* switching between SE Linux utils - kernel versions ? ... also ntp
@ 2002-01-22 22:15 forrest whitcher
2002-01-23 0:13 ` Paul Krumviede
2002-01-23 14:24 ` Stephen Smalley
0 siblings, 2 replies; 5+ messages in thread
From: forrest whitcher @ 2002-01-22 22:15 UTC (permalink / raw)
To: SELinux
A note on NTP: ntpd / ntpdate on my selinux installation has (surprisingly) not
raised any AVC: messages in develop/permissive mode. Does this suggest that
setting system time is not LSM / SEL hooked?
I'll be updating to 2.4.17 shortly, wondered what is the safe matrix for
mixing versions?
If I need to still sometimes boot the .12 kernel will it be able to deal
with PSID's left by .17? and are the .17 version utils likely to cause
problems on .12 kernel?
From all I've read I'll be happy to have .17 in place and not look back,
but thought it would be prudent to check for possible gotchas.
forrest
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: switching between SE Linux utils - kernel versions ? ... also ntp
From: Paul Krumviede @ 2002-01-23 0:13 UTC (permalink / raw)
To: forrest whitcher, SELinux
--On Tuesday, 22 January, 2002 17:15 -0500 forrest whitcher
<fw@fwsystems.com> wrote:
>
> A note on NTP: ntpd / ntpdate on my selinux installation has
> (surprisingly) not raised any AVC: messages in develop/permissive mode.
> Does this suggest that setting system time is not LSM / SEL hooked?
if ntpdate/ntpd are (only) run out of the init scripts, then ntpd
is probably still running in the initrc domain, which may not be
desirable. i recall having to make some changes for things
like adjtime at system shutdown (this was interesting because
it occurred after syslog was stopped, so i only saw it as a console
message).
every version of the selinux/README file i've read has text
along the lines of "run 'ps -e --context' and if anything is running
in the initrc domain then check it carefully as it should either have
its own domain or the executable may not have been labelled
correctly."
as to selinux/kernel versions, i've had problems with the
utilities from versions 2.4.16 and afterwards running on
pre-2.4.16 kernels. i'm not sure if the selinux versions of
login will work correctly on the different kernel versions
(i know i wound up with a version of login that wouldn't
allow logins in the process of booting yet another selinux
version, but i don't recall the exact details). for safety's
sake i keep one non-selinux kernel around i can boot
from in an emergency, along with all the selinux/utils
directories so i can do a combination of "make install"
for the utilities and then relabel (but i might not do
that on production machines).
-paul
* Re: switching between SE Linux utils - kernel versions ? ... also ntp
From: Stephen Smalley @ 2002-01-23 14:24 UTC (permalink / raw)
To: forrest whitcher; +Cc: SELinux
On Tue, 22 Jan 2002, forrest whitcher wrote:
> A note on NTP: ntpd / ntpdate on my selinux installation has (surprisingly) not
> raised any AVC: messages in develop/permissive mode. Does this suggest that
> setting system time is not LSM / SEL hooked?
No, it just means that ntpd is still running in the initrc_t domain. You
need to define a domain for it if you want to run it safely.
> I'll be updating to 2.4.17 shortly, wondered what is the safe matrix for
> mixing versions?
>
> If I need to still sometimes boot the .12 kernel will it be able to deal
> with PSID's left by .17? and are the .17 version utils likely to cause
> problems on .12 kernel?
The on-disk persistent label mapping format hasn't changed, so that isn't
an issue. However, the on-disk policydb format has changed, so the 2.4.12
kernel won't be able to use the same policy, and some of the new system
calls have undergone changes, so the newer utilities will not work on the
2.4.12 kernel. So you can't easily swap back and forth. Also, when you
perform the build and install of the .17 release, remove
/usr/local/selinux/bin from your path to avoid trying to use the modified
utilities during the install.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
* Re: switching between SE Linux utils - kernel versions ? ... also ntp
From: forrest whitcher @ 2002-01-23 15:05 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux
On Wed, 23 Jan 2002 09:24:39 -0500 (EST)
Stephen Smalley <sds@tislabs.com> wrote:
>
> On Tue, 22 Jan 2002, forrest whitcher wrote:
>
> > A note on NTP: ntpd / ntpdate on my selinux installation has (surprisingly) not
> > raised any AVC: messages in develop/permissive mode. Does this suggest that
> > setting system time is not LSM / SEL hooked?
>
> No, it just means that ntpd is still running in the initrc_t domain. You
> need to define a domain for it if you want to run it safely.
>
That's not it. Ntpd was started from the commandline - sysadm_r:sysadm_t role/domain.
Syslog messages indicate that ntpd is choosing kernel/pll (I have systems on which
ntpd uses tickadj()). Is the pll a kernel function that's not hooked?
hermes ntpd[3099]: using kernel phase-lock loop 0041
> > I'll be updating to 2.4.17 shortly, wondered what is the safe matrix for
> > mixing versions?
> >
> > If I need to still sometimes boot the .12 kernel will it be able to deal
> > with PSID's left by .17? and are the .17 version utils likely to cause
> > problems on .12 kernel?
>
> The on-disk persistent label mapping format hasn't changed, so that isn't
> an issue. However, the on-disk policydb format has changed, so the 2.4.12
> kernel won't be able to use the same policy, and some of the new system
> calls have undergone changes, so the newer utilities will not work on the
> 2.4.12 kernel. So you can't easily swap back and forth. Also, when you
> perform the build and install of the .17 release, remove
> /usr/local/selinux/bin from your path to avoid trying to use the modified
> utilities during the install.
Thanks, that's useful to know.
forrest
>
> --
> Stephen D. Smalley, NAI Labs
> ssmalley@nai.com
* Re: switching between SE Linux utils - kernel versions ? ... also ntp
From: Stephen Smalley @ 2002-01-23 15:14 UTC (permalink / raw)
To: forrest whitcher; +Cc: SELinux
On Wed, 23 Jan 2002, forrest whitcher wrote:
> That's not it. Ntpd was started from the commandline -
> sysadm_r:sysadm_t role/domain.
sysadm_t is likewise a domain that has many permissions, so it isn't
surprising that you aren't encountering denials. You need to put ntpd
into its own domain.
> Syslog messages indicate that ntpd is choosing kernel/pll (I have systems on which
> ntpd uses tickadj()). Is the pll a kernel function that's not hooked?
>
> hermes ntpd[3099]: using kernel phase-lock loop 0041
I'm not sure what you mean. I would expect that ntpd would use
adjtimex(). That call, like other time-related calls, requires the
CAP_SYS_TIME capability to modify the time. LSM hooks capable, and
SELinux performs a parallel permission check for each Linux capability.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
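The capability check Stephen describes can be observed directly from a small program. The following is an added example written for this page, not code from the thread or from the SELinux project. It assumes a Linux host and relies on the kernel's adjtimex() ordering: the CAP_SYS_TIME check runs before the request is validated, so asking for ADJ_TICK with tick=0 (always out of range) either fails with EPERM at the capability check or with EINVAL afterwards, and in neither case does the clock change. Comparing that result with the process's own CapEff set from /proc/self/status separates "no capability" from "capability present but refused by the LSM", which is exactly the parallel SELinux check on CAP_SYS_TIME that an ntpd domain would have to be granted.

```c
/* Added example: probe the CAP_SYS_TIME permission path behind adjtimex(),
 * the call ntpd uses to discipline the clock. Build: cc -o timeprobe timeprobe.c */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/timex.h>

#ifndef CAP_SYS_TIME
#define CAP_SYS_TIME 25   /* value from <linux/capability.h> */
#endif

/* Decode a CapEff value as printed in /proc/<pid>/status (hex bitmask)
 * and report whether capability number `cap` is present. */
int cap_set_has(const char *hex, int cap)
{
    unsigned long long mask = strtoull(hex, NULL, 16);
    if (cap < 0 || cap >= 64)
        return 0;
    return (int)((mask >> cap) & 1ULL);
}

/* Copy the CapEff field of /proc/self/status into buf; 1 on success. */
int read_cap_eff(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int found = 0;
    if (!f)
        return 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            const char *p = line + 7;
            while (*p == ' ' || *p == '\t')
                p++;
            snprintf(buf, len, "%s", p);
            buf[strcspn(buf, "\n")] = '\0';
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Read-only query (modes == 0) needs no privilege in any domain.
 * Returns the clock state (>= 0) or -1 with errno set. */
int query_clock_state(void)
{
    struct timex tx;
    memset(&tx, 0, sizeof tx);
    return adjtimex(&tx);
}

/* Modification probe: ADJ_TICK with tick=0 is rejected by every kernel, so
 * only the permission path is exercised. Returns errno; 0 is not expected. */
int probe_modify_permission(void)
{
    struct timex tx;
    memset(&tx, 0, sizeof tx);
    tx.modes = ADJ_TICK;
    tx.tick = 0;
    if (adjtimex(&tx) < 0)
        return errno;
    return 0;
}

/* Interpret the probe result against the effective capability set. */
const char *explain_probe(int err, int has_cap_sys_time)
{
    if (err == EINVAL)
        return "capability check passed (request rejected as invalid, nothing changed)";
    if (err == EPERM && !has_cap_sys_time)
        return "denied: process lacks CAP_SYS_TIME";
    if (err == EPERM && has_cap_sys_time)
        return "denied despite CAP_SYS_TIME: LSM (e.g. SELinux capability check) refused it";
    return "unexpected result";
}

int main(void)
{
    char capeff[64] = "0";
    int has_cap, err, state;

    if (!read_cap_eff(capeff, sizeof capeff))
        fprintf(stderr, "could not read /proc/self/status; assuming no capabilities\n");
    has_cap = cap_set_has(capeff, CAP_SYS_TIME);
    printf("CapEff=%s CAP_SYS_TIME=%s\n", capeff, has_cap ? "yes" : "no");

    state = query_clock_state();
    if (state < 0)
        printf("read-only adjtimex failed: %s\n", strerror(errno));
    else
        printf("read-only adjtimex ok, clock state %d\n", state);

    err = probe_modify_permission();
    printf("modify probe: %s -> %s\n", strerror(err), explain_probe(err, has_cap));
    return 0;
}
```

Run it once as an ordinary user (expect EPERM, no capability) and once from the domain the daemon will actually run in; an EPERM while CapEff shows bit 25 set is the SELinux-side denial, and with permissive mode it will also appear as an AVC message, which is why a daemon left in initrc_t or sysadm_t never produces one.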