* Problems with policy-1.26
@ 2005-11-06 12:06 Goo GGooo
  2005-11-09 13:39 ` Stephen Smalley
  2005-11-10 17:13 ` Thomas Bleher
  0 siblings, 2 replies; 5+ messages in thread
From: Goo GGooo @ 2005-11-06 12:06 UTC (permalink / raw)
  To: selinux

Hi all,
I have downloaded selinux 1.26 and am trying to use it with linux kernel 2.6.12.6. Unfortunately I have problems with policy-1.26. When doing "make install" I'm constantly getting complaints about missing /etc/libuser.conf:

/etc/selinux # make install
Building file contexts files...
Validating file contexts files ...
/usr/sbin/setfiles -q -c /etc/selinux/strict/policy/policy.20 file_contexts/file_contexts
install -m 644 tmp/system.users /etc/selinux/strict/users/system.users
install -m 644 tmp/customizable_types /etc/selinux/strict/contexts/customizable_types
install -m 644 tmp/port_types /etc/selinux/strict/contexts/port_types
Installing file contexts files...
install -m 644 file_contexts/homedir_template /etc/selinux/strict/contexts/files/homedir_template
install -m 644 file_contexts/file_contexts /etc/selinux/strict/contexts/files/file_contexts
grep: /etc/libuser.conf: No such file or directory
You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=/var/lib is already defined in /etc/selinux/strict/contexts/files/file_contexts,
/usr/sbin/genhomedircon will not create a new context.

Then with "make load" I'm getting error w.r.t. missing /etc/selinux/targeted/users//{local.users,system.users}, while /etc/selinux/targeted/users is a file, not a directory containing any files:

# make load
Loading Policy ...
/usr/sbin/load_policy /etc/selinux/strict/policy/policy.20
sepol_genusers: Can't load system.users:  Not a directory
/usr/sbin/load_policy:  Error while setting user configuration from /etc/selinux/targeted/users//{local.users,system.users}:  Not a directory
sepol_genbools_array:  boolean secure_mode_insmod no longer in policy
sepol_genbools_array:  boolean secure_mode_policyload no longer in policy
/usr/sbin/load_policy:  Warning!  Unable to reset all booleans
/usr/sbin/load_policy:  security_load_policy failed
make: *** [tmp/load] Error 3

What am I doing wrong?
Thanks!
Goo

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Problems with policy-1.26
  2005-11-06 12:06 Problems with policy-1.26 Goo GGooo
@ 2005-11-09 13:39 ` Stephen Smalley
  2005-11-09 22:13   ` Goo GGooo
  2005-11-10 17:13 ` Thomas Bleher
  1 sibling, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2005-11-09 13:39 UTC (permalink / raw)
  To: Goo GGooo; +Cc: selinux

On Mon, 2005-11-07 at 01:06 +1300, Goo GGooo wrote:
> Hi all,
> I have downloaded selinux 1.26 and am trying to use it with linux kernel 2.6.12.6. Unfortunately I have problems with policy-1.26. When doing "make install" I'm constantly getting complaints about missing /etc/libuser.conf:
>
> /etc/selinux # make install
> Building file contexts files...
> Validating file contexts files ...
> /usr/sbin/setfiles -q -c /etc/selinux/strict/policy/policy.20 file_contexts/file_contexts
> install -m 644 tmp/system.users /etc/selinux/strict/users/system.users
> install -m 644 tmp/customizable_types /etc/selinux/strict/contexts/customizable_types
> install -m 644 tmp/port_types /etc/selinux/strict/contexts/port_types
> Installing file contexts files...
> install -m 644 file_contexts/homedir_template /etc/selinux/strict/contexts/files/homedir_template
> install -m 644 file_contexts/file_contexts /etc/selinux/strict/contexts/files/file_contexts
> grep: /etc/libuser.conf: No such file or directory
> You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=/var/lib is already defined in /etc/selinux/strict/contexts/files/file_contexts,
> /usr/sbin/genhomedircon will not create a new context.
>
> Then with "make load" I'm getting error w.r.t. missing /etc/selinux/targeted/users//{local.users,system.users}, while /etc/selinux/targeted/users is a file, not a directory containing any files:
>
> # make load
> Loading Policy ...
> /usr/sbin/load_policy /etc/selinux/strict/policy/policy.20
> sepol_genusers: Can't load system.users:  Not a directory
> /usr/sbin/load_policy:  Error while setting user configuration from /etc/selinux/targeted/users//{local.users,system.users}:  Not a directory
> sepol_genbools_array:  boolean secure_mode_insmod no longer in policy
> sepol_genbools_array:  boolean secure_mode_policyload no longer in policy
> /usr/sbin/load_policy:  Warning!  Unable to reset all booleans
> /usr/sbin/load_policy:  security_load_policy failed
> make: *** [tmp/load] Error 3
>
> What am I doing wrong?

Hi,

From your message, it sounds like you are trying to install the last
nsa.gov SELinux release (which was made 7 Sep 2005) on a system that is
already running SELinux.  What is your distro?  If you are running a
distro that already includes SELinux support (e.g. Fedora, Hardened
Gentoo), then you should just use the policy package that comes with
your distro.

-- 
Stephen Smalley
National Security Agency



* Re: Problems with policy-1.26
  2005-11-09 13:39 ` Stephen Smalley
@ 2005-11-09 22:13   ` Goo GGooo
  2005-11-10 13:09     ` Stephen Smalley
  0 siblings, 1 reply; 5+ messages in thread
From: Goo GGooo @ 2005-11-09 22:13 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

On 11/10/05, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Mon, 2005-11-07 at 01:06 +1300, Goo GGooo wrote:
> > Hi all,
> > I have downloaded selinux 1.26 and am trying to use it with linux kernel 2.6.12.6. Unfortunately I have problems with policy-1.26. When doing "make install" I'm constantly getting complaints about missing /etc/libuser.conf:
> >
> > /etc/selinux # make install
> > Building file contexts files...
> > Validating file contexts files ...
> > /usr/sbin/setfiles -q -c /etc/selinux/strict/policy/policy.20 file_contexts/file_contexts
> > install -m 644 tmp/system.users /etc/selinux/strict/users/system.users
> > install -m 644 tmp/customizable_types /etc/selinux/strict/contexts/customizable_types
> > install -m 644 tmp/port_types /etc/selinux/strict/contexts/port_types
> > Installing file contexts files...
> > install -m 644 file_contexts/homedir_template /etc/selinux/strict/contexts/files/homedir_template
> > install -m 644 file_contexts/file_contexts /etc/selinux/strict/contexts/files/file_contexts
> > grep: /etc/libuser.conf: No such file or directory
> > You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=/var/lib is already defined in /etc/selinux/strict/contexts/files/file_contexts,
> > /usr/sbin/genhomedircon will not create a new context.
> >
> > Then with "make load" I'm getting error w.r.t. missing /etc/selinux/targeted/users//{local.users,system.users}, while /etc/selinux/targeted/users is a file, not a directory containing any files:
> >
> > # make load
> > Loading Policy ...
> > /usr/sbin/load_policy /etc/selinux/strict/policy/policy.20
> > sepol_genusers: Can't load system.users:  Not a directory
> > /usr/sbin/load_policy:  Error while setting user configuration from /etc/selinux/targeted/users//{local.users,system.users}:  Not a directory
> > sepol_genbools_array:  boolean secure_mode_insmod no longer in policy
> > sepol_genbools_array:  boolean secure_mode_policyload no longer in policy
> > /usr/sbin/load_policy:  Warning!  Unable to reset all booleans
> > /usr/sbin/load_policy:  security_load_policy failed
> > make: *** [tmp/load] Error 3
> >
> > What am I doing wrong?
>
> Hi,
>
> From your message, it sounds like you are trying to install the last
> nsa.gov SELinux release (which was made 7 Sep 2005) on a system that is
> already running SELinux.  What is your distro?

It's OpenSUSE 10.0 which comes only with libselinux-1.23.11 and no other SElinux related packages. So I downloaded the rest of them from http://www.cip.ifi.lmu.de/~bleher/selinux/suse/ and tried to configure it with the policies provided on that website as well as with policy-1.26. Failing that I deinstalled all the RPMs again and compiled SElinux from sources from nsa.gov. However still having the problems described above.

All I want to achieve for now is permitting everything for everyone (even in enforcing mode) and then harden some network-facing daemons like Apache or Bind, i.e. use the targeted policy. But I can't even start playing with that as I can't load the sample policy :-(

Any other ideas on how to continue? Using something else than OpenSUSE 10.0 isn't unfortunately possible.

Thanks
Goo


* Re: Problems with policy-1.26
  2005-11-09 22:13   ` Goo GGooo
@ 2005-11-10 13:09     ` Stephen Smalley
  0 siblings, 0 replies; 5+ messages in thread
From: Stephen Smalley @ 2005-11-10 13:09 UTC (permalink / raw)
  To: Goo GGooo; +Cc: selinux, Thomas Bleher

On Thu, 2005-11-10 at 11:13 +1300, Goo GGooo wrote:
> It's OpenSUSE 10.0 which comes only with libselinux-1.23.11 and
> no other SElinux related packages. So I downloaded the rest of them
> from http://www.cip.ifi.lmu.de/~bleher/selinux/suse/ and tried to
> configure it with the policies provided on that website as well as
> with policy-1.26. Failing that I deinstalled all the RPMs again
> and compiled SElinux from sources from nsa.gov. However still having
> the problems described above.
> All I want to achieve for now is permitting everything for
> everyone (even in enforcing mode) and then harden some network-facing
> daemons like Apache or Bind, i.e. use the targeted policy. But I can't
> even start playing with that as I can't load the sample policy :-(
> Any other ideas on how to continue? Using something else than
> OpenSUSE 10.0 isn't unfortunately possible.

Newlines are helpful when reading emails ;)

I'd encourage you to work with Thomas Bleher to get his packages working
for you, as he has been packaging SELinux for SuSE for his own use for
some time, as well as contributing to the upstream SELinux.

That said, I don't know if he has ever created a targeted policy for
SuSE.  Note that although the Fedora targeted policy is built from the
same source tree, the build sequence for it isn't part of the upstream
policy Makefile - the targeted policy spec file applies a
targeted-specific policy patch, selectively enables and disables
particular .te files, and overwrites certain files with the contents of
the policy/targeted subdirectory (as well as applying MCS conversion now
in rawhide, but that likely isn't relevant to you).  So you would want
to look at what the spec file does (available from the public Fedora CVS
tree), or even grab a copy of the Fedora targeted policy SRPM.

-- 
Stephen Smalley
National Security Agency



* Re: Problems with policy-1.26
  2005-11-06 12:06 Problems with policy-1.26 Goo GGooo
  2005-11-09 13:39 ` Stephen Smalley
@ 2005-11-10 17:13 ` Thomas Bleher
  1 sibling, 0 replies; 5+ messages in thread
From: Thomas Bleher @ 2005-11-10 17:13 UTC (permalink / raw)
  To: Goo GGooo; +Cc: selinux

* Goo GGooo <googgooo@gmail.com> [2005-11-06 13:20]:
> Hi all,

> I have downloaded selinux 1.26 and am trying to use it with
> linux kernel 2.6.12.6. Unfortunately I have problems with policy-1.26.
> When doing "make install" I'm constantly getting complaints about
> missing /etc/libuser.conf:

Indeed, /etc/libuser.conf is missing from SUSE; I did not notice before
because I don't use genhomedircon. You can fix genhomedircon to work on
SUSE (I think it can get the relevant info from /etc/default/useradd),
or you can just borrow the file from Fedora (see eg
http://wftp.tu-chemnitz.de/pub/linux/fedora-core/development/i386/Fedora/RPMS/libuser-0.54.1-1.i386.rpm )

Good Luck!
Thomas
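
The fallback Thomas describes, reading the home-directory base from /etc/default/useradd when /etc/libuser.conf is absent, as an added example that is not part of the original thread or of genhomedircon itself. The function name `home_base` and the assumed line formats (`LU_HOMEDIRECTORY = /home/%n` in libuser.conf, `HOME=/home` in the useradd defaults) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not genhomedircon's own code): find the directory under
# which user homes live, without requiring /etc/libuser.conf to exist.
# Assumed formats: "LU_HOMEDIRECTORY = /home/%n" (libuser.conf) and
# "HOME=/home" (/etc/default/useradd). Both paths can be overridden.

home_base() {
    libuser_conf=${1:-/etc/libuser.conf}
    useradd_defaults=${2:-/etc/default/useradd}
    base=""

    # 1. Prefer an uncommented LU_HOMEDIRECTORY entry if the file is there.
    if [ -r "$libuser_conf" ]; then
        base=$(sed -n 's/^[[:space:]]*LU_HOMEDIRECTORY[[:space:]]*=[[:space:]]*//p' \
            "$libuser_conf" | head -n 1)
        base=${base%/%n}          # drop the per-user "/%n" suffix
    fi

    # 2. Otherwise fall back to HOME= from the useradd defaults (SUSE case).
    if [ -z "$base" ] && [ -r "$useradd_defaults" ]; then
        base=$(sed -n 's/^[[:space:]]*HOME[[:space:]]*=[[:space:]]*//p' \
            "$useradd_defaults" | head -n 1)
    fi

    # Normalise: strip quotes and whitespace, then one trailing slash.
    base=$(printf '%s' "$base" | tr -d "\"'[:space:]")
    base=${base%/}

    # 3. Only an absolute path is usable in file_contexts; else use /home.
    case $base in
        /*) ;;
        *)  base=/home ;;
    esac
    printf '%s\n' "$base"
}

# Print the result for this system (or for the two files given as arguments).
home_base "$@"
```
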

