* libsepol will not compile
@ 2016-05-20 18:11 Jesse M. Bacon
  2016-05-20 19:05 ` Fw: " Jesse M. Bacon
  2016-05-20 19:13 ` Stephen Smalley
  0 siblings, 2 replies; 3+ messages in thread
From: Jesse M. Bacon @ 2016-05-20 18:11 UTC (permalink / raw)
  To: selinux


Tycho,


I am having an issue with SELinux.  We have servers currently deployed with Red Hat Enterprise Linux on them and they required enhanced access controls.  I have already recommended that we use SELinux to increase the security of our access controls for users and files.  I am attempting to work through a book on SELinux in order to make recommendations about how it can be leveraged on these systems.  The book exercises lead me to an example where I am running "chcat -l -- +Salaries myuser".


RHEL 6.7 is unable to create the security context.  I am in mls mode.  I grabbed a source version of the most recent build of SELinux so that I could build libsepol and semanage from source and see if that made a difference.  I found that RedHat had a bug report where semanage is faulty within their distribution and that a patch had been issued and everything, but it looks like the patch is for Fedora.



Reference:

https://bugzilla.redhat.com/show_bug.cgi?id=1048524


The latest version of SELinux requires a compiler in excess of what ships with RHEL 6.7.  I upgraded to the 6.1 version of gcc and installed all the dependencies and crossed my fingers and ran make.  Unfortunately libsepol cannot compile because:

"""

util.c:127: error: 'low_bit' may be used uninitialized in this function

"""

I can't get any of it to compile even when I set the LIBDIR to lib64 and run make with --disable-multilib.


Forgive me, I'm a beginner, I've never written a driver or kernel module, and I don't know what that means.  The RedHat guide for SELinux provides a gist for MLS.  I can work through that and will.  I am concerned that there will be no way to get this running given the OS and the documentation and a clean source build.


In order to get a more current version of SELinux and gcc I will have to go to RHEL7.  RHEL7 features grub2 and I still have to figure out how to audit that at boot time, and additionally there is a use after free vulnerability that has me worried about access control credentials getting snooped.  I can't let that happen, and RedHat says the vulnerability does not affect RHEL 6.7.  That, I believe, is a separate issue.


There are a lot of appliances affected by this, I will need help writing configuration scripts to get them all into MLS mode and enforcing.


Please forgive me if this isn't the proper forum for this.


My system is unable to create the MLS context when I run the chcat -l command using the RedHat-supplied packages.

"""

libsepol.mls_from_string:  invalid MLS context s0-s0:Salaries (No such file or directory)

"""


The contents of my /etc/selinux/mls/setrans.conf are as follows:

# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be labeled with one of 16 levels and be categorized with 0-1023
# categories defined by the admin.
# Objects can be in more than one category at a time.
# Users can modify this table to translate the MLS labels for different purpose.
#
# Assumptions: using below MLS labels.
#  SystemLow
#  SystemHigh
#  Unclassified
#  Secret with compartments A and B.
#
# SystemLow and SystemHigh
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh
s0:c102=Contracts
s0:c103=Salaries
s0-s0:c1.c127=FinanceData
# Unclassified level
s1=Unclassified

# Secret level with compartments
s2=Secret
s2:c0=A
s2:c1=B

# ranges for Unclassified
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
s1-s15:c0.c1023=Unclassified-SystemHigh

# ranges for Secret with compartments
s0-s2=SystemLow-Secret
s0-s2:c0=SystemLow-Secret:A
s0-s2:c1=SystemLow-Secret:B
s0-s2:c0,c1=SystemLow-Secret:AB
s1-s2:c0=Unclassified-Secret:A
s1-s2:c1=Unclassified-Secret:B
s1-s2:c0,c1=Unclassified-Secret:AB
s2-s2:c0=Secret-Secret:A
s2-s2:c1=Secret-Secret:B
s2-s2:c0,c1=Secret-Secret:AB
s2-s15:c0.c1023=Secret-SystemHigh
s2:c0-s2:c0,c1=Secret:A-Secret:AB
s2:c0-s15:c0.c1023=Secret:A-SystemHigh
s2:c1-s2:c0,c1=Secret:B-Secret:AB
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh

Sincerely,

Jesse Bacon


This e-mail communication (including any attachments) may contain confidential information intended solely for the use of the intended recipient. If you are not the intended recipient, you should immediately stop reading this message and delete it from your system. Any unauthorized reading, distribution, copying or other use of this communication (or its attachments) is strictly prohibited.


* Fw: libsepol will not compile
  2016-05-20 18:11 libsepol will not compile Jesse M. Bacon
@ 2016-05-20 19:05 ` Jesse M. Bacon
  2016-05-20 19:13 ` Stephen Smalley
  1 sibling, 0 replies; 3+ messages in thread
From: Jesse M. Bacon @ 2016-05-20 19:05 UTC (permalink / raw)
  To: selinux


* Re: libsepol will not compile
  2016-05-20 18:11 libsepol will not compile Jesse M. Bacon
  2016-05-20 19:05 ` Fw: " Jesse M. Bacon
@ 2016-05-20 19:13 ` Stephen Smalley
  1 sibling, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2016-05-20 19:13 UTC (permalink / raw)
  To: Jesse M. Bacon, selinux

On 05/20/2016 02:11 PM, Jesse M. Bacon wrote:
> I am having an issue with SELinux.  We have servers currently deployed
> with Red Hat Enterprise Linux on them and they required enhanced access
> controls.  I have already recommended that we use SELinux to increase
> the security of our access controls for users and files.  I am
> attempting to work through a book on SELinux in order to make
> recommendations about how it can be leveraged on these systems.  The
> book exercises lead me to an example where I am running "chcat -l --
> +Salaries myuser".
> 
> 
> RHEL 6.7 is unable to create the security context.  I am in mls mode.
>   I grabbed a source version of the most recent build of SELinux so that
> I could build libsepol and semanage from source and see if that made a
> difference.  I found that RedHat had a bug report where semanage is
> faulty within their distribution and that a patch had been issued and
> everything but it looks like the patch is for Fedora.
> 
>  
> 
> Reference:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1048524
> 
> 
> The latest version of SELinux requires a compiler in excess of what
> ships with RHEL 6.7.  I upgraded to the 6.1 version of gcc and installed
> all the dependencies and crossed my fingers and ran make.
>  Unfortunately libsepol cannot compile because:
> 
> """
> 
> util.c:127: error: 'low_bit' may be used uninitialized in this function
> 
> """
> 
> I can't get any of it to compile even when I set the LIBDIR to lib64 and
> run make with --disable-multilib.
> 
> 
> Forgive me, I'm a beginner, I've never written a driver or kernel
> module, and I don't know what that means.  The RedHat guide for SELinux
> provides a gist for MLS.  I can work through that and will.  I am
> concerned that there will be no way to get this running given the OS and
> the documentation and a clean source build.  
> 
> 
> In order to get a more current version of SELinux and gcc I will have to
> go to RHEL7.  RHEL7 features grub2 and I still have to figure out how to
> audit that at boot time and additionally there is a use after free
> vulnerability that has me worried about access control credentials
> getting snooped.  I can't let that happen and RedHat says the
> vulnerability does not affect RHEL 6.7.  That, I believe, is a
> separate issue.
> 
> 
> There are a lot of appliances affected by this, I will need help writing
> configuration scripts to get them all into MLS mode and enforcing.
> 
> 
> Please forgive me if this isn't the proper forum for this.
> 
> 
> My system is unable to create the MLS context when I run the chcat
> -l command using the RedHat supplied packages
> 
> """
> 
> libsepol.mls_from_string:  invalid MLS context s0-s0:Salaries (No such
> file or directory)

I don't think you need to upgrade your SELinux userspace or compiler or
RHEL version if you just want to use SELinux on existing systems.  I
certainly wouldn't start there.

Your problem could be as simple as not running mcstrans, the label
translation daemon, which would normally handle mapping something like
Salaries to a value understood by libsepol and the kernel. Do you have
mcstrans installed and running?

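To make Stephen's point concrete: what libsepol accepts is the raw form of a context (sN sensitivities, optionally with cN categories and cN.cM ranges); names such as Salaries exist only on the translated side, in setrans.conf, and something has to map between the two before the string reaches libsepol. The Python below is an added example, not code from this thread, from mcstrans or from libsepol. It parses a constructed excerpt of the setrans.conf posted above, translates labels to raw contexts by exact table lookup (an assumption for illustration; the matching mcstrans itself performs is richer), and validates raw contexts against the limits the file's own comments state (16 sensitivities, 1024 categories) plus the rule that the high level of a range must dominate the low level. The function names (parse_setrans, validate_raw, to_raw, to_label) are the example's own. Run as a script it shows why `s0-s0:Salaries` is rejected and what the intended range looks like in raw form.

```python
"""Translate between raw MLS contexts and setrans.conf labels, and validate
raw contexts the way libsepol's mls_from_string would have to.

Added example; SETRANS_CONF is a constructed excerpt of the poster's file,
and exact-lookup translation is an assumption, not mcstrans's algorithm."""
import re

# Constructed excerpt of the posted /etc/selinux/mls/setrans.conf.
SETRANS_CONF = """\
# SystemLow and SystemHigh
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh
s0:c102=Contracts
s0:c103=Salaries
s0-s0:c1.c127=FinanceData
s1=Unclassified
s2=Secret
s2:c0=A
s2:c1=B
s0-s2:c0,c1=SystemLow-Secret:AB
"""

MAX_SENS = 15    # s0..s15, per the comments in setrans.conf
MAX_CAT = 1023   # c0..c1023

# One raw level: s<N>, optionally followed by ':' and comma-separated
# categories, each a single c<N> or a range c<N>.c<M>.
_CAT = r"c\d+(?:\.c\d+)?"
_LEVEL = rf"s\d+(?::{_CAT}(?:,{_CAT})*)?"
_RAW_RE = re.compile(rf"^(?P<low>{_LEVEL})(?:-(?P<high>{_LEVEL}))?$")


class MlsError(ValueError):
    """Raised for a syntactically raw level whose numbers are out of range."""


def parse_setrans(text):
    """Return (raw->label, label->raw) dicts from setrans.conf-style text."""
    raw_to_label, label_to_raw = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        raw, _, label = line.partition("=")
        raw, label = raw.strip(), label.strip()
        raw_to_label[raw] = label
        label_to_raw.setdefault(label, raw)  # first mapping wins on duplicates
    return raw_to_label, label_to_raw


def _parse_level(level):
    """Return (sensitivity number, set of category numbers) for one raw level."""
    sens, _, cats = level.partition(":")
    sens_n = int(sens[1:])
    if sens_n > MAX_SENS:
        raise MlsError(f"sensitivity {sens} exceeds s{MAX_SENS}")
    catset = set()
    for part in (cats.split(",") if cats else []):
        lo, _, hi = part.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        if hi_n > MAX_CAT or lo_n > hi_n:
            raise MlsError(f"bad category range {part}")
        catset.update(range(lo_n, hi_n + 1))
    return sens_n, catset


def validate_raw(ctx):
    """Return None if ctx is a well-formed raw MLS level or range whose high
    level dominates its low level, otherwise a reason string.
    's0-s0:Salaries' fails the first check: 'Salaries' is not a c<N>."""
    m = _RAW_RE.match(ctx)
    if not m:
        return "not of the form s<N>[:c<N>[.c<M>][,...]][-<level>]"
    try:
        low = _parse_level(m.group("low"))
        high = _parse_level(m.group("high")) if m.group("high") else low
    except MlsError as e:
        return str(e)
    if high[0] < low[0] or not low[1] <= high[1]:
        return "high level does not dominate low level"
    return None


def to_raw(ctx, label_to_raw):
    """Translate a context that may carry setrans labels into raw form, or
    return None when no exact table entry covers it. Whole-string lookup
    first (e.g. 'SystemLow-SystemHigh'), then each side of 'low-high'."""
    if _RAW_RE.match(ctx):
        return ctx
    if ctx in label_to_raw:
        return label_to_raw[ctx]
    low, sep, high = ctx.partition("-")
    if not sep:
        return None
    sides = [to_raw(side, label_to_raw) for side in (low, high)]
    return None if None in sides else "-".join(sides)


def to_label(ctx, raw_to_label):
    """Translate a raw context back to its setrans label; unknown parts stay raw."""
    if ctx in raw_to_label:
        return raw_to_label[ctx]
    low, sep, high = ctx.partition("-")
    if sep and low in raw_to_label and high in raw_to_label:
        return f"{raw_to_label[low]}-{raw_to_label[high]}"
    return ctx


if __name__ == "__main__":
    raw_to_label, label_to_raw = parse_setrans(SETRANS_CONF)
    for ctx in ("s0-s0:Salaries", "SystemLow-Salaries", "SystemLow-SystemHigh"):
        raw = to_raw(ctx, label_to_raw)
        if raw is None:
            print(f"{ctx!r}: no translation to a raw context (is mcstrans running?)")
        else:
            status = validate_raw(raw) or "valid"
            print(f"{ctx!r} -> {raw} ({status}) -> {to_label(raw, raw_to_label)!r}")
```

A context that passes validate_raw is only syntactically well-formed; libsepol additionally requires every sensitivity and category to be defined in the loaded policy, which this example does not model. The failing string from the thread is rejected at the syntax step, which is exactly the situation Stephen describes: a label that should have been translated to c103 reached libsepol as the word Salaries.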
