From: Tracy R Reed <treed@ultraviolet.org>
To: selinux@tycho.nsa.gov
Subject: Re: SELinux policy configuration tutorial?
Date: Wed, 21 Nov 2001 01:32:04 -0800 [thread overview]
Message-ID: <20011121013204.C6432@ultraviolet.org> (raw)
In-Reply-To: <Pine.GSO.4.33.0111190826490.24517-100000@raven>; from sds@tislabs.com on Mon, Nov 19, 2001 at 08:37:53AM -0500
On Mon, Nov 19, 2001 at 08:37:53AM -0500, Stephen Smalley wrote:
> I don't think anyone has written a general tutorial. However, you'll find
> quite a bit of useful information in the security server section of the
> first technical report, the entire second technical report, and the OLS
> 2001 paper, all of which are on the web site. Several people outside of
Thanks. I am slowly making progress. Over the last few nights I've been
going through "A Security Policy Configuration for the Security-Enhanced
Linux" in the documentation section and I have noticed that I get a 404
if I stop reading and pick it up again later. Looks like the url changes
periodically. Odd.
A policy question: I didn't have apache installed at the time I installed
SELinux but now I want to install, make it run some useful web app, and
try to secure it. SELinux seems to come with a policy for the stock apache
install so I installed the rpm that normally comes with RH6.1.
Then I did:
make relabel && make load
Just to make sure the newly installed files get assigned the right type
and the policy gets compiled and loaded. But when I try to start apache I
get permission denied:
[root@tracy policy]# /etc/rc.d/init.d/httpd start
Starting httpd: execvp: Permission denied
[root@tracy init.d]# /usr/sbin/httpd
bash: /usr/sbin/httpd: Permission denied
[root@tracy init.d]#
[root@tracy init.d]# ls -la /usr/sbin/httpd
-rwxr-xr-x 1 root root 337500 Mar 29 2001 /usr/sbin/httpd
[root@tracy init.d]# ls -la --context /usr/sbin/httpd
-rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd
What am I missing here?
Also, I notice that when I log in as the user "jdoe" and do an ls -la on /
the jdoe user sees this:
ls: lost+found: Permission denied
ls: ...security: Permission denied
Not much good for hiding files, is it?
As a result of the ls I get this in the messages file:
Nov 21 01:03:53 bench3 kernel: avc: denied { getattr } for pid=9640 exe=/usr/local/selinux/bin/ls path=/...security dev=08:01 ino=38857
Nov 21 01:03:53 bench3 kernel: scontext=jdoe:user_r:user_t
Nov 21 01:03:53 bench3 kernel: tcontext=system_u:object_r:file_labels_t
Nov 21 01:03:53 bench3 kernel: tclass=dir
I'm not sure if I would really want the ls of every user in / to set that off
but even more of a problem is that the message takes up four lines in the
messages file. I normally run logcheck once an hour which sends me
anything interesting from the logfiles after filtering out the bits I have
deemed non-interesting so it would be quite convenient to have it all on
one line.
--
Tracy Reed http://www.ultraviolet.org
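An added example, not part of Tracy's post or of the SELinux project's code: a small Python filter that regroups a four-line avc denial like the one quoted above into one line per denial, so a line-oriented tool such as logcheck sees the whole record (exe, path, scontext, tcontext, tclass) in a single match. The sample log is constructed from the record in the post plus one unrelated line; the kernel syslog prefix and the continuation keys (scontext, tcontext, tclass) are assumed from that record.

```python
import re

# Constructed sample: the four-line denial from the post, followed by an
# unrelated line that must pass through the filter untouched.
SAMPLE_LOG = """\
Nov 21 01:03:53 bench3 kernel: avc: denied { getattr } for pid=9640 exe=/usr/local/selinux/bin/ls path=/...security dev=08:01 ino=38857
Nov 21 01:03:53 bench3 kernel: scontext=jdoe:user_r:user_t
Nov 21 01:03:53 bench3 kernel: tcontext=system_u:object_r:file_labels_t
Nov 21 01:03:53 bench3 kernel: tclass=dir
Nov 21 01:04:10 bench3 sshd[812]: Accepted publickey for jdoe from 10.0.0.5
"""

# Assumed syslog prefix for klogd output: "<month> <day> <time> <host> kernel: <msg>"
KERNEL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) kernel: (.*)$")
AVC_RE = re.compile(r"^avc: +denied +\{ *(?P<perms>[^}]*?) *\} for (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
# Keys the kernel printed on their own continuation lines in the post's log.
CONT_KEYS = ("scontext", "tcontext", "tclass")


def parse_avc_records(text):
    """Group each 'avc: denied' line with its continuation lines.

    Returns a list in order of appearance: a dict for every AVC record,
    the original string for every other line.
    """
    out, cur = [], None
    for line in text.splitlines():
        m = KERNEL_RE.match(line)
        msg = m.group(3) if m else ""
        avc = AVC_RE.match(msg)
        kv = KV_RE.fullmatch(msg.strip())
        if avc:  # start of a new denial record
            if cur:
                out.append(cur)
            cur = {"ts": m.group(1), "host": m.group(2), "perms": avc.group("perms").split()}
            cur.update(KV_RE.findall(avc.group("rest")))
        elif cur is not None and kv and kv.group(1) in CONT_KEYS:
            cur[kv.group(1)] = kv.group(2)  # continuation of the open record
        else:  # any other line closes the open record and passes through
            if cur:
                out.append(cur)
                cur = None
            out.append(line)
    if cur:
        out.append(cur)
    return out


def collapse_avc(text):
    """Rewrite the log so each denial occupies exactly one line."""
    lines = []
    for item in parse_avc_records(text):
        if isinstance(item, str):
            lines.append(item)
            continue
        fields = " ".join(f"{k}={item[k]}" for k in item if k not in ("ts", "host", "perms"))
        perms = " ".join(item["perms"])
        lines.append(f"{item['ts']} {item['host']} kernel: avc: denied {{ {perms} }} for {fields}")
    return "\n".join(lines)
```

Running it over the messages file (for example as a pipe in front of logcheck) leaves ordinary lines alone and emits one line per denial with every field present.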