* sysvinit doesnt see libselinux/libsepol (LFS system);
@ 2009-02-15  4:13 Justin Mattock
  2009-02-16  2:39 ` Russell Coker
  0 siblings, 1 reply; 6+ messages in thread
From: Justin Mattock @ 2009-02-15  4:13 UTC (permalink / raw)
  To: SE-Linux

I'm in the process of creating a linux from scratch system.
(able to startx so far);
when looking at:
ldd /sbin/init
I don't see any info on
libselinux or libsepol.
I did apply a patch that I found by a simple
google (but it results in an unable to sync error when there is no
policy present, as well as a simple copy of a policy from another machine
resulted in the same error);
Is there a clean patch for sysvinit_2.86.ds1.orig.tar.gz
(I just grabbed any sysvinit from either deb/or ubuntu);
or even better, a sysvinit(version) that has a built-in command like
xserver does(--enable-selinux);
appreciate the time.

regards;

-- 
Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: sysvinit doesnt see libselinux/libsepol (LFS system);
  2009-02-15  4:13 sysvinit doesnt see libselinux/libsepol (LFS system); Justin Mattock
@ 2009-02-16  2:39 ` Russell Coker
  2009-02-16  6:08   ` Justin Mattock
  0 siblings, 1 reply; 6+ messages in thread
From: Russell Coker @ 2009-02-16  2:39 UTC (permalink / raw)
  To: Justin Mattock; +Cc: SE-Linux

On Sun, 15 Feb 2009, Justin Mattock <justinmattock@gmail.com> wrote:
> I'm in the process of creating a linux from scratch system.
> when looking at:
> ldd /sbin/init
> I don't see any info on
> libselinux or libsepol.
[...]
> Is there a clean patch for sysvinit_2.86.ds1.orig.tar.gz
> (I just grabbed any sysvinit from either deb/or ubuntu);
> or even better, a sysvinit(version) that has a built-in command like
> xserver does(--enable-selinux);
> appreciate the time.

# ldd /sbin/init |grep selin
        libselinux.so.1 => /lib/libselinux.so.1 (0xb7f3f000)

The above is from a stock Debian/Lenny system.  The patch (.diff.gz file) for 
that will have the SE Linux code you need.

Incidentally the Debian patch in question is version 61.  I suspect that some 
of those 61 releases have other code that you might desire.  So I suggest 
that even disregarding the fact that the SE Linux code you require is in the 
diff, it's something you would want anyway.

Also let's keep the issues of the X server and init entirely separate.  The 
part of your message which referenced X confused me.  When you do tackle the 
X issue (after you have solved your init problem) please make sure to include 
the relevant part of the "ps axZ" output.

> but results in an unable to sync error when there is no
> policy present

That sounds like you have SELINUX=enforcing in /etc/selinux/config.  Try 
SELINUX=permissive until you have things working reasonably well.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog
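
Added example (not part of the original thread or of sysvinit/libselinux): the two checks from the reply above, whether init is linked against libselinux and whether SELINUX=enforcing is set while no policy file is available, written as a pre-boot script for a root tree such as an LFS build. The function names and verdict strings are hypothetical, the sample config is constructed, and the policy path assumes the standard /etc/selinux/<SELINUXTYPE>/policy/policy.<N> layout.

```shell
#!/bin/sh
# Added example: pre-boot SELinux sanity check for a root tree (e.g. an LFS build).
# Function names and verdict strings are illustrative, not from any real tool.

# Print KEY's value from an /etc/selinux/config style file.
# Commented-out lines are ignored; if KEY is repeated, the last one is reported.
cfg_value() {  # usage: cfg_value KEY FILE
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p" "$2" 2>/dev/null |
        tail -n 1
}

# Succeed if the given `ldd` output text lists libselinux.
links_libselinux() {  # usage: links_libselinux "LDD_OUTPUT"
    printf '%s\n' "$1" | grep -q 'libselinux\.so'
}

# Succeed if a compiled policy file exists for policy type $2 under root $1
# (assumed layout: ROOT/etc/selinux/TYPE/policy/policy.N).
policy_present() {  # usage: policy_present ROOT TYPE
    for f in "$1/etc/selinux/$2/policy/policy."*; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Combine the checks into a single verdict line.
selinux_preflight() {  # usage: selinux_preflight ROOT "LDD_OUTPUT"
    mode=$(cfg_value SELINUX "$1/etc/selinux/config")
    ptype=$(cfg_value SELINUXTYPE "$1/etc/selinux/config")
    if ! links_libselinux "$2"; then
        echo "init-not-linked mode=${mode:-unset}"
    elif ! policy_present "$1" "${ptype:-none}"; then
        case "$mode" in
            enforcing) echo "no-policy-enforcing: switch to SELINUX=permissive" ;;
            *)         echo "no-policy mode=${mode:-unset}" ;;
        esac
    else
        echo "ok mode=$mode type=$ptype"
    fi
}

# Constructed demo input: throwaway root, enforcing mode, no policy file installed.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/selinux"
    printf '# constructed sample\nSELINUX=enforcing\nSELINUXTYPE=refpolicy\n' \
        > "$root/etc/selinux/config"
    selinux_preflight "$root" "libselinux.so.1 => /lib/libselinux.so.1 (0xb7f3f000)"
    rm -rf "$root"
}
demo
```

On a real tree, pass the build root and the output of `ldd` run against its /sbin/init as the two arguments to `selinux_preflight`.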


* Re: sysvinit doesnt see libselinux/libsepol (LFS system);
  2009-02-16  2:39 ` Russell Coker
@ 2009-02-16  6:08   ` Justin Mattock
  2009-02-16 14:18     ` Justin Mattock
  0 siblings, 1 reply; 6+ messages in thread
From: Justin Mattock @ 2009-02-16  6:08 UTC (permalink / raw)
  To: russell; +Cc: SE-Linux

On Sun, Feb 15, 2009 at 6:39 PM, Russell Coker <russell@coker.com.au> wrote:
> On Sun, 15 Feb 2009, Justin Mattock <justinmattock@gmail.com> wrote:
>> I'm in the process of creating a linux from scratch system.
>> when looking at:
>> ldd /sbin/init
>> I don't see any info on
>> libselinux or libsepol.
> [...]
>> Is there a clean patch for sysvinit_2.86.ds1.orig.tar.gz
>> (I just grabbed any sysvinit from either deb/or ubuntu);
>> or even better, a sysvinit(version) that has a built-in command like
>> xserver does(--enable-selinux);
>> appreciate the time.
>
> # ldd /sbin/init |grep selin
>        libselinux.so.1 => /lib/libselinux.so.1 (0xb7f3f000)
>

this is what I always check for in any installation I do.
this time I get nothing.


> The above is from a stock Debian/Lenny system.  The patch (.diff.gz file) for
> that will have the SE Linux code you need.
>

yeah it looks like there is no code with the package that I have
 to make the policy load.
(need to patch the package);

> Incidentally the Debian patch in question is version 61.  I suspect that some
> of those 61 releases have other code that you might desire.  So I suggest
> that even disregarding the fact that the SE Linux code you require is in the
> diff, it's something you would want anyway.
>

I'm not sure (brain is fried from unpackaging/compiling packages all day);

> Also let's keep the issues of the X server and init entirely separate.  The
> part of your message which referenced X confused me.  When you do tackle the
> X issue (after you have solved your init problem) please make sure to include
> the relevant part of the "ps axZ" output.

I will as soon as I get things configured.
As for the X server I just was using that as an example for a config
option that it has for selinux for sysv

>
>> but results in an unable to sync error when there is no
>> policy present
>
> That sounds like you have SELINUX=enforcing in /etc/selinux/config.  Try
> SELINUX=permissive until you have things working reasonably well.
>

I think that's what happened.
I'll try it again, and see if this was the mistake.

> --
> russell@coker.com.au
> http://etbe.coker.com.au/          My Main Blog
> http://doc.coker.com.au/           My Documents Blog
>

Thanks for the info.
I'll have a look at my init to make sure things
are in order. Then I'll post ps auxZ for you.

regards;

-- 
Justin P. Mattock


* Re: sysvinit doesnt see libselinux/libsepol (LFS system);
  2009-02-16  6:08   ` Justin Mattock
@ 2009-02-16 14:18     ` Justin Mattock
  2009-02-16 22:35       ` Russell Coker
  0 siblings, 1 reply; 6+ messages in thread
From: Justin Mattock @ 2009-02-16 14:18 UTC (permalink / raw)
  To: russell; +Cc: SE-Linux

Alright;
to make things less confusing, here are some URLs that I found
to load the policy with sysvinit:

http://repos.archlinux.org/viewvc.cgi/community/system/selinux-sysvinit/sysvinit-init.c.diff?view=log&root=community&pathrev=CURRENT

http://www.mail-archive.com/pkg-sysvinit-devel@lists.alioth.debian.org/msg00663.html

The issue I have is using dpkg/or apt-get already has the right
patch applied and init already compiled in, in accordance to the distro.
doing a (LFS) tutorial, under the documentation
has me building everything from the source.
(a lot of work, but worth the learning experience);

I just need to find a right suitable patch for sysvinit to load the policy
during boot so I can get refpolicy compiled in accordance
to the system.
under /etc/*
(LFS) looks similar to redhat, e.g.
/etc/rc.d/init.d/(lfs-bootscripts);
but not sure if this matters or not.

In any case, I suppose I can just copy /sbin/init from an existing
debian system but, then I might have issues with the
arch being different.

-- 
Justin P. Mattock


* Re: sysvinit doesnt see libselinux/libsepol (LFS system);
  2009-02-16 14:18     ` Justin Mattock
@ 2009-02-16 22:35       ` Russell Coker
  2009-02-17  0:19         ` Justin Mattock
  0 siblings, 1 reply; 6+ messages in thread
From: Russell Coker @ 2009-02-16 22:35 UTC (permalink / raw)
  To: Justin Mattock; +Cc: SE-Linux

On Tue, 17 Feb 2009, Justin Mattock <justinmattock@gmail.com> wrote:
> The issue I have is using dpkg/or apt-get already has the right
> patch applied and init already compiled in, in accordance to the distro.

If you take the original source plus the Debian patch and use it in place of 
the original source for your LFS build then it should be fine.

> doing a (LFS) tutorial, under the documentation
> has me building everything from the source.
> (a lot of work, but worth the learning experience);

It's also a learning experience to contribute to the integration of SE Linux 
in a major distribution such as Debian, Gentoo, or Fedora.  I think that in 
the long run there would be more benefits to both you personally and the 
community if you were to contribute to one of these projects.  I suggest that 
you choose Debian, but I admit to being biased in this regard.  ;)

> In any case, I suppose I can just copy /sbin/init from an existing
> debian system but, then I might have issues with the
> arch being different.

No, that should work.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog


* Re: sysvinit doesnt see libselinux/libsepol (LFS system);
  2009-02-16 22:35       ` Russell Coker
@ 2009-02-17  0:19         ` Justin Mattock
  0 siblings, 0 replies; 6+ messages in thread
From: Justin Mattock @ 2009-02-17  0:19 UTC (permalink / raw)
  To: russell; +Cc: SE-Linux

On Mon, Feb 16, 2009 at 2:35 PM, Russell Coker <russell@coker.com.au> wrote:
> On Tue, 17 Feb 2009, Justin Mattock <justinmattock@gmail.com> wrote:
>> The issue I have is using dpkg/or apt-get already has the right
>> patch applied and init already compiled in, in accordance to the distro.
>
> If you take the original source plus the Debian patch and use it in place of
> the original source for your LFS build then it should be fine.
>

I took the original source from the debian sid site + 40_selinux.patch
and saw no signs of loading a policy.
here's the location of the patch:
http://patch-tracking.debian.net/package/sysvinit/2.86.ds1-61
maybe I should add some more patches besides 40_selinux.

>> doing a (LFS) tutorial, under the documentation
>> has me building everything from the source.
>> (a lot of work, but worth the learning experience);
>
> It's also a learning experience to contribute to the integration of SE Linux
> in a major distribution such as Debian, Gentoo, or Fedora.  I think that in
> the long run there would be more benefits to both you personally and the
> community if you were to contribute to one of these projects.  I suggest that
> you choose Debian, but I admit to being biased in this regard.  ;)
>

Well I did a debootstrap installation a few days ago, but then
said to myself how do I do all the stuff that debootstrap does.
then one thing led to the next, weeks later and here I am.
as a side note:
one of the main goals right
(as a test) is to see what happens to the system when one
atomically syncs all the libs/apps to the processor using
CFLAGS etc..(curious to see the performance as well as
any kind of bug fixes);

>> In any case, I suppose I can just copy /sbin/init from an existing
>> debian system but, then I might have issues with the
>> arch being different.
>
> No, that should work.
>

to my amazement it did work
(I compile sysv normally on the new system then just copied
init from a running debian to the new system).

on the other hand I'm seeing other issues at the moment besides init:
I don't have any file labels, e.g. ls -Z shows: (/bin as an example)

drwxr-xr-x  2  root root ?  4096 Feb 16 22:38 bin
that question mark is on all files.
if I do an id -Z
id: --context (-Z) works only on a SELinux-enabled kernel
(keep in mind I still have to configure my /etc/ group/passwd
files, so this might have something to do with it);


> --
> russell@coker.com.au
> http://etbe.coker.com.au/          My Main Blog
> http://doc.coker.com.au/           My Documents Blog
>

Overall SELinux does load and there are avc being generated.
I think I just need to start from the beginning and make sure things
are proper.


-- 
Justin P. Mattock
