* Problem Setting Policy To Enforcing Mode
From: Rahul Jain @ 2008-11-21 14:59 UTC (permalink / raw)
To: selinux
Hi All,
This is the first time I am writing to this mailing list in the hope of receiving help. I am trying to port the reference policy by Tresys to Montavista. I am able to run the policy well in permissive mode with no avc messages in the audit log, kern.log or messages. But when I put the policy into enforcing mode my system fails to boot; the reason seems to be a problem with the init process. I am not able to debug the problem because no avc messages are generated for it, probably because the issue comes up even before the logging daemons start. Is there any way I can debug my policy and log the avc messages from the very beginning of the system startup?
Rahul Jain
* Re: Problem Setting Policy To Enforcing Mode
From: Justin P. Mattock @ 2008-11-21 15:45 UTC (permalink / raw)
To: erahul29; +Cc: selinux
On Fri, 2008-11-21 at 06:59 -0800, Rahul Jain wrote:
> Hi All,
>
> This is the first time I am writing to this mailing list in hope of
> receiving help. I am trying to port reference policy by tresys on
> Montavista. I am able to run the policy well in permissive mode with
> no avc messages in audit log, kern.log or messages. But when I put the
> policy into enforcing mode my system fails to boot, reason seems to
> be problem with init process. I am not able to debug the problem
> because no avc messages are generated for the same, probably because
> the issue comes up even before logging daemons start. Is there any way
> I can debug my policy and log the avc messages from the very beginning
> of the system startup.
>
> Rahul Jain
> Rahul Jain
>
Have you tried the command "make enableaudit"?
It should open the policy up more and generate AVCs.
regards;
--
Justin P. Mattock <justinmattock@gmail.com>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Problem Setting Policy To Enforcing Mode
From: Stephen Smalley @ 2008-11-21 18:37 UTC (permalink / raw)
To: erahul29; +Cc: selinux
On Fri, 2008-11-21 at 06:59 -0800, Rahul Jain wrote:
> Hi All,
>
> This is the first time I am writing to this mailing list in hope of
> receiving help. I am trying to port reference policy by tresys on
> Montavista. I am able to run the policy well in permissive mode with
> no avc messages in audit log, kern.log or messages. But when I put the
> policy into enforcing mode my system fails to boot, reason seems to
> be problem with init process. I am not able to debug the problem
> because no avc messages are generated for the same, probably because
> the issue comes up even before logging daemons start. Is there any way
> I can debug my policy and log the avc messages from the very beginning
> of the system startup.
>
> Rahul Jain
> Rahul Jain
If you boot the system in permissive mode, check to see if you have a
policy loaded and whether your filesystem is labeled correctly.
--
Stephen Smalley
National Security Agency
* Re: Problem Setting Policy To Enforcing Mode
From: Daniel J Walsh @ 2008-11-21 19:41 UTC (permalink / raw)
To: erahul29; +Cc: selinux
Rahul Jain wrote:
> Hi All,
>
> This is the first time I am writing to this mailing list in hope of receiving help. I am trying to port reference policy by tresys on Montavista. I am able to run the policy well in permissive mode with no avc messages in audit log, kern.log or messages. But when I put the policy into enforcing mode my system fails to boot, reason seems to be problem with init process. I am not able to debug the problem because no avc messages are generated for the same, probably because the issue comes up even before logging daemons start. Is there any way I can debug my policy and log the avc messages from the very beginning of the system startup.
>
> Rahul Jain
> Rahul Jain
>
AVC messages should come to the screen.
Try "semodule -DB" to turn off dontaudit rules.
* Problem Setting Policy To Enforcing Mode
From: Rahul Jain @ 2008-11-22 11:09 UTC (permalink / raw)
To: selinux; +Cc: justinmattock, sds, dwalsh
Thank you all for your kind help.
Finally I was able to boot my policy. As suggested, I removed the dontaudit rules from my policy by doing "make enableaudit". Then I did some quick fixes and was finally able to boot the policy. However, I am still facing some issues:
Firstly, my syslog daemon takes too long to start, almost 10 min. Please note my test systems are high-end multiprocessor express servers with 8 GB of RAM.
Secondly, I am not able to come back to permissive mode, not even by logging in with the sysadm_r role. My file system is read-only and so I am not able to edit the /etc/selinux/config file. The "setenforce" command temporarily puts the policy in permissive mode, but the config file still cannot be edited. I even tried it in Linux single-user mode, but the problem persists. Is this a property of the Tresys reference policy, or is my policy still not behaving properly?
I really appreciate your kind help.
Thanks
Rahul
* Re: Problem Setting Policy To Enforcing Mode
From: Justin P. Mattock @ 2008-11-22 17:18 UTC (permalink / raw)
To: erahul29; +Cc: selinux, sds, dwalsh
On Sat, 2008-11-22 at 03:09 -0800, Rahul Jain wrote:
> Thank you all for your kind help.
>
> Finally I was able to boot my policy. As suggested, I removed
> dontaudit rules from my policy by doing "make enableaudit". Then I did
> some quick fixes and was finally able to boot the policy. However I am
> still facing some issues:
> Firstly - My syslog daemon takes too long to start almost 10 min.
> Please note my test systems are high end multiprocessor express
> servers with 8 GB of RAM.
> Secondly: I am not able to come back to permissive mode, not even
> by login as sysadm_r role. My file system is read only and so I am not
> able to edit the /etc/selinux/config file. "setenforce" command
> temporarily puts the policy in permissive mode but still config file
> could not be edited. I even tried it in linux single user mode,
> but the problem persists. Is it the property of the tresys reference
> policy or my policy is still not behaving properly?
> I really appreciate your kind help
>
> Thanks
> Rahul
>
Cool, glad to hear you're up and running.
Like Stephen mentioned, you should check and
make sure the files are labeled correctly before doing a
make enableaudit (this way you don't strip down your policy).
With syslog, either you have it installed incorrectly, or
there are still denials showing up causing syslog to only partially
work. E.g. I usually do "rm /var/log/syslog; touch /var/log/syslog;
reboot; audit2allow -i /var/log/syslog" to see any dbus AVCs
(that is, if dbus is running correctly). Most likely, if
you are booting into permissive and syslog starts right up, as opposed
to enforcing, then there's a denial floating around that needs to be
allowed. As for setting permissive mode,
what is your initial context?
(E.g. id -Z once you've started up.)
regards;
--
Justin P. Mattock <justinmattock@gmail.com>
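The diagnosis the replies describe (Stephen's check of which mode the system is actually in, Justin's habit of reading the AVC denials out of /var/log/syslog before handing the log to audit2allow, and Daniel's point that denials hidden by dontaudit rules only appear once those are disabled) can be scripted. The POSIX shell script below is an added example and is not code from this thread, from the reference policy or from any of its authors. It assumes selinuxfs is mounted at /sys/fs/selinux (kernels of the 2008 era mounted it at /selinux, which the function accepts as an argument), and the kern.log excerpt, host name, PIDs and inode numbers it parses are constructed for illustration. It condenses raw denials into one line per distinct (source context, target context, class, permissions) tuple, which is the information audit2allow would turn into allow rules and which a policy author should read first to decide whether the fix is a label (restorecon) or a rule.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
#
# selinux_mode  - report the kernel's current mode by reading the "enforce"
#                 node of selinuxfs; this is the same bit that "setenforce"
#                 and the enforcing=0 kernel argument toggle. A missing node
#                 means SELinux is disabled or selinuxfs is not mounted yet.
# summarize_avc - one line per unique denial tuple found in a syslog,
#                 kern.log or audit.log file, most frequent first. Remember
#                 that denials covered by dontaudit rules never reach the
#                 log until "make enableaudit" or "semodule -DB" is used.

selinux_mode() {
    fs=${1:-/sys/fs/selinux}          # older kernels: /selinux
    if [ ! -r "$fs/enforce" ]; then
        echo "no-selinuxfs"
        return 1
    fi
    case $(cat "$fs/enforce") in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown; return 1 ;;
    esac
}

summarize_avc() {
    awk '
    /avc: +denied +[{]/ {
        # permissions sit between the braces: "avc:  denied  { write } for ..."
        perms = $0
        sub(/.*avc: +denied +[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        sc = ""; tc = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      sc  = substr($i, 10)
            else if ($i ~ /^tcontext=/) tc  = substr($i, 10)
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        count[sc " " tc " " cls " { " perms " }"]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' "$1" | sort -rn
}

# Constructed kern.log excerpt: two identical syslogd denials, one klogd
# denial and one unrelated line that the parser must ignore.
write_sample_avc_log() {
    cat > "$1" <<'EOF'
Nov 22 10:15:01 mvhost kernel: audit(1227348901.101:12): avc:  denied  { write } for  pid=811 comm="syslogd" name="syslog" dev=sda1 ino=4102 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_log_t tclass=file
Nov 22 10:15:01 mvhost kernel: audit(1227348901.102:13): avc:  denied  { write } for  pid=811 comm="syslogd" name="syslog" dev=sda1 ino=4102 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_log_t tclass=file
Nov 22 10:15:03 mvhost kernel: audit(1227348903.004:14): avc:  denied  { search } for  pid=812 comm="klogd" name="log" dev=sda1 ino=2048 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:var_log_t tclass=dir
Nov 22 10:15:05 mvhost syslogd 1.5.0: restart.
EOF
}

# Demo on the constructed sample. On a real box point summarize_avc at
# /var/log/syslog, /var/log/kern.log or /var/log/audit/audit.log instead.
sample=$(mktemp)
write_sample_avc_log "$sample"
echo "current mode: $(selinux_mode || true)"
summarize_avc "$sample"
rm -f "$sample"
```

A denial whose target context is wrong for the file (for example a log file carrying a generic type instead of var_log_t) points at labeling and is fixed by relabeling, not by adding a rule; a denial between the expected types is a gap in the policy. Sorting by count also makes a slow-starting daemon easy to spot, since a daemon that retries a denied operation shows up with a high count for one tuple.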
* Re: Problem Setting Policy To Enforcing Mode
From: Stephen Smalley @ 2008-11-24 13:47 UTC (permalink / raw)
To: erahul29; +Cc: selinux, justinmattock, dwalsh
On Sat, 2008-11-22 at 03:09 -0800, Rahul Jain wrote:
> Thank you all for your kind help.
>
> Finally I was able to boot my policy. As suggested, I removed
> dontaudit rules from my policy by doing "make enableaudit". Then I did
> some quick fixes and was finally able to boot the policy. However I am
> still facing some issues:
> Firstly - My syslog daemon takes too long to start almost 10 min.
> Please note my test systems are high end multiprocessor express
> servers with 8 GB of RAM.
> Secondly: I am not able to come back to permissive mode, not even
> by login as sysadm_r role. My file system is read only and so I am not
> able to edit the /etc/selinux/config file. "setenforce" command
> temporarily puts the policy in permissive mode but still config file
> could not be edited. I even tried it in linux single user mode,
> but the problem persists. Is it the property of the tresys reference
> policy or my policy is still not behaving properly?
> I really appreciate your kind help
>
> Thanks
> Rahul
>
Boot with enforcing=0 on the kernel command line, resolve any denials by
fixing your filesystem labeling and/or your policy configuration, then
reboot.
--
Stephen Smalley
National Security Agency
* Problem Setting Policy To Enforcing Mode
From: Rahul Jain @ 2008-11-24 17:37 UTC (permalink / raw)
To: sds, justinmattock, dwalsh; +Cc: selinux
Hi All,
Thank you all for your kind support. After your suggestions I was able to fix all my problems. So, to put my policy in enforcing mode, I deleted the "dontaudit" rules using "make enableaudit". Then I did the fixes. My syslogd was taking a long time to start because there were still some avc messages left; I fixed them and the issue got resolved. I was able to come back to permissive mode by adjusting the DAC permissions of the /etc/selinux/config file. My initial context on login was root:sysadm_r:sysadm_t. I checked "sestatus" to see that my policy got loaded and that it is in enforcing mode.
So finally my policy is up and running.
Thanks and Regards
Rahul
* Re: Problem Setting Policy To Enforcing Mode
From: Justin P. Mattock @ 2008-11-24 18:23 UTC (permalink / raw)
To: erahul29; +Cc: sds, dwalsh, selinux
On Mon, 2008-11-24 at 09:37 -0800, Rahul Jain wrote:
> Hi All,
>
> Thank you all, for your kind support. After your suggestion I was
> able to fix all my problems. So to put my policy in enforcing mode I
> deleted the "dontaudit" rule using "make enableaudit". Then I did the
> fixes. My syslogd was taking long time to start because there were
> still some avc messages left, I fixed them and issue got resolved. I
> was able to come back to permissive by adjusting the DAC permissions
> of the /etc/selinux/config file. My initial context on login was
> root:sysadm_r:sysadm_t. I checked the "sestatus" to see that my policy
> got loaded and that it is enforcing mode.
>
> So finally my policy is up and running.
>
> Thanks and Regards
> Rahul
>
Cool, glad you're up and running.
regards;
--
Justin P. Mattock <justinmattock@gmail.com>