(no subject)

[Brian Iván Martínez]

[-- Attachment #1: Type: text/plain, Size: 674 bytes --]

Hi, first time mailer here.

Lately I've grown curious about SELinux and I would like to be able to
install it on my Archlinux. There are packages in the AUR repo but those
are from before glibc-2.16, with the update the packages broke. I have
successfully build and installed libselinux and libsepol  but now it's turn
for pam with selinux enabled which fails with the complain that it doesn't
know rlim size in the pam_unix_passwd.c file.

I posted this in the G+ group trying to figure out if is a bug in pam or in
SELinux and the guys there told me to post it here.

The AUR package I try to use to build pam is
https://aur.archlinux.org/packages/selinux-pam/ .

Thanks

[-- Attachment #2: Type: text/html, Size: 809 bytes --]

Re: pam_selinux

[Stephen Smalley]

On 02/09/2013 02:21 PM, Brian Iván Martínez wrote:
> Hi, first time mailer here.
>
> Lately I've grown curious about SELinux and I would like to be able to
> install it on my Archlinux. There are packages in the AUR repo but those
> are from before glibc-2.16, with the update the packages broke. I have
> successfully build and installed libselinux and libsepol  but now it's
> turn for pam with selinux enabled which fails with the complain that it
> doesn't know rlim size in the pam_unix_passwd.c file.
>
> I posted this in the G+ group trying to figure out if is a bug in pam or
> in SELinux and the guys there told me to post it here.
>
> The AUR package I try to use to build pam is
> https://aur.archlinux.org/packages/selinux-pam/ .

Can you post the actual error output?  And provide more details about 
what versions you are using?



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: pam_selinux

[Brian Iván Martínez]

[-- Attachment #1: Type: text/plain, Size: 2102 bytes --]

Yes, thank you, first of all, and second, one user (the maintainer of the
package) found a patch from Fedora that, for now, seems to be working fine,
but that is not the problem now, the problem is with systemd wich doesn't
compile. The PKGBUILD file says it is version 197 and it applies 2 patches,
use-split-usr-path.patch and
0001-dbus-fix-serialization-of-calendar-timers.patch, then it configures
with the next flags:

--enable-introspection
--enable-gtk-doc
--enable-selinux
--disable-audit
--disable-ima

When I try to build using those files (from
https://aur.archlinux.org/packages/selinux-systemd/) it gets stuck in the
configure part stating:

checking for SELINUX... no
configure: error: *** SELinux support requested but libraries not found

I think it just doesn't find SELinux but then how can I fix it? the only
dirs passed to configure are:

--libexecdir=/usr/lib
--localstatedir=/var
--sysconfdir=/etc

The PKGFILE may be more explicit than me.


2013/2/11 Stephen Smalley <sds@tycho.nsa.gov>

> On 02/09/2013 02:21 PM, Brian Iván Martínez wrote:
>
>> Hi, first time mailer here.
>>
>> Lately I've grown curious about SELinux and I would like to be able to
>> install it on my Archlinux. There are packages in the AUR repo but those
>> are from before glibc-2.16, with the update the packages broke. I have
>> successfully build and installed libselinux and libsepol  but now it's
>> turn for pam with selinux enabled which fails with the complain that it
>> doesn't know rlim size in the pam_unix_passwd.c file.
>>
>> I posted this in the G+ group trying to figure out if is a bug in pam or
>> in SELinux and the guys there told me to post it here.
>>
>> The AUR package I try to use to build pam is
>> https://aur.archlinux.org/**packages/selinux-pam/<https://aur.archlinux.org/packages/selinux-pam/>.
>>
>
> Can you post the actual error output?  And provide more details about what
> versions you are using?
>
>
>


-- 
Ellos se ríen de mi por que soy diferente, yo me río de ellos por que todos
son iguales-- J. Davis

[-- Attachment #2: Type: text/html, Size: 2715 bytes --]

Re: systemd selinux

[Stephen Smalley]

On 02/11/2013 02:17 PM, Brian Iván Martínez wrote:
> Yes, thank you, first of all, and second, one user (the maintainer of
> the package) found a patch from Fedora that, for now, seems to be
> working fine, but that is not the problem now, the problem is with
> systemd wich doesn't compile. The PKGBUILD file says it is version 197
> and it applies 2 patches, use-split-usr-path.patch and
> 0001-dbus-fix-serialization-of-calendar-timers.patch, then it configures
> with the next flags:
>
> --enable-introspection
> --enable-gtk-doc
> --enable-selinux
> --disable-audit
> --disable-ima
>
> When I try to build using those files (from
> https://aur.archlinux.org/packages/selinux-systemd/) it gets stuck in
> the configure part stating:
>
> checking for SELINUX... no
> configure: error: *** SELinux support requested but libraries not found
>
> I think it just doesn't find SELinux but then how can I fix it? the only
> dirs passed to configure are:
>
> --libexecdir=/usr/lib
> --localstatedir=/var
> --sysconfdir=/etc
>
> The PKGFILE may be more explicit than me.

Do you have a /usr/lib/pkgconfig/libselinux.pc or 
/usr/lib64/pkgconfig/libselinux.pc file?



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: systemd selinux

[Brian Iván Martínez]

[-- Attachment #1: Type: text/plain, Size: 1574 bytes --]

yes, I have a /usr/lib/pkgconfig/libselinux.pc , mm I'm using a 64bit
system, does that matter?


2013/2/11 Stephen Smalley <sds@tycho.nsa.gov>

> On 02/11/2013 02:17 PM, Brian Iván Martínez wrote:
>
>> Yes, thank you, first of all, and second, one user (the maintainer of
>> the package) found a patch from Fedora that, for now, seems to be
>> working fine, but that is not the problem now, the problem is with
>> systemd wich doesn't compile. The PKGBUILD file says it is version 197
>> and it applies 2 patches, use-split-usr-path.patch and
>> 0001-dbus-fix-serialization-**of-calendar-timers.patch, then it
>> configures
>> with the next flags:
>>
>> --enable-introspection
>> --enable-gtk-doc
>> --enable-selinux
>> --disable-audit
>> --disable-ima
>>
>> When I try to build using those files (from
>> https://aur.archlinux.org/**packages/selinux-systemd/<https://aur.archlinux.org/packages/selinux-systemd/>)
>> it gets stuck in
>> the configure part stating:
>>
>> checking for SELINUX... no
>> configure: error: *** SELinux support requested but libraries not found
>>
>> I think it just doesn't find SELinux but then how can I fix it? the only
>> dirs passed to configure are:
>>
>> --libexecdir=/usr/lib
>> --localstatedir=/var
>> --sysconfdir=/etc
>>
>> The PKGFILE may be more explicit than me.
>>
>
> Do you have a /usr/lib/pkgconfig/libselinux.**pc or /usr/lib64/pkgconfig/*
> *libselinux.pc file?
>
>
>


-- 
Ellos se ríen de mi por que soy diferente, yo me río de ellos por que todos
son iguales-- J. Davis

[-- Attachment #2: Type: text/html, Size: 2094 bytes --]

Re: systemd selinux

[Stephen Smalley]

On 02/11/2013 02:31 PM, Brian Iván Martínez wrote:
> yes, I have a /usr/lib/pkgconfig/libselinux.pc , mm I'm using a 64bit
> system, does that matter?

Don't think so.  I think that is just a difference between Arch and 
Fedora - 32-bit in /usr/lib32 and 64-bit in /usr/lib vs 32-bit in 
/usr/lib and 64-bit in /usr/lib64.

What does:
$ pkg-config --print-errors libselinux
$ echo $?

display?



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: systemd selinux

[Brian Iván Martínez]

[-- Attachment #1: Type: text/plain, Size: 678 bytes --]

the first doesn't display anything and the second displays a 0 (zero)


2013/2/11 Stephen Smalley <sds@tycho.nsa.gov>

> On 02/11/2013 02:31 PM, Brian Iván Martínez wrote:
>
>> yes, I have a /usr/lib/pkgconfig/libselinux.**pc , mm I'm using a 64bit
>> system, does that matter?
>>
>
> Don't think so.  I think that is just a difference between Arch and Fedora
> - 32-bit in /usr/lib32 and 64-bit in /usr/lib vs 32-bit in /usr/lib and
> 64-bit in /usr/lib64.
>
> What does:
> $ pkg-config --print-errors libselinux
> $ echo $?
>
> display?
>
>
>


-- 
Ellos se ríen de mi por que soy diferente, yo me río de ellos por que todos
son iguales-- J. Davis

[-- Attachment #2: Type: text/html, Size: 1164 bytes --]

Re: systemd selinux

[Brian Iván Martínez]

[-- Attachment #1: Type: text/plain, Size: 960 bytes --]

I did use the makepkg command to test, should I try to ./configure my self?


2013/2/11 Brian Iván Martínez <xangelux@gmail.com>

> the first doesn't display anything and the second displays a 0 (zero)
>
>
> 2013/2/11 Stephen Smalley <sds@tycho.nsa.gov>
>
>> On 02/11/2013 02:31 PM, Brian Iván Martínez wrote:
>>
>>> yes, I have a /usr/lib/pkgconfig/libselinux.**pc , mm I'm using a 64bit
>>> system, does that matter?
>>>
>>
>> Don't think so.  I think that is just a difference between Arch and
>> Fedora - 32-bit in /usr/lib32 and 64-bit in /usr/lib vs 32-bit in /usr/lib
>> and 64-bit in /usr/lib64.
>>
>> What does:
>> $ pkg-config --print-errors libselinux
>> $ echo $?
>>
>> display?
>>
>>
>>
>
>
> --
> Ellos se ríen de mi por que soy diferente, yo me río de ellos por que
> todos son iguales-- J. Davis
>



-- 
Ellos se ríen de mi por que soy diferente, yo me río de ellos por que todos
son iguales-- J. Davis

[-- Attachment #2: Type: text/html, Size: 1771 bytes --]

Re: systemd selinux

[Stephen Smalley]

On 02/11/2013 03:22 PM, Brian Iván Martínez wrote:
> I did use the makepkg command to test, should I try to ./configure my self?

Looks like systemd requires a specific version of libselinux.
http://lists.freedesktop.org/archives/systemd-devel/2012-September/006621.html


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: systemd selinux

[Brian Iván Martínez]

[-- Attachment #1: Type: text/plain, Size: 730 bytes --]

I'll talk to the maintainer, we are in 2.1.0 right now, I'll see how to
update the package, for libselinux. Any patch that should be added to the
2.1.9 or any better version?


2013/2/11 Stephen Smalley <sds@tycho.nsa.gov>

> On 02/11/2013 03:22 PM, Brian Iván Martínez wrote:
>
>> I did use the makepkg command to test, should I try to ./configure my
>> self?
>>
>
> Looks like systemd requires a specific version of libselinux.
> http://lists.freedesktop.org/**archives/systemd-devel/2012-**
> September/006621.html<http://lists.freedesktop.org/archives/systemd-devel/2012-September/006621.html>
>
>


-- 
Ellos se ríen de mi por que soy diferente, yo me río de ellos por que todos
son iguales-- J. Davis

[-- Attachment #2: Type: text/html, Size: 1230 bytes --]

Re: systemd selinux

[Stephen Smalley]

On 02/11/2013 03:54 PM, Brian Iván Martínez wrote:
> I'll talk to the maintainer, we are in 2.1.0 right now, I'll see how to
> update the package, for libselinux. Any patch that should be added to
> the 2.1.9 or any better version?

You should use the latest release from:
http://userspace.selinuxproject.org/trac/wiki/Releases
which would put you at libselinux 2.1.12.





--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: systemd selinux

[Brian Iván Martínez]

[-- Attachment #1: Type: text/plain, Size: 710 bytes --]

Ok, I will try it, thanks, I'll be sure to come back if anything happends


2013/2/11 Stephen Smalley <sds@tycho.nsa.gov>

> On 02/11/2013 03:54 PM, Brian Iván Martínez wrote:
>
>> I'll talk to the maintainer, we are in 2.1.0 right now, I'll see how to
>> update the package, for libselinux. Any patch that should be added to
>> the 2.1.9 or any better version?
>>
>
> You should use the latest release from:
> http://userspace.**selinuxproject.org/trac/wiki/**Releases<http://userspace.selinuxproject.org/trac/wiki/Releases>
> which would put you at libselinux 2.1.12.
>
>
>
>
>


-- 
Ellos se ríen de mi por que soy diferente, yo me río de ellos por que todos
son iguales-- J. Davis

[-- Attachment #2: Type: text/html, Size: 1233 bytes --]

Re: systemd selinux

[Brian Iván Martínez]

[-- Attachment #1: Type: text/plain, Size: 1196 bytes --]

Me bothering again, I'm trying to build libselinux 2.1.12 and in the make
step I get the error undefined pcre_free, pcre_free_study, pcre_compile,
pcre_study and pcre_exec in the file label_file.c , is there a patch to be
applied or configuration needed or a bug?

Thanks again


2013/2/11 Brian Iván Martínez <xangelux@gmail.com>

> Ok, I will try it, thanks, I'll be sure to come back if anything happends
>
>
> 2013/2/11 Stephen Smalley <sds@tycho.nsa.gov>
>
>> On 02/11/2013 03:54 PM, Brian Iván Martínez wrote:
>>
>>> I'll talk to the maintainer, we are in 2.1.0 right now, I'll see how to
>>> update the package, for libselinux. Any patch that should be added to
>>> the 2.1.9 or any better version?
>>>
>>
>> You should use the latest release from:
>> http://userspace.**selinuxproject.org/trac/wiki/**Releases<http://userspace.selinuxproject.org/trac/wiki/Releases>
>> which would put you at libselinux 2.1.12.
>>
>>
>>
>>
>>
>
>
> --
> Ellos se ríen de mi por que soy diferente, yo me río de ellos por que
> todos son iguales-- J. Davis
>



-- 
Ellos se ríen de mi por que soy diferente, yo me río de ellos por que todos
son iguales-- J. Davis

[-- Attachment #2: Type: text/html, Size: 2056 bytes --]

Re: systemd selinux

[Stephen Smalley]

On 02/11/2013 06:01 PM, Brian Iván Martínez wrote:
> Me bothering again, I'm trying to build libselinux 2.1.12 and in the
> make step I get the error undefined pcre_free, pcre_free_study,
> pcre_compile, pcre_study and pcre_exec in the file label_file.c , is
> there a patch to be applied or configuration needed or a bug?

Requires libpcre.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: systemd selinux

[Brian Iván Martínez]

[-- Attachment #1: Type: text/plain, Size: 941 bytes --]

Ok, I have fixed most of the packages, I just need to update
policycoreutils, how can I build it so it is integraded with systemd (maybe
create a Unit for restorecond) I only have the package from
https://aur.archlinux.org/packages/selinux-usr-policycoreutils/ to guide
me, but there is an restorecond provided and I'm not sure that will work,
everything is implemented to work with sysvinit scripts.


2013/2/12 Stephen Smalley <sds@tycho.nsa.gov>

> On 02/11/2013 06:01 PM, Brian Iván Martínez wrote:
>
>> Me bothering again, I'm trying to build libselinux 2.1.12 and in the
>> make step I get the error undefined pcre_free, pcre_free_study,
>> pcre_compile, pcre_study and pcre_exec in the file label_file.c , is
>> there a patch to be applied or configuration needed or a bug?
>>
>
> Requires libpcre.
>
>


-- 
Ellos se ríen de mi por que soy diferente, yo me río de ellos por que todos
son iguales-- J. Davis

[-- Attachment #2: Type: text/html, Size: 1486 bytes --]

Re: systemd selinux

[Stephen Smalley]

On 02/12/2013 07:53 PM, Brian Iván Martínez wrote:
> Ok, I have fixed most of the packages, I just need to update
> policycoreutils, how can I build it so it is integraded with systemd
> (maybe create a Unit for restorecond) I only have the package from
> https://aur.archlinux.org/packages/selinux-usr-policycoreutils/ to guide
> me, but there is an restorecond provided and I'm not sure that will
> work, everything is implemented to work with sysvinit scripts.

restorecond isn't required for SELinux operation.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: systemd selinux

[Brian Iván Martínez]

[-- Attachment #1: Type: text/plain, Size: 1840 bytes --]

Thanks for the help, I found the fedora package for policycoreutils and
copied the unit file to make the daemon run in every boot, you said it
wasn't necessary but it would be nice to have working everything I can and
even if I have the time and energy after this getting the gui tools too.
Anyway, I've downloaded the selinux notebook and the first thing I notice
is the change in the directories so I'm running thinking selinux was in
/selinux and no it isn't, should I erase the entry in the fstab or should I
change it to point to /sys/fs/selinux?. Another thing is, I installed an
old policy wich is sysvinit compatible but now I can't boot in enforcing
because it complains about not finding /dev/shm to boot (in permissive is
fine), in the IRC one guy helped me (I'm really sorry, I forgot the
username) and said it could be a policy issue so I should install a new one
either from Fedora's lates packages or from Tresys and then try to create
one based on those. My question is, could that be the issue or should I
search somewhere else?


2013/2/13 Stephen Smalley <sds@tycho.nsa.gov>

> On 02/12/2013 07:53 PM, Brian Iván Martínez wrote:
>
>> Ok, I have fixed most of the packages, I just need to update
>> policycoreutils, how can I build it so it is integraded with systemd
>> (maybe create a Unit for restorecond) I only have the package from
>> https://aur.archlinux.org/**packages/selinux-usr-**policycoreutils/<https://aur.archlinux.org/packages/selinux-usr-policycoreutils/>to guide
>> me, but there is an restorecond provided and I'm not sure that will
>> work, everything is implemented to work with sysvinit scripts.
>>
>
> restorecond isn't required for SELinux operation.
>
>


-- 
Ellos se ríen de mi por que soy diferente, yo me río de ellos por que todos
son iguales-- J. Davis

[-- Attachment #2: Type: text/html, Size: 2368 bytes --]

Re: systemd selinux

[Stephen Smalley]

On 02/17/2013 01:43 AM, Brian Iván Martínez wrote:
> Thanks for the help, I found the fedora package for policycoreutils and
> copied the unit file to make the daemon run in every boot, you said it
> wasn't necessary but it would be nice to have working everything I can
> and even if I have the time and energy after this getting the gui tools
> too. Anyway, I've downloaded the selinux notebook and the first thing I
> notice is the change in the directories so I'm running thinking selinux
> was in /selinux and no it isn't, should I erase the entry in the fstab
> or should I change it to point to /sys/fs/selinux?. Another thing is, I
> installed an old policy wich is sysvinit compatible but now I can't boot
> in enforcing because it complains about not finding /dev/shm to boot (in
> permissive is fine), in the IRC one guy helped me (I'm really sorry, I
> forgot the username) and said it could be a policy issue so I should
> install a new one either from Fedora's lates packages or from Tresys and
> then try to create one based on those. My question is, could that be the
> issue or should I search somewhere else?

You don't need it in fstab because systemd calls libselinux 
selinux_init_load_policy() which will automatically try to mount 
selinuxfs on /sys/fs/selinux first, and then fall back to /selinux if 
that directory does not exist (which would be the case on older kernels).

Updating to a recent policy certainly wouldn't hurt.  But for policy 
issues, you should:
a) post your actual denials,
b) take your questions to the refpolicy list,
http://oss.tresys.com/mailman/listinfo/refpolicy


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: systemd selinux

[Brian Iván Martínez]

[-- Attachment #1: Type: text/plain, Size: 2109 bytes --]

Thanks Stephen, I think it is policy related, I'm too new to this so I
better find some time to read the selinux notebook and learn about policies
before asking stupid questions, anything you recommend?


2013/2/19 Stephen Smalley <sds@tycho.nsa.gov>

> On 02/17/2013 01:43 AM, Brian Iván Martínez wrote:
>
>> Thanks for the help, I found the fedora package for policycoreutils and
>> copied the unit file to make the daemon run in every boot, you said it
>> wasn't necessary but it would be nice to have working everything I can
>> and even if I have the time and energy after this getting the gui tools
>> too. Anyway, I've downloaded the selinux notebook and the first thing I
>> notice is the change in the directories so I'm running thinking selinux
>> was in /selinux and no it isn't, should I erase the entry in the fstab
>> or should I change it to point to /sys/fs/selinux?. Another thing is, I
>> installed an old policy wich is sysvinit compatible but now I can't boot
>> in enforcing because it complains about not finding /dev/shm to boot (in
>> permissive is fine), in the IRC one guy helped me (I'm really sorry, I
>> forgot the username) and said it could be a policy issue so I should
>> install a new one either from Fedora's lates packages or from Tresys and
>> then try to create one based on those. My question is, could that be the
>> issue or should I search somewhere else?
>>
>
> You don't need it in fstab because systemd calls libselinux
> selinux_init_load_policy() which will automatically try to mount selinuxfs
> on /sys/fs/selinux first, and then fall back to /selinux if that directory
> does not exist (which would be the case on older kernels).
>
> Updating to a recent policy certainly wouldn't hurt.  But for policy
> issues, you should:
> a) post your actual denials,
> b) take your questions to the refpolicy list,
> http://oss.tresys.com/mailman/**listinfo/refpolicy<http://oss.tresys.com/mailman/listinfo/refpolicy>
>
>


-- 
Ellos se ríen de mi por que soy diferente, yo me río de ellos por que todos
son iguales-- J. Davis

[-- Attachment #2: Type: text/html, Size: 2659 bytes --]