Old 06-30-2010, 07:36 PM
Mr Dash Four
 
SELinux and Shorewall with IPSets

> You would need to edit the source, and rebuild modified selinux-policy
> packages. The port declaration is located in
> policy/modules/kernel/corenetwork.te.in.
>

Building the RPMs went OK, though the image build failed miserably!

I am getting the following errors when trying to install my
(custom-built) selinux-policy and selinux-policy-targeted rpms:

=============Errors when executing rpm -ivh selinux-policy*.rpm on the
image======================
libsemanage.semanage_install_active: setfiles returned error code 1.
(Permission denied).
libsemanage.semanage_install_active: Could not copy
/etc/selinux/targeted/modules/active/policy.kern to
/etc/selinux/targeted/policy/policy.24. (No such file or directory).
semodule: Failed!
libsemanage.semanage_read_policydb: Could not open kernel policy
/etc/selinux/targeted/modules/active/policy.kern for reading. (No such
file or directory).
/usr/sbin/semanage: Could not test MLS enabled status
===============================================================================

Looking at my syslog I am getting the following:


============syslog====================================
Jun 30 20:06:36 xp1 kernel: type=1401 audit(1277924796.734:30578):
security_compute_sid: invalid context
unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for
scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
Jun 30 20:07:05 xp1 kernel: type=1401 audit(1277924825.706:30579):
security_compute_sid: invalid context
unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for
scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
Jun 30 20:07:05 xp1 kernel: type=1401 audit(1277924825.740:30580):
security_compute_sid: invalid context
unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for
scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
=====================================================

I presume my currently running SELinux does not like something when I
try to install SELinux on the image. I presume it is something to do
with the fact that its own 'selinux-policy' somehow differs from the one
I built from source.

When I actually log on to the image itself (with qemu) and try running
"semanage port -l | grep ssh" I am getting this:

======================================
libsemanage.semanage_read_policydb: Could not open kernel policy
/etc/selinux/targeted/modules/active/policy.kern for reading. (No such
file or directory).
/usr/sbin/semanage: Could not test MLS enabled status
======================================


The interesting thing is that my "semanage fcontext" command to change
ipset SELinux attributes has been executed - these attributes are changed.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 06-30-2010, 07:46 PM
Dominick Grift
 
SELinux and Shorewall with IPSets

On 06/30/2010 09:36 PM, Mr Dash Four wrote:
>
>> You would need to edit the source, and rebuild modified selinux-policy
>> packages. The port declaration is located in
>> policy/modules/kernel/corenetwork.te.in.
>>
>
> Building the RPMs went OK, though the image build failed miserably!
>
> I am getting the following errors when trying to install my
> (custom-built) selinux-policy and selinux-policy-targeted rpms:
>
> =============Errors when executing rpm -ivh selinux-policy*.rpm on the
> image======================
> libsemanage.semanage_install_active: setfiles returned error code 1.
> (Permission denied).
> libsemanage.semanage_install_active: Could not copy
> /etc/selinux/targeted/modules/active/policy.kern to
> /etc/selinux/targeted/policy/policy.24. (No such file or directory).
> semodule: Failed!
> libsemanage.semanage_read_policydb: Could not open kernel policy
> /etc/selinux/targeted/modules/active/policy.kern for reading. (No such
> file or directory).
> /usr/sbin/semanage: Could not test MLS enabled status
> ===============================================================================
>
>
> Looking at my syslog I am getting the following:
>
>
> ============syslog====================================
> Jun 30 20:06:36 xp1 kernel: type=1401 audit(1277924796.734:30578):
> security_compute_sid: invalid context
> unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for
> scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
> Jun 30 20:07:05 xp1 kernel: type=1401 audit(1277924825.706:30579):
> security_compute_sid: invalid context
> unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for
> scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
> Jun 30 20:07:05 xp1 kernel: type=1401 audit(1277924825.740:30580):
> security_compute_sid: invalid context
> unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for
> scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
> =====================================================
>
> I presume my currently running SELinux does not like something when I
> try to install SELinux on the image. I presume it is something to do
> with the fact that its own 'selinux-policy' somehow differs from the one
> I built from source.
>
> When I actually log on to the image itself (with qemu) and try running
> "semanage port -l | grep ssh" I am getting this:
>
> ======================================
> libsemanage.semanage_read_policydb: Could not open kernel policy
> /etc/selinux/targeted/modules/active/policy.kern for reading. (No such
> file or directory).
> /usr/sbin/semanage: Could not test MLS enabled status
> ======================================
>
>
> The interesting thing is that my "semanage fcontext" command to change
> ipset SELinux attributes has been executed - these attributes are changed.

Hmm... I am not sure about this, but maybe:

role system_r types setfiles_mac_t;

helps here.

 
Old 06-30-2010, 07:48 PM
Mr Dash Four
 
SELinux and Shorewall with IPSets

> Hmm... I am not sure about this, but maybe:
>
> role system_r types setfiles_mac_t;
>
> helps here.
>
What do you mean?
 
Old 06-30-2010, 07:49 PM
Dominick Grift
 
SELinux and Shorewall with IPSets

On 06/30/2010 09:36 PM, Mr Dash Four wrote:

>
> When I actually log on to the image itself (with qemu) and try running
> "semanage port -l | grep ssh" I am getting this:
>
> ======================================
> libsemanage.semanage_read_policydb: Could not open kernel policy
> /etc/selinux/targeted/modules/active/policy.kern for reading. (No such
> file or directory).
> /usr/sbin/semanage: Could not test MLS enabled status
> ======================================

I have seen and heard about this a couple of times before, but I was
never able to reproduce it myself.

I have no clue about that missing file or directory message
(/etc/selinux/targeted/modules/active/policy.kern)

>
>
> The interesting thing is that my "semanage fcontext" command to change
> ipset SELinux attributes has been executed - these attributes are changed.


 
Old 06-30-2010, 07:53 PM
Dominick Grift
 
SELinux and Shorewall with IPSets

On 06/30/2010 09:48 PM, Mr Dash Four wrote:
>
>> Hmm... I am not sure about this, but maybe:
>>
>> role system_r types setfiles_mac_t;
>>
>> helps here.
>>
> What do you mean?


It says "security_compute_sid: invalid context
unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023".

I think that may be because system_r cannot be used for setfiles_mac_t.
Looking at the policy, I could not find anywhere where system_r would be
allowed the setfiles_mac_t domain.

So by adding that rule, the system_r role should be allowed the
setfiles_mac_t domain, making the context valid.

But it's just a guess.

 
Old 06-30-2010, 07:58 PM
Dominick Grift
 
SELinux and Shorewall with IPSets

On 06/30/2010 09:48 PM, Mr Dash Four wrote:
>
>> Hmm... I am not sure about this, but maybe:
>>
>> role system_r types setfiles_mac_t;
>>
>> helps here.
>>
> What do you mean?

Add that rule to the running policy:


policy_module(myseutils, 1.0.0)
gen_require(`
type setfiles_mac_t;
role system_r;
')
role system_r types setfiles_mac_t;

...
make -f /usr/share/selinux/devel/Makefile myseutils.pp
sudo semodule -i myseutils.pp

Again, this is a shot in the dark...

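The diagnosis in Dominick's two posts above (the computed context is invalid because system_r is not authorised for setfiles_mac_t, and a module carrying `role system_r types setfiles_mac_t;` cures it) can be automated. The script below is an added example, not code from the thread or from the selinux-policy project: it parses `security_compute_sid: invalid context` kernel messages, works out which role/type pair the kernel refused to combine, and renders a module in the shape of the myseutils module from the post. It goes beyond the single case in the thread by handling any number of distinct role/type pairs. The sample log is constructed: the three messages quoted in the thread re-joined onto one line each (the forum wrapped them), plus one unrelated kernel line to show the filter skipping it.

```python
import re

# Constructed sample input: the three kernel messages from the thread,
# re-joined onto one line each, plus one unrelated line that must be ignored.
SAMPLE_SYSLOG = """\
Jun 30 20:06:36 xp1 kernel: type=1401 audit(1277924796.734:30578): security_compute_sid: invalid context unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
Jun 30 20:07:05 xp1 kernel: type=1401 audit(1277924825.706:30579): security_compute_sid: invalid context unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
Jun 30 20:07:05 xp1 kernel: type=1401 audit(1277924825.740:30580): security_compute_sid: invalid context unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
Jun 30 20:07:06 xp1 kernel: usb 1-1: new high speed USB device using ehci_hcd and address 3
"""

# Matches the kernel's type=1401 message: the context it tried to build,
# the source (caller) and target (executable) contexts, and the object class.
INVALID_CTX_RE = re.compile(
    r"security_compute_sid: invalid context (?P<new>\S+) for "
    r"scontext=(?P<src>\S+) tcontext=(?P<tgt>\S+) tclass=(?P<cls>\S+)"
)


def split_context(ctx):
    """Split user:role:type[:range] into its fields; the MLS range is optional."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a SELinux security context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": parts[3] if len(parts) == 4 else None}


def invalid_contexts(log_text):
    """Yield one parsed event per 'invalid context' message in the log text."""
    for line in log_text.splitlines():
        m = INVALID_CTX_RE.search(line)
        if m:
            yield {"new": split_context(m.group("new")),
                   "src": split_context(m.group("src")),
                   "tgt": split_context(m.group("tgt")),
                   "tclass": m.group("cls")}


def missing_role_rules(log_text):
    """Return the distinct (role, type) pairs the kernel refused, in log order.

    On a process transition the new context keeps the caller's role, so if the
    resulting role/type combination is invalid, the policy has no
    'role <role> types <type>;' statement for it. Other classes are skipped:
    file or socket contexts always use object_r and need no role statement.
    """
    seen = []
    for ev in invalid_contexts(log_text):
        if ev["tclass"] != "process":
            continue
        pair = (ev["new"]["role"], ev["new"]["type"])
        if pair not in seen:
            seen.append(pair)
    return seen


def render_module(name, pairs, version="1.0.0"):
    """Render a refpolicy-style .te module authorising each role/type pair,
    in the same shape as the myseutils module from the thread."""
    lines = ["policy_module(%s, %s)" % (name, version), "", "gen_require(`"]
    for type_ in sorted({t for _, t in pairs}):
        lines.append("\ttype %s;" % type_)
    for role in sorted({r for r, _ in pairs}):
        lines.append("\trole %s;" % role)
    lines.append("')")
    lines.append("")
    for role, type_ in pairs:
        lines.append("role %s types %s;" % (role, type_))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Print the module source; save it as myseutils.te and build it with the
    # devel Makefile as described in the post.
    print(render_module("myseutils", missing_role_rules(SAMPLE_SYSLOG)))
```

Build and load the rendered file exactly as in the post (`make -f /usr/share/selinux/devel/Makefile myseutils.pp`, then `semodule -i myseutils.pp`). A `role ... types ...;` statement widens what that role may run, so before loading it check that the domain is one the role is meant to reach; here setfiles_mac_t is entered from livecd_t through a domain transition the policy already grants, so authorising system_r for it only completes that transition.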
 
Old 06-30-2010, 08:15 PM
Dominick Grift
 
SELinux and Shorewall with IPSets

On 06/30/2010 09:36 PM, Mr Dash Four wrote:

> Looking at my syslog I am getting the following:
>
>
> ============syslog====================================
> Jun 30 20:06:36 xp1 kernel: type=1401 audit(1277924796.734:30578):
> security_compute_sid: invalid context
> unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for
> scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
> Jun 30 20:07:05 xp1 kernel: type=1401 audit(1277924825.706:30579):
> security_compute_sid: invalid context
> unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for
> scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
> Jun 30 20:07:05 xp1 kernel: type=1401 audit(1277924825.740:30580):
> security_compute_sid: invalid context
> unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for
> scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
> =====================================================

This is what I committed to my branch that might fix that:

------------------------ policy/modules/apps/livecd.te
------------------------
index 4e69cdf..5d1084a 100644
@@ -23,7 +23,7 @@

domain_ptrace_all_domains(livecd_t)

-seutil_domtrans_setfiles_mac(livecd_t)
+seutil_run_setfiles_mac(livecd_t, system_r)

manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
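Review bot: the hunk has no `---`/`+++` file headers, only the banner line naming policy/modules/apps/livecd.te, so it cannot be applied with patch(1) as pasted; add the headers (or state the -p level and path) before anyone saves it into rpmbuild/SOURCES, and confirm the three context lines around the change survive the reply's line wrapping verbatim, or patch will reject the hunk. Substantively, replacing `seutil_domtrans_setfiles_mac(livecd_t)` with `seutil_run_setfiles_mac(livecd_t, system_r)` is the right shape of fix for the quoted audit message: the message shows the transition from livecd_t to setfiles_mac_t keeping role system_r and the kernel rejecting that combination, and the second argument passes exactly the role that the earlier `role system_r types setfiles_mac_t;` workaround supplies by hand. A one-line commit message stating that (invalid context, role system_r not authorised for setfiles_mac_t) would help whoever bisects this later.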

 
Old 06-30-2010, 08:35 PM
Mr Dash Four
 
SELinux and Shorewall with IPSets

>> When I actually log on to the image itself (with qemu) and try running
>> "semanage port -l | grep ssh" I am getting this:
>>
>> ======================================
>> libsemanage.semanage_read_policydb: Could not open kernel policy
>> /etc/selinux/targeted/modules/active/policy.kern for reading. (No such
>> file or directory).
>> /usr/sbin/semanage: Could not test MLS enabled status
>> ======================================
>>
>
> I have seen and heard about this a couple of times before but i was
> never able to produce this myself.
>
> I have no clue about that missing file or directory message
> (/etc/selinux/targeted/modules/active/policy.kern)
>
I will have a wild stab at it... This might be able to reproduce the error...

If you have the time you can build a small test image using the livecd
tools. You need to have the livecd-tools packages installed though. You
also need qemu as well. Create and save this test kickstart file:

===========test-sel.ks========================
auth --useshadow --passalgo=md5
bootloader --location=mbr --timeout=5
firewall --disabled
install
logging --level=info
part / --size 1024 --fstype=ext3
# each repo command must stay on one line
repo --cost=1 --name=fedora --mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=$basearch
repo --cost=2 --name=updates --mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f13&arch=$basearch
#repo --cost=3 --name=livna --baseurl=http://rpm.livna.org/repo/13/$basearch/
repo --cost=4 --name=rpmfusion-free --mirrorlist=http://mirrors.rpmfusion.org/mirrorlist?repo=free-fedora-13&arch=$basearch
repo --cost=5 --name=rpmfusion-free-updates --mirrorlist=http://mirrors.rpmfusion.org/mirrorlist?repo=free-fedora-updates-released-13&arch=$basearch
repo --cost=6 --name=rpmfusion-nonfree --mirrorlist=http://mirrors.rpmfusion.org/mirrorlist?repo=nonfree-fedora-13&arch=$basearch
repo --cost=7 --name=rpmfusion-nonfree-updates --mirrorlist=http://mirrors.rpmfusion.org/mirrorlist?repo=nonfree-fedora-updates-released-13&arch=$basearch

# login: root; pwd: root_test
rootpw --plaintext root_test
selinux --enforcing
skipx
text

%packages --nobase --excludedocs

#vital tools
kernel
bash
#selinux-policy
#selinux-policy-targeted
policycoreutils
libsemanage
checkpolicy
policycoreutils-python

#essential tools
rsyslog
vim-minimal
%end

%post --nochroot
# selinux-policy-*.rpm = custom-built policies (must exist!)
# runs on the build host, outside the chroot, so ~ is the builder's home
rpm -ivh --root $INSTALL_ROOT ~/selinux-policy-*.rpm
%end

%post
# relabel the image with the policy just installed
/sbin/restorecon -rip /
%end
==========================================

Then, make sure you have the (customised) selinux-policy files and from
the command line execute the following:

livecd-creator -c test-sel.ks -f test-image

It will download the necessary packages and build the image
(test-image.iso). Check for the above errors when it comes to install
the selinux-policy files (I am assuming that on the machine you are
building the image your SELinux is in enforced mode and using the
targeted policy). Also check your syslog.

When the image is built, you can log in to the new system with qemu:

qemu -m 512 test-image.iso

Log in as root with password "root_test" as specified in the above
kickstart file. Once there, try to execute semanage and see what happens...

 
Old 06-30-2010, 08:56 PM
Mr Dash Four
 
SELinux and Shorewall with IPSets

>>> Hmm... I am not sure about this, but maybe:
>>>
>>> role system_r types setfiles_mac_t;
>>>
>>> helps here.
>>>
>>>
>> What do you mean?
>>
>
> Add that rule to the running policy:
>
>
> policy_module(myseutils, 1.0.0)
> gen_require(`
> type setfiles_mac_t;
> role system_r;
> ')
> role system_r types setfiles_mac_t;
>
> ...
> make -f /usr/share/selinux/devel/Makefile myseutils.pp
> sudo semodule -i myseutils.pp
>
> Again, this is a shot in the dark...
>
YES!

This did the trick - no errors and when I log in with qemu and type
"semanage port -l | grep ssh" I am getting my own port and nothing else
(I did just one modification to see whether it will work). Brilliant!
 
Old 06-30-2010, 09:00 PM
Mr Dash Four
 
SELinux and Shorewall with IPSets

> this is what i committed to my branch that might fix that:
>
> ------------------------ policy/modules/apps/livecd.te
> ------------------------
> index 4e69cdf..5d1084a 100644
> @@ -23,7 +23,7 @@
>
> domain_ptrace_all_domains(livecd_t)
>
> -seutil_domtrans_setfiles_mac(livecd_t)
> +seutil_run_setfiles_mac(livecd_t, system_r)
>
> manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
> manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
>
>

Do I save this as ~/rpmbuild/SOURCES/DG-SELinux.patch and then apply it
to my custom selinux-policy?
 

Thread Tools




All times are GMT. The time now is 12:20 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org