* [refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned
@ 2011-09-16 15:58 ` Daniel J Walsh
0 siblings, 0 replies; 29+ messages in thread
From: Daniel J Walsh @ 2011-09-16 15:58 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/16/2011 11:22 AM, Justin P. Mattock wrote:
> On 09/16/2011 07:59 AM, Daniel J Walsh wrote:
>> ps -eZ |grep sshd
> I dont have sshd running, but here is ps auxZ to give you an idea
> of what I am seeing: http://fpaste.org/u6IB/
>
> if I adjust /etc/pam.d/login and add select_context to
> pam_selinux.so then do init 3 in lilo I am able to have the
> context justin:staff_r:staff_t:s0 the way it should. but as soon
> as I init 5 gdm starts up, and everything goes back to
> name:staff_r:insmod_t:s0
>
> I think I am either missing a boolean to have the transisiton
> runing properly, and/or pam.d or some config file somewhere needs
> to be adjusted. keep in mind refpolicy has no patches added to
> it(not sure if I need any for systemd), just plain git pull
> etc...
>
> Justin P. Mattock
Well since you don't have a init_t running, I think your problem
starts there. Looks like your system is badly mislabeled or something
in init is broken. I take it this is not a Red Hat Based OS?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk5zciMACgkQrlYvE4MpobOs4wCcD/KSvuhb5GxhPCZcMEDGI1dD
X70AnR2OLyUzsaLlDRmP0jm7ABwzFHBj
=aH02
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned
2011-09-16 15:58 ` Daniel J Walsh
@ 2011-09-16 16:11 ` Guido Trentalancia
-1 siblings, 0 replies; 29+ messages in thread
From: Guido Trentalancia @ 2011-09-16 16:11 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Justin P. Mattock, tresys, SE-Linux
On Fri, 2011-09-16 at 11:58 -0400, Daniel J Walsh wrote:
> On 09/16/2011 11:22 AM, Justin P. Mattock wrote:
> > On 09/16/2011 07:59 AM, Daniel J Walsh wrote:
> >> ps -eZ |grep sshd
> > I dont have sshd running, but here is ps auxZ to give you an idea
> > of what I am seeing: http://fpaste.org/u6IB/
> >
> > if I adjust /etc/pam.d/login and add select_context to
> > pam_selinux.so then do init 3 in lilo I am able to have the
> > context justin:staff_r:staff_t:s0 the way it should. but as soon
> > as I init 5 gdm starts up, and everything goes back to
> > name:staff_r:insmod_t:s0
> >
> > I think I am either missing a boolean to have the transisiton
> > runing properly, and/or pam.d or some config file somewhere needs
> > to be adjusted. keep in mind refpolicy has no patches added to
> > it(not sure if I need any for systemd), just plain git pull
> > etc...
> >
> > Justin P. Mattock
> Well since you don't have a init_t running, I think your problem
> starts there. Looks like your system is badly mislabeled or something
> in init is broken. I take it this is not a Red Hat Based OS?
Also please post the actual label of the init executable:
ls -lZ /sbin/init
or wherever that is.
It should be init_exec_t.
Init is the father of all processes, if it hasn't transitioned properly
to init_t soon after booting up, then it all goes tits up...
- check the label above;
- try relabeling the whole filesystem;
- try the init_systemd boolean if you are using systemd as init.
Please keep up informed on the progress.
Guido
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 29+ messages in thread
* [refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned
@ 2011-09-16 16:11 ` Guido Trentalancia
0 siblings, 0 replies; 29+ messages in thread
From: Guido Trentalancia @ 2011-09-16 16:11 UTC (permalink / raw)
To: refpolicy
On Fri, 2011-09-16 at 11:58 -0400, Daniel J Walsh wrote:
> On 09/16/2011 11:22 AM, Justin P. Mattock wrote:
> > On 09/16/2011 07:59 AM, Daniel J Walsh wrote:
> >> ps -eZ |grep sshd
> > I dont have sshd running, but here is ps auxZ to give you an idea
> > of what I am seeing: http://fpaste.org/u6IB/
> >
> > if I adjust /etc/pam.d/login and add select_context to
> > pam_selinux.so then do init 3 in lilo I am able to have the
> > context justin:staff_r:staff_t:s0 the way it should. but as soon
> > as I init 5 gdm starts up, and everything goes back to
> > name:staff_r:insmod_t:s0
> >
> > I think I am either missing a boolean to have the transisiton
> > runing properly, and/or pam.d or some config file somewhere needs
> > to be adjusted. keep in mind refpolicy has no patches added to
> > it(not sure if I need any for systemd), just plain git pull
> > etc...
> >
> > Justin P. Mattock
> Well since you don't have a init_t running, I think your problem
> starts there. Looks like your system is badly mislabeled or something
> in init is broken. I take it this is not a Red Hat Based OS?
Also please post the actual label of the init executable:
ls -lZ /sbin/init
or wherever that is.
It should be init_exec_t.
Init is the father of all processes, if it hasn't transitioned properly
to init_t soon after booting up, then it all goes tits up...
- check the label above;
- try relabeling the whole filesystem;
- try the init_systemd boolean if you are using systemd as init.
Please keep up informed on the progress.
Guido
^ permalink raw reply [flat|nested] 29+ messages in thread
* [refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned
2011-09-16 15:58 ` Daniel J Walsh
(?)
(?)
@ 2011-09-16 16:11 ` Justin P. Mattock
-1 siblings, 0 replies; 29+ messages in thread
From: Justin P. Mattock @ 2011-09-16 16:11 UTC (permalink / raw)
To: refpolicy
On 09/16/2011 08:58 AM, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/16/2011 11:22 AM, Justin P. Mattock wrote:
>> On 09/16/2011 07:59 AM, Daniel J Walsh wrote:
>>> ps -eZ |grep sshd
>> I dont have sshd running, but here is ps auxZ to give you an idea
>> of what I am seeing: http://fpaste.org/u6IB/
>>
>> if I adjust /etc/pam.d/login and add select_context to
>> pam_selinux.so then do init 3 in lilo I am able to have the
>> context justin:staff_r:staff_t:s0 the way it should. but as soon
>> as I init 5 gdm starts up, and everything goes back to
>> name:staff_r:insmod_t:s0
>>
>> I think I am either missing a boolean to have the transisiton
>> runing properly, and/or pam.d or some config file somewhere needs
>> to be adjusted. keep in mind refpolicy has no patches added to
>> it(not sure if I need any for systemd), just plain git pull
>> etc...
>>
>> Justin P. Mattock
> Well since you don't have a init_t running, I think your problem
> starts there. Looks like your system is badly mislabeled or something
> in init is broken. I take it this is not a Red Hat Based OS?
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk5zciMACgkQrlYvE4MpobOs4wCcD/KSvuhb5GxhPCZcMEDGI1dD
> X70AnR2OLyUzsaLlDRmP0jm7ABwzFHBj
> =aH02
> -----END PGP SIGNATURE-----
the system is fedora 15 nothing tweaked on it. just refpolicy from git
targeted form fedora works fine,
just thought I would give refpolicy-git a try.
think I need to read up on systemd
ls -Z /lib/systemd looks like this:
http://fpaste.org/WOFw/
wondering if maybe /etc/security/pam_env.conf is capable of putting me
into the right context, but then again if
this is just a label issue, then pam_env.conf is not touched.
Justin P. Mattock
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20110916/38c817a7/attachment-0001.html
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned
2011-09-16 15:58 ` Daniel J Walsh
` (2 preceding siblings ...)
(?)
@ 2011-09-23 16:30 ` Guido Trentalancia
2011-09-23 17:38 ` Daniel J Walsh
-1 siblings, 1 reply; 29+ messages in thread
From: Guido Trentalancia @ 2011-09-23 16:30 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Justin P. Mattock, SE-Linux
On Fri, 2011-09-16 at 11:58 -0400, Daniel J Walsh wrote:
> On 09/16/2011 11:22 AM, Justin P. Mattock wrote:
> > On 09/16/2011 07:59 AM, Daniel J Walsh wrote:
> >> ps -eZ |grep sshd
> > I dont have sshd running, but here is ps auxZ to give you an idea
> > of what I am seeing: http://fpaste.org/u6IB/
> >
> > if I adjust /etc/pam.d/login and add select_context to
> > pam_selinux.so then do init 3 in lilo I am able to have the
> > context justin:staff_r:staff_t:s0 the way it should. but as soon
> > as I init 5 gdm starts up, and everything goes back to
> > name:staff_r:insmod_t:s0
> >
> > I think I am either missing a boolean to have the transisiton
> > runing properly, and/or pam.d or some config file somewhere needs
> > to be adjusted. keep in mind refpolicy has no patches added to
> > it(not sure if I need any for systemd), just plain git pull
> > etc...
> >
> > Justin P. Mattock
> Well since you don't have a init_t running, I think your problem
> starts there. Looks like your system is badly mislabeled or something
> in init is broken. I take it this is not a Red Hat Based OS?
I'd actually like to take this opportunity to stress once again that in
my opinion the system boot/init process should fail irreversibly as soon
as the init process has failed to transition to its own designated
context from the initial kernel context.
Regards,
Guido
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 29+ messages in thread* Re: [refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned
2011-09-23 16:30 ` Guido Trentalancia
@ 2011-09-23 17:38 ` Daniel J Walsh
2011-09-23 19:09 ` Guido Trentalancia
0 siblings, 1 reply; 29+ messages in thread
From: Daniel J Walsh @ 2011-09-23 17:38 UTC (permalink / raw)
To: Guido Trentalancia; +Cc: Justin P. Mattock, SE-Linux
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/23/2011 12:30 PM, Guido Trentalancia wrote:
> On Fri, 2011-09-16 at 11:58 -0400, Daniel J Walsh wrote:
>> On 09/16/2011 11:22 AM, Justin P. Mattock wrote:
>>> On 09/16/2011 07:59 AM, Daniel J Walsh wrote:
>>>> ps -eZ |grep sshd
>>> I dont have sshd running, but here is ps auxZ to give you an
>>> idea of what I am seeing: http://fpaste.org/u6IB/
>>>
>>> if I adjust /etc/pam.d/login and add select_context to
>>> pam_selinux.so then do init 3 in lilo I am able to have the
>>> context justin:staff_r:staff_t:s0 the way it should. but as
>>> soon as I init 5 gdm starts up, and everything goes back to
>>> name:staff_r:insmod_t:s0
>>>
>>> I think I am either missing a boolean to have the transisiton
>>> runing properly, and/or pam.d or some config file somewhere
>>> needs to be adjusted. keep in mind refpolicy has no patches
>>> added to it(not sure if I need any for systemd), just plain git
>>> pull etc...
>>>
>>> Justin P. Mattock
>> Well since you don't have a init_t running, I think your problem
>> starts there. Looks like your system is badly mislabeled or
>> something in init is broken. I take it this is not a Red Hat
>> Based OS?
>
> I'd actually like to take this opportunity to stress once again
> that in my opinion the system boot/init process should fail
> irreversibly as soon as the init process has failed to transition
> to its own designated context from the initial kernel context.
>
> Regards,
>
> Guido
>
>
> -- This message was distributed to subscribers of the selinux
> mailing list. If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with the words "unsubscribe selinux"
> without quotes as the message.
>
>
Well it does crash if you are in enforcing mode on RHEL and Fedora boxes.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk58xB4ACgkQrlYvE4MpobOknQCgvZvYJt8MWanDw1B64Ch7pcfk
TXQAoLu6vU0y6Bk7wj8oTE4anrnArCXM
=ztXT
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned
2011-09-23 17:38 ` Daniel J Walsh
@ 2011-09-23 19:09 ` Guido Trentalancia
2011-09-23 20:45 ` Eric Paris
0 siblings, 1 reply; 29+ messages in thread
From: Guido Trentalancia @ 2011-09-23 19:09 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE-Linux
On Fri, 2011-09-23 at 13:38 -0400, Daniel J Walsh wrote:
> On 09/23/2011 12:30 PM, Guido Trentalancia wrote:
> > On Fri, 2011-09-16 at 11:58 -0400, Daniel J Walsh wrote:
> >> On 09/16/2011 11:22 AM, Justin P. Mattock wrote:
> >>> On 09/16/2011 07:59 AM, Daniel J Walsh wrote:
> >>>> ps -eZ |grep sshd
> >>> I dont have sshd running, but here is ps auxZ to give you an
> >>> idea of what I am seeing: http://fpaste.org/u6IB/
> >>>
> >>> if I adjust /etc/pam.d/login and add select_context to
> >>> pam_selinux.so then do init 3 in lilo I am able to have the
> >>> context justin:staff_r:staff_t:s0 the way it should. but as
> >>> soon as I init 5 gdm starts up, and everything goes back to
> >>> name:staff_r:insmod_t:s0
> >>>
> >>> I think I am either missing a boolean to have the transisiton
> >>> runing properly, and/or pam.d or some config file somewhere
> >>> needs to be adjusted. keep in mind refpolicy has no patches
> >>> added to it(not sure if I need any for systemd), just plain git
> >>> pull etc...
> >>>
> >>> Justin P. Mattock
> >> Well since you don't have a init_t running, I think your problem
> >> starts there. Looks like your system is badly mislabeled or
> >> something in init is broken. I take it this is not a Red Hat
> >> Based OS?
> >
> > I'd actually like to take this opportunity to stress once again
> > that in my opinion the system boot/init process should fail
> > irreversibly as soon as the init process has failed to transition
> > to its own designated context from the initial kernel context.
> >
> > Regards,
> >
> > Guido
> >
> >
> > -- This message was distributed to subscribers of the selinux
> > mailing list. If you no longer wish to subscribe, send mail to
> > majordomo@tycho.nsa.gov with the words "unsubscribe selinux"
> > without quotes as the message.
> >
> >
> Well it does crash if you are in enforcing mode on RHEL and Fedora boxes.
Yes, very good. At the end, a very polite message is not the first
priority in such as situation...
But unfortunately this is not the case for the upstream bits.
Ideally should be tackled in the SELinux kernel code. Did RHEL and
Fedora patch the kernel then to achieve that ?
Regards,
Guido
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned
2011-09-23 19:09 ` Guido Trentalancia
@ 2011-09-23 20:45 ` Eric Paris
2011-09-23 21:12 ` Guido Trentalancia
0 siblings, 1 reply; 29+ messages in thread
From: Eric Paris @ 2011-09-23 20:45 UTC (permalink / raw)
To: Guido Trentalancia; +Cc: Daniel J Walsh, SE-Linux
On Fri, Sep 23, 2011 at 3:09 PM, Guido Trentalancia
<guido@trentalancia.com> wrote:
> On Fri, 2011-09-23 at 13:38 -0400, Daniel J Walsh wrote:
> Yes, very good. At the end, a very polite message is not the first
> priority in such as situation...
>
> But unfortunately this is not the case for the upstream bits.
>
> Ideally should be tackled in the SELinux kernel code. Did RHEL and
> Fedora patch the kernel then to achieve that ?
No we consider init to be part of the trusted base required to load
policy. The Fedora init (systemd not, but it's been old init, some
scripts in the initramfs, and who know what else) tries to load policy
and if it can't and it was supposed to be enforcing will either print
and error and halt for a really long time and then exit, or exit
directly. init exiting is enough to make the kernel panic and thus
shut down the box.
The tool that is trusted to load the policy is what needs to make this check.
-Eric
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned
2011-09-23 20:45 ` Eric Paris
@ 2011-09-23 21:12 ` Guido Trentalancia
2011-09-23 21:17 ` Eric Paris
0 siblings, 1 reply; 29+ messages in thread
From: Guido Trentalancia @ 2011-09-23 21:12 UTC (permalink / raw)
To: Eric Paris; +Cc: SE-Linux
On Fri, 2011-09-23 at 16:45 -0400, Eric Paris wrote:
> On Fri, Sep 23, 2011 at 3:09 PM, Guido Trentalancia
> <guido@trentalancia.com> wrote:
> > On Fri, 2011-09-23 at 13:38 -0400, Daniel J Walsh wrote:
>
> > Yes, very good. At the end, a very polite message is not the first
> > priority in such as situation...
> >
> > But unfortunately this is not the case for the upstream bits.
> >
> > Ideally should be tackled in the SELinux kernel code. Did RHEL and
> > Fedora patch the kernel then to achieve that ?
>
> No we consider init to be part of the trusted base required to load
> policy. The Fedora init (systemd not, but it's been old init, some
> scripts in the initramfs, and who know what else) tries to load policy
> and if it can't and it was supposed to be enforcing will either print
> and error and halt for a really long time and then exit, or exit
> directly. init exiting is enough to make the kernel panic and thus
> shut down the box.
>
> The tool that is trusted to load the policy is what needs to make this check.
What really confuses me at this point is the fact that within this
specific thread, Justin said that he was using Fedora (F15 as far as I
remember).
Anyway, apart from the specific case, it remains the fact that the
upstream SELinux + reference policy combo does allow the system to keep
running (in the wrong context, i.e. kernel_t or insmod_t) despite init
has not transitioned to its context after initial stage. I am not
particularly keen on this behavior.
You seem to suggest that load_policy -i (and not the kernel) should make
sure that init has transitioned to its designated context... So then,
getting back to the specific case at hand, my question becomes: "did
Fedora and RHEL patch the upstream load_policy tool to achieve this
halt-on-init-failure behavior ?". In any case, how comes this check
didn't work on Justin's system ?
Regards,
Guido
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned
2011-09-23 21:12 ` Guido Trentalancia
@ 2011-09-23 21:17 ` Eric Paris
2011-09-23 22:38 ` Guido Trentalancia
0 siblings, 1 reply; 29+ messages in thread
From: Eric Paris @ 2011-09-23 21:17 UTC (permalink / raw)
To: Guido Trentalancia; +Cc: Eric Paris, SE-Linux
On Fri, 2011-09-23 at 23:12 +0200, Guido Trentalancia wrote:
> You seem to suggest that load_policy -i (and not the kernel) should make
> sure that init has transitioned to its designated context...
Can't speak for Justin's system. But that's not what I said. I said
it's /sbin/init's problem to make sure it did the right thing and to
handle errors correctly if it failed. If Justin has his box enforcing
and can boot without loading a policy that's a bug and needs to be
filed.
-Eric
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned
2011-09-23 21:17 ` Eric Paris
@ 2011-09-23 22:38 ` Guido Trentalancia
2011-09-23 23:12 ` Eric Paris
0 siblings, 1 reply; 29+ messages in thread
From: Guido Trentalancia @ 2011-09-23 22:38 UTC (permalink / raw)
To: Eric Paris; +Cc: Eric Paris, SE-Linux
Hello Eric.
On Fri, 2011-09-23 at 17:17 -0400, Eric Paris wrote:
> On Fri, 2011-09-23 at 23:12 +0200, Guido Trentalancia wrote:
>
> > You seem to suggest that load_policy -i (and not the kernel) should make
> > sure that init has transitioned to its designated context...
>
> Can't speak for Justin's system.
That's for sure. But it seems to me that he already stated that it just
loaded plain refpolicy from git on a plain F15 system. Since we are on
the list he might even confirm once again...
> But that's not what I said. I said
> it's /sbin/init's problem to make sure it did the right thing and to
> handle errors correctly if it failed. If Justin has his box enforcing
> and can boot without loading a policy that's a bug and needs to be
> filed.
He has loaded the policy.
The point is that when init does not transition to init_t nothing
happens and the system keeps running with all processes in kernel_t or
insmod_t.
It surely use to happen with upstream components and policy back at the
beginning of this year (I did test that and reported it to the refpolicy
mailing list).
Apparently it also happens with Fedora 15 according to what Justin
reported on here when he started this thread...
Earlier on Daniel Walsh said Fedora and RHEL would crash in such case
(init has not transitioned properly to init_t). I said "very good" (as
that is what I expect from a SELinux system) and asked "how did you
achieved that ?" because I believe such behavior should be definitely be
imported in upstream. But then I thought Daniel's statement doesn't
match with what Justin reported.
Regards,
Guido
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned
2011-09-23 22:38 ` Guido Trentalancia
@ 2011-09-23 23:12 ` Eric Paris
2011-09-26 13:38 ` Daniel J Walsh
2011-09-27 12:46 ` Stephen Smalley
0 siblings, 2 replies; 29+ messages in thread
From: Eric Paris @ 2011-09-23 23:12 UTC (permalink / raw)
To: Guido Trentalancia; +Cc: Eric Paris, SE-Linux
On Sat, 2011-09-24 at 00:38 +0200, Guido Trentalancia wrote:
> Hello Eric.
>
> On Fri, 2011-09-23 at 17:17 -0400, Eric Paris wrote:
> > On Fri, 2011-09-23 at 23:12 +0200, Guido Trentalancia wrote:
> >
> > > You seem to suggest that load_policy -i (and not the kernel) should make
> > > sure that init has transitioned to its designated context...
> >
> > Can't speak for Justin's system.
>
> That's for sure. But it seems to me that he already stated that it just
> loaded plain refpolicy from git on a plain F15 system. Since we are on
> the list he might even confirm once again...
>
> > But that's not what I said. I said
> > it's /sbin/init's problem to make sure it did the right thing and to
> > handle errors correctly if it failed. If Justin has his box enforcing
> > and can boot without loading a policy that's a bug and needs to be
> > filed.
>
> He has loaded the policy.
>
> The point is that when init does not transition to init_t nothing
> happens and the system keeps running with all processes in kernel_t or
> insmod_t.
>
> It surely use to happen with upstream components and policy back at the
> beginning of this year (I did test that and reported it to the refpolicy
> mailing list).
>
> Apparently it also happens with Fedora 15 according to what Justin
> reported on here when he started this thread...
>
> Earlier on Daniel Walsh said Fedora and RHEL would crash in such case
> (init has not transitioned properly to init_t).
Ahhh, different than I was talking sorry. In upstream systemd git the
code in question looks like so:
/* Transition to the new context */
r = label_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label);
if (r < 0 || label == NULL) {
log_open();
log_error("Failed to compute init label, ignoring.");
} else {
r = setcon(label);
log_open();
if (r < 0)
log_error("Failed to transition into init label '%s', ignoring.", label);
label_free(label);
}
sds, what do you think, should we make these? We do know the requisite
enforce state in this function...
-Eric
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 29+ messages in thread* Re: [refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned
2011-09-23 23:12 ` Eric Paris
@ 2011-09-26 13:38 ` Daniel J Walsh
2011-09-27 12:46 ` Stephen Smalley
1 sibling, 0 replies; 29+ messages in thread
From: Daniel J Walsh @ 2011-09-26 13:38 UTC (permalink / raw)
To: Eric Paris; +Cc: Guido Trentalancia, Eric Paris, SE-Linux
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/23/2011 07:12 PM, Eric Paris wrote:
> On Sat, 2011-09-24 at 00:38 +0200, Guido Trentalancia wrote:
>> Hello Eric.
>>
>> On Fri, 2011-09-23 at 17:17 -0400, Eric Paris wrote:
>>> On Fri, 2011-09-23 at 23:12 +0200, Guido Trentalancia wrote:
>>>
>>>> You seem to suggest that load_policy -i (and not the kernel)
>>>> should make sure that init has transitioned to its designated
>>>> context...
>>>
>>> Can't speak for Justin's system.
>>
>> That's for sure. But it seems to me that he already stated that
>> it just loaded plain refpolicy from git on a plain F15 system.
>> Since we are on the list he might even confirm once again...
>>
>>> But that's not what I said. I said it's /sbin/init's problem
>>> to make sure it did the right thing and to handle errors
>>> correctly if it failed. If Justin has his box enforcing and
>>> can boot without loading a policy that's a bug and needs to be
>>> filed.
>>
>> He has loaded the policy.
>>
>> The point is that when init does not transition to init_t
>> nothing happens and the system keeps running with all processes
>> in kernel_t or insmod_t.
>>
>> It surely use to happen with upstream components and policy back
>> at the beginning of this year (I did test that and reported it to
>> the refpolicy mailing list).
>>
>> Apparently it also happens with Fedora 15 according to what
>> Justin reported on here when he started this thread...
>>
>> Earlier on Daniel Walsh said Fedora and RHEL would crash in such
>> case (init has not transitioned properly to init_t).
>
> Ahhh, different than I was talking sorry. In upstream systemd git
> the code in question looks like so:
>
> /* Transition to the new context */ r =
> label_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label); if (r
> < 0 || label == NULL) { log_open(); log_error("Failed to compute
> init label, ignoring."); } else { r = setcon(label);
>
> log_open(); if (r < 0) log_error("Failed to transition into init
> label '%s', ignoring.", label);
>
> label_free(label); }
>
> sds, what do you think, should we make these? We do know the
> requisite enforce state in this function...
>
> -Eric
>
>
> -- This message was distributed to subscribers of the selinux
> mailing list. If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with the words "unsubscribe selinux"
> without quotes as the message.
>
>
The failure is in the init load_policy. It should crash if this
fails. If anything fails after that is is out of SELinux hands I
believe, since you are not sure what the policy writers intention was.
I believe we would get to this state if the policy writer wanted to
run systemd in the initial state (kernel_t) and not transition.
But maybe on failure of this call we should fail the machine in
enforcing mode.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk6AgFEACgkQrlYvE4MpobNv/gCePhYLKIR966T7TLaJIj3hx6Ho
0EQAoNfIpEQSEKPYIdGRg5qC3xlc2dfM
=zG/t
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 29+ messages in thread* Re: [refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned
2011-09-23 23:12 ` Eric Paris
2011-09-26 13:38 ` Daniel J Walsh
@ 2011-09-27 12:46 ` Stephen Smalley
2011-09-27 16:40 ` Guido Trentalancia
1 sibling, 1 reply; 29+ messages in thread
From: Stephen Smalley @ 2011-09-27 12:46 UTC (permalink / raw)
To: Eric Paris; +Cc: Guido Trentalancia, Eric Paris, SE-Linux
On Fri, 2011-09-23 at 19:12 -0400, Eric Paris wrote:
> On Sat, 2011-09-24 at 00:38 +0200, Guido Trentalancia wrote:
> > Hello Eric.
> >
> > On Fri, 2011-09-23 at 17:17 -0400, Eric Paris wrote:
> > > On Fri, 2011-09-23 at 23:12 +0200, Guido Trentalancia wrote:
> > >
> > > > You seem to suggest that load_policy -i (and not the kernel) should make
> > > > sure that init has transitioned to its designated context...
> > >
> > > Can't speak for Justin's system.
> >
> > That's for sure. But it seems to me that he already stated that it just
> > loaded plain refpolicy from git on a plain F15 system. Since we are on
> > the list he might even confirm once again...
> >
> > > But that's not what I said. I said
> > > it's /sbin/init's problem to make sure it did the right thing and to
> > > handle errors correctly if it failed. If Justin has his box enforcing
> > > and can boot without loading a policy that's a bug and needs to be
> > > filed.
> >
> > He has loaded the policy.
> >
> > The point is that when init does not transition to init_t nothing
> > happens and the system keeps running with all processes in kernel_t or
> > insmod_t.
> >
> > It surely use to happen with upstream components and policy back at the
> > beginning of this year (I did test that and reported it to the refpolicy
> > mailing list).
> >
> > Apparently it also happens with Fedora 15 according to what Justin
> > reported on here when he started this thread...
> >
> > Earlier on Daniel Walsh said Fedora and RHEL would crash in such case
> > (init has not transitioned properly to init_t).
>
> Ahhh, different than I was talking sorry. In upstream systemd git the
> code in question looks like so:
>
> /* Transition to the new context */
> r = label_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label);
> if (r < 0 || label == NULL) {
> log_open();
> log_error("Failed to compute init label, ignoring.");
> } else {
> r = setcon(label);
>
> log_open();
> if (r < 0)
> log_error("Failed to transition into init label '%s', ignoring.", label);
>
> label_free(label);
> }
>
> sds, what do you think, should we make these? We do know the requisite
> enforce state in this function...
These should be fatal errors if enforcing.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 29+ messages in thread* Re: [refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned
2011-09-27 12:46 ` Stephen Smalley
@ 2011-09-27 16:40 ` Guido Trentalancia
2011-09-27 18:00 ` Daniel J Walsh
0 siblings, 1 reply; 29+ messages in thread
From: Guido Trentalancia @ 2011-09-27 16:40 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Eric Paris, Eric Paris, SE-Linux
On Tue, 2011-09-27 at 08:46 -0400, Stephen Smalley wrote:
> On Fri, 2011-09-23 at 19:12 -0400, Eric Paris wrote:
> > On Sat, 2011-09-24 at 00:38 +0200, Guido Trentalancia wrote:
> > > Hello Eric.
> > >
> > > On Fri, 2011-09-23 at 17:17 -0400, Eric Paris wrote:
> > > > On Fri, 2011-09-23 at 23:12 +0200, Guido Trentalancia wrote:
> > > >
> > > > > You seem to suggest that load_policy -i (and not the kernel) should make
> > > > > sure that init has transitioned to its designated context...
> > > >
> > > > Can't speak for Justin's system.
> > >
> > > That's for sure. But it seems to me that he already stated that it just
> > > loaded plain refpolicy from git on a plain F15 system. Since we are on
> > > the list he might even confirm once again...
> > >
> > > > But that's not what I said. I said
> > > > it's /sbin/init's problem to make sure it did the right thing and to
> > > > handle errors correctly if it failed. If Justin has his box enforcing
> > > > and can boot without loading a policy that's a bug and needs to be
> > > > filed.
> > >
> > > He has loaded the policy.
> > >
> > > The point is that when init does not transition to init_t nothing
> > > happens and the system keeps running with all processes in kernel_t or
> > > insmod_t.
> > >
> > > It surely use to happen with upstream components and policy back at the
> > > beginning of this year (I did test that and reported it to the refpolicy
> > > mailing list).
> > >
> > > Apparently it also happens with Fedora 15 according to what Justin
> > > reported on here when he started this thread...
> > >
> > > Earlier on Daniel Walsh said Fedora and RHEL would crash in such case
> > > (init has not transitioned properly to init_t).
> >
> > Ahhh, different than I was talking sorry. In upstream systemd git the
> > code in question looks like so:
> >
> > /* Transition to the new context */
> > r = label_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label);
> > if (r < 0 || label == NULL) {
> > log_open();
> > log_error("Failed to compute init label, ignoring.");
> > } else {
> > r = setcon(label);
> >
> > log_open();
> > if (r < 0)
> > log_error("Failed to transition into init label '%s', ignoring.", label);
> >
> > label_free(label);
> > }
> >
> > sds, what do you think, should we make these? We do know the requisite
> > enforce state in this function...
>
> These should be fatal errors if enforcing.
Yes, I agree. Fatal errors and system halt.
This is especially true because the box might not be isolated from the
outside world for network services might be up and running in wrong
contexts.
Thanks.
Guido
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 29+ messages in thread* Re: [refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned
2011-09-27 16:40 ` Guido Trentalancia
@ 2011-09-27 18:00 ` Daniel J Walsh
0 siblings, 0 replies; 29+ messages in thread
From: Daniel J Walsh @ 2011-09-27 18:00 UTC (permalink / raw)
To: Guido Trentalancia; +Cc: Stephen Smalley, Eric Paris, Eric Paris, SE-Linux
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/27/2011 12:40 PM, Guido Trentalancia wrote:
> On Tue, 2011-09-27 at 08:46 -0400, Stephen Smalley wrote:
>> On Fri, 2011-09-23 at 19:12 -0400, Eric Paris wrote:
>>> On Sat, 2011-09-24 at 00:38 +0200, Guido Trentalancia wrote:
>>>> Hello Eric.
>>>>
>>>> On Fri, 2011-09-23 at 17:17 -0400, Eric Paris wrote:
>>>>> On Fri, 2011-09-23 at 23:12 +0200, Guido Trentalancia
>>>>> wrote:
>>>>>
>>>>>> You seem to suggest that load_policy -i (and not the
>>>>>> kernel) should make sure that init has transitioned to
>>>>>> its designated context...
>>>>>
>>>>> Can't speak for Justin's system.
>>>>
>>>> That's for sure. But it seems to me that he already stated
>>>> that it just loaded plain refpolicy from git on a plain F15
>>>> system. Since we are on the list he might even confirm once
>>>> again...
>>>>
>>>>> But that's not what I said. I said it's /sbin/init's
>>>>> problem to make sure it did the right thing and to handle
>>>>> errors correctly if it failed. If Justin has his box
>>>>> enforcing and can boot without loading a policy that's a
>>>>> bug and needs to be filed.
>>>>
>>>> He has loaded the policy.
>>>>
>>>> The point is that when init does not transition to init_t
>>>> nothing happens and the system keeps running with all
>>>> processes in kernel_t or insmod_t.
>>>>
>>>> It surely use to happen with upstream components and policy
>>>> back at the beginning of this year (I did test that and
>>>> reported it to the refpolicy mailing list).
>>>>
>>>> Apparently it also happens with Fedora 15 according to what
>>>> Justin reported on here when he started this thread...
>>>>
>>>> Earlier on Daniel Walsh said Fedora and RHEL would crash in
>>>> such case (init has not transitioned properly to init_t).
>>>
>>> Ahhh, different than I was talking sorry. In upstream systemd
>>> git the code in question looks like so:
>>>
>>> /* Transition to the new context */ r =
>>> label_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label);
>>> if (r < 0 || label == NULL) { log_open(); log_error("Failed to
>>> compute init label, ignoring."); } else { r = setcon(label);
>>>
>>> log_open(); if (r < 0) log_error("Failed to transition into
>>> init label '%s', ignoring.", label);
>>>
>>> label_free(label); }
>>>
>>> sds, what do you think, should we make these? We do know the
>>> requisite enforce state in this function...
>>
>> These should be fatal errors if enforcing.
>
> Yes, I agree. Fatal errors and system halt.
>
> This is especially true because the box might not be isolated from
> the outside world for network services might be up and running in
> wrong contexts.
>
> Thanks.
>
> Guido
>
>
>
> -- This message was distributed to subscribers of the selinux
> mailing list. If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with the words "unsubscribe selinux"
> without quotes as the message.
Please open a bugzilla, always better coming from outside of Red Hat
and CC eric and me.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk6CD0YACgkQrlYvE4MpobNF/ACg3qPSOhiTUj0JlUfhJVA9X5tY
O/gAn1U4EWHloCQXY3prySxS9HjtPoNb
=oC9z
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 29+ messages in thread