Subject: [gentoo-hardened] Does strict policy work?
From: Shaochun Wang @ 2009-02-02 6:40 UTC
To: gentoo-hardened
I tried to work with strict policy on enforcing mode. And almost all
services can't function as expected. Any help?
--
Shaochun Wang <scwang@ios.ac.cn>
Jabber: fungusw@jabber.org
Subject: Re: [gentoo-hardened] Does strict policy work?
From: Ошурков Евгений Сергеевич @ 2009-02-03 12:28 UTC
To: gentoo-hardened
unsubscribe
Subject: Re: [gentoo-hardened] Does strict policy work?
From: Chris PeBenito @ 2009-02-03 14:23 UTC
To: gentoo-hardened
On Mon, 2009-02-02 at 14:40 +0800, Shaochun Wang wrote:
> I tried to work with strict policy on enforcing mode. And almost all
> services can't function as expected. Any help?
You'll have to be more specific. But one thing to note is that it
hasn't been updated for baselayout-2 (which should be masked on the
selinux profiles).
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
Subject: Re: [gentoo-hardened] Does strict policy work?
From: Shaochun Wang @ 2009-02-03 15:11 UTC
To: gentoo-hardened
Now I changed to targeted policy, and it seems easier to tame than
strict policy. Because I use LVM to manage my disk and the
filesystem's root is on an LVM partition, I need to use an initramfs to
make the kernel recognize my root partition. Without SELinux
enforcing, everything works; but with it, the system hangs with the
following message:
* Filesystem couldn't be fixed :(
Give root password for maintenance
...
After giving the root password, I got a shell. Executing the df command, I
found my root is mounted on two devices:
Filesystem ... Mounted on
rootfs /
/dev/vg0/slash /
I use busybox in my initramfs. The initramfs of my system can be
downloaded from http://lcs.ios.ac.cn/~scwang/docs/initramfs.tar.gz
Any help on initramfs with SELinux support?
BTW, it seems that SELinux support of Gentoo is dying!
On Tue, Feb 03, 2009 at 09:23:45AM -0500, Chris PeBenito wrote:
> On Mon, 2009-02-02 at 14:40 +0800, Shaochun Wang wrote:
> > I tried to work with strict policy on enforcing mode. And almost all
> > services can't function as expected. Any help?
>
> You'll have to be more specific. But one thing to note is that it
> hasn't been updated for baselayout-2 (which should be masked on the
> selinux profiles).
>
> --
> Chris PeBenito
> <pebenito@gentoo.org>
> Developer,
> Hardened Gentoo Linux
>
> Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
> Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
--
Shaochun Wang <scwang@ios.ac.cn>
Jabber: fungusw@jabber.org
Subject: Re: [gentoo-hardened] Does strict policy work?
From: Chris PeBenito @ 2009-02-03 20:09 UTC
To: gentoo-hardened
On Tue, 2009-02-03 at 23:11 +0800, Shaochun Wang wrote:
> Now I changed to targeted policy, and it seems more easy to tame than
> strict policy. Becuase I use LVM to manage my disk and the
> filesystem's root is on an LVM partition, I need to use initramfs to
> make the kernel to recognize my root partiton. Without SELinux
> enforcing, everything works; but with it, system hangs with the
> following message:
>
> * Filesystem couldn't be fixed :(
> Give root password for maintenance
> ...
I'd bet that the device node has the wrong label (/dev/vg0/slash).
> After giving the root password, I got a shell. Executing df command, I
> found my root is mounted on two devices:
>
> Filesystem ... Mounted on
> rootfs /
> /dev/vg0/slash /
>
> I use busybox in my initramfs. The initramfs of my system can be
> downloaded from http://lcs.ios.ac.cn/~scwang/docs/initramfs.tar.gz
>
> Any help on initramfs with SELinux support?
We don't have any guides for that. Getting the initialization correct,
with all processes and objects created having the right context, can be
extremely tricky. The longer objects, like device nodes, have the wrong
context, the more likely you will have problems. So it's best for
objects to be created with the right context, but that requires the
policy to be loaded. But the policy is on the root partition. So after
the policy is loaded, you have to relabel any objects created ASAP.
> BTW, it seems that SELinux support of Gentoo is dying!
I'm not sure why you feel this way. If you really feel that is the
case, then you should find ways to contribute.
> On Tue, Feb 03, 2009 at 09:23:45AM -0500, Chris PeBenito wrote:
> > On Mon, 2009-02-02 at 14:40 +0800, Shaochun Wang wrote:
> > > I tried to work with strict policy on enforcing mode. And almost all
> > > services can't function as expected. Any help?
> >
> > You'll have to be more specific. But one thing to note is that it
> > hasn't been updated for baselayout-2 (which should be masked on the
> > selinux profiles).
> >
> > --
> > Chris PeBenito
> > <pebenito@gentoo.org>
> > Developer,
> > Hardened Gentoo Linux
> >
> > Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
> > Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
>
>
>
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
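The ordering Chris describes, as an added example that is not part of the thread: a sketch of a busybox initramfs init that activates LVM, mounts the real root, loads the policy from it, and only then relabels the device nodes created before the policy existed. The /newroot path, the /selinux mount point, devtmpfs, and the load_policy, restorecon and switch_root locations are assumptions; the contexts fed to label_check are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: a busybox initramfs /init following the
# ordering described above. /newroot, the selinuxfs mount point and the tool
# paths are assumptions for this sketch.

# Third colon-separated field of an SELinux context (user:role:type:level).
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Compare a node's current context type with the one the policy expects;
# prints "ok" or "relabel". Sample contexts passed to it are constructed.
label_check() {
    if [ "$(context_type "$1")" = "$(context_type "$2")" ]; then
        echo ok
    else
        echo relabel
    fi
}

early_setup() {
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t devtmpfs devtmpfs /dev         # assumption: kernel has devtmpfs
    mount -t selinuxfs selinuxfs /selinux   # 2009-era mount point (assumed)
    lvm vgchange -ay    # creates /dev/vg0/slash before any policy is loaded,
                        # so it carries only the kernel's default label
    mount -o ro /dev/vg0/slash /newroot
}

load_policy_from_root() {
    # The policy lives on the real root, so load it from there.
    mount --bind /dev /newroot/dev
    mount --bind /selinux /newroot/selinux
    chroot /newroot /usr/sbin/load_policy
}

relabel_early_objects() {
    # Everything created before load_policy has a default label; fix it now,
    # before any service opens a mislabelled node.
    chroot /newroot /sbin/restorecon -R /dev
}

boot() {
    early_setup
    load_policy_from_root
    relabel_early_objects
    umount /newroot/selinux /newroot/dev
    exec switch_root /newroot /sbin/init
}
# Act as the real init only when running as PID 1; otherwise only define functions.
if [ "$$" = 1 ]; then boot; fi
```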