* [gentoo-hardened] Does strict policy work?
From: Shaochun Wang
Date: 2009-02-02 6:40 UTC
To: gentoo-hardened

I tried to work with the strict policy in enforcing mode, and almost all services can't function as expected. Any help?

--
Shaochun Wang <scwang@ios.ac.cn>
Jabber: fungusw@jabber.org
* Re: [gentoo-hardened] Does strict policy work?
From: Ошурков Евгений Сергеевич
Date: 2009-02-03 12:28 UTC
To: gentoo-hardened

unsubscribe
* Re: [gentoo-hardened] Does strict policy work?
From: Chris PeBenito
Date: 2009-02-03 14:23 UTC
To: gentoo-hardened

On Mon, 2009-02-02 at 14:40 +0800, Shaochun Wang wrote:
> I tried to work with the strict policy in enforcing mode, and almost all
> services can't function as expected. Any help?

You'll have to be more specific. But one thing to note is that it hasn't been updated for baselayout-2 (which should be masked on the selinux profiles).

--
Chris PeBenito <pebenito@gentoo.org>
Developer, Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
* Re: [gentoo-hardened] Does strict policy work?
From: Shaochun Wang
Date: 2009-02-03 15:11 UTC
To: gentoo-hardened

Now I have changed to the targeted policy, and it seems easier to tame than the strict policy. Because I use LVM to manage my disk and the filesystem's root is on an LVM partition, I need to use an initramfs to make the kernel recognize my root partition. Without SELinux enforcing, everything works; but with it, the system hangs with the following message:

 * Filesystem couldn't be fixed :(
 Give root password for maintenance
 ...

After giving the root password, I got a shell. Executing the df command, I found my root is mounted on two devices:

 Filesystem        ...   Mounted on
 rootfs                  /
 /dev/vg0/slash          /

I use busybox in my initramfs. The initramfs of my system can be downloaded from http://lcs.ios.ac.cn/~scwang/docs/initramfs.tar.gz

Any help on initramfs with SELinux support?

BTW, it seems that SELinux support in Gentoo is dying!

On Tue, Feb 03, 2009 at 09:23:45AM -0500, Chris PeBenito wrote:
> On Mon, 2009-02-02 at 14:40 +0800, Shaochun Wang wrote:
> > I tried to work with the strict policy in enforcing mode, and almost all
> > services can't function as expected. Any help?
>
> You'll have to be more specific. But one thing to note is that it
> hasn't been updated for baselayout-2 (which should be masked on the
> selinux profiles).
>
> --
> Chris PeBenito <pebenito@gentoo.org>
> Developer, Hardened Gentoo Linux
>
> Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
> Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243

--
Shaochun Wang <scwang@ios.ac.cn>
Jabber: fungusw@jabber.org
* Re: [gentoo-hardened] Does strict policy work?
From: Chris PeBenito
Date: 2009-02-03 20:09 UTC
To: gentoo-hardened

On Tue, 2009-02-03 at 23:11 +0800, Shaochun Wang wrote:
> Now I have changed to the targeted policy, and it seems easier to tame than
> the strict policy. Because I use LVM to manage my disk and the
> filesystem's root is on an LVM partition, I need to use an initramfs to
> make the kernel recognize my root partition. Without SELinux
> enforcing, everything works; but with it, the system hangs with the
> following message:
>
>  * Filesystem couldn't be fixed :(
>  Give root password for maintenance
>  ...

I'd bet that the device node has the wrong label (/dev/vg0/slash).

> After giving the root password, I got a shell. Executing the df command, I
> found my root is mounted on two devices:
>
>  Filesystem        ...   Mounted on
>  rootfs                  /
>  /dev/vg0/slash          /
>
> I use busybox in my initramfs. The initramfs of my system can be
> downloaded from http://lcs.ios.ac.cn/~scwang/docs/initramfs.tar.gz
>
> Any help on initramfs with SELinux support?

We don't have any guides for that. Getting the initialization correct, with all processes and objects created having the right context, can be extremely tricky. The longer objects like device nodes have the wrong context, the more likely you will have problems. So it's best for objects to be created with the right context, but that requires the policy to be loaded. But the policy is on the root partition. So after the policy is loaded, you have to relabel any objects created ASAP.

> BTW, it seems that SELinux support in Gentoo is dying!

I'm not sure why you feel this way. If you really feel that is the case, then you should find ways to contribute.

> On Tue, Feb 03, 2009 at 09:23:45AM -0500, Chris PeBenito wrote:
> > On Mon, 2009-02-02 at 14:40 +0800, Shaochun Wang wrote:
> > > I tried to work with the strict policy in enforcing mode, and almost all
> > > services can't function as expected. Any help?
> >
> > You'll have to be more specific. But one thing to note is that it
> > hasn't been updated for baselayout-2 (which should be masked on the
> > selinux profiles).
> >
> > --
> > Chris PeBenito <pebenito@gentoo.org>
> > Developer, Hardened Gentoo Linux
> >
> > Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
> > Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243

--
Chris PeBenito <pebenito@gentoo.org>
Developer, Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
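A sketch of the ordering Chris describes (activate LVM, mount the real root, load the policy from it, then relabel everything the initramfs created before the policy existed), as an added example that is neither the thread's initramfs nor Gentoo's own code. The LV name /dev/vg0/slash comes from the thread; the /newroot mountpoint, the policycoreutils paths inside the real root, the /selinux selinuxfs location and the use of busybox mdev/lvm/switch_root are assumptions for a 2009-era busybox initramfs.

```shell
#!/bin/sh
# Added example: minimal busybox-style /init for an initramfs whose root is on LVM.
# Order matters: activate LVM, mount the real root, load the policy from it, then
# relabel the objects created before the policy existed, and only then switch_root.
# Assumptions (not from the thread): /newroot as mountpoint, policycoreutils in the
# real root, selinuxfs mounted at /selinux (older kernels; newer use /sys/fs/selinux).

NEWROOT=/newroot
ROOT_LV=/dev/vg0/slash          # the thread's root logical volume
SELINUXFS=/selinux

# Print the file_contexts path for the SELINUXTYPE (strict/targeted) configured in
# $1/etc/selinux/config; fail if the config is missing or names no policy type.
file_contexts_for() {
    ptype=$(sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$1/etc/selinux/config" 2>/dev/null | tail -n 1)
    [ -n "$ptype" ] || return 1
    printf '%s\n' "$1/etc/selinux/$ptype/contexts/files/file_contexts"
}

# Drop to a shell instead of continuing with an unlabeled or mislabeled tree.
rescue() { echo "initramfs: $1"; exec /bin/sh; }

boot() {
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t tmpfs tmpfs /dev && mdev -s          # device nodes created BEFORE policy load
    lvm vgscan --mknodes && lvm vgchange -a y     # /dev/vg0/slash appears here, unlabeled
    mkdir -p "$NEWROOT"
    mount -o ro "$ROOT_LV" "$NEWROOT" || rescue "cannot mount $ROOT_LV"

    # The policy lives on the root LV, so it can only be loaded once that is mounted;
    # selinuxfs is mounted inside the real root so the chrooted tools can reach it.
    mount -t selinuxfs selinuxfs "$NEWROOT$SELINUXFS" || rescue "no selinuxfs"
    chroot "$NEWROOT" /usr/sbin/load_policy -i || rescue "policy load failed"

    # Everything under /dev predates the policy: relabel it right away, inside the real
    # root so setfiles uses that root's file_contexts and path layout.
    fc=$(file_contexts_for "$NEWROOT") || rescue "no SELINUXTYPE in /etc/selinux/config"
    mount --move /dev "$NEWROOT/dev"
    chroot "$NEWROOT" /sbin/setfiles -F "${fc#$NEWROOT}" /dev || rescue "relabel failed"

    umount "$NEWROOT$SELINUXFS" /proc /sys        # the real init mounts these itself
    exec switch_root "$NEWROOT" /sbin/init
}

# Only run the boot sequence when we really are PID 1; sourcing the file elsewhere
# just defines the helpers.
if [ "$$" -eq 1 ]; then boot; fi
```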