | grep bin | wc -l
0

Any idea where I can get the xserver module?  Russell?
 
> 
> > ~/selinux/sestatus_-v_20120207T110759.log:
> > SELinux status:                 enabled
> > SELinuxfs mount:                /selinux
> > Current mode:                   permissive
> > Mode from config file:          permissive
> > Policy version:                 26
> > Policy from config file:        default
> > 
> > Process contexts:
> > Current context:                unconfined_u:system_r:insmod_t:SystemLow-SystemHigh
> > Init context:                   system_u:system_r:kernel_t:SystemLow
> > /usr/sbin/sshd                  system_u:system_r:kernel_t:SystemLow
> > 
> > File contexts:
> > Controlling term:               unconfined_u:object_r:tty_device_t:SystemLow
> > /etc/passwd                     unconfined_u:object_r:user_home_t:SystemLow
> > /etc/shadow                     unconfined_u:object_r:user_home_t:SystemLow
> > /bin/bash                       unconfined_u:object_r:user_home_t:SystemLow
> > /bin/login                      unconfined_u:object_r:user_home_t:SystemLow
> > /bin/sh                         unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow
> > /sbin/agetty                    unconfined_u:object_r:user_home_t:SystemLow
> > /sbin/init                      unconfined_u:object_r:user_home_t:SystemLow
> > /usr/sbin/sshd                  system_u:object_r:sshd_exec_t:SystemLow
> > /lib/ld-linux.so.2              unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow
> 
> So everything except for /usr/sbin/sshd has the wrong file context, and
> all of your processes are still running in the kernel's domain.
> 
> I think you need a new policy, and then you need to relabel your
> filesystems.

Sounds reasonable.  Do I get policy from my distribution, or should I
generate one myself?

cjac@foxtrot:~$ dpkg -l | grep selinux-policy
ii  selinux-policy-default               2:2.20110726-3                 Strict and Targeted variants of the SELinux policy
ii  selinux-policy-dev                   2:2.20110726-3                 Headers from the SELinux reference policy for building modules
ii  selinux-policy-doc                   2:2.20110726-3                 Documentation for the SELinux reference policy

cjac@foxtrot:~$ apt-cache search selinux-policy
selinux-policy-default - Strict and Targeted variants of the SELinux policy
selinux-policy-dev - Headers from the SELinux reference policy for building modules
selinux-policy-doc - Documentation for the SELinux reference policy
selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
selinux-policy-src - Source of the SELinux reference policy for customization

If I'm going to generate one myself, I need to understand them a bit
better.  I would like anything I generate to be usable by the rest of
the Debian world.  There seem to be some examples I ran review in the
selinux-policy-doc and selinux-policy-mls packages.

Regarding re-labeling, every time I boot without the selinux arguments
to my kernel and then boot with them, the filesystem seems to get
re-labeled.  Is there a better way to do this?

Thanks for helping me cope with my ignorance.

C.J.


* Re: SELinux on Wheezy
From: Stephen Smalley @ 2012-02-08 13:24 UTC (permalink / raw)
  To: C.J. Adams-Collier; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Tue, 2012-02-07 at 13:05 -0800, C.J. Adams-Collier wrote:
> cjac@foxtrot:~$ sudo which seinfo
> cjac@foxtrot:~$ apt-file search seinfo | grep bin | wc -l
> 0

seinfo is part of the setools package.

> Sounds reasonable.  Do I get policy from my distribution, or should I
> generate one myself?

Normally from your distribution, assuming the selinux packages for
Debian are still being maintained.

IIRC, the Debian selinux policy package tries to minimize the set of
installed policy modules based on the set of installed packages, but
that isn't an exact mapping and might be leaving you without a complete
policy.  Whereas Fedora installs all policy modules unconditionally.

If the .pp files are on your filesystem and just not installed into the
policy store, you can manually add them by running semodule -i on them.
Try listing the files installed from your policy packages and see if
xserver.pp is among them.  

> cjac@foxtrot:~$ dpkg -l | grep selinux-policy
> ii  selinux-policy-default               2:2.20110726-3                 Strict and Targeted variants of the SELinux policy
> ii  selinux-policy-dev                   2:2.20110726-3                 Headers from the SELinux reference policy for building modules
> ii  selinux-policy-doc                   2:2.20110726-3                 Documentation for the SELinux reference policy
> 
> cjac@foxtrot:~$ apt-cache search selinux-policy
> selinux-policy-default - Strict and Targeted variants of the SELinux policy
> selinux-policy-dev - Headers from the SELinux reference policy for building modules
> selinux-policy-doc - Documentation for the SELinux reference policy
> selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
> selinux-policy-src - Source of the SELinux reference policy for customization
> 
> If I'm going to generate one myself, I need to understand them a bit
> better.  I would like anything I generate to be useable by the rest of
> the Debian world.  There seem to be some examples I ran review in the
> selinux-policy-doc and selinux-policy-mls packages.
> 
> Regarding re-labeling, every time I boot without the selinux arguments
> to my kernel and then boot with them, the filesystem seems to get
> re-labeled.  Is there a better way to do this?

On Fedora, you could touch /.autorelabel or pass "autorelabel" on the
kernel command line to force a relabel at boot.  You can also run
fixfiles relabel as a command after booting.  No need to disable SELinux
and then re-enable it.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: SELinux on Wheezy
  2012-02-08 13:24                 ` Stephen Smalley
@ 2012-02-08 17:39                   ` C.J. Adams-Collier KF7BMP
  2012-02-08 17:54                     ` Stephen Smalley
  2012-02-09 13:05                     ` Russell Coker
  0 siblings, 2 replies; 30+ messages in thread
From: C.J. Adams-Collier KF7BMP @ 2012-02-08 17:39 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Wed, 2012-02-08 at 08:24 -0500, Stephen Smalley wrote:
> On Tue, 2012-02-07 at 13:05 -0800, C.J. Adams-Collier wrote:
> > cjac@foxtrot:~$ sudo which seinfo
> > cjac@foxtrot:~$ apt-file search seinfo | grep bin | wc -l
> > 0
> 
> seinfo is part of the setools package.

$ apt-cache search -n setools
erlang-parsetools - Erlang/OTP parsing tools

Hmm.

Would it be safe to build seinfo from source and use it along with the
distro-installed tools?  If so, what's the git repo I should clone from?

> > Sounds reasonable.  Do I get policy from my distribution, or should I
> > generate one myself?
> 
> Normally from your distribution, assuming the selinux packages for
> Debian are still being maintained.

I believe they are.  I exchanged email with Russell about it not long
ago.  But then, gtkglarea is still officially maintained and I made the
first update in nearly a year 36 hours ago.  Perhaps the package needs 1
or more co-maintainers to improve coverage.

> IIRC, the Debian selinux policy package tries to minimize the set of
> installed policy modules based on the set of installed packages, but
> that isn't an exact mapping and might be leaving you without a complete
> policy.  Whereas Fedora installs all policy modules unconditionally.

If the overhead is not too great, perhaps this can be duplicated in
Debian.  I do hate paying for things I don't use, though.  Especially
when the cost is substantial.  The same is probably true of many other
Debian users.

> If the .pp files are on your filesystem and just not installed into the
> policy store, you can manually add them by running semodule -i on them.
> Try listing the files installed from your policy packages and see if
> xserver.pp is among them.  

$ locate xserver.pp
/usr/share/selinux/default/xserver.pp

I'll run semodule -i after this morning's reboot.  I installed mutt
yesterday, so I'll work from the console until you folks sign off for
the evening.

> > cjac@foxtrot:~$ dpkg -l | grep selinux-policy
> > ii  selinux-policy-default               2:2.20110726-3                 Strict and Targeted variants of the SELinux policy
> > ii  selinux-policy-dev                   2:2.20110726-3                 Headers from the SELinux reference policy for building modules
> > ii  selinux-policy-doc                   2:2.20110726-3                 Documentation for the SELinux reference policy
> > 
> > cjac@foxtrot:~$ apt-cache search selinux-policy
> > selinux-policy-default - Strict and Targeted variants of the SELinux policy
> > selinux-policy-dev - Headers from the SELinux reference policy for building modules
> > selinux-policy-doc - Documentation for the SELinux reference policy
> > selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
> > selinux-policy-src - Source of the SELinux reference policy for customization
> > 
> > If I'm going to generate one myself, I need to understand them a bit
> > better.  I would like anything I generate to be useable by the rest of
> > the Debian world.  There seem to be some examples I ran review in the
> > selinux-policy-doc and selinux-policy-mls packages.
> > 
> > Regarding re-labeling, every time I boot without the selinux arguments
> > to my kernel and then boot with them, the filesystem seems to get
> > re-labeled.  Is there a better way to do this?
> 
> On Fedora, you could touch /.autorelabel or pass "autorelabel" on the
> kernel command line to force a relabel at boot.  You can also run
> fixfiles relabel as a command after booting.  No need to disable SELinux
> and then re-enable it.

Great.  I do have a copy of fixfiles.



* Re: SELinux on Wheezy
  2012-02-08 17:39                   ` C.J. Adams-Collier KF7BMP
@ 2012-02-08 17:54                     ` Stephen Smalley
  2012-02-08 19:45                       ` C.J. Adams-Collier KF7BMP
  2012-02-09 13:05                     ` Russell Coker
  1 sibling, 1 reply; 30+ messages in thread
From: Stephen Smalley @ 2012-02-08 17:54 UTC (permalink / raw)
  To: C.J. Adams-Collier KF7BMP; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Wed, 2012-02-08 at 09:39 -0800, C.J. Adams-Collier KF7BMP wrote:
> On Wed, 2012-02-08 at 08:24 -0500, Stephen Smalley wrote:
> > On Tue, 2012-02-07 at 13:05 -0800, C.J. Adams-Collier wrote:
> > > cjac@foxtrot:~$ sudo which seinfo
> > > cjac@foxtrot:~$ apt-file search seinfo | grep bin | wc -l
> > > 0
> > 
> > seinfo is part of the setools package.
> 
> $ apt-cache search -n setools
> erlang-parsetools - Erlang/OTP parsing tools
> 
> Hmm.
> 
> Would it be safe to build seinfo from source and use it along with the
> distro-installed tools?  If so, what's the git repo I should clone from?

Curious, as setools is packaged for Debian squeeze per
packages.debian.org.  Did the package go un-maintained before wheezy?

Upstream is at:
http://oss.tresys.com/projects/setools

> $ locate xserver.pp
> /usr/share/selinux/default/xserver.pp
> 
> I'll run semodule -i after this morning's reboot.  I installed mutt
> yesterday, so I'll work from the console until you folks sign off for
> the evening.

I'd suggest installing all of the .pp files to ensure you aren't missing
anything else.  The man page for semodule has some examples of how to
install all modules from a directory.

-- 
Stephen Smalley
National Security Agency



* Re: SELinux on Wheezy
  2012-02-08 17:54                     ` Stephen Smalley
@ 2012-02-08 19:45                       ` C.J. Adams-Collier KF7BMP
  2012-02-08 20:17                         ` Stephen Smalley
  0 siblings, 1 reply; 30+ messages in thread
From: C.J. Adams-Collier KF7BMP @ 2012-02-08 19:45 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Wed, 2012-02-08 at 12:54 -0500, Stephen Smalley wrote:
> On Wed, 2012-02-08 at 09:39 -0800, C.J. Adams-Collier KF7BMP wrote:
> > On Wed, 2012-02-08 at 08:24 -0500, Stephen Smalley wrote:
> > > On Tue, 2012-02-07 at 13:05 -0800, C.J. Adams-Collier wrote:
> > > > cjac@foxtrot:~$ sudo which seinfo
> > > > cjac@foxtrot:~$ apt-file search seinfo | grep bin | wc -l
> > > > 0
> > > 
> > > seinfo is part of the setools package.
> > 
> > $ apt-cache search -n setools
> > erlang-parsetools - Erlang/OTP parsing tools
> > 
> > Hmm.
> > 
> > Would it be safe to build seinfo from source and use it along with the
> > distro-installed tools?  If so, what's the git repo I should clone from?
> 
> Curious, as setools is packaged for Debian squeeze per
> packages.debian.org.  Did the package go un-maintained before wheezy?
> 
> Upstream is at:
> http://oss.tresys.com/projects/setools

cjac@foxtrot:/usr/src/git/debian/setools$ git log | head -5
commit 22a5d3e451d8a1e60a3c746466c865e63089a92a
Merge: fa238f0 149e283
Author: Manoj Srivastava <srivasta@debian.org>
Date:   Tue Jul 20 23:10:06 2010 -0700

I guess it has been unmaintained.  I just sent an email off to srivasta@
requesting some help getting the package built.

> > $ locate xserver.pp
> > /usr/share/selinux/default/xserver.pp
> > 
> > I'll run semodule -i after this morning's reboot.  I installed mutt
> > yesterday, so I'll work from the console until you folks sign off for
> > the evening.
> 
> I'd suggest installing all of the .pp files to ensure you aren't missing
> anything else.  The man page for semodule has some examples of how to
> install all modules from a directory.

What's the best way to do this at boot?




* Re: SELinux on Wheezy
  2012-02-08 19:45                       ` C.J. Adams-Collier KF7BMP
@ 2012-02-08 20:17                         ` Stephen Smalley
  2012-02-08 21:32                           ` C.J. Adams-Collier KF7BMP
  0 siblings, 1 reply; 30+ messages in thread
From: Stephen Smalley @ 2012-02-08 20:17 UTC (permalink / raw)
  To: C.J. Adams-Collier KF7BMP; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Wed, 2012-02-08 at 11:45 -0800, C.J. Adams-Collier KF7BMP wrote:
> > > $ locate xserver.pp
> > > /usr/share/selinux/default/xserver.pp
> > > 
> > > I'll run semodule -i after this morning's reboot.  I installed mutt
> > > yesterday, so I'll work from the console until you folks sign off for
> > > the evening.
> > 
> > I'd suggest installing all of the .pp files to ensure you aren't missing
> > anything else.  The man page for semodule has some examples of how to
> > install all modules from a directory.
> 
> What's the best way to do this at boot?

You just do it once and it remains until/unless you remove it with
semodule -r.  No need to do it on each boot.  Normally it is done when
you install the policy package, but since your policy package apparently
didn't install all modules, I'm suggesting that you do so manually.  

cd /usr/share/selinux/default
ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -b base.pp -i
should install them all.

-- 
Stephen Smalley
National Security Agency



* Re: SELinux on Wheezy
  2012-02-08 20:17                         ` Stephen Smalley
@ 2012-02-08 21:32                           ` C.J. Adams-Collier KF7BMP
  2012-02-09 13:08                             ` Russell Coker
  2012-02-09 13:55                             ` Stephen Smalley
  0 siblings, 2 replies; 30+ messages in thread
From: C.J. Adams-Collier KF7BMP @ 2012-02-08 21:32 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Wed, 2012-02-08 at 15:17 -0500, Stephen Smalley wrote:
> On Wed, 2012-02-08 at 11:45 -0800, C.J. Adams-Collier KF7BMP wrote:
> > > > $ locate xserver.pp
> > > > /usr/share/selinux/default/xserver.pp
> > > > 
> > > > I'll run semodule -i after this morning's reboot.  I installed mutt
> > > > yesterday, so I'll work from the console until you folks sign off for
> > > > the evening.
> > > 
> > > I'd suggest installing all of the .pp files to ensure you aren't missing
> > > anything else.  The man page for semodule has some examples of how to
> > > install all modules from a directory.
> > 
> > What's the best way to do this at boot?
> 
> You just do it once and it remains until/unless you remove it with
> semodule -r.  No need to do it on each boot.  Normally it is done when
> you install the policy package, but since your policy package apparently
> didn't install all modules, I'm suggesting that you do so manually.  
> 
> cd /usr/share/selinux/default
> ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -b base.pp -i
> should install them all.

Okay.  Do these ever get purged under any other circumstances?  I noted
that when I booted without selinux enabled and then with it enabled, the
filesystem was re-labeled.  Does anything else get triggered in this
situation?  Specifically, do policies get removed?

It looks like the alsa.pp is failing, so my working and slightly
modified command was:

        $ pushd /usr/share/selinux/default
        $ time sudo \
        semodule -i `ls *.pp | grep -v -e 'base.pp' -e 'alsa.pp'`
        
        real	0m24.148s
        user	0m23.249s
        sys	0m0.628s
        
This seems like it would take slightly less time than piping the output
of ls to xargs, since it only runs semodule once.

        $ time ls *.pp | grep -v -e 'base.pp' -e 'alsa.pp' | \
        xargs sudo semodule -b base.pp -i 
        
        real	0m25.659s
        user	0m24.778s
        sys	0m0.660s

But they both get the job done and the difference in run time is very
small.



* Re: SELinux on Wheezy
  2012-02-08 17:39                   ` C.J. Adams-Collier KF7BMP
  2012-02-08 17:54                     ` Stephen Smalley
@ 2012-02-09 13:05                     ` Russell Coker
  2012-02-09 16:40                       ` C.J. Adams-Collier KF7BMP
  1 sibling, 1 reply; 30+ messages in thread
From: Russell Coker @ 2012-02-09 13:05 UTC (permalink / raw)
  To: C.J. Adams-Collier KF7BMP; +Cc: Stephen Smalley, SE-Linux

On Thu, 9 Feb 2012, "C.J. Adams-Collier KF7BMP" <cjac@colliertech.org> wrote:
> On Wed, 2012-02-08 at 08:24 -0500, Stephen Smalley wrote:
> > On Tue, 2012-02-07 at 13:05 -0800, C.J. Adams-Collier wrote:
> > > cjac@foxtrot:~$ sudo which seinfo
> > > cjac@foxtrot:~$ apt-file search seinfo | grep bin | wc -l
> > > 0
> > 
> > seinfo is part of the setools package.
> 
> $ apt-cache search -n setools
> erlang-parsetools - Erlang/OTP parsing tools
> 
> Hmm.

# apt-cache search -n setools
erlang-parsetools - Erlang/OTP parsing tools
libsetools-java - SETools Java bindings (architecture-independent)
libsetools-jni - SETools Java bindings (architecture-dependent)
libsetools-tcl - SETools Tcl bindings
python-setools - SETools Python bindings
setools - tools for Security Enhanced Linux policy analysis

Works for me when tracking unstable.

http://bugs.debian.org/cgi-bin/pkgreport.cgi?package=setools

But it's got a grave bug and an important bug.  CJ, would you like to help in
fixing these?  It's probably not going to be any more difficult than building
your own copy from upstream source.

> > > Sounds reasonable.  Do I get policy from my distribution, or should I
> > > generate one myself?
> > 
> > Normally from your distribution, assuming the selinux packages for
> > Debian are still being maintained.

Of course they are still being maintained.

> I believe they are.  I exchanged email with Russell about it not long
> ago.  But then, gtkglarea is still officially maintained and I made the
> first update in nearly a year 36 hours ago.  Perhaps the package needs 1
> or more co-maintainers to improve coverage.

Yes, more help would be good.

Manoj has disappeared; he has not answered any mail I sent him for a long
time.  Everything that lists him as the maintainer needs a new maintainer.

> > IIRC, the Debian selinux policy package tries to minimize the set of
> > installed policy modules based on the set of installed packages, but
> > that isn't an exact mapping and might be leaving you without a complete
> > policy.  Whereas Fedora installs all policy modules unconditionally.
> 
> If the overhead is not too great, perhaps this can be duplicated in
> Debian.  I do hate paying for things I don't use, though.  Especially
> when the cost is substantial.  The same is probably true of many other
> Debian users.

The only problem in Debian in this regard is when you install new packages 
after installing the SE Linux policy.  I plan to somehow hook into the package 
installation process to install new policy modules as needed.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* Re: SELinux on Wheezy
  2012-02-08 21:32                           ` C.J. Adams-Collier KF7BMP
@ 2012-02-09 13:08                             ` Russell Coker
  2012-02-09 13:55                             ` Stephen Smalley
  1 sibling, 0 replies; 30+ messages in thread
From: Russell Coker @ 2012-02-09 13:08 UTC (permalink / raw)
  To: C.J. Adams-Collier KF7BMP; +Cc: Stephen Smalley, SE-Linux

On Thu, 9 Feb 2012, "C.J. Adams-Collier KF7BMP" <cjac@colliertech.org> wrote:
> Okay.  Do these ever get purged under any other circumstances?

Generally no.  The only case where modules are automatically removed is when 
you upgrade the policy package and you have obsolete modules installed.  This
is generally to prevent upgrades from failing.

> I noted
> that when I booted without selinux enabled and then with it enabled, the
> filesystem was re-labeled.  Does anything else get triggered in this
> situation?  Specifically, do policies get removed?

No.  That will never happen.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* Re: SELinux on Wheezy
  2012-02-06 16:21   ` C.J. Adams-Collier KF7BMP
  2012-02-07 17:35     ` C.J. Adams-Collier KF7BMP
@ 2012-02-09 13:12     ` Russell Coker
  1 sibling, 0 replies; 30+ messages in thread
From: Russell Coker @ 2012-02-09 13:12 UTC (permalink / raw)
  To: C.J. Adams-Collier KF7BMP; +Cc: Dominick Grift, SE-Linux

On Tue, 7 Feb 2012, "C.J. Adams-Collier KF7BMP" <cjac@colliertech.org> wrote:
> > Does it work if you set it to off?
> >
> > 
> >
> > setsebool -P xserver_object_manager off
> >
> > 
> >
> > http://selinuxproject.org/page/NB_XWIN
> 
> Thank you Dominick.  I will give this a try when I re-boot.
> 
> Russell, do you think this is something we should patch in to the xorg
> debian packaging?

Yes, I want to get XACE supported.  It's just a matter of time...

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* Re: SELinux on Wheezy
  2012-02-06 23:23     ` C.J. Adams-Collier KF7BMP
  2012-02-06 23:48       ` Dominick Grift
  2012-02-07 17:42       ` Stephen Smalley
@ 2012-02-09 13:17       ` Russell Coker
  2 siblings, 0 replies; 30+ messages in thread
From: Russell Coker @ 2012-02-09 13:17 UTC (permalink / raw)
  To: C.J. Adams-Collier KF7BMP; +Cc: SE-Linux

On Tue, 7 Feb 2012, "C.J. Adams-Collier KF7BMP" <cjac@colliertech.org> wrote:
> It seems to me that the Debian SELinux docs could use some improvement.
> To this end, I have submitted an application to join the SELinux project
> on Alioth.  I will probably make some updates to the wiki pages as well.

I've approved that (sorry for the delay).  I look forward to seeing your work.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* Re: SELinux on Wheezy
  2012-02-08 21:32                           ` C.J. Adams-Collier KF7BMP
  2012-02-09 13:08                             ` Russell Coker
@ 2012-02-09 13:55                             ` Stephen Smalley
  2012-02-09 17:34                               ` C.J. Adams-Collier KF7BMP
  1 sibling, 1 reply; 30+ messages in thread
From: Stephen Smalley @ 2012-02-09 13:55 UTC (permalink / raw)
  To: C.J. Adams-Collier KF7BMP; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Wed, 2012-02-08 at 13:32 -0800, C.J. Adams-Collier KF7BMP wrote:
> Okay.  Do these ever get purged under any other circumstances?  I noted
> that when I booted without selinux enabled and then with it enabled, the
> filesystem was re-labeled.  Does anything else get triggered in this
> situation?  Specifically, do policies get removed?

No.

> It looks like the alsa.pp is failing, so my working and slightly
> modified command was:

That's interesting, and it might explain why your policy didn't get
fully installed originally.  Is that alsa.pp file from the current
selinux-policy package or is it a leftover of an older one?  What is the
error you get with it?  It should be removed if it doesn't work.

>         $ pushd /usr/share/selinux/default
>         $ time sudo \
>         semodule -i `ls *.pp | grep -v -e 'base.pp' -e 'alsa.pp'`
>         
>         real	0m24.148s
>         user	0m23.249s
>         sys	0m0.628s
>         
> This seems like it would take slightly less time than piping the output
> of ls to xargs, since it only runs semodule once.
> 
>         $ time ls *.pp | grep -v -e 'base.pp' -e 'alsa.pp' | \
>         xargs sudo semodule -b base.pp -i 
>         
>         real	0m25.659s
>         user	0m24.778s
>         sys	0m0.660s
> 
> But they both get the job done and the difference in run time is very
> small.

Feel free to submit a patch for the EXAMPLES section in the semodule man
page.  Even better would be to improve semodule so that it automatically
detects the base module and handles it so that you can just do semodule
-i *.pp in all cases and not have to worry about filtering the list and
handling base specially.

-- 
Stephen Smalley
National Security Agency



* Re: SELinux on Wheezy
  2012-02-09 13:05                     ` Russell Coker
@ 2012-02-09 16:40                       ` C.J. Adams-Collier KF7BMP
  0 siblings, 0 replies; 30+ messages in thread
From: C.J. Adams-Collier KF7BMP @ 2012-02-09 16:40 UTC (permalink / raw)
  To: russell; +Cc: Stephen Smalley, SE-Linux

On Fri, 2012-02-10 at 00:05 +1100, Russell Coker wrote:
> On Thu, 9 Feb 2012, "C.J. Adams-Collier KF7BMP" <cjac@colliertech.org> wrote:
> > On Wed, 2012-02-08 at 08:24 -0500, Stephen Smalley wrote:
> > > On Tue, 2012-02-07 at 13:05 -0800, C.J. Adams-Collier wrote:
> > > > cjac@foxtrot:~$ sudo which seinfo
> > > > cjac@foxtrot:~$ apt-file search seinfo | grep bin | wc -l
> > > > 0
> > > 
> > > seinfo is part of the setools package.
> > 
> > $ apt-cache search -n setools
> > erlang-parsetools - Erlang/OTP parsing tools
> > 
> > Hmm.
> 
> # apt-cache search -n setools
> erlang-parsetools - Erlang/OTP parsing tools
> libsetools-java - SETools Java bindings (architecture-independent)
> libsetools-jni - SETools Java bindings (architecture-dependent)
> libsetools-tcl - SETools Tcl bindings
> python-setools - SETools Python bindings
> setools - tools for Security Enhanced Linux policy analysis
> 
> Works for me when tracking unstable.

I was hoping you wouldn't say that.  I like the sound of wheezy better
than sid.  I guess my 

$ cat /etc/debian_version 

says

wheezy/sid

Let's get it back into testing if we can.

> http://bugs.debian.org/cgi-bin/pkgreport.cgi?package=setools
> 
> But it's got a grave bug and an important bug.  CJ Would you like to help in 
> fixing these?  It's probably not going to be any more difficult than building 
> your own copy from upstream source.

That sounds fine.  If maintenance lasts beyond 2013/01/01 (and I expect
it will), you should know that my volunteer time will be considered part
of my donation in public service to my state guard association.  Shared
Copyright will then be donated to this public Company.

I have a copy of the upstream source which Mr. Smalley directed me to.
I will build it as time permits.  Right now I've got to write some Perl
for my Employer.

> > > > Sounds reasonable.  Do I get policy from my distribution, or should I
> > > > generate one myself?
> > > 
> > > Normally from your distribution, assuming the selinux packages for
> > > Debian are still being maintained.
> 
> Of course they are still being maintained.

Good to hear from you what I already knew.  I'm glad we're all on the
same page.

> > I believe they are.  I exchanged email with Russell about it not long
> > ago.  But then, gtkglarea is still officially maintained and I made the
> > first update in nearly a year 36 hours ago.  Perhaps the package needs 1
> > or more co-maintainers to improve coverage.
> 
> Yes, more help would be good.

Sounds good.

> Manoj has disappeared; he has not answered any mail I sent him for a long
> time.  Everything that lists him as the maintainer needs a new maintainer.

Roger.  I'll get my alioth account back online and my key into my
authorized_keys file.  I tried to bring it back online the other day,
and the mono/cli team said they thought it should still be active.  So
I'll see if the sysops can reset my credentials.

> > > IIRC, the Debian selinux policy package tries to minimize the set of
> > > installed policy modules based on the set of installed packages, but
> > > that isn't an exact mapping and might be leaving you without a complete
> > > policy.  Whereas Fedora installs all policy modules unconditionally.
> > 
> > If the overhead is not too great, perhaps this can be duplicated in
> > Debian.  I do hate paying for things I don't use, though.  Especially
> > when the cost is substantial.  The same is probably true of many other
> > Debian users.
> 
> The only problem in Debian in this regard is when you install new packages 
> after installing the SE Linux policy.  I plan to somehow hook into the package 
> installation process to install new policy modules as needed.
> 

Sounds good.  Last I heard it was written in Perl.



* Re: SELinux on Wheezy
  2012-02-09 13:55                             ` Stephen Smalley
@ 2012-02-09 17:34                               ` C.J. Adams-Collier KF7BMP
  2012-02-09 17:53                                 ` Stephen Smalley
  0 siblings, 1 reply; 30+ messages in thread
From: C.J. Adams-Collier KF7BMP @ 2012-02-09 17:34 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Thu, 2012-02-09 at 08:55 -0500, Stephen Smalley wrote:
> On Wed, 2012-02-08 at 13:32 -0800, C.J. Adams-Collier KF7BMP wrote:
> > Okay.  Do these ever get purged under any other circumstances?  I noted
> > that when I booted without selinux enabled and then with it enabled, the
> > filesystem was re-labeled.  Does anything else get triggered in this
> > situation?  Specifically, do policies get removed?
> 
> No.
> 
> > It looks like the alsa.pp is failing, so my working and slightly
> > modified command was:
> 
> That's interesting, and it might explain why your policy didn't get
> fully installed originally.  Is that alsa.pp file from the current
> selinux-policy package or is it a leftover of an older one?  What is the
> error you get with it?  It should be removed if it doesn't work.

cjac@foxtrot:~$ locate alsa.pp | xargs dpkg -S | awk -F: '{print $1}' | xargs debsums | grep alsa.pp
/usr/share/selinux/default/alsa.pp                                            OK
cjac@foxtrot:~$ 

How do I check for an error?  Not on STDOUT or STDERR, it seems...  This
may be one of the strangest, least useful error messages I've ever seen.
But it's got stiff competition.

cjac@foxtrot:~$ locate alsa.pp | xargs dpkg -S | awk -F: '{print $1}' | xargs debsums | grep alsa.pp | sudo xargs semodule -i
semodule:  Failed on OK!


> >         $ pushd /usr/share/selinux/default
> >         $ time sudo \
> >         semodule -i `ls *.pp | grep -v -e 'base.pp' -e 'alsa.pp'`
> >         
> >         real	0m24.148s
> >         user	0m23.249s
> >         sys	0m0.628s
> >         
> > This seems like it would take slightly less time than piping the output
> > of ls to xargs, since it only runs semodule once.
> > 
> >         $ time ls *.pp | grep -v -e 'base.pp' -e 'alsa.pp' | \
> >         xargs sudo semodule -b base.pp -i 
> >         
> >         real	0m25.659s
> >         user	0m24.778s
> >         sys	0m0.660s
> > 
> > But they both get the job done and the difference in run time is very
> > small.

Yep.  Might be a potential indicator for performance improvement,
however.

> Feel free to submit a patch for the EXAMPLES section in the semodule man
> page.  Even better would be to improve semodule so that it automatically
> detects the base module and handles it so that you can just do semodule
> -i *.pp in all cases and not have to worry about filtering the list and
> handling base specially.

sounds reasonable.  git uri anyone?




* Re: SELinux on Wheezy
  2012-02-09 17:34                               ` C.J. Adams-Collier KF7BMP
@ 2012-02-09 17:53                                 ` Stephen Smalley
  0 siblings, 0 replies; 30+ messages in thread
From: Stephen Smalley @ 2012-02-09 17:53 UTC (permalink / raw)
  To: C.J. Adams-Collier KF7BMP; +Cc: Dominick Grift, SE-Linux, Russell Coker

On Thu, 2012-02-09 at 09:34 -0800, C.J. Adams-Collier KF7BMP wrote:
> > That's interesting, and it might explain why your policy didn't get
> > fully installed originally.  Is that alsa.pp file from the current
> > selinux-policy package or is it a leftover of an older one?  What is the
> > error you get with it?  It should be removed if it doesn't work.
> 
> cjac@foxtrot:~$ locate alsa.pp | xargs dpkg -S | awk -F: '{print $1}' | xargs debsums | grep alsa.pp
> /usr/share/selinux/default/alsa.pp                                            OK
> cjac@foxtrot:~$ 
> 
> How do I check for an error?  Not on STDOUT or STDERR it seems...  This
> may be one of the strangest, least useful error messages I've ever seen.
> But it's got stiff competition.
>
> cjac@foxtrot:~$ locate alsa.pp | xargs dpkg -S | awk -F: '{print $1}' | xargs debsums | grep alsa.pp | sudo xargs semodule -i
> semodule:  Failed on OK!

I'm not sure what you are trying to do, but the above command will
ultimately call semodule -i on both alsa.pp and the "OK" string from the
output above, and as OK is not a module or even a file it naturally
fails.  I just wanted to know what semodule -i alsa.pp reports, since
you said it failed in some way.

> > Feel free to submit a patch for the EXAMPLES section in the semodule man
> > page.  Even better would be to improve semodule so that it automatically
> > detects the base module and handles it so that you can just do semodule
> > -i *.pp in all cases and not have to worry about filtering the list and
> > handling base specially.
> 
> sounds reasonable.  git uri anyone?

SELinux userspace lives at http://userspace.selinuxproject.org.
You can clone via git clone http://oss.tresys.com/git/selinux.git .
semodule is under policycoreutils.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

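The two points made above, that the debsums status column ("OK") rides along into semodule's argument list, and that base.pp must be handed to -b while every other module goes after -i, are shown in the following shell example. It is added here and is not code from the thread or from the SELinux userspace project: the debsums output is a constructed sample (the paths and module names are the ones that appear in the thread, and "FAILED" is a constructed status), and the script only builds and prints the semodule command rather than running it, so it can be tried without root or an SELinux-enabled host.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Builds a semodule
# invocation from debsums-style output without leaking the status column
# into the argument list, and routes base.pp to -b instead of -i.

# Constructed sample of what `debsums` prints: "<path> <spaces> <status>".
# Paths are assumed not to contain whitespace (true for the thread's layout).
SAMPLE_DEBSUMS='/usr/share/selinux/default/base.pp                    OK
/usr/share/selinux/default/alsa.pp                    OK
/usr/share/selinux/default/apache.pp                  FAILED
/usr/share/selinux/default/README                     OK'

# naive_args: what the pipeline in the thread effectively does. grep passes
# the whole debsums line through, and xargs (mimicked here by unquoted
# word-splitting, which splits on whitespace the same way) turns the status
# column into a second argument, so semodule is asked to install "OK".
naive_args() {
    # shellcheck disable=SC2046
    set -- $(printf '%s\n' "$SAMPLE_DEBSUMS" | grep alsa.pp)
    printf 'semodule -i %s\n' "$*"
}

# ok_pp_files: read debsums output on stdin and print only the paths of .pp
# files whose checksum status is OK, one per line. The status word is
# consumed here, so it can never reach semodule as an argument, and files
# that failed verification are not installed at all.
ok_pp_files() {
    awk '$2 == "OK" && $1 ~ /\.pp$/ { print $1 }'
}

# semodule_args: read module paths on stdin and emit the argument list
# semodule should get: the base module via -b, all others after -i. This is
# the name-based detection the thread does by hand with `grep -v base.pp`.
semodule_args() {
    awk '
        /(^|\/)base\.pp$/ { base = $0; next }
        { others = others " " $0 }
        END {
            if (base != "")   printf "-b %s", base
            if (others != "") { if (base != "") printf " "; printf "-i%s", others }
            printf "\n"
        }
    '
}

# build_command: the corrected pipeline end to end, printed as a dry run.
build_command() {
    printf '%s\n' "$SAMPLE_DEBSUMS" | ok_pp_files | semodule_args | sed 's/^/semodule /'
}

echo "thread's pipeline would run: $(naive_args)"
echo "corrected pipeline would run: $(build_command)"
```

Running the script prints the broken invocation next to the corrected one; to actually install, replace the final `sed` with `xargs sudo semodule` or paste the printed command, and check `semodule -l` afterwards to confirm the modules are loaded.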
