Old 06-11-2008, 03:02 PM
"prakash hallalli"
 
MLS policy enforcing mode problem when manually restarting the system services.

Hi all,
I have configured SELinux on CentOS 5.1. I have configured RBAC using the MLS (Multilevel Security) policy in enforcing mode. I am trying to restart the system services, but they are not restarting and an error message is thrown.


Steps to reproduce:

1) MLS policy configuration.

1. Install selinux-policy-mls
2. Set SELINUXTYPE=MLS in /etc/selinux/config file
3. touch ./autorelabel; on root's home directory, and reboot the machine.

4. While machine is rebooting, change the GRUB parameter.
enforcing=0

2) Now the system is in permissive mode and the SELinux status is as follows.

[root@turtle11 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls


3) Restart the system services and they restart successfully.

[root@turtle11 ~]# service nfs restart
Shutting down NFS mountd:                                  [  OK  ]
Shutting down NFS daemon:                                  [  OK  ]
Shutting down NFS quotas:                                  [  OK  ]
Shutting down NFS services:                                [  OK  ]
Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]

3) Now I am setting enforcing mode using the setenforce command.

[root@turtle11 ~]# setenforce 1

[root@turtle11 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls

4) a) Now the system is in enforcing mode and I am trying to restart the system service. The restart results in an error message.

[root@turtle11 ~]# service nfs restart
nfs: unrecognized service


[root@turtle11 ~]# run_init /etc/init.d/nfs restart
Authenticating root.
Password: XXXXXX
run_init: incorrect password for root
authentication failed.
[root@turtle11 ~]#

[root@turtle11 ~]# run_init /etc/init.d/ldap restart

Authenticating root.
Password: XXXXXX
run_init: incorrect password for root
authentication failed.

5) I am using sysadm_r.

[root@turtle11 ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t:SystemLow-SystemHigh

[root@turtle11 ~]#

6) These are the /sbin/ausearch log messages I am getting.

[root@turtle11 ~]# /sbin/ausearch -i -m AVC -sv no
type=SYSCALL msg=audit(06/11/2008 20:01:29.285:130367) : arch=x86_64 syscall=recvfrom success=no exit=-13(Permission denied) a0=5 a1=7fff60825b40 a2=5dc a3=0 items=0 ppid=1 pid=3103 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=dhcpd exe=/usr/sbin/dhcpd subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)

type=AVC msg=audit(06/11/2008 20:01:29.285:130367) : avc: denied { read } for pid=3103 comm=dhcpd lport=1 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=rawip_socket


Please help me. What is going on?

Thanks
Prakash.


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 06-11-2008, 03:08 PM
Stephen Smalley
 
MLS policy enforcing mode problem when manually restarting the system services.

On Wed, 2008-06-11 at 20:32 +0530, prakash hallalli wrote:
> HI ALL
> I have configured SELinux on CentOS 5.1. I have configured the RBAC
> using MLS (Multilevel Security) Policy using enforcing mode. I am
> trying to restart the system services and they are not restarting and
> it is throwing some error message.
>
> Steps to reproduce:
>
> 1 ) MLS Policy configuration.
>
> 1. Install selinux-policy-mls
> 2. Set SELINUXTYPE=MLS in /etc/selinux/config file
> 3. touch ./autorelabel; on root's home directory, and reboot the
> machine.

As others noted, this should have been touch /.autorelabel, not
touch ./autorelabel on root's home directory. But I don't think that is
relevant any more - you already manually relabeled.

> 4. While machine is rebooting, change the GRUB parameter.
> enforcing=0
>
> 2) Now system is in permissive mode and SELinux status is as follows.
>
> [root@turtle11 ~]# sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: enforcing
> Policy version: 21
> Policy from config file: mls
>
> 3) Restart the system services and they restart successfully.
>
> [root@turtle11 ~]# service nfs restart
> Shutting down NFS mountd: [ OK ]
> Shutting down NFS daemon: [ OK ]
> Shutting down NFS quotas: [ OK ]
> Shutting down NFS services: [ OK ]
> Starting NFS services: [
> OK ]
> Starting NFS quotas: [
> OK ]
> Starting NFS daemon: [ OK ]
> Starting NFS mountd: [ OK ]
>
> 3) Now i am setting enforcing mode using setenforce command.
>
> root@turtle11 ~]#setenforce 1
> root@turtle11 ~]# sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 21
> Policy from config file: mls
>
> 4) a) Now system is in enforcing mode and i am trying to restart the
> system service. The restart will result in error message.
>
> [root@turtle11 ~]# service nfs restart
> nfs: unrecognized service
>
> [root@turtle11 ~]# run_init /etc/init.d/nfs restart
> Authenticating root.
> Password: XXXXXX
> run_init: incorrect password for root
> authentication failed.
> [root@turtle11 ~]#
>
> [root@turtle11 ~]# run_init /etc/init.d/ldap restart
> Authenticating root.
> Password: XXXXXX
> run_init: incorrect password for root
> authentication failed.

This implies that the existing policy isn't allowing these domains to do
what they need to perform the authentication. Elsewhere you said you
are using ldap, so they may need additional permissions for the network
lookup.

> 5) I am using sysadm_r
>
> [root@turtle11 ~]# id
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=root:sysadm_r:sysadm_t:SystemLow-SystemHigh
> [root@turtle11 ~]#
>
> 6) This is i am getting /sbin/ausearch log messages.
>
> [root@turtle11 ~]#/sbin/ausearch -i -m AVC -sv no
> type=SYSCALL msg=audit(06/11/2008 20:01:29.285:130367) : arch=x86_64
> syscall=recvfrom success=no exit=-13(Permission denied) a0=5
> a1=7fff60825b40 a2=5dc a3=0 items=0 ppid=1 pid=3103 auid=root uid=root
> gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> tty=(none) comm=dhcpd exe=/usr/sbin/dhcpd
> subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
> type=AVC msg=audit(06/11/2008 20:01:29.285:130367) : avc: denied
> { read } for pid=3103 comm=dhcpd lport=1
> scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023
> tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=rawip_socket

On this one, as I said, dhcpd shouldn't be running in sysadm_t.
How did you start it?

--
Stephen Smalley
National Security Agency

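A small triage script for `ausearch -i -m AVC` output like the records quoted above, as an added example (not from the thread or any project): it parses each AVC record and flags the pattern Smalley points at, a daemon whose source context is an interactive admin domain such as sysadm_t instead of its own daemon domain. The set of admin domains and the third sample record are assumptions I constructed for contrast.

```python
import re

# Assumption: interactive login/admin domains in which a system daemon
# should never be running; sysadm_t is the one seen in the thread.
ADMIN_DOMAINS = {"sysadm_t", "staff_t", "user_t", "unconfined_t"}

AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: the first two records are the ones quoted in the thread
# (SYSCALL line trimmed); the third is a made-up denial for a daemon that did
# transition into its own domain, included for contrast.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(06/11/2008 20:01:29.285:130367) : arch=x86_64 syscall=recvfrom success=no exit=-13(Permission denied) comm=dhcpd exe=/usr/sbin/dhcpd subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(06/11/2008 20:01:29.285:130367) : avc: denied { read } for pid=3103 comm=dhcpd lport=1 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=rawip_socket
type=AVC msg=audit(06/11/2008 20:07:10.101:130412) : avc: denied { name_bind } for pid=3210 comm=rpc.mountd scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
"""


def parse_avc(line):
    """Parse one `ausearch -i` line; return a dict for type=AVC records, else None."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or m is None:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("rest")))  # pid, comm, scontext, tcontext, tclass ...
    # A context is user:role:type[:range]; the type is what the policy keys on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def triage(log_text):
    """Return [(comm, source type, verdict)] for every denied AVC in the text."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        if rec["stype"] in ADMIN_DOMAINS:
            verdict = ("daemon is running in an interactive domain, not its own; "
                       "it was probably started from a shell instead of via run_init")
        else:
            verdict = "denial inside the daemon's own domain; check policy for " + rec["tclass"]
        findings.append((rec["comm"], rec["stype"], verdict))
    return findings


if __name__ == "__main__":
    for comm, stype, verdict in triage(SAMPLE_LOG):
        print(f"{comm:12} {stype:14} {verdict}")
```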
 
Old 06-12-2008, 12:14 PM
"prakash hallalli"
 
MLS policy enforcing mode problem when manually restarting the system services.

Hi all,
I have to configure Role-based access control (RBAC) for an smbldap user.
How should I set the roles for users, and which policy should I use?

Now I am using the MLS policy to configure the RBAC.
I am not sure this is the correct way to configure the RBAC on CentOS 5.1.


Please help me find where I am going wrong.

Thanks,
Prakash,

 
Old 06-12-2008, 05:01 PM
Stephen Smalley
 
MLS policy enforcing mode problem when manually restarting the system services.

On Thu, 2008-06-12 at 17:44 +0530, prakash hallalli wrote:
> Hi all,
> I have to configure Role-based access control (RBAC) for an smbldap
> user.
> How should I set the roles for users, and which policy should I use?
>
> Now I am using the MLS policy to configure the RBAC.
> I am not sure this is the correct way to configure the RBAC on CentOS
> 5.1.
>
> Please help me find where I am going wrong.

If you only want support for user roles, then you don't need -mls
policy. You can use -strict policy (prior to F8), or in F8 or later you
can just map users to roles via semanage while using the default
targeted policy.

--
Stephen Smalley
National Security Agency
