Subject: [gentoo-hardened] SELinux (targeted policy) and invalid context
From: luc nac
Date: 2010-11-15 0:44 UTC
To: gentoo-hardened

Thanks to all of you who have been interested in my previous message. I'm encountering many more problems than expected and I can't find a forum where to discuss SELinux in Gentoo. I didn't find much help in this one: http://forums.gentoo.org/viewforum-f-18.html . If this is not the right place to ask for help, please tell me!

Now I'm trying to install the targeted policy but I can't succeed. Trying to relabel the filesystem I obtain an error:

localhost ~ # rlpkg -a -r
Relabeling filesystem types: ext2 ext3 jfs xfs
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 21 has invalid context user_u:object_r:user_tmp_t
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 32 has invalid context root:object_r:user_tmp_t
Scanning for shared libraries with text relocations...
 0 libraries with text relocations, 0 not relabeled.
Scanning for PIE binaries with text relocations...
 0 binaries with text relocations detected.

The same error appears when trying to emerge any package.

Commenting out this line:

/tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t

in /etc/selinux/targeted/contexts/files/homedir_template and then launching the genhomedircon command, subsequent rlpkg (and emerge) runs succeed until the next reboot. I think that this is a bad solution!

In the SELinux FAQ http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=3 (section 3.f, Setfiles error messages) it's written that "If /selinux is mounted, then most likely there is new policy that has not yet been loaded; therefore, the contexts have not yet become valid."

I emerged a lot of modules, many more than needed considering that this is a Gentoo stage 3 system.

localhost ~ # equery list selinux-
[ Searching for package 'selinux-' in all categories among: ]
 * installed packages
[I--] [  ] sec-policy/selinux-apache-20070928 (0)
[I--] [  ] sec-policy/selinux-arpwatch-20070928 (0)
[I--] [  ] sec-policy/selinux-base-policy-20070928 (0)
[I--] [  ] sec-policy/selinux-bind-20070928 (0)
[I--] [  ] sec-policy/selinux-dbus-20070928 (0)
[I--] [  ] sec-policy/selinux-desktop-20070928 (0)
[I--] [  ] sec-policy/selinux-dhcp-20070928 (0)
[I--] [  ] sec-policy/selinux-dnsmasq-20070928 (0)
[I--] [  ] sec-policy/selinux-games-20070928 (0)
[I--] [  ] sec-policy/selinux-gnupg-20070928 (0)
[I--] [  ] sec-policy/selinux-gpm-20070928 (0)
[I--] [  ] sec-policy/selinux-logrotate-20070928 (0)
[I--] [  ] sec-policy/selinux-nfs-20070928 (0)
[I--] [  ] sec-policy/selinux-openldap-20070928 (0)
[I--] [  ] sec-policy/selinux-portmap-20070928 (0)
[I--] [  ] sec-policy/selinux-samba-20070928 (0)
[I--] [  ] sec-policy/selinux-sudo-20070928 (0)
[I--] [  ] sec-policy/selinux-tcpd-20070928 (0)
[I--] [  ] sec-policy/selinux-tftpd-20070928 (0)

localhost ~ # semodule -l
apache 1.8.0
arpwatch 1.4.0
bind 1.5.0
dbus 1.7.0
dhcp 1.4.0
dnsmasq 1.4.0
games 1.4.0
gpg 1.4.0
gpm 1.3.0
java 1.6.0
ldap 1.5.0
logrotate 1.6.0
mono 1.3.0
mozilla 1.4.0
mplayer 1.3.0
portmap 1.5.0
rpc 1.6.0
samba 1.6.0
sudo 1.2.0
tftp 1.5.0
wine 1.4.0
xfs 1.2.0
xserver 1.6.0

localhost ~ # cat /etc/selinux/targeted/contexts/files/homedir_template
HOME_DIR/.+ system_u:object_r:ROLE_home_t
HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t
HOME_ROOT/lost\+found/.* <<none>>
HOME_DIR -d system_u:object_r:ROLE_home_dir_t
HOME_ROOT -d system_u:object_r:home_root_t
/tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
HOME_ROOT/\.journal <<none>>
HOME_ROOT/lost\+found -d system_u:object_r:lost_found_t
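As an added illustration (not code from this list or from Gentoo's genhomedircon), the following Python models how the HOME_DIR/HOME_ROOT/USER/ROLE placeholders in homedir_template are expanded into file_contexts.homedirs, and then checks the type of every generated context against the set of types the loaded policy defines, which is the condition behind the "has invalid context" lines in the rlpkg output above. The substitution rules are modelled on the generated contexts visible in that output; the user table and the set of loaded types are constructed, with user_tmp_t deliberately missing.

```python
# Constructed excerpt of a homedir_template like the one quoted above.
TEMPLATE = """\
HOME_DIR/.+ system_u:object_r:ROLE_home_t
HOME_DIR -d system_u:object_r:ROLE_home_dir_t
HOME_ROOT -d system_u:object_r:home_root_t
/tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
"""

# Constructed user table: (login, home directory, SELinux user, role prefix);
# the prefixes mirror the quoted output, where root and user_u both got user_tmp_t.
USERS = [
    ("root", "/root", "root", "user"),
    ("alice", "/home/alice", "user_u", "user"),
]

# Constructed set of types defined by the loaded policy; user_tmp_t is absent on purpose.
LOADED_TYPES = {"user_home_t", "user_home_dir_t", "home_root_t"}


def expand_template(template, users, home_root="/home"):
    """Expand the template into per-user specs, modelled on genhomedircon
    (assumption: one copy of every HOME_DIR/USER line per listed user)."""
    specs = []
    for line in template.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if "HOME_DIR" in line or "USER" in line:
            for login, home, seuser, prefix in users:
                spec = (line.replace("HOME_DIR", home)
                            .replace("USER", login)
                            .replace("ROLE", prefix))
                # the generated context carries the user's SELinux user, not system_u
                specs.append(spec.replace("system_u:", seuser + ":", 1))
        else:
            specs.append(line.replace("HOME_ROOT", home_root))
    return specs


def find_invalid_contexts(specs, known_types):
    """Return (line number, context) for every spec whose type is unknown
    to the policy: the same condition behind "line N has invalid context"."""
    bad = []
    for lineno, spec in enumerate(specs, start=1):
        context = spec.split()[-1]
        if context == "<<none>>":
            continue
        stype = context.split(":")[2]
        if stype not in known_types:
            bad.append((lineno, context))
    return bad


if __name__ == "__main__":
    generated = expand_template(TEMPLATE, USERS)
    for lineno, context in find_invalid_contexts(generated, LOADED_TYPES):
        print(f"file_contexts.homedirs: line {lineno} has invalid context {context}")
```

Loading a policy that actually defines user_tmp_t (or dropping the template line, as the message describes) makes the list of invalid contexts empty; the check itself stays the same.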
Subject: Re: [gentoo-hardened] SELinux (targeted policy) and invalid context
From: Chris Richards
Date: 2010-11-15 1:14 UTC
To: gentoo-hardened

On 11/14/2010 06:44 PM, luc nac wrote:
> Thanks to all of you who have been interested in my previous message. I'm encountering much more problems than expected and I can't find a forum where to discuss about SELinux in Gentoo. I didn't find much help in this one http://forums.gentoo.org/viewforum-f-18.html . If this is not the right place to ask help, please tell me!
>
> Now I'm trying to install the targeted policy but I can't succeed. Trying to relabel the filesystem I obtain an error:
> localhost ~ # rlpkg -a -r
> Relabeling filesystem types: ext2 ext3 jfs xfs
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 21 has invalid context user_u:object_r:user_tmp_t
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 32 has invalid context root:object_r:user_tmp_t
> Scanning for shared libraries with text relocations...
>  0 libraries with text relocations, 0 not relabeled.
> Scanning for PIE binaries with text relocations...
>  0 binaries with text relocations detected.
>
> The same error appears trying to emerge any package.
>
> Commenting this line:
> /tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
> in /etc/selinux/targeted/contexts/files/homedir_template and then launching the genhomedircon command, successive rlpkg (and emerge) succeed until next reboot.
> I think that this is a bad solution!
>
> In SELinux FAQ http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=3 (section 3.f. Setfiles error messages ) it's written that "If /selinux is mounted, then most likely there is new policy that has not yet been loaded; therefore, the contexts have not yet become valid."
>
> I emerged a lot of modules, much more than needed considering that this is a Gentoo stage 3 system.
>
> localhost ~ # equery list selinux-
> [ Searching for package 'selinux-' in all categories among: ]
>  * installed packages
> [I--] [  ] sec-policy/selinux-apache-20070928 (0)
> [I--] [  ] sec-policy/selinux-arpwatch-20070928 (0)
> [I--] [  ] sec-policy/selinux-base-policy-20070928 (0)
> [I--] [  ] sec-policy/selinux-bind-20070928 (0)
> [I--] [  ] sec-policy/selinux-dbus-20070928 (0)
> [I--] [  ] sec-policy/selinux-desktop-20070928 (0)
> [I--] [  ] sec-policy/selinux-dhcp-20070928 (0)
> [I--] [  ] sec-policy/selinux-dnsmasq-20070928 (0)
> [I--] [  ] sec-policy/selinux-games-20070928 (0)
> [I--] [  ] sec-policy/selinux-gnupg-20070928 (0)
> [I--] [  ] sec-policy/selinux-gpm-20070928 (0)
> [I--] [  ] sec-policy/selinux-logrotate-20070928 (0)
> [I--] [  ] sec-policy/selinux-nfs-20070928 (0)
> [I--] [  ] sec-policy/selinux-openldap-20070928 (0)
> [I--] [  ] sec-policy/selinux-portmap-20070928 (0)
> [I--] [  ] sec-policy/selinux-samba-20070928 (0)
> [I--] [  ] sec-policy/selinux-sudo-20070928 (0)
> [I--] [  ] sec-policy/selinux-tcpd-20070928 (0)
> [I--] [  ] sec-policy/selinux-tftpd-20070928 (0)
>
> localhost ~ # semodule -l
> apache 1.8.0
> arpwatch 1.4.0
> bind 1.5.0
> dbus 1.7.0
> dhcp 1.4.0
> dnsmasq 1.4.0
> games 1.4.0
> gpg 1.4.0
> gpm 1.3.0
> java 1.6.0
> ldap 1.5.0
> logrotate 1.6.0
> mono 1.3.0
> mozilla 1.4.0
> mplayer 1.3.0
> portmap 1.5.0
> rpc 1.6.0
> samba 1.6.0
> sudo 1.2.0
> tftp 1.5.0
> wine 1.4.0
> xfs 1.2.0
> xserver 1.6.0
>
> localhost ~ # cat /etc/selinux/targeted/contexts/files/homedir_template
> HOME_DIR/.+ system_u:object_r:ROLE_home_t
> HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t
> HOME_ROOT/lost\+found/.* <<none>>
> HOME_DIR -d system_u:object_r:ROLE_home_dir_t
> HOME_ROOT -d system_u:object_r:home_root_t
> /tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
> HOME_ROOT/\.journal <<none>>
> HOME_ROOT/lost\+found -d system_u:object_r:lost_found_t

Ok, first and foremost, I haven't tested targeted policy (I'm still sorting strict policy).

Second, the handbook states that you should use v2refpolicy. You are running the 20070928 policy, which is v1 policy and is very very old. I'm guessing you are working with an old system that hasn't been converted to v2refpolicy.

Third, even with v2refpolicy, the current version in the tree is now almost a year old and has issues (which is part of what I'm working to sort out). TBH, I'm not entirely certain it will boot in enforcing mode, although targeted policy will stand a better chance of working than strict policy.

I'm working as fast as I can. Unfortunately, my spare time is pretty, well, 'spare' and has been for some time. If you want to make your own ebuild, you can find where to pull the latest release policy from http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease, or get the current development policy from the git repository at http://oss.tresys.com/git/refpolicy.git.

Later,
Gizmo
Subject: Re: [gentoo-hardened] SELinux (targeted policy) and invalid context
From: Sven Vermeulen
Date: 2010-11-17 20:07 UTC
To: gentoo-hardened

On Sun, Nov 14, 2010 at 07:14:49PM -0600, Chris Richards wrote:
> Ok, first and foremost, I haven't tested targeted policy (I'm still sorting strict policy).
> Second, the handbook states that you should use v2refpolicy. You are running the 20070928 policy, which is v1 policy and is very very old. I'm guessing you are working with an old system that hasn't been converted to v2refpolicy.
> Third, even with v2refpolicy, the current version in the tree is now almost a year old and has issues (which is part of what I'm working to sort out). TBH, I'm not entirely certain it will boot in enforcing mode, although targeted policy will stand a better chance of working than strict policy.
>
> I'm working as fast as I can. Unfortunately, my spare time is pretty, well, 'spare' and has been for some time. If you want to make your own ebuild, you can find where to pull the latest release policy from http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease, or get the current development policy from the git repository at http://oss.tresys.com/git/refpolicy.git.

If you're really adventurous, you can try using the ebuilds available on https://github.com/sjvermeu/gentoo.overlay/. With those, together with the changes as mentioned in http://blog.siphos.be/2010/10/selinux-enforcing-for-console-activity/ I am able to boot in enforcing mode, strict policy.

To use the ebuilds (apart from setting http://github.com/sjvermeu/gentoo.overlay/raw/master/overlay.xml in your /etc/layman/layman.cfg file to be able to select sjvermeu), install sec-policy/selinux-policy (you'll need to unmask sec-policy/*) and you're almost ready to use ;-) I'm currently also having a few fixes not in the overlay yet (one for dhcpcd, one for gcc-config and one for portage) but am planning on integrating those as well.

True, the current state in hardened is not easy to work with, and because not even the unstable packages are working, it's also hardly possible to create any documentation on it. However, I am planning on starting with documentation (even if based upon overlay ebuilds) soon - right after I get X working properly :p

Wkr,
Sven Vermeulen
Subject: Re: [gentoo-hardened] SELinux (targeted policy) and invalid context
From: luc nac
Date: 2010-11-17 20:41 UTC
To: gentoo-hardened

Now I am trying to use SELinux (targeted policy) in a brand new Gentoo stage3 (Kernel 2.6.32-hardened-r9). I tried all versions of selinux-base-policy available, but relabeling the file system always fails with the same error: "filespec_add: Conflicting specifications for ...". Am I still doing something wrong? Is the only thing I can do to run SELinux in Gentoo to try to make my own ebuild?

# rlpkg -a -r
Relabeling filesystem types: ext2 ext3 jfs xfs
filespec_add: conflicting specifications for /usr/bin/getconf and /usr/lib/misc/glibc/getconf/POSIX_V6_ILP32_OFFBIG, using system_u:object_r:lib_t.
filespec_eval: hash table stats: 251923 elements, 63077/65536 buckets used, longest chain length 8
Scanning for shared libraries with text relocations...
 0 libraries with text relocations, 0 not relabeled.
Scanning for PIE binaries with text relocations...
 0 binaries with text relocations detected.

# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t
Init context:                   system_u:system_r:init_t
/sbin/agetty                    system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:sshd_t

File contexts:
Controlling term:               unconfined_u:object_r:user_devpts_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/bin/login                      system_u:object_r:login_exec_t
/sbin/rc                        system_u:object_r:initrc_exec_t
/sbin/runscript.sh              system_u:object_r:initrc_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd               system_u:object_r:chkpwd_exec_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash                       system_u:object_r:shell_exec_t
/usr/bin/newrole                system_u:object_r:newrole_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t

# eselect profile list
Available profile symlink targets:
  [1]   default/linux/x86/10.0
  [2]   default/linux/x86/10.0/desktop
  [3]   default/linux/x86/10.0/desktop/gnome
  [4]   default/linux/x86/10.0/desktop/kde
  [5]   default/linux/x86/10.0/developer
  [6]   default/linux/x86/10.0/server
  [7]   hardened/linux/x86/10.0
  [8]   selinux/2007.0/x86
  [9]   selinux/2007.0/x86/hardened
  [10]  selinux/v2refpolicy/x86
  [11]  selinux/v2refpolicy/x86/desktop
  [12]  selinux/v2refpolicy/x86/developer
  [13]  selinux/v2refpolicy/x86/hardened *
  [14]  selinux/v2refpolicy/x86/server

# equery list -p selinux-base-policy
[ Searching for package 'selinux-base-policy' in all categories among: ]
 * installed packages
[I--] [ ~] sec-policy/selinux-base-policy-2.20091215 (0)
 * Portage tree (/usr/portage)
[-P-] [ ~] sec-policy/selinux-base-policy-2.20090730 (0)
[-P-] [ ~] sec-policy/selinux-base-policy-2.20090814 (0)
[-P-] [M ] sec-policy/selinux-base-policy-20080525 (0)
[-P-] [ ~] sec-policy/selinux-base-policy-20080525-r1 (0)

# semodule -l
apache 2.1.0
bind 1.10.0
gpg 2.2.1
java 2.2.0
local 1.0
mono 1.6.0
mozilla 2.1.1
mplayer 2.1.0
wine 1.6.0
xfs 1.6.0
xserver 3.3.1

On Mon, Nov 15, 2010 at 02:14, Chris Richards <gizmo@giz-works.com> wrote:
> Ok, first and foremost, I haven't tested targeted policy (I'm still sorting strict policy).
> Second, the handbook states that you should use v2refpolicy. You are running the 20070928 policy, which is v1 policy and is very very old. I'm guessing you are working with an old system that hasn't been converted to v2refpolicy.
> Third, even with v2refpolicy, the current version in the tree is now almost a year old and has issues (which is part of what I'm working to sort out). TBH, I'm not entirely certain it will boot in enforcing mode, although targeted policy will stand a better chance of working than strict policy.
>
> I'm working as fast as I can. Unfortunately, my spare time is pretty, well, 'spare' and has been for some time. If you want to make your own ebuild, you can find where to pull the latest release policy from http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease, or get the current development policy from the git repository at http://oss.tresys.com/git/refpolicy.git.
>
> Later,
> Gizmo
Subject: Re: [gentoo-hardened] SELinux (targeted policy) and invalid context
From: Sven Vermeulen
Date: 2010-11-17 21:30 UTC
To: gentoo-hardened

On Wed, Nov 17, 2010 at 09:41:49PM +0100, luc nac wrote:
> Now I am trying to use SELinux (targeted policy) in a brand new Gentoo stage3 (Kernel 2.6.32-hardened-r9), I tried all versions of selinux-base-policy available, but relabeling the file system always fails with the same error: "filespec_add: Conflicting specifications for ...".
> Am I still doing something wrong? The only thing that I can do to run SELinux in Gentoo is try to make my own ebuild?

This is a cosmetic error and shouldn't really be an issue (though I don't have it myself with a more recent policy snapshot). It means that there are multiple rules that match the given file, and that the rules might apply a different label to the inode.

You can see the matching rule(s) using matchpathcon I think:

~# matchpathcon /usr/lib/misc/glibc/getconf
/usr/lib/misc/glibc/getconf	system_u:object_r:lib_t

> # rlpkg -a -r
> Relabeling filesystem types: ext2 ext3 jfs xfs
> filespec_add: conflicting specifications for /usr/bin/getconf and /usr/lib/misc/glibc/getconf/POSIX_V6_ILP32_OFFBIG, using system_u:object_r:lib_t.

Looks like it got the right one (unless I'm also running the wrong one ;-)

Wkr,
Sven Vermeulen
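As an added model (not code from this thread, nor the libselinux or setfiles sources), the Python below shows the two mechanisms behind the rlpkg output quoted in this thread: a matchpathcon-style lookup in which the last matching file_contexts entry wins, and a filespec_add-style per-inode check that warns when two hard links to the same inode resolve to different labels. The file_contexts excerpt and the inode table are constructed, and keeping the label first recorded for an inode is an assumption about setfiles that is consistent with the message shown.

```python
import re

# Constructed file_contexts excerpt (later entries override earlier ones).
FILE_CONTEXTS = """\
/usr/bin/.*         --  system_u:object_r:bin_t
/usr/lib(/.*)?          system_u:object_r:lib_t
"""

# Constructed inode table: both getconf paths are hard links to one inode,
# which is the situation the quoted filespec_add warning describes.
INODES = {
    "/usr/lib/misc/glibc/getconf/POSIX_V6_ILP32_OFFBIG": 4242,
    "/usr/bin/getconf": 4242,
    "/usr/bin/ls": 4243,
}


def parse_file_contexts(text):
    """Return [(compiled regex, context)] in file order; the optional
    file-type column (-d, --, ...) between regex and context is ignored."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        rules.append((re.compile(fields[0] + "$"), fields[-1]))
    return rules


def matchpathcon(rules, path):
    """Label for a path: the last matching entry wins, as with matchpathcon."""
    label = None
    for regex, context in rules:
        if regex.match(path):
            label = context
    return label


def relabel(rules, inodes):
    """Visit paths in order, remember the label chosen per inode and emit a
    filespec_add-style warning when a hard link would get a different one."""
    chosen = {}   # inode -> (first path seen, context applied)
    warnings = []
    for path, ino in inodes.items():
        context = matchpathcon(rules, path)
        if context is None or context == "<<none>>":
            continue
        if ino in chosen and chosen[ino][1] != context:
            first_path, first_ctx = chosen[ino]
            warnings.append(f"filespec_add: conflicting specifications for "
                            f"{path} and {first_path}, using {first_ctx}.")
            continue
        chosen.setdefault(ino, (path, context))
    return chosen, warnings


if __name__ == "__main__":
    _, warns = relabel(parse_file_contexts(FILE_CONTEXTS), INODES)
    print("\n".join(warns))
```

Running matchpathcon on each of the two hard-linked paths, as the reply suggests, shows the same disagreement the warning reports; the label that ends up on the inode is the one both paths will then share.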