05-15-2008, 05:50 PM
Eric Paris
livecd-creator + selinux

So I'm still stumbling along in the dark trying to get livecd-creator to
build me a nice new F10 image inside an F10 host. I've actually got an
image that built and runs, but not without its issues.

my kickstart file has:
auth --enableshadow --enablemd5
rootpw redhat

but the livecd always has x for the password in /etc/password and * for
the password in /etc/shadow. No ideas here I must admit. I'm highly
doubtful it's selinux since it happens in permissive and enforcing. I
have just been booting into single user, calling passwd, init 3, and
logging in to play around in my live image....


3 errors/issues/quirks in building/running my livecd

1) libsemanage.dbase_llist_query: could not query record value
I'm told empty table, but I don't know what that means

2) /usr/sbin/semanage: Invalid prefix user
This pops out when semanage calls:
if selinux.security_check_context("system_u:object_r:%s_home_t:s0" % prefix) != 0:
I assume this has to do with my bastardized /selinux inside the chroot.
Should we just make it != 0 && != -ENOENT or whatever the error is we
get there?

3) When booting I get 3 messages that say:
inode_doinit_with_dentry: no dentry for dev=dm-0 ino=8345
The 3 inodes in question correspond to
/etc/udev
/etc/udev/rules.d
/etc/udev/rules.d/50-udev-default.rules

no clues where this is coming from. I don't see it when I booted my
host system....



Anyway, at this point I want clues/help/suggestions on how to create my
hacked up /selinux inside the chroot. Right now all I'm doing is
creating it on the host system and bind mounting it into the chroot. I
really should be creating this inside creator.py. All that needs to be
inside it is 3 files: copies of mls and policyvers from the host
system, and load as a chrfile of /dev/null. I could just create those in
the livecd image and they will get mounted on top of when it's running,
but I don't want to waste the 50 bytes or whatever it would take. Any
good suggestions on how to build this temp? Or where I could clean it out
later?

-Eric

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
05-15-2008, 07:30 PM
Stephen Smalley
livecd-creator + selinux

On Thu, 2008-05-15 at 13:50 -0400, Eric Paris wrote:
> So I'm still stumbling along in the dark trying to get livecd-creator to
> build me a nice new F10 image inside an F10 host. I've actually got an
> image that built and runs, but not without its issues.
>
> my kickstart file has:
> auth --enableshadow --enablemd5
> rootpw redhat
>
> but the livecd always has x for the password in /etc/password and * for
> the password in /etc/shadow. No ideas here I must admit. I'm highly
> doubtful it's selinux since it happens in permissive and enforcing. I
> have just been booting into single user, calling passwd, init 3, and
> logging in to play around in my live image....

No ideas here - hopefully the livecd folks can help you with that one.

>
> 3 errors/issues/quirks in building/running my livecd
>
> 1) libsemanage.dbase_llist_query: could not query record value
> I'm told empty table, but I don't know what that means

Looking at selinux-policy.spec, I see that it runs semanage login -l and
semanage user -l in its scriptlets. If it does that and there are no
user or login entries defined yet, then you'd get that error I think.
Not sure if that means that something went wrong earlier or if it is
normal/legitimate. Dan?

> 2) /usr/sbin/semanage: Invalid prefix user
> This pops out when semanage calls:
> if selinux.security_check_context("system_u:object_r:%s_home_t:s0" % prefix) != 0:
> I assume this has to do with my bastardized /selinux inside the chroot.
> Should we just make it != 0 && != -ENOENT or whatever the error is we
> get there?

That should work, and this check should really be replaced by a new
libsemanage interface that checks against the target policy rather than
the host policy, like the mls enabled test.

> 3) When booting I get 3 messages that say:
> inode_doinit_with_dentry: no dentry for dev=dm-0 ino=8345
> The 3 inodes in question correspond to
> /etc/udev
> /etc/udev/rules.d
> /etc/udev/rules.d/50-udev-default.rules

Happens when SELinux is setting up pre-existing inodes upon initial
policy load and it cannot find a dentry for the inode and thus cannot
invoke the ->getxattr method on it. Likely harmless. When/if the
files are subsequently looked up, the inodes should get set up at that
time upon the d_instantiate/d_splice_alias.

> no clues where this is coming from. I don't see it when I booted my
> host system....
>
>
>
> Anyway, at this point I want clues/help/suggestions on how to create my
> hacked up /selinux inside the chroot. Right now all I'm doing is
> creating it on the host system and bind mounting it into the chroot. I
> really should be creating this inside creator.py. All that needs to be
> inside it is 3 files: copies of mls and policyvers from the host
> system, and load as a chrfile of /dev/null. I could just create those in
> the livecd image and they will get mounted on top of when it's running,
> but I don't want to waste the 50 bytes or whatever it would take. Any
> good suggestions on how to build this temp? Or where I could clean it out
> later?
>
> -Eric
--
Stephen Smalley
National Security Agency

 
05-15-2008, 08:33 PM
Eric Paris
livecd-creator + selinux

#4 At the end of the rpm transaction when everything is installed it
calls restorecon and I get one for (I assume) every file almost all of
which look like:

/sbin/restorecon reset /srv context system_u:object_r:var_t:s0->system_u:object_r:var_t:s0

Notice nothing changed? Again I assume it's my hack of a /selinux which
causes it and I'll try to run down why, but maybe someone else sees that
quickly.

-Eric

 
05-15-2008, 08:47 PM
Stephen Smalley
livecd-creator + selinux

On Thu, 2008-05-15 at 16:33 -0400, Eric Paris wrote:
> #4 At the end of the rpm transaction when everything is installed it
> calls restorecon and I get one for (I assume) every file almost all of
> which look like:
>
> /sbin/restorecon reset /srv context system_u:object_r:var_t:s0->system_u:object_r:var_t:s0
>
> Notice nothing changed? Again I assume it's my hack of a /selinux which
> causes it and I'll try to run down why, but maybe someone else sees that
> quickly.

That suggests it is being called with the -f (force) flag from
e.g. /sbin/fixfiles. selinux-policy.spec does a
fixfiles -C file_contexts.pre restore

fixfiles -C does a diff between the old and new file contexts
configurations and applies restorecon to the result. There is some
serious magic in there, and it is all Dan's fault

--
Stephen Smalley
National Security Agency

 
05-15-2008, 09:05 PM
Bill Nottingham
livecd-creator + selinux

Eric Paris (eparis@redhat.com) said:
> So I'm still stumbling along in the dark trying to get livecd-creator to
> build me a nice new F10 image inside an F10 host. I've actually got an
> image that built and runs, but not without its issues.
>
> my kickstart file has:
> auth --enableshadow --enablemd5
> rootpw redhat
>
> but the livecd always has x for the password in /etc/password and * for
> the password in /etc/shadow. No ideas here I must admit. I'm highly
> doubtful it's selinux since it happens in permissive and enforcing. I
> have just been booting into single user, calling passwd, init 3, and
> logging in to play around in my live image....

LiveCD has no root password. AFAIK, it just ignores that line.

Bill

 
05-15-2008, 09:20 PM
Eric Paris
livecd-creator + selinux

On Thu, 2008-05-15 at 16:47 -0400, Stephen Smalley wrote:
> On Thu, 2008-05-15 at 16:33 -0400, Eric Paris wrote:
> > #4 At the end of the rpm transaction when everything is installed it
> > calls restorecon and I get one for (I assume) every file almost all of
> > which look like:
> >
> > /sbin/restorecon reset /srv context system_u:object_r:var_t:s0->system_u:object_r:var_t:s0
> >
> > Notice nothing changed? Again I assume it's my hack of a /selinux which
> > causes it and I'll try to run down why, but maybe someone else sees that
> > quickly.
>
> That suggests it is being called with the -f (force) flag from
> e.g. /sbin/fixfiles. selinux-policy.spec does a
> fixfiles -C file_contexts.pre restore
>
> fixfiles -C does a diff between the old and new file contexts
> configurations and applies restorecon to the result. There is some
> serious magic in there, and it is all Dan's fault

ok, in the livecd-creator kickstart.py I see

if os.path.exists(self.path("/sbin/restorecon")):
    self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])

So there is our -F. Is there a way to get it to fix "user" without
getting it to fix "things that aren't wrong"

-Eric

 
05-15-2008, 10:30 PM
Douglas McClendon
livecd-creator + selinux

Stephen Smalley wrote:
> On Thu, 2008-05-15 at 13:50 -0400, Eric Paris wrote:
>> So I'm still stumbling along in the dark trying to get livecd-creator to
>> build me a nice new F10 image inside an F10 host. I've actually got an
>> image that built and runs, but not without its issues.
>>
>> my kickstart file has:
>> auth --enableshadow --enablemd5
>> rootpw redhat

As Bill said, the handling of rootpw is non-intuitive from a historical
kickstart perspective. I once suggested changing the kickstarts in
livecd-tools to explicitly have rootpw lines (and then nuke the pw in
%post), such that they would be generic fully automated kickstarts.
People disagreed. (though what you observed is a bug that can be fixed
without heeding my suggestion)

>> 3) When booting I get 3 messages that say:
>> inode_doinit_with_dentry: no dentry for dev=dm-0 ino=8345
>> The 3 inodes in question correspond to
>> /etc/udev
>> /etc/udev/rules.d
>> /etc/udev/rules.d/50-udev-default.rules
>
> Happens when SELinux is setting up pre-existing inodes upon initial
> policy load and it cannot find a dentry for the inode and thus cannot
> invoke the ->getxattr method on it. Likely harmless. When/if the
> files are subsequently looked up, the inodes should get set up at that
> time upon the d_instantiate/d_splice_alias.

I've seen these messages forever, though didn't realize till now that
they were an selinux related issue. If they are truly harmless, can
someone remove the code that spits out the message please?

FYI- note that what is going on with that file is that it is being
modified by the initramfs before policy is loaded-

see do_live_from_base_loop in /usr/lib/livecd-creator/mayflower, i.e.
stuff like this-

echo "KERNEL=="hd[a-z]", BUS=="ide", SYSFS{removable}=="1",
ATTRS{media}=="cdrom", PROGRAM="/lib/udev/vol_id -l %N",
RESULT=="$CDLABEL", SYMLINK+="live"" >>
/sysroot/etc/udev/rules.d/50-udev*

>> no clues where this is coming from. I don't see it when I booted my
>> host system....
>>
>> Anyway, at this point I want clues/help/suggestions on how to create my
>> hacked up /selinux inside the chroot.

Out of curiosity, if someone feels like answering- are there any plans
for selinux to support chroots in the sense of policy and even
enabled/disabled being completely different between the host and the
chroot? Seems like "chroot /mnt/sysimage rpm <some rpm command>" ought
to 'just work(tm)'. But maybe I'm expecting too much functionality from
a default fedora system.

-dmc


 
05-16-2008, 11:56 AM
Daniel J Walsh
livecd-creator + selinux


Eric Paris wrote:
| On Thu, 2008-05-15 at 16:47 -0400, Stephen Smalley wrote:
|> On Thu, 2008-05-15 at 16:33 -0400, Eric Paris wrote:
|>> #4 At the end of the rpm transaction when everything is installed it
|>> calls restorecon and I get one for (I assume) every file almost all of
|>> which look like:
|>>
|>> /sbin/restorecon reset /srv context system_u:object_r:var_t:s0->system_u:object_r:var_t:s0
|>>
|>> Notice nothing changed? Again I assume it's my hack of a /selinux which
|>> causes it and I'll try to run down why, but maybe someone else sees that
|>> quickly.
|> That suggests it is being called with the -f (force) flag from
|> e.g. /sbin/fixfiles. selinux-policy.spec does a
|> fixfiles -C file_contexts.pre restore
|>
|> fixfiles -C does a diff between the old and new file contexts
|> configurations and applies restorecon to the result. There is some
|> serious magic in there, and it is all Dan's fault
|
| ok, in the livecd-creator kickstart.py I see
|
| if os.path.exists(self.path("/sbin/restorecon")):
| self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F",
"-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
|
| So there is our -F. Is there a way to get it to fix "user" without
| getting it to fix "things that aren't wrong"
|
| -Eric
|
Remove the -v

Although this looks wrong and makes no sense in restorecon/setfiles.


/*
 * Do not relabel the file if the matching specification is
 * <<none>> or the file is already labeled according to the
 * specification.
 */
if ((strcmp(newcon, "<<none>>") == 0) ||
    (context && (strcmp(context, newcon) == 0) && !force)) {
        freecon(context);
        goto out;
}

The !force check should be removed. It makes no sense to relabel in the
case of the context being the same or the context being none.

Should be


/*
 * Do not relabel the file if the matching specification is
 * <<none>> or the file is already labeled according to the
 * specification.
 */
if ((strcmp(newcon, "<<none>>") == 0) ||
    (context && (strcmp(context, newcon) == 0))) {
        freecon(context);
        goto out;
}


I will provide a patch and update.

 
05-16-2008, 11:57 AM
Stephen Smalley
livecd-creator + selinux

On Thu, 2008-05-15 at 17:20 -0400, Eric Paris wrote:
> On Thu, 2008-05-15 at 16:47 -0400, Stephen Smalley wrote:
> > On Thu, 2008-05-15 at 16:33 -0400, Eric Paris wrote:
> > > #4 At the end of the rpm transaction when everything is installed it
> > > calls restorecon and I get one for (I assume) every file almost all of
> > > which look like:
> > >
> > > /sbin/restorecon reset /srv context system_u:object_r:var_t:s0->system_u:object_r:var_t:s0
> > >
> > > Notice nothing changed? Again I assume it's my hack of a /selinux which
> > > causes it and I'll try to run down why, but maybe someone else sees that
> > > quickly.
> >
> > That suggests it is being called with the -f (force) flag from
> > e.g. /sbin/fixfiles. selinux-policy.spec does a
> > fixfiles -C file_contexts.pre restore
> >
> > fixfiles -C does a diff between the old and new file contexts
> > configurations and applies restorecon to the result. There is some
> > serious magic in there, and it is all Dan's fault
>
> ok, in the livecd-creator kickstart.py I see
>
> if os.path.exists(self.path("/sbin/restorecon")):
> self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
>
> So there is our -F. Is there a way to get it to fix "user" without
> getting it to fix "things that aren't wrong"

I think we should change setfiles/restorecon to just not do that even
with -F. IIRC, changing it to always invoke setfilecon even if the
contexts were the same was motivated by the problem we used to have
where the in-core label and the on-disk xattr could get out of sync.

Patch below. Note that restorecon is just a link to setfiles that
presents a different default user interface and behaviors (ever since I
coalesced them).

Index: policycoreutils/setfiles/setfiles.c
================================================== =================
--- policycoreutils/setfiles/setfiles.c (revision 2879)
+++ policycoreutils/setfiles/setfiles.c (working copy)
@@ -495,7 +495,7 @@
* specification.
*/
if ((strcmp(newcon, "<<none>>") == 0) ||
- (context && (strcmp(context, newcon) == 0) && !force)) {
+ (context && (strcmp(context, newcon) == 0))) {
freecon(context);
goto out;
}
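Review bot: dropping the `!force` term makes `-F` a no-op for every file whose current context already equals the spec, which is a behaviour change for all setfiles/restorecon callers, not only livecd-creator; the message above says the unconditional setfilecon was there so that `-F` could resync the in-core label with a stale on-disk xattr, and after this hunk no option rewrites such a file, so the commit message should state that this repair path is intentionally removed (and why it is no longer needed) rather than leaving it implied by the code.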


--
Stephen Smalley
National Security Agency

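The skip test Dan quotes and the patch above decide whether restorecon calls setfilecon on a file. The following is an added example, my own code rather than anything from policycoreutils: it models that decision with and without the `!force` term over a small constructed file_contexts table (not Fedora's real file), showing why a `-F` run printed a no-op `reset` line for an already-correct /srv and what the patch changes.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a few file_contexts entries (not Fedora's real
 * file). As with real file_contexts, the LAST matching spec wins. */
static const struct { const char *regex; const char *context; } specs[] = {
    { "^/.*",               "system_u:object_r:default_t:s0" },
    { "^/srv(/.*)?",        "system_u:object_r:var_t:s0" },
    { "^/home/[^/]+(/.*)?", "system_u:object_r:user_home_t:s0" },
    { "^/proc(/.*)?",       "<<none>>" },
};

/* Context the specs assign to path, or NULL when nothing matches. */
const char *match_spec(const char *path)
{
    const char *found = NULL;
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        regex_t re;
        if (regcomp(&re, specs[i].regex, REG_EXTENDED | REG_NOSUB) != 0)
            continue;
        if (regexec(&re, path, 0, NULL, 0) == 0)
            found = specs[i].context;   /* a later match overrides */
        regfree(&re);
    }
    return found;
}

/* The skip test from setfiles.c: context is the label the file carries now
 * (NULL if unreadable), newcon the spec result, force the -F flag, patched
 * selects the pre-patch (0) or post-patch (1) condition.
 * Returns 1 if setfilecon() would be called, 0 if the file is left alone. */
int should_relabel(const char *context, const char *newcon, int force, int patched)
{
    int same = context && strcmp(context, newcon) == 0;
    if (strcmp(newcon, "<<none>>") == 0)
        return 0;                 /* both versions skip <<none>> specs */
    if (patched)
        return !same;             /* already correct: never rewritten */
    return !same || force;        /* pre-patch: -F rewrites even when equal */
}

int main(void)
{
    /* Constructed sample inodes: path and the label each carries now. */
    const struct { const char *path; const char *cur; } files[] = {
        { "/srv",               "system_u:object_r:var_t:s0" },
        { "/home/eric/.bashrc", "system_u:object_r:default_t:s0" },
        { "/proc/1/status",     NULL },
    };
    for (int patched = 0; patched <= 1; patched++)
        for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
            const char *want = match_spec(files[i].path);
            printf("%s restorecon -F %s: %s\n",
                   patched ? "patched " : "original",
                   files[i].path,
                   should_relabel(files[i].cur, want, 1, patched)
                       ? "reset (setfilecon called)" : "skipped");
        }
    return 0;
}
```

With the original condition the /srv line is reported as reset even though nothing changes, which is the noise Eric saw; dropping `-v` hides it, while the patch stops the call itself.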
 
05-16-2008, 11:58 AM
Daniel J Walsh
livecd-creator + selinux


Stephen Smalley wrote:
| On Thu, 2008-05-15 at 17:20 -0400, Eric Paris wrote:
|> On Thu, 2008-05-15 at 16:47 -0400, Stephen Smalley wrote:
|>> On Thu, 2008-05-15 at 16:33 -0400, Eric Paris wrote:
|>>> #4 At the end of the rpm transaction when everything is installed it
|>>> calls restorecon and I get one for (I assume) every file almost all of
|>>> which look like:
|>>>
|>>> /sbin/restorecon reset /srv context system_u:object_r:var_t:s0->system_u:object_r:var_t:s0
|>>>
|>>> Notice nothing changed? Again I assume it's my hack of a /selinux which
|>>> causes it and I'll try to run down why, but maybe someone else sees
that
|>>> quickly.
|>> That suggests it is being called with the -f (force) flag from
|>> e.g. /sbin/fixfiles. selinux-policy.spec does a
|>> fixfiles -C file_contexts.pre restore
|>>
|>> fixfiles -C does a diff between the old and new file contexts
|>> configurations and applies restorecon to the result. There is some
|>> serious magic in there, and it is all Dan's fault
|> ok, in the livecd-creator kickstart.py I see
|>
|> if os.path.exists(self.path("/sbin/restorecon")):
|> self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F",
"-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
|>
|> So there is our -F. Is there a way to get it to fix "user" without
|> getting it to fix "things that aren't wrong"
|
| I think we should change setfiles/restorecon to just not do that even
| with -F. IIRC, changing it to always invoke setfilecon even if the
| contexts were the same was motivated by the problem we used to have
| where the in-core label and the on-disk xattr could get out of sync.
|
| Patch below. Note that restorecon is just a link to setfiles that
| presents a different default user interface and behaviors (ever since I
| coalesced them).
|
| Index: policycoreutils/setfiles/setfiles.c
| ================================================== =================
| --- policycoreutils/setfiles/setfiles.c (revision 2879)
| +++ policycoreutils/setfiles/setfiles.c (working copy)
| @@ -495,7 +495,7 @@
| * specification.
| */
| if ((strcmp(newcon, "<<none>>") == 0) ||
| - (context && (strcmp(context, newcon) == 0) && !force)) {
| + (context && (strcmp(context, newcon) == 0))) {
| freecon(context);
| goto out;
| }
|
|
Same patch almost simultaneous, it must be right.