* default policy package
@ 2003-11-03 11:43 Dale Amon
From: Dale Amon @ 2003-11-03 11:43 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE Linux

Looks like X windows has really stuck its tentacles
into the policy. I can't compile one without it. Something
in the macros that I haven't tracked down yet:

ERROR: unknown type initrc_xserver_tmp_t' at token ':' on line 6198:
allow sysadm_uml_t initrc_xserver_tmp_t:dir search;

so I removed uml.te, which I didn't need anyway. Next run
I've now got:

ERROR: unknown type sysadm_xserver_t' at token ':' on line 7525:
allow sysadm_xserver_t xserver_tmpfile:dir { read getattr lock search ioctl add name remove_name write };

These are just some examples. I've been fighting this
all morning without finding a set that works without 
any X. (Hardly need X for a machine that normally doesn't
even have a terminal on it, and when it does it's an old
dumb b&w character only glass tty)

I haven't specifically seen where the problem is coming
from yet: everything seems to have ifdef's around it
on startx.te or xserver.te but I've not gone through
every file.

I'll keep at it, but suggestions are welcome. 
-- 
------------------------------------------------------
       IN MY NAME:            Dale Amon, CEO/MD
  No Mushroom clouds over     Islandone Society
    London and New York.      www.islandone.org
------------------------------------------------------

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: default policy package
@ 2003-11-03 13:38 ` Diyab
From: Diyab @ 2003-11-03 13:38 UTC (permalink / raw)
  To: Dale Amon; +Cc: Russell Coker, SE Linux

Dale Amon wrote:
> Looks like X windows has really stuck its tentacles
> into the policy. I can't compile one without it. Something
> in the macros that I haven't tracked down yet:
> 
> ERROR: unknown type initrc_xserver_tmp_t' at token ':' on line 6198:
> allow sysadm_uml_t initrc_xserver_tmp_t:dir search;
> 
> so I removed uml.te, which I didn't need anyway. Next run
> I've now got:
> 
> ERROR: unknown type sysadm_xserver_t' at token ':' on line 7525:
> allow sysadm_xserver_t xserver_tmpfile:dir { read getattr lock search ioctl add name remove_name write };
> 
> These are just some examples. I've been fighting this
> all morning without finding a set that works without 
> any X. (Hardly need X for a machine that normally doesn't
> even have a terminal on it, and when it does it's an old
> dumb b&w character only glass tty)
> 
> I haven't specifically seen where the problem is coming
> from yet: everything seems to have ifdef's around it
> on startx.te or xserver.te but I've not gone through
> every file.
> 
> I'll keep at it, but suggestions are welcome. 

I ran into a similar problem with postgresql.te which contains a 
can_exec statement with dpkg_exec_t that does not have an ifdef around 
it.  So unless you include dpkg.te you get an error attempting to 
compile the policy.  Easiest thing to do from what I've found is to grep 
everything in domains/program for the context that is giving the error.

Timothy,

-- 
I put instant coffee in a microwave and almost went back in time.
		-- Steven Wright




* Re: default policy package
@ 2003-11-03 15:05     ` Diyab
From: Diyab @ 2003-11-03 15:05 UTC (permalink / raw)
  To: russell; +Cc: Dale Amon, SE Linux

Russell Coker wrote:

> On Tue, 4 Nov 2003 00:38, Diyab wrote:
> 
>>I ran into a similar problem with postgresql.te which contains a
>>can_exec statement with dpkg_exec_t that does not have an ifdef around
>>it.  So unless you include dpkg.te you get an error attempting to
>>compile the policy.  Easiest thing to do from what I've found is to grep
>>everything in domains/program for the context that is giving the error.
> 
> 
> I fixed that error some time ago.
> 
> One thing I have been considering is writing some scripts to check for such 
> errors.
> 
> My initial thought was to try compiling all combinations of packages.  But 
> that would involve hundreds of thousands of compilations.  So my current idea 
> is to m4 process each .te file with only the macro files and then search for 
> type declarations.  Then make a list of all .te files which reference those 
> types or attributes that they possess.  Then once the list of inter-dependence 
> between policy files is prepared it should be only a few hundred compilations 
> needed to prove that the policy will compile in all valid configurations.
> 

This is true.  I did not mean to imply that it had not been fixed but I 
did not specifically state that it had or had not, my apologies.

Timothy,

-- 
I put instant coffee in a microwave and almost went back in time.
		-- Steven Wright



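Russell Coker's dependency-mapping idea quoted above, combined with Diyab's suggestion in the earlier reply of grepping domains/program for the type named in the error, sketched as a small Python checker. This is an added example, not code from the thread or from the SELinux policy tree: it works on abbreviated, constructed .te snippets rather than m4-expanded policy, and it treats an ifdef(`file.te', ...) guard as making the enclosed references conditional (non-nested guards assumed).

```python
import re
from collections import defaultdict

# Constructed sample .te files (abbreviated stand-ins, not the real policy
# sources). File and type names mirror the ones discussed in the thread.
SAMPLE_TE = {
    "xserver.te": "type xserver_t, domain;\n"
                  "type sysadm_xserver_t, domain;\n"
                  "type xserver_tmpfile, file_type;\n",
    "startx.te": "allow sysadm_xserver_t xserver_tmpfile:dir "
                 "{ read getattr lock search ioctl add_name remove_name write };\n",
    "dpkg.te": "type dpkg_t, domain;\n"
               "type dpkg_exec_t, file_type, exec_type;\n",
    "postgresql.te": "type postgresql_t, domain;\n"
                     "can_exec(postgresql_t, dpkg_exec_t)\n"
                     "ifdef(`uml.te', `\n"
                     "allow postgresql_t uml_exec_t:file read;\n"
                     "')\n",
    "uml.te": "type uml_exec_t, file_type;\n",
}

# A 'type foo_t, attr;' or 'attribute bar;' declaration at line start.
DECL = re.compile(r"^\s*(?:type|attribute)\s+(\w+)\s*[,;]", re.MULTILINE)
# One ifdef(`file.te', `...') block; assumes guards are not nested.
IFDEF = re.compile(r"ifdef\(`[^`']+',\s*`.*?'\)", re.DOTALL)


def declared_types(files):
    """Map each declared type or attribute name to the file declaring it."""
    owner = {}
    for name, text in files.items():
        for ident in DECL.findall(text):
            owner[ident] = name
    return owner


def unconditional_refs(text, owner):
    """Declared identifiers used in `text` outside any ifdef(...) guard."""
    stripped = IFDEF.sub("", text)
    return {w for w in re.findall(r"\w+", stripped) if w in owner}


def dependencies(files):
    """file -> set of other files whose types it references unconditionally."""
    owner = declared_types(files)
    deps = defaultdict(set)
    for name, text in files.items():
        for ident in unconditional_refs(text, owner):
            if owner[ident] != name:
                deps[name].add(owner[ident])
    return dict(deps)


def missing_for_config(files, selected):
    """Files in `selected` whose hard dependencies are not also selected."""
    selected = set(selected)
    deps = dependencies(files)
    missing = {}
    for f in sorted(selected):
        gap = deps.get(f, set()) - selected
        if gap:
            missing[f] = sorted(gap)
    return missing


if __name__ == "__main__":
    # Reproduces the situation in the thread: startx.te without xserver.te.
    print(missing_for_config(SAMPLE_TE, ["startx.te", "postgresql.te", "dpkg.te"]))
```

Each entry in the result names a file whose unguarded references would make the compile fail for that selection, which is the check the "few hundred compilations" plan tries to answer without compiling every combination.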

* Re: default policy package
@ 2003-11-03 15:27   ` Dale Amon
From: Dale Amon @ 2003-11-03 15:27 UTC (permalink / raw)
  To: Russell Coker; +Cc: Dale Amon, SE Linux

On Tue, Nov 04, 2003 at 01:15:57AM +1100, Russell Coker wrote:
> > ERROR: unknown type sysadm_xserver_t' at token ':' on line 7525:
> > allow sysadm_xserver_t xserver_tmpfile:dir { read getattr lock search ioctl
> > add name remove_name write };
> 
> The policy needs some work in that area.
> 
> The root cause is that you included startx.te without xserver.te.  If you add 
> xserver.te or remove startx.te then it should compile.

Actually, the root cause is the package script. It
runs through a list of domain/programs but doesn't
know to remove misc/startx.te. Going from that
to manually fiddling left me with a 'priming effect'.
I never even thought to look in misc.

Here's one that might interest Steve: load_policy can 
totally lock up a small memory machine if the binary 
policy is large.

-- 
------------------------------------------------------
       IN MY NAME:            Dale Amon, CEO/MD
  No Mushroom clouds over     Islandone Society
    London and New York.      www.islandone.org
------------------------------------------------------



* Re: default policy package
@ 2003-11-03 15:29     ` Dale Amon
From: Dale Amon @ 2003-11-03 15:29 UTC (permalink / raw)
  To: Russell Coker; +Cc: Diyab, Dale Amon, SE Linux

On Tue, Nov 04, 2003 at 01:40:04AM +1100, Russell Coker wrote:
> My initial thought was to try compiling all combinations of packages.  But 
> that would involve hundreds of thousands of compilations.  So my current idea 
> is to m4 process each .te file with only the macro files and then search for 
> type declarations.  Then make a list of all .te files which reference those 
> types or attributes that they possess.  Then once the list of inter-dependence 
> between policy files is prepared it should be only a few hundred compilations 
> needed to prove that the policy will compile in all valid configurations.

Isn't this a dual with the halting problem? ;-)

-- 
------------------------------------------------------
       IN MY NAME:            Dale Amon, CEO/MD
  No Mushroom clouds over     Islandone Society
    London and New York.      www.islandone.org
------------------------------------------------------



* Re: default policy package
@ 2003-11-03 16:15     ` Stephen Smalley
From: Stephen Smalley @ 2003-11-03 16:15 UTC (permalink / raw)
  To: Dale Amon; +Cc: Russell Coker, SE Linux

On Mon, 2003-11-03 at 10:27, Dale Amon wrote:
> Here's one that might interest Steve: load_policy can 
> totally lock up a small memory machine if the binary 
> policy is large.

What was the memory size and the policy size?  load_policy follows
the same approach as init_module (in 2.6); it vmalloc's a region
for the entire binary policy, copies it from userspace into this region,
converts and extracts the data into the policy runtime data structures,
and then vfree's the copy.  If the initial vmalloc fails (or any
subsequent kmalloc or vmalloc for the runtime data structures fails),
all of the memory allocated during the load should be freed and it
should just fail with errno ENOMEM (and the system should continue
operating under the old policy, which isn't freed until after the new
policy has been fully loaded, sanity checked, and "installed" as the
active policy).

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency




* Re: default policy package
@ 2003-11-03 16:18       ` Stephen Smalley
From: Stephen Smalley @ 2003-11-03 16:18 UTC (permalink / raw)
  To: Dale Amon; +Cc: Russell Coker, Diyab, SE Linux

On Mon, 2003-11-03 at 10:29, Dale Amon wrote:
> On Tue, Nov 04, 2003 at 01:40:04AM +1100, Russell Coker wrote:
> > My initial thought was to try compiling all combinations of packages.  But 
> > that would involve hundreds of thousands of compilations.  So my current idea 
> > is to m4 process each .te file with only the macro files and then search for 
> > type declarations.  Then make a list of all .te files which reference those 
> > types or attributes that they possess.  Then once the list of inter-dependence 
> > between policy files is prepared it should be only a few hundred compilations 
> > needed to prove that the policy will compile in all valid configurations.

What exactly are you trying to achieve that isn't provided by Colin's
policy regression testing support (i.e. 'make check-all')?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency




* Re: default policy package
@ 2003-11-03 17:37       ` Dale Amon
From: Dale Amon @ 2003-11-03 17:37 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Dale Amon, Russell Coker, SE Linux

On Mon, Nov 03, 2003 at 11:15:23AM -0500, Stephen Smalley wrote:
> On Mon, 2003-11-03 at 10:27, Dale Amon wrote:
> > Here's one that might interest Steve: load_policy can 
> > totally lock up a small memory machine if the binary 
> > policy is large.
> 
> What was the memory size and the policy size?  load_policy follows

16MB RAM on a 486DX. I've got a couple of them I use
for firewalls and testing. Poor little fellers were
about to get chucked in the skip.

I haven't got the policy size. I'll have to reset the
test system back to 'virgin' to get back to it. But 
it's easy enough to reproduce. Just take Russ's selinux-default-policy
package and answer Y to everything (I installed it and other
packages via a script the first time).

Disk makes noises for awhile, machine works away...
and then a 'top' screen I'm watching on vt2
freezes and then you can't do anything but hit the
power switch.

I 'cured' the problem by paring down the policy
to minimum size, and that loads just fine.

Note, if it is of interest, this is all being
done manually. kernel is booted with selinux=1,
but not with an initrd; I then

	mount -t selinuxfs none /selinux
	cd /etc/selinux; make install
	make load

What I'm actually working on is trying to get
an initial root file labeling working with a 
reiserfs... yeah, I finally got a round tuit. 

-- 
------------------------------------------------------
       IN MY NAME:            Dale Amon, CEO/MD
  No Mushroom clouds over     Islandone Society
    London and New York.      www.islandone.org
------------------------------------------------------



* Re: default policy package
@ 2003-11-03 19:27           ` Colin Walters
From: Colin Walters @ 2003-11-03 19:27 UTC (permalink / raw)
  To: Russell Coker; +Cc: Stephen Smalley, SE Linux


On Mon, 2003-11-03 at 11:48, Russell Coker wrote:

> Thanks for that reference, I have run check-all and fixed bugs in my policy 
> tree related to updfstab, kudzu, and netsaint.  Colin, I have found what 
> appears to be a minor bug in check-all, I get the following error related to 
> mount:
> 
> Testing authbind.te...
> Testing authbind.te...success.
> make[1]: *** No rule to make target `presymlink/mount.te', needed by 
> `presymlink/automount.te'.  Stop.

This is due to the fact that automount.te has a Depends: mount.te, but
this is unnecessary since mount.te is included in the core
(non-optional) policy.  Deleting that Depends: line should make it work.
I'll try to come up with a patch soonish to make Depends: on core policy
work though.




* Re: default policy package
@ 2003-11-03 20:04             ` Howard Holm
From: Howard Holm @ 2003-11-03 20:04 UTC (permalink / raw)
  To: Colin Walters; +Cc: selinux

On Mon, 2003-11-03 at 14:27, Colin Walters wrote:
> On Mon, 2003-11-03 at 11:48, Russell Coker wrote:
> 
> > Thanks for that reference, I have run check-all and fixed bugs in my policy 
> > tree related to updfstab, kudzu, and netsaint.  Colin, I have found what 
> > appears to be a minor bug in check-all, I get the following error related to 
> > mount:
> > 
> > Testing authbind.te...
> > Testing authbind.te...success.
> > make[1]: *** No rule to make target `presymlink/mount.te', needed by 
> > `presymlink/automount.te'.  Stop.
> 
> This is due to the fact that automount.te has a Depends: mount.te, but
> this is unnecessary since mount.te is included in the core
> (non-optional) policy.  Deleting that Depends: line should make it work.
> I'll try to come up with a patch soonish to make Depends: on core policy
> work though.

The Depends line has been fixed for a while (at least since the last
release) in the example policy at nsa.gov.  I've been using make
check-all for a while.  It's very useful, but it has some strange
behaviors.  I've noticed that often I can run check-all on a broken
policy and it will run fine.  Running it a second or third time will
cause the error to be generated.  Running make checkunused/file.te seems
to work in a more deterministic way.  I haven't had a chance to try and
track down the problem with check-all though.

-- 
Howard Holm <hdholm@epoch.ncsc.mil>
Office of Defensive Computing Research
National Security Agency




* Re: default policy package
@ 2003-11-03 20:11   ` Howard Holm
From: Howard Holm @ 2003-11-03 20:11 UTC (permalink / raw)
  To: Diyab; +Cc: selinux

On Mon, 2003-11-03 at 08:38, Diyab wrote:
> Dale Amon wrote:
> > Looks like X windows has really stuck its tentacles
> > into the policy. I can't compile one without it. Something
> > in the macros that I haven't tracked down yet:
> > 
> > ERROR: unknown type initrc_xserver_tmp_t' at token ':' on line 6198:
> > allow sysadm_uml_t initrc_xserver_tmp_t:dir search;
> > 
> > so I removed uml.te, which I didn't need anyway. Next run
> > I've now got:
> > 
> > ERROR: unknown type sysadm_xserver_t' at token ':' on line 7525:
> > allow sysadm_xserver_t xserver_tmpfile:dir { read getattr lock search ioctl add name remove_name write };
> > 
> > These are just some examples. I've been fighting this
> > all morning without finding a set that works without 
> > any X. (Hardly need X for a machine that normally doesn't
> > even have a terminal on it, and when it does it's an old
> > dumb b&w character only glass tty)
> > 
> > I haven't specifically seen where the problem is coming
> > from yet: everything seems to have ifdef's around it
> > on startx.te or xserver.te but I've not gone through
> > every file.
> > 
> > I'll keep at it, but suggestions are welcome. 
> 
> I ran into a similar problem with postgresql.te which contains a 
> can_exec statement with dpkg_exec_t that does not have an ifdef around 
> it.  So unless you include dpkg.te you get an error attempting to 
> compile the policy.  Easiest thing to do from what I've found is to grep 
> everything in domains/program for the context that is giving the error.
> 
> Timothy,

The most recent release of the default policy on nsa.gov has the ifdef
isolating the can_exec statement.

-- 
Howard Holm <hdholm@epoch.ncsc.mil>
Office of Defensive Computing Research
National Security Agency




* Re: default policy package
@ 2003-11-04 17:54         ` Dale Amon
From: Dale Amon @ 2003-11-04 17:54 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Dale Amon, Russell Coker, SE Linux

On Mon, Nov 03, 2003 at 05:37:10PM +0000, Dale Amon wrote:
> On Mon, Nov 03, 2003 at 11:15:23AM -0500, Stephen Smalley wrote:
> > On Mon, 2003-11-03 at 10:27, Dale Amon wrote:
> > > Here's one that might interest Steve: load_policy can 
> > > totally lock up a small memory machine if the binary 
> > > policy is large.
> > 
> > What was the memory size and the policy size?  load_policy follows

I got a chance to rebuild one today. This should be nearly the
same size as the one I tested the other day, certainly within
a few percent.

-rw-r--r--    1 root     root      2943339 Nov  4 17:04 policy.15

The memory size was 16M, as I noted yesterday.

