C.J. Adams-Collier KF7BMP | 6 Feb 05:26 2012

SELinux on Wheezy

Hey folks,

I brought up a wheezy install on an alternate lvm root a couple of weeks
ago.  I turned SELinux on shortly thereafter.  I think I updated my
kernel, and now X won't start.  Could someone look at these logs with me
and help figure out what's going on?  Something showed up during boot
that said something about updating labels, but I didn't capture it.
Where should I look to find these boot logs, do you think?

http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log

Thank you in advance!

C.J.

Stephen Smalley | 6 Feb 16:39 2012

Re: SELinux on Wheezy

On Sun, 2012-02-05 at 20:26 -0800, C.J. Adams-Collier KF7BMP wrote:
> Hey folks,
> 
> I brought up a wheezy install on an alternate lvm root a couple of weeks
> ago.  I turned SELinux on shortly thereafter.  I think I updated my
> kernel, and now X won't start.  Could someone look at these logs with me
> and help figure out what's going on?  Something showed up during boot
> that said something about updating labels, but I didn't capture it.
> Where should I look to find these boot logs, do you think?
> 
> http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log

Are there any avc denials?  If running auditd, then use ausearch -m AVC.
Otherwise grep for avc: in your messages file or dmesg output.

What does sestatus report?

-- 
Stephen Smalley
National Security Agency

C.J. Adams-Collier KF7BMP | 6 Feb 17:17 2012

Re: SELinux on Wheezy

On Mon, 2012-02-06 at 10:39 -0500, Stephen Smalley wrote:
> On Sun, 2012-02-05 at 20:26 -0800, C.J. Adams-Collier KF7BMP wrote:
> > Hey folks,
> > 
> > I brought up a wheezy install on an alternate lvm root a couple of weeks
> > ago.  I turned SELinux on shortly thereafter.  I think I updated my
> > kernel, and now X won't start.  Could someone look at these logs with me
> > and help figure out what's going on?  Something showed up during boot
> > that said something about updating labels, but I didn't capture it.
> > Where should I look to find these boot logs, do you think?
> > 
> > http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log
> 
> Are there any avc denials?  If running auditd, then use ausearch -m AVC.
> Otherwise grep for avc: in your messages file or dmesg output.
> 
> What does sestatus report?

Thank you for your quick response, Stephen.

I'm using Evolution as my MUA and haven't got mutt set up on the new
system yet, so email and selinux are currently mutually exclusive.  I've
saved this email to a text file and will re-start the kernel with
selinux enabled, run these commands > log and re-boot.  I'm waiting on a
ferry that leaves in 15 minutes, so I won't have the results until I get
to my desk in Seattle after noon (-0800).

C.J.


C.J. Adams-Collier KF7BMP | 7 Feb 00:23 2012

Re: SELinux on Wheezy

On Mon, 2012-02-06 at 08:17 -0800, C.J. Adams-Collier KF7BMP wrote:
> On Mon, 2012-02-06 at 10:39 -0500, Stephen Smalley wrote:
> > On Sun, 2012-02-05 at 20:26 -0800, C.J. Adams-Collier KF7BMP wrote:
> > > Hey folks,
> > > 
> > > I brought up a wheezy install on an alternate lvm root a couple of weeks
> > > ago.  I turned SELinux on shortly thereafter.  I think I updated my
> > > kernel, and now X won't start.  Could someone look at these logs with me
> > > and help figure out what's going on?  Something showed up during boot
> > > that said something about updating labels, but I didn't capture it.
> > > Where should I look to find these boot logs, do you think?
> > > 
> > > http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log
> > 
> > Are there any avc denials?  If running auditd, then use ausearch -m AVC.
> > Otherwise grep for avc: in your messages file or dmesg output.
> > 
> > What does sestatus report?
> 
> Thank you for your quick response, Stephen.
> 
> I'm using Evolution as my MUA and haven't got mutt set up on the new
> system yet, so email and selinux are currently mutually exclusive.  I've
> saved this email to a text file and will re-start the kernel with
> selinux enabled, run these commands > log and re-boot.  I'm waiting on a
> ferry that leaves in 15 minutes, so I won't have the results until I get
> to my desk in Seattle after noon (-0800).
> 
> C.J.


Dominick Grift | 7 Feb 00:48 2012

Re: SELinux on Wheezy


> Stephen,
> 
> Here are the logs you requested:
> 
> http://www.colliertech.org/federal/nsa/avc-20120206T090101.log

The above logs expose two bugs in your policy, I believe.
Are you using the latest available policy?

Possible temporary fixes:

echo 'avc:  denied  { associate } for  pid=384 comm="restorecon" name="shm" dev=devtmpfs ino=5266 scontext=system_u:object_r:tmpfs_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem' | audit2allow -M myfs; sudo semodule -i myfs.pp

echo 'avc:  denied  { syslog } for  pid=1824 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2' | audit2allow -M mykernel; sudo semodule -i mykernel.pp

Stephen Smalley | 7 Feb 18:42 2012

Re: SELinux on Wheezy

On Mon, 2012-02-06 at 15:23 -0800, C.J. Adams-Collier KF7BMP wrote:
> Here are the logs you requested:
> 
> http://www.colliertech.org/federal/nsa/avc-20120206T090101.log
> 
> http://www.colliertech.org/federal/nsa/sestatus-20120206T090618.log
> 
> It seems to me that the Debian SELinux docs could use some improvement.
> To this end, I have submitted an application to join the SELinux project
> on Alioth.  I will probably make some updates to the wiki pages as well.
> 
> I am going to install the packages which provide the tools you and
> Dominick recommended this morning and dig a little deeper as time
> permits.
> 
> Thank you again for taking the time to help me through this.

The avc message suggests that your processes are not running in the
right domains, which in turn suggests that perhaps your filesystems are
not correctly labeled.  sestatus -v should provide more information.

-- 
Stephen Smalley
National Security Agency

Dominick Grift | 7 Feb 19:44 2012

Re: SELinux on Wheezy

On Tue, 2012-02-07 at 12:42 -0500, Stephen Smalley wrote:

> 
> The avc message suggests that your processes are not running in the
> right domains, which in turn suggests that perhaps your filesystems are
> not correctly labeled.  sestatus -v should provide more information.
> 

Whoops, yes, I agree there.  rsyslogd runs in the kernel_t domain.
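An added example, not posted by anyone in this thread: a small POSIX sh/awk script that summarises AVC records in the form "ausearch -m AVC" or "grep avc:" returns them (Stephen's first suggestion) and flags the pattern Stephen and Dominick describe here, a userspace daemon such as rsyslogd whose denial shows it running in kernel_t. The sample input is constructed from the two denials Dominick pasted; the function names avc_summary and labeling_suspects are my own, not anything from the policy tools.

```shell
#!/bin/sh
# Added example, not from this thread: summarise AVC denials and flag the ones
# that point at a labeling problem rather than at a missing allow rule.
# Input is whatever "ausearch -m AVC" or "grep avc: /var/log/messages" prints.

# Constructed sample: the two denials quoted in this thread, one per line.
AVC_SAMPLE='avc:  denied  { associate } for  pid=384 comm="restorecon" name="shm" dev=devtmpfs ino=5266 scontext=system_u:object_r:tmpfs_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
avc:  denied  { syslog } for  pid=1824 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2'

# avc_summary: read AVC records on stdin, print "comm source_type target_type tclass perms".
avc_summary() {
  awk '
    /avc: *denied/ {
      perms = $0
      sub(/.*denied *[{] */, "", perms)   # drop everything up to the opening brace
      sub(/ *[}].*/, "", perms)           # drop the closing brace and the rest
      comm = "?"; stype = "?"; ttype = "?"; tclass = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
        if ($i ~ /^scontext=/) { split($i, c, ":"); stype = c[3] }   # user:role:type:level
        if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
      }
      print comm, stype, ttype, tclass, perms
    }'
}

# labeling_suspects: programs whose denial shows them running in kernel_t.
# Only kernel threads legitimately live there; a daemon in kernel_t inherited
# it from init because the file labels that drive the domain transitions were
# missing, which is what an unlabeled or mislabeled filesystem looks like.
# Feeding such a denial to audit2allow would silence the message and leave the
# daemon in kernel_t, so these names are a cue to check labels (restorecon),
# not to write policy.
labeling_suspects() {
  avc_summary | awk '$2 == "kernel_t" { print $1 }'
}

# Stand-alone use: pipe the sample (or real ausearch output) through both.
printf '%s\n' "$AVC_SAMPLE" | avc_summary
printf '%s\n' "$AVC_SAMPLE" | labeling_suspects
```

On a correctly labeled system the second command prints nothing; on the machine in this thread it prints rsyslogd, which is the same conclusion Stephen draws from the log by eye.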

C.J. Adams-Collier KF7BMP | 7 Feb 19:55 2012

Re: SELinux on Wheezy

On Tue, 2012-02-07 at 12:42 -0500, Stephen Smalley wrote:
> sestatus -v

Rebooting and running this command + logs.

Russell Coker | 9 Feb 14:17 2012

Re: SELinux on Wheezy

On Tue, 7 Feb 2012, "C.J. Adams-Collier KF7BMP" <cjac@...> wrote:
> It seems to me that the Debian SELinux docs could use some improvement.
> To this end, I have submitted an application to join the SELinux project
> on Alioth.  I will probably make some updates to the wiki pages as well.

I've approved that (sorry for the delay).  I look forward to seeing your work.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

Dominick Grift | 6 Feb 16:56 2012

Re: SELinux on Wheezy

On Sun, 2012-02-05 at 20:26 -0800, C.J. Adams-Collier KF7BMP wrote:
> Hey folks,
> 
> I brought up a wheezy install on an alternate lvm root a couple of weeks
> ago.  I turned SELinux on shortly thereafter.  I think I updated my
> kernel, and now X won't start.  Could someone look at these logs with me
> and help figure out what's going on?  Something showed up during boot
> that said something about updating labels, but I didn't capture it.
> Where should I look to find these boot logs, do you think?
> 
> http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log
> 
> Thank you in advance!
> 
> C.J.
> 
> 

Seems to be an XACE issue.

> > /var/log/Xorg.56.log.old:[    46.050] SELinux: a property label lookup failed!
> > /var/log/Xorg.56.log.old:[    46.050] SELinux: Failed to set label property on window!

getsebool -a | grep xserver_object_manager

Does it work if you set it to off?

setsebool -P xserver_object_manager off

http://selinuxproject.org/page/NB_XWIN

C.J. Adams-Collier KF7BMP | 6 Feb 17:21 2012

Re: SELinux on Wheezy

On Mon, 2012-02-06 at 16:56 +0100, Dominick Grift wrote:
> On Sun, 2012-02-05 at 20:26 -0800, C.J. Adams-Collier KF7BMP wrote:
> > Hey folks,
> > 
> > I brought up a wheezy install on an alternate lvm root a couple of weeks
> > ago.  I turned SELinux on shortly thereafter.  I think I updated my
> > kernel, and now X won't start.  Could someone look at these logs with me
> > and help figure out what's going on?  Something showed up during boot
> > that said something about updating labels, but I didn't capture it.
> > Where should I look to find these boot logs, do you think?
> > 
> > http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log
> > 
> > Thank you in advance!
> > 
> > C.J.
> > 
> > 
> 
> Seems to be an XACE issue.
> 
> > > /var/log/Xorg.56.log.old:[    46.050] SELinux: a property label lookup failed!
> > > /var/log/Xorg.56.log.old:[    46.050] SELinux: Failed to set label property on window!
> 
> getsebool -a | grep xserver_object_manager
> 
> Does it work if you set it to off?
> 
> setsebool -P xserver_object_manager off
> 

C.J. Adams-Collier KF7BMP | 7 Feb 18:35 2012

Re: SELinux on Wheezy

On Mon, 2012-02-06 at 08:21 -0800, C.J. Adams-Collier KF7BMP wrote:
> On Mon, 2012-02-06 at 16:56 +0100, Dominick Grift wrote:
> > On Sun, 2012-02-05 at 20:26 -0800, C.J. Adams-Collier KF7BMP wrote:
> > > Hey folks,
> > > 
> > > I brought up a wheezy install on an alternate lvm root a couple of weeks
> > > ago.  I turned SELinux on shortly thereafter.  I think I updated my
> > > kernel, and now X won't start.  Could someone look at these logs with me
> > > and help figure out what's going on?  Something showed up during boot
> > > that said something about updating labels, but I didn't capture it.
> > > Where should I look to find these boot logs, do you think?
> > > 
> > > http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log
> > > 
> > > Thank you in advance!
> > > 
> > > C.J.
> > > 
> > > 
> > 
> > Seems to be an XACE issue.
> > 
> > > > /var/log/Xorg.56.log.old:[    46.050] SELinux: a property label lookup failed!
> > > > /var/log/Xorg.56.log.old:[    46.050] SELinux: Failed to set label property on window!
> > 
> > getsebool -a | grep xserver_object_manager
> > 
> > Does it work if you set it to off?
> > 
> > setsebool -P xserver_object_manager off

Stephen Smalley | 7 Feb 18:47 2012

Re: SELinux on Wheezy

On Tue, 2012-02-07 at 09:35 -0800, C.J. Adams-Collier KF7BMP wrote:
> On Mon, 2012-02-06 at 08:21 -0800, C.J. Adams-Collier KF7BMP wrote:
> > On Mon, 2012-02-06 at 16:56 +0100, Dominick Grift wrote:
> > > On Sun, 2012-02-05 at 20:26 -0800, C.J. Adams-Collier KF7BMP wrote:
> > > > Hey folks,
> > > > 
> > > > I brought up a wheezy install on an alternate lvm root a couple of weeks
> > > > ago.  I turned SELinux on shortly thereafter.  I think I updated my
> > > > kernel, and now X won't start.  Could someone look at these logs with me
> > > > and help figure out what's going on?  Something showed up during boot
> > > > that said something about updating labels, but I didn't capture it.
> > > > Where should I look to find these boot logs, do you think?
> > > > 
> > > > http://www.colliertech.org/federal/nsa/selinux-20120205T2023PST.log
> > > > 
> > > > Thank you in advance!
> > > > 
> > > > C.J.
> > > > 
> > > > 
> > > 
> > > Seems to be an XACE issue.
> > > 
> > > > > /var/log/Xorg.56.log.old:[    46.050] SELinux: a property label lookup failed!
> > > > > /var/log/Xorg.56.log.old:[    46.050] SELinux: Failed to set label property on window!
> > > 
> > > getsebool -a | grep xserver_object_manager
> > > 
> > > Does it work if you set it to off?
> > > 

C.J. Adams-Collier KF7BMP | 7 Feb 19:56 2012

Re: SELinux on Wheezy

On Tue, 2012-02-07 at 12:47 -0500, Stephen Smalley wrote:
> semodule -l

Rebooting and running + logs.

C.J. Adams-Collier | 7 Feb 21:02 2012

Re: SELinux on Wheezy

cjac <at> foxtrot:~$ scp ~/selinux/*20120207*.log 172.16.12.22:/var/www/colliertech.org/wiki/federal/nsa/

--

~/selinux/semodule_-l_20120207T110759.log:
apache	2.3.0	
dbus	1.15.0	
devicekit	1.1.0	
dmidecode	1.4.0	
exim	1.5.0	
ftp	1.13.0	
git	1.0	
gpg	2.4.0	
lda	1.9.0	
lvm	1.13.0	
netutils	1.11.0	
openvpn	1.10.0	
ptchown	1.1.0	
pythonsupport	0.0.1	
remotelogin	1.7.0	
rpc	1.13.0	
rpcbind	1.5.0	
rsync	1.11.0	
ssh	2.2.0	
sudo	1.8.0	
tcpd	1.4.0	
telnet	1.10.0	
tzdata	1.4.0	
unconfined	3.3.0	


Stephen Smalley | 7 Feb 21:08 2012

Re: SELinux on Wheezy

On Tue, 2012-02-07 at 12:02 -0800, C.J. Adams-Collier wrote:
> ~/selinux/semodule_-l_20120207T110759.log:
> apache	2.3.0	
> dbus	1.15.0	
> devicekit	1.1.0	
> dmidecode	1.4.0	
> exim	1.5.0	
> ftp	1.13.0	
> git	1.0	
> gpg	2.4.0	
> lda	1.9.0	
> lvm	1.13.0	
> netutils	1.11.0	
> openvpn	1.10.0	
> ptchown	1.1.0	
> pythonsupport	0.0.1	
> remotelogin	1.7.0	
> rpc	1.13.0	
> rpcbind	1.5.0	
> rsync	1.11.0	
> ssh	2.2.0	
> sudo	1.8.0	
> tcpd	1.4.0	
> telnet	1.10.0	
> tzdata	1.4.0	
> unconfined	3.3.0

So no xserver module, unless it happens to be part of your base module.
seinfo -txserver_t


C.J. Adams-Collier | 7 Feb 22:05 2012

Re: SELinux on Wheezy

On Tue, Feb 07, 2012 at 03:08:25PM -0500, Stephen Smalley wrote:
> On Tue, 2012-02-07 at 12:02 -0800, C.J. Adams-Collier wrote:
> > ~/selinux/semodule_-l_20120207T110759.log:
> > apache	2.3.0	
> > dbus	1.15.0	
> > devicekit	1.1.0	
> > dmidecode	1.4.0	
> > exim	1.5.0	
> > ftp	1.13.0	
> > git	1.0	
> > gpg	2.4.0	
> > lda	1.9.0	
> > lvm	1.13.0	
> > netutils	1.11.0	
> > openvpn	1.10.0	
> > ptchown	1.1.0	
> > pythonsupport	0.0.1	
> > remotelogin	1.7.0	
> > rpc	1.13.0	
> > rpcbind	1.5.0	
> > rsync	1.11.0	
> > ssh	2.2.0	
> > sudo	1.8.0	
> > tcpd	1.4.0	
> > telnet	1.10.0	
> > tzdata	1.4.0	
> > unconfined	3.3.0
> 
> So no xserver module, unless it happens to be part of your base module.
> seinfo -txserver_t

Stephen Smalley | 8 Feb 14:24 2012

Re: SELinux on Wheezy

On Tue, 2012-02-07 at 13:05 -0800, C.J. Adams-Collier wrote:
> cjac <at> foxtrot:~$ sudo which seinfo
> cjac <at> foxtrot:~$ apt-file search seinfo | grep bin | wc -l
> 0

seinfo is part of the setools package.

> Sounds reasonable.  Do I get policy from my distribution, or should I
> generate one myself?

Normally from your distribution, assuming the selinux packages for
Debian are still being maintained.

IIRC, the Debian selinux policy package tries to minimize the set of
installed policy modules based on the set of installed packages, but
that isn't an exact mapping and might be leaving you without a complete
policy.  Whereas Fedora installs all policy modules unconditionally.

If the .pp files are on your filesystem and just not installed into the
policy store, you can manually add them by running semodule -i on them.
Try listing the files installed from your policy packages and see if
xserver.pp is among them.  

> cjac <at> foxtrot:~$ dpkg -l | grep selinux-policy
> ii  selinux-policy-default               2:2.20110726-3                 Strict and Targeted variants of the SELinux policy
> ii  selinux-policy-dev                   2:2.20110726-3                 Headers from the SELinux reference policy for building modules
> ii  selinux-policy-doc                   2:2.20110726-3                 Documentation for the SELinux reference policy
> 
> cjac <at> foxtrot:~$ apt-cache search selinux-policy
> selinux-policy-default - Strict and Targeted variants of the SELinux policy

C.J. Adams-Collier KF7BMP | 8 Feb 18:39 2012

Re: SELinux on Wheezy

On Wed, 2012-02-08 at 08:24 -0500, Stephen Smalley wrote:
> On Tue, 2012-02-07 at 13:05 -0800, C.J. Adams-Collier wrote:
> > cjac <at> foxtrot:~$ sudo which seinfo
> > cjac <at> foxtrot:~$ apt-file search seinfo | grep bin | wc -l
> > 0
> 
> seinfo is part of the setools package.

$ apt-cache search -n setools
erlang-parsetools - Erlang/OTP parsing tools

Hmm.

Would it be safe to build seinfo from source and use it along with the
distro-installed tools?  If so, what's the git repo I should clone from?

> > Sounds reasonable.  Do I get policy from my distribution, or should I
> > generate one myself?
> 
> Normally from your distribution, assuming the selinux packages for
> Debian are still being maintained.

I believe they are.  I exchanged email with Russell about it not long
ago.  But then, gtkglarea is still officially maintained and I made the
first update in nearly a year 36 hours ago.  Perhaps the package needs 1
or more co-maintainers to improve coverage.

> IIRC, the Debian selinux policy package tries to minimize the set of
> installed policy modules based on the set of installed packages, but
> that isn't an exact mapping and might be leaving you without a complete

Stephen Smalley | 8 Feb 18:54 2012

Re: SELinux on Wheezy

On Wed, 2012-02-08 at 09:39 -0800, C.J. Adams-Collier KF7BMP wrote:
> On Wed, 2012-02-08 at 08:24 -0500, Stephen Smalley wrote:
> > On Tue, 2012-02-07 at 13:05 -0800, C.J. Adams-Collier wrote:
> > > cjac <at> foxtrot:~$ sudo which seinfo
> > > cjac <at> foxtrot:~$ apt-file search seinfo | grep bin | wc -l
> > > 0
> > 
> > seinfo is part of the setools package.
> 
> $ apt-cache search -n setools
> erlang-parsetools - Erlang/OTP parsing tools
> 
> Hmm.
> 
> Would it be safe to build seinfo from source and use it along with the
> distro-installed tools?  If so, what's the git repo I should clone from?

Curious, as setools is packaged for Debian squeeze per
packages.debian.org.  Did the package go un-maintained before wheezy?

Upstream is at:
http://oss.tresys.com/projects/setools

> $ locate xserver.pp
> /usr/share/selinux/default/xserver.pp
> 
> I'll run semodule -i after this morning's reboot.  I installed mutt
> yesterday, so I'll work from the console until you folks sign off for
> the evening.


C.J. Adams-Collier KF7BMP | 8 Feb 20:45 2012

Re: SELinux on Wheezy

On Wed, 2012-02-08 at 12:54 -0500, Stephen Smalley wrote:
> On Wed, 2012-02-08 at 09:39 -0800, C.J. Adams-Collier KF7BMP wrote:
> > On Wed, 2012-02-08 at 08:24 -0500, Stephen Smalley wrote:
> > > On Tue, 2012-02-07 at 13:05 -0800, C.J. Adams-Collier wrote:
> > > > cjac <at> foxtrot:~$ sudo which seinfo
> > > > cjac <at> foxtrot:~$ apt-file search seinfo | grep bin | wc -l
> > > > 0
> > > 
> > > seinfo is part of the setools package.
> > 
> > $ apt-cache search -n setools
> > erlang-parsetools - Erlang/OTP parsing tools
> > 
> > Hmm.
> > 
> > Would it be safe to build seinfo from source and use it along with the
> > distro-installed tools?  If so, what's the git repo I should clone from?
> 
> Curious, as setools is packaged for Debian squeeze per
> packages.debian.org.  Did the package go un-maintained before wheezy?
> 
> Upstream is at:
> http://oss.tresys.com/projects/setools

cjac <at> foxtrot:/usr/src/git/debian/setools$ git log | head -5
commit 22a5d3e451d8a1e60a3c746466c865e63089a92a
Merge: fa238f0 149e283
Author: Manoj Srivastava <srivasta@...>
Date:   Tue Jul 20 23:10:06 2010 -0700


Stephen Smalley | 8 Feb 21:17 2012

Re: SELinux on Wheezy

On Wed, 2012-02-08 at 11:45 -0800, C.J. Adams-Collier KF7BMP wrote:
> > > $ locate xserver.pp
> > > /usr/share/selinux/default/xserver.pp
> > > 
> > > I'll run semodule -i after this morning's reboot.  I installed mutt
> > > yesterday, so I'll work from the console until you folks sign off for
> > > the evening.
> > 
> > I'd suggest installing all of the .pp files to ensure you aren't missing
> > anything else.  The man page for semodule has some examples of how to
> > install all modules from a directory.
> 
> What's the best way to do this at boot?

You just do it once and it remains until/unless you remove it with
semodule -r.  No need to do it on each boot.  Normally it is done when
you install the policy package, but since your policy package apparently
didn't install all modules, I'm suggesting that you do so manually.  

cd /usr/share/selinux/default
ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -b base.pp -i
should install them all.

-- 
Stephen Smalley
National Security Agency

C.J. Adams-Collier KF7BMP | 8 Feb 22:32 2012

Re: SELinux on Wheezy

On Wed, 2012-02-08 at 15:17 -0500, Stephen Smalley wrote:
> On Wed, 2012-02-08 at 11:45 -0800, C.J. Adams-Collier KF7BMP wrote:
> > > > $ locate xserver.pp
> > > > /usr/share/selinux/default/xserver.pp
> > > > 
> > > > I'll run semodule -i after this morning's reboot.  I installed mutt
> > > > yesterday, so I'll work from the console until you folks sign off for
> > > > the evening.
> > > 
> > > I'd suggest installing all of the .pp files to ensure you aren't missing
> > > anything else.  The man page for semodule has some examples of how to
> > > install all modules from a directory.
> > 
> > What's the best way to do this at boot?
> 
> You just do it once and it remains until/unless you remove it with
> semodule -r.  No need to do it on each boot.  Normally it is done when
> you install the policy package, but since your policy package apparently
> didn't install all modules, I'm suggesting that you do so manually.  
> 
> cd /usr/share/selinux/default
> ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -b base.pp -i
> should install them all.

Okay.  Do these ever get purged under any other circumstances?  I noted
that when I booted without selinux enabled and then with it enabled, the
filesystem was re-labeled.  Does anything else get triggered in this
situation?  Specifically, do policies get removed?

It looks like the alsa.pp is failing, so my working and slightly

Russell Coker | 9 Feb 14:08 2012

Re: SELinux on Wheezy

On Thu, 9 Feb 2012, "C.J. Adams-Collier KF7BMP" <cjac@...> wrote:
> Okay.  Do these ever get purged under any other circumstances?

Generally no.  The only case where modules are automatically removed is when 
you upgrade the policy package and you have obsolete modules installed.  This 
is generally to prevent upgrades from failing.

> I noted
> that when I booted without selinux enabled and then with it enabled, the
> filesystem was re-labeled.  Does anything else get triggered in this
> situation?  Specifically, do policies get removed?

No.  That will never happen.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

Stephen Smalley | 9 Feb 14:55 2012

Re: SELinux on Wheezy

On Wed, 2012-02-08 at 13:32 -0800, C.J. Adams-Collier KF7BMP wrote:
> Okay.  Do these ever get purged under any other circumstances?  I noted
> that when I booted without selinux enabled and then with it enabled, the
> filesystem was re-labeled.  Does anything else get triggered in this
> situation?  Specifically, do policies get removed?

No.

> It looks like the alsa.pp is failing, so my working and slightly
> modified command was:

That's interesting, and it might explain why your policy didn't get
fully installed originally.  Is that alsa.pp file from the current
selinux-policy package or is it a leftover of an older one?  What is the
error you get with it?  It should be removed if it doesn't work.

>         $ pushd /usr/share/selinux/default
>         $ time sudo \
>         semodule -i `ls *.pp | grep -v -e 'base.pp' -e 'alsa.pp'`
>         
>         real	0m24.148s
>         user	0m23.249s
>         sys	0m0.628s
>         
> This seems like it would take slightly less time than piping the output
> of ls to xargs, since it only runs semodule once.
> 
>         $ time ls *.pp | grep -v -e 'base.pp' -e 'alsa.pp' | \
>         xargs sudo semodule -b base.pp -i 
>         

C.J. Adams-Collier KF7BMP | 9 Feb 18:34 2012

Re: SELinux on Wheezy

On Thu, 2012-02-09 at 08:55 -0500, Stephen Smalley wrote:
> On Wed, 2012-02-08 at 13:32 -0800, C.J. Adams-Collier KF7BMP wrote:
> > Okay.  Do these ever get purged under any other circumstances?  I noted
> > that when I booted without selinux enabled and then with it enabled, the
> > filesystem was re-labeled.  Does anything else get triggered in this
> > situation?  Specifically, do policies get removed?
> 
> No.
> 
> > It looks like the alsa.pp is failing, so my working and slightly
> > modified command was:
> 
> That's interesting, and it might explain why your policy didn't get
> fully installed originally.  Is that alsa.pp file from the current
> selinux-policy package or is it a leftover of an older one?  What is the
> error you get with it?  It should be removed if it doesn't work.

cjac <at> foxtrot:~$ locate alsa.pp | xargs dpkg -S | awk -F: '{print $1}' | xargs debsums | grep alsa.pp
/usr/share/selinux/default/alsa.pp                                            OK
cjac <at> foxtrot:~$ 

How do I check for an error?  Not on STDOUT or STDERR, it seems...  This
may be one of the strangest, least useful error messages I've ever seen.
But it's got stiff competition.

cjac <at> foxtrot:~$ locate alsa.pp | xargs dpkg -S | awk -F: '{print $1}' | xargs debsums | grep alsa.pp | sudo
xargs semodule -i
semodule:  Failed on OK!

> >         $ pushd /usr/share/selinux/default

Stephen Smalley | 9 Feb 18:53 2012

Re: SELinux on Wheezy

On Thu, 2012-02-09 at 09:34 -0800, C.J. Adams-Collier KF7BMP wrote:
> > That's interesting, and it might explain why your policy didn't get
> > fully installed originally.  Is that alsa.pp file from the current
> > selinux-policy package or is it a leftover of an older one?  What is the
> > error you get with it?  It should be removed if it doesn't work.
> 
> cjac <at> foxtrot:~$ locate alsa.pp | xargs dpkg -S | awk -F: '{print $1}' | xargs debsums | grep alsa.pp
> /usr/share/selinux/default/alsa.pp                                            OK
> cjac <at> foxtrot:~$ 
> 
> How do I check for an error?  Not on STDOUT or STDERR, it seems...  This
> may be one of the strangest, least useful error messages I've ever seen.
> But it's got stiff competition.
>
> cjac <at> foxtrot:~$ locate alsa.pp | xargs dpkg -S | awk -F: '{print $1}' | xargs debsums | grep alsa.pp | sudo
xargs semodule -i
> semodule:  Failed on OK!

I'm not sure what you are trying to do, but the above command will
ultimately call semodule -i on both alsa.pp and the "OK" string from the
output above, and as OK is not a module or even a file it naturally
fails.  I just wanted to know what semodule -i alsa.pp reports, since
you said it failed in some way.

> > Feel free to submit a patch for the EXAMPLES section in the semodule man
> > page.  Even better would be to improve semodule so that it automatically
> > detects the base module and handles it so that you can just do semodule
> > -i *.pp in all cases and not have to worry about filtering the list and
> > handling base specially.
> 
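An added example, not from Stephen, Russell or policycoreutils: a POSIX sh script that builds the semodule argument list the way Stephen's cd/ls/grep/xargs one-liner does, but straight from the directory listing, so that only real .pp files (never a stray token such as the "OK" from debsums that C.J.'s pipeline fed to semodule -i) reach the tool, and that, when the batch fails, installs base and then each module on its own with --noreload so the broken module (alsa.pp in this thread) is reported by name with its own error. The function names and the SEMODULE override used for testing are my assumptions; the semodule flags (-b, -i, -n) are the documented ones.

```shell
#!/bin/sh
# Added example, not from this thread or from policycoreutils.
# SEMODULE may point at another command (e.g. a stub) to exercise the logic
# without touching the live policy store; it defaults to the real tool.

# pp_modules_to_install DIR: print the loadable module file names in DIR,
# one per line. base.pp is the base module (it goes to -b, not -i) and
# enableaudit.pp is a build-time variant of base, so both are skipped;
# only regular files ending in .pp are ever listed.
pp_modules_to_install() {
  for f in "$1"/*.pp; do
    [ -f "$f" ] || continue
    case "${f##*/}" in
      base.pp|enableaudit.pp) continue ;;
    esac
    printf '%s\n' "${f##*/}"
  done
}

# install_all_modules DIR: one transaction, equivalent to Stephen's one-liner.
# semodule applies the whole list as one transaction, so if any module fails
# nothing is committed and the exit status is non-zero. Module file names
# contain no whitespace, so word-splitting the list is safe here.
install_all_modules() (
  cd "$1" || return 1
  [ -f base.pp ] || { echo "no base.pp in $1" >&2; return 1; }
  set --
  for m in $(pp_modules_to_install .); do set -- "$@" "$m"; done
  [ $# -gt 0 ] || { echo "no loadable modules in $1" >&2; return 1; }
  "${SEMODULE:-/usr/sbin/semodule}" -b base.pp -i "$@"
)

# probe_modules DIR: when the batch fails, install base and then each module
# separately with --noreload, so the broken module is named by its own error
# instead of hiding inside one big batch. Prints the names that failed;
# exit status is non-zero if any did.
probe_modules() (
  cd "$1" || return 1
  "${SEMODULE:-/usr/sbin/semodule}" -n -b base.pp || return 1
  failed=0
  for m in $(pp_modules_to_install .); do
    "${SEMODULE:-/usr/sbin/semodule}" -n -i "$m" || { printf '%s\n' "$m"; failed=$((failed + 1)); }
  done
  [ "$failed" -eq 0 ]
)

# Typical use (needs root and a real policy store):
#   install_all_modules /usr/share/selinux/default || probe_modules /usr/share/selinux/default
```

After probe_modules has named the bad file, remove or fix it and run install_all_modules once more; that final run also reloads the policy, which the --noreload probes deliberately skipped.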

Russell Coker | 9 Feb 14:05 2012

Re: SELinux on Wheezy

On Thu, 9 Feb 2012, "C.J. Adams-Collier KF7BMP" <cjac@...> wrote:
> On Wed, 2012-02-08 at 08:24 -0500, Stephen Smalley wrote:
> > On Tue, 2012-02-07 at 13:05 -0800, C.J. Adams-Collier wrote:
> > > cjac <at> foxtrot:~$ sudo which seinfo
> > > cjac <at> foxtrot:~$ apt-file search seinfo | grep bin | wc -l
> > > 0
> > 
> > seinfo is part of the setools package.
> 
> $ apt-cache search -n setools
> erlang-parsetools - Erlang/OTP parsing tools
> 
> Hmm.

# apt-cache search -n setools
erlang-parsetools - Erlang/OTP parsing tools
libsetools-java - SETools Java bindings (architecture-independent)
libsetools-jni - SETools Java bindings (architecture-dependent)
libsetools-tcl - SETools Tcl bindings
python-setools - SETools Python bindings
setools - tools for Security Enhanced Linux policy analysis

Works for me when tracking unstable.

http://bugs.debian.org/cgi-bin/pkgreport.cgi?package=setools

But it's got a grave bug and an important bug.  CJ, would you like to help in 
fixing these?  It's probably not going to be any more difficult than building 
your own copy from upstream source.


C.J. Adams-Collier KF7BMP | 9 Feb 17:40 2012

Re: SELinux on Wheezy

On Fri, 2012-02-10 at 00:05 +1100, Russell Coker wrote:
> On Thu, 9 Feb 2012, "C.J. Adams-Collier KF7BMP" <cjac@...> wrote:
> > On Wed, 2012-02-08 at 08:24 -0500, Stephen Smalley wrote:
> > > On Tue, 2012-02-07 at 13:05 -0800, C.J. Adams-Collier wrote:
> > > > cjac <at> foxtrot:~$ sudo which seinfo
> > > > cjac <at> foxtrot:~$ apt-file search seinfo | grep bin | wc -l
> > > > 0
> > > 
> > > seinfo is part of the setools package.
> > 
> > $ apt-cache search -n setools
> > erlang-parsetools - Erlang/OTP parsing tools
> > 
> > Hmm.
> 
> # apt-cache search -n setools
> erlang-parsetools - Erlang/OTP parsing tools
> libsetools-java - SETools Java bindings (architecture-independent)
> libsetools-jni - SETools Java bindings (architecture-dependent)
> libsetools-tcl - SETools Tcl bindings
> python-setools - SETools Python bindings
> setools - tools for Security Enhanced Linux policy analysis
> 
> Works for me when tracking unstable.

I was hoping you wouldn't say that.  I like the sound of wheezy better
than sid.  I guess my 

$ cat /etc/debian_version 


Russell Coker | 9 Feb 14:12 2012

Re: SELinux on Wheezy

On Tue, 7 Feb 2012, "C.J. Adams-Collier KF7BMP" <cjac@...> wrote:
> > Does it work if you set it to off?
> >
> > 
> >
> > setsebool -P xserver_object_manager off
> >
> > 
> >
> > http://selinuxproject.org/page/NB_XWIN
> 
> Thank you Dominick.  I will give this a try when I re-boot.
> 
> Russell, do you think this is something we should patch in to the xorg
> debian packaging?

Yes, I want to get XACE supported.  It's just a matter of time...

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
