Old 07-08-2008, 01:48 PM
Jan Kasprzak
 
Postfix avcs (Enabling SELinux on a custom kernel)

Stephen Smalley wrote:
: Easier way to do that is:
: audit2allow -M localpostfix
: That creates the .te file, runs it through checkmodule, and runs it
: through semodule_package, leaving you with the .pp file.

OK, thanks.

: > but when I try to load it using "semodule -i localpostfix.pp",
: > the semodule command hangs for several minutes, eating almost 100 % CPU.
: > After that, it fails with
: >
: > libsemanage.dbase_llist_query: could not query record value (No such file or directory).
:
: Hmmm...that's interesting. Usually that means you are missing a config
: file in the policy store. Are you starting from the stock Fedora policy
: or your own custom policy? Also, did it actually fail or just issue
: that warning and proceed?

Well, this system has been running for several years and upgraded
through several Fedora releases (although SELinux has never been in use there).
Now I have decided to enable SELinux (together with an upgrade to F9),
so I have installed Fedora (or Fedora updates) packages of SELinux tools,
targeted policy, etc. So yes, the starting point was the stock F9 setup,
but I cannot say it is a fresh F9 install.

Running find /etc/selinux -print on that system and on
just installed and updated F9 system leads to this diff:

diff /tmp/list.upgraded /tmp/list.fresh
70d69
< /etc/selinux/targeted/modules/active/modules/localpostfix.pp
115a115
> /etc/selinux/targeted/modules/active/seusers
117a118,119
> /etc/selinux/targeted/modules/active/users_extra.local
> /etc/selinux/targeted/modules/active/users.local
120,207d121
< /etc/selinux/targeted/modules/tmp
< /etc/selinux/targeted/modules/tmp/base.pp
< /etc/selinux/targeted/modules/tmp/commit_num
[... and a lot of other files in .../tmp, because semodule -i localpostfix.pp
was running at that time ...]

Semodule -i does not fail per se - it returns 0 to the shell.
However, Postfix still does not work, and AVCs similar to the original ones
are still logged into the audit.log.

-Yenya

--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you’re _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 07-08-2008, 02:16 PM
Jan Kasprzak
 
Postfix avcs (Enabling SELinux on a custom kernel)

Jan Kasprzak wrote:
: > /etc/selinux/targeted/modules/active/seusers
: > /etc/selinux/targeted/modules/active/users_extra.local
: > /etc/selinux/targeted/modules/active/users.local

I have copied those three files from the fresh F9 system
to the system in question, and it seems that after semodule -i localpostfix.pp
Postfix finally works. However, the "semodule -i localpostfix.pp"
command still takes 2-3 minutes of CPU time to finish. At least
it doesn't complain anymore.

# time semodule -i localpostfix.pp

real 2m55.839s
user 2m54.195s
sys 0m1.593s
# echo $?
0


-Yenya


 
Old 07-08-2008, 02:19 PM
Stephen Smalley
 
Postfix avcs (Enabling SELinux on a custom kernel)

On Tue, 2008-07-08 at 16:16 +0200, Jan Kasprzak wrote:
> Jan Kasprzak wrote:
> : > /etc/selinux/targeted/modules/active/seusers
> : > /etc/selinux/targeted/modules/active/users_extra.local
> : > /etc/selinux/targeted/modules/active/users.local
>
> I have copied those three files from the fresh F9 system
> to the system in question, and it seems that after semodule -i localpostfix.pp
> Postfix finally works. However, the "semodule -i localpostfix.pp"
> command still takes 2-3 minutes of CPU time to finish. At least
> it doesn't complain anymore.
>
> # time semodule -i localpostfix.pp
>
> real 2m55.839s
> user 2m54.195s
> sys 0m1.593s
> # echo $?
> 0

Can you check whether you have expand-check = 0
in /etc/selinux/semanage.conf? If not present or commented out, add it
and retry.

--
Stephen Smalley
National Security Agency

 
Old 07-09-2008, 02:10 PM
Jan Kasprzak
 
Postfix avcs (Enabling SELinux on a custom kernel)

Stephen Smalley wrote:
: Can you check whether you have expand-check = 0
: in /etc/selinux/semanage.conf? If not present or commented out, add it
: and retry.

There was no such option in semanage.conf. After adding it,
semodule -i took 13.2 seconds (9.7 user, 3.5 sys) on an otherwise
idle machine (2x dual-core Opteron 2222 3.0 GHz). With this option
commented out, it was 175.8 real, 174.2 user, 1.6 sys.

-Yenya


 
Old 07-09-2008, 02:21 PM
Stephen Smalley
 
Postfix avcs (Enabling SELinux on a custom kernel)

On Wed, 2008-07-09 at 16:10 +0200, Jan Kasprzak wrote:
> Stephen Smalley wrote:
> : Can you check whether you have expand-check = 0
> : in /etc/selinux/semanage.conf? If not present or commented out, add it
> : and retry.
>
> There was no such option in semanage.conf. After adding it,
> semodule -i took 13.2 seconds (9.7 user, 3.5 sys) on an otherwise
> idle machine (2x dual-core Opteron 2222 3.0 GHz). With this option
> commented out, it was 175.8 real, 174.2 user, 1.6 sys.

If you did a clean install, expand-check=0 should be present by default
in semanage.conf as of F9 and later I believe. Or they could even make
it the default value in libsemanage in Fedora if they wanted to do so
(defined by libsemanage/src/conf_parse.y:semanage_conf_init()) so that
it doesn't even require the semanage.conf setting.

With expand-check=1 (default in the absence of any semanage.conf
option), neverallow rule checking and type hierarchy checking is applied
on every transaction to revalidate the updated policy, which is quite
expensive. Consequently, Fedora has switched to disabling it at
runtime. They still ought to be doing it during policy build though,
but I don't see that (requires running make validate during the
refpolicy build). Dan?

I'd actually be curious to see how much of that time is due to
neverallow vs. hierarchy checking, given that we ought to disable
hierarchy checking since it isn't being used presently and has to be
reworked for explicit hierarchy anyway.


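The two things this thread ends up checking by hand, the three files missing from the upgraded policy store and whether semanage.conf really sets expand-check = 0 (a commented-out line does not count, and libsemanage then falls back to the slow expand-check=1 behaviour), as an added shell example; it is not code from the thread or from libsemanage, and the sample store and config it builds for the demo are constructed:

```shell
#!/bin/sh
# Added example: audit an SELinux policy store for the two problems found in
# this thread. Store paths follow the stock Fedora layout quoted above.

# Print the effective expand-check value from a semanage.conf: "0", "1" or
# "unset". Comment lines are ignored, whitespace around '=' is tolerated and
# the last uncommented assignment wins. "unset" means libsemanage will use
# its built-in default (expand-check=1: full neverallow/hierarchy revalidation
# on every semodule transaction).
expand_check_setting() {
    conf="$1"
    [ -r "$conf" ] || { echo unset; return; }
    val=$(sed -n 's/^[[:space:]]*expand-check[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$conf" | tail -n 1)
    if [ -z "$val" ]; then echo unset; else echo "$val"; fi
}

# Print, one per line, which of the per-store files that were absent on the
# upgraded system (seusers, users_extra.local, users.local) are missing under
# STORE/modules/active. Prints nothing when all three are present.
missing_store_files() {
    active="$1/modules/active"
    for f in seusers users_extra.local users.local; do
        [ -e "$active/$f" ] || echo "$f"
    done
}

# Stand-alone demo on a constructed store: only seusers exists, and the
# semanage.conf line is commented out, so the check reports it as unset.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/targeted/modules/active"
    : > "$tmp/targeted/modules/active/seusers"
    printf '# expand-check = 0\nmodule-store = direct\n' > "$tmp/semanage.conf"
    echo "expand-check: $(expand_check_setting "$tmp/semanage.conf")"
    echo "missing in active/: $(missing_store_files "$tmp/targeted" | tr '\n' ' ')"
    rm -rf "$tmp"
}
demo
```

To audit a live system, point the functions at /etc/selinux/semanage.conf and /etc/selinux/targeted instead of the constructed paths.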