Old 03-05-2012, 04:26 PM
Moray Henderson
 
Default Detecting MLS mode

Is there an easy way for a script to detect whether MLS mode is enabled?

On CentOS 5 whether running normally or in Anaconda's rescue mode,
SELINUX=enforcing (or permissive), SELINUXTYPE=targeted, there is no
/etc/selinux/mls directory and cat /selinux/mls prints "1".

However, with CentOS running normally a command to set a context works,
while from rescue mode the same command fails with "cannot setup default
context" unless I add an :s0 MLS piece. That's fine when I'm doing things
manually, but I'd like a script to detect whether it's being run in an
environment that needs the :s0 added. I don't want to just add :s0 all the
time, in case it's already there in the context string I'm trying to set.


Moray.
"To err is human; to purr, feline."






--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-05-2012, 07:15 PM
Stephen Smalley
 
Default Detecting MLS mode

On Mon, 2012-03-05 at 17:26 +0000, Moray Henderson wrote:
> Is there an easy way for a script to detect whether MLS mode is enabled?
>
> On CentOS 5 whether running normally or in Anaconda's rescue mode,
> SELINUX=enforcing (or permissive), SELINUXTYPE=targeted, there is no
> /etc/selinux/mls directory and cat /selinux/mls prints "1".
>
> However, with CentOS running normally a command to set a context works,
> while from rescue mode the same command fails with "cannot setup default
> context" unless I add an :s0 MLS piece. That's fine when I'm doing things
> manually, but I'd like a script to detect whether it's being run in an
> environment that needs the :s0 added. I don't want to just add :s0 all the
> time, in case it's already there in the context string I'm trying to set.

Technically you should always provide the MLS piece if /selinux/mls is 1
(is_selinux_mls_enabled() in C or selinux.is_selinux_mls_enabled() in
python). The only reason you get away with not specifying it in
multi-user mode is that mcstransd is running.

--
Stephen Smalley
National Security Agency

 
Old 03-06-2012, 02:03 PM
Moray Henderson
 
Default Detecting MLS mode

> From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
> Sent: 05 March 2012 20:16
>
> On Mon, 2012-03-05 at 17:26 +0000, Moray Henderson wrote:
> > Is there an easy way for a script to detect whether MLS mode is
> enabled?
> >
> > On CentOS 5 whether running normally or in Anaconda's rescue mode,
> > SELINUX=enforcing (or permissive), SELINUXTYPE=targeted, there is no
> > /etc/selinux/mls directory and cat /selinux/mls prints "1".
> >
> > However, with CentOS running normally a command to set a context
> works,
> > while from rescue mode the same command fails with "cannot setup
> default
> > context" unless I add an :s0 MLS piece. That's fine when I'm doing
> things
> > manually, but I'd like a script to detect whether it's being run in
> an
> > environment that needs the :s0 added. I don't want to just add :s0
> all the
> > time, in case it's already there in the context string I'm trying to
> set.
>
> Technically you should always provide the MLS piece if /selinux/mls is
> 1
> (is_selinux_mls_enabled() in C or selinux.is_selinux_mls_enabled() in
> python). The only reason you get away with not specifying it in
> multi-user mode is that mcstransd is running.

Thanks Stephen. So if /selinux/mls is 1 a suitable way to fetch the full context of (say) everything in root whether we're in single or multi-user mode would be:

SUFFIX=`/bin/ps -C mcstransd > /dev/null && echo :s0`
find / -maxdepth 1 -printf "%p: %Z${SUFFIX}\n"

It won't be run on a system that actually uses MLS, so I can get away with hardwiring the :s0.


Moray.
“To err is human; to purr, feline.”




 
Old 03-06-2012, 02:20 PM
Stephen Smalley
 
Default Detecting MLS mode

On Tue, 2012-03-06 at 15:03 +0000, Moray Henderson wrote:
> > From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
> > Sent: 05 March 2012 20:16
> >
> > On Mon, 2012-03-05 at 17:26 +0000, Moray Henderson wrote:
> > > Is there an easy way for a script to detect whether MLS mode is
> > enabled?
> > >
> > > On CentOS 5 whether running normally or in Anaconda's rescue mode,
> > > SELINUX=enforcing (or permissive), SELINUXTYPE=targeted, there is no
> > > /etc/selinux/mls directory and cat /selinux/mls prints "1".
> > >
> > > However, with CentOS running normally a command to set a context
> > works,
> > > while from rescue mode the same command fails with "cannot setup
> > default
> > > context" unless I add an :s0 MLS piece. That's fine when I'm doing
> > things
> > > manually, but I'd like a script to detect whether it's being run in
> > an
> > > environment that needs the :s0 added. I don't want to just add :s0
> > all the
> > > time, in case it's already there in the context string I'm trying to
> > set.
> >
> > Technically you should always provide the MLS piece if /selinux/mls is
> > 1
> > (is_selinux_mls_enabled() in C or selinux.is_selinux_mls_enabled() in
> > python). The only reason you get away with not specifying it in
> > multi-user mode is that mcstransd is running.
>
> Thanks Stephen. So if /selinux/mls is 1 a suitable way to fetch the full context of (say) everything in root whether we're in single or multi-user mode would be:
>
> SUFFIX=`/bin/ps -C mcstransd > /dev/null && echo :s0`
> find / -maxdepth 1 -printf "%p: %Z${SUFFIX}\n"
>
> It won't be run on a system that actually uses MLS, so I can get away with hardwiring the :s0.

Maybe I'm misreading it, but the logic seems the opposite of what you
want presently.

Also, as a caveat, while CentOS 5 might be stripping the :s0 entirely
when mcstrans is running, it appears that on modern Fedora (and thus
likely CentOS 6), it is just translating it to :SystemLow.

--
Stephen Smalley
National Security Agency

 
Old 03-06-2012, 02:57 PM
Moray Henderson
 
Default Detecting MLS mode

> From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
> Sent: 06 March 2012 15:21
>
> On Tue, 2012-03-06 at 15:03 +0000, Moray Henderson wrote:
> > > From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
> > > Sent: 05 March 2012 20:16
> > >
> > > On Mon, 2012-03-05 at 17:26 +0000, Moray Henderson wrote:
> > > > Is there an easy way for a script to detect whether MLS mode is
> > > enabled?
> > > >
> > > > On CentOS 5 whether running normally or in Anaconda's rescue
> mode,
> > > > SELINUX=enforcing (or permissive), SELINUXTYPE=targeted, there is
> no
> > > > /etc/selinux/mls directory and cat /selinux/mls prints "1".
> > > >
> > > > However, with CentOS running normally a command to set a context
> > > works,
> > > > while from rescue mode the same command fails with "cannot setup
> > > default
> > > > context" unless I add an :s0 MLS piece. That's fine when I'm
> doing
> > > things
> > > > manually, but I'd like a script to detect whether it's being run
> in
> > > an
> > > > environment that needs the :s0 added. I don't want to just add
> :s0
> > > all the
> > > > time, in case it's already there in the context string I'm trying
> to
> > > set.
> > >
> > > Technically you should always provide the MLS piece if /selinux/mls
> is
> > > 1
> > > (is_selinux_mls_enabled() in C or selinux.is_selinux_mls_enabled()
> in
> > > python). The only reason you get away with not specifying it in
> > > multi-user mode is that mcstransd is running.
> >
> > Thanks Stephen. So if /selinux/mls is 1 a suitable way to fetch the
> full context of (say) everything in root whether we're in single or
> multi-user mode would be:
> >
> > SUFFIX=`/bin/ps -C mcstransd > /dev/null && echo :s0`
> > find / -maxdepth 1 -printf "%p: %Z${SUFFIX}\n"
> >
> > It won't be run on a system that actually uses MLS, so I can get away
> with hardwiring the :s0.
>
> Maybe I'm misreading it, but the logic seems the opposite of what you
> want presently.
>
> Also, as a caveat, while CentOS 5 might be stripping the :s0 entirely
> when mcstrans is running, it appears that on modern Fedora (and thus
> likely CentOS 6), it is just translating it to :SystemLow.

This is CentOS 5-specific: looks like I'll have to rewrite all sorts of things when we go up to 6 :-)

What I'm aiming for is a script that can be run in both single- and multi-user modes to collect a full context string which will be valid for multi- or single-user mode. So in multi-user mode, where the OS doesn't display the MLS context, I need to add it; while in single-user mode it's already there and I shouldn't add it again. Once I've got the full string including MLS piece, I can use it anywhere to set a context as you said earlier.


Moray.
“To err is human; to purr, feline.”




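A script along the lines the thread converges on, as an added example that is neither Moray's nor Stephen's code: it reads the MLS flag Stephen points to and appends :s0 only when the context string does not already carry a range, so the same script is safe in rescue mode (range present) and multi-user mode (range hidden or shown as SystemLow by mcstransd). The /selinux/mls path and the s0-only assumption come from the thread; the function names, the optional flag-path argument, and the sample listing are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: give a context string its MLS field
# exactly once instead of blindly appending :s0. Assumes /selinux/mls is the
# MLS flag file (CentOS 5 path from the thread) and s0 is the only range needed.

# mls_enabled [FLAGFILE]: print 1 when the kernel reports MLS support, else 0.
# The optional argument overrides the flag path so the check can run offline.
mls_enabled() {
    f="${1:-/selinux/mls}"
    if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# has_mls_field CONTEXT: succeed when a fourth user:role:type:range field is
# present, whether raw (s0) or mcstrans-translated (SystemLow).
has_mls_field() {
    case "$1" in
        *:*:*:*) return 0 ;;
        *)       return 1 ;;
    esac
}

# full_context CONTEXT [MLSFLAG]: append :s0 only when MLS is enabled and the
# string does not already carry a range; MLSFLAG defaults to the live check.
full_context() {
    ctx="$1"
    mls="${2:-$(mls_enabled)}"
    if [ "$mls" = "1" ] && ! has_mls_field "$ctx"; then
        echo "${ctx}:s0"
    else
        echo "$ctx"
    fi
}

# Constructed sample in the "path: context" shape of the thread's
# find -printf "%p: %Z": one line as multi-user mode shows it (range stripped
# by mcstransd) and one as rescue mode shows it (range already present).
SAMPLE='/etc: system_u:object_r:etc_t
/root: root:object_r:user_home_dir_t:s0'

# normalise_listing LISTING MLSFLAG: rewrite every line with a full context.
normalise_listing() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        echo "${line%%: *}: $(full_context "${line#*: }" "$2")"
    done
}

normalise_listing "$SAMPLE" 1
```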
 
