Mix and Match 2: relabel problems

Mix and Match 2: relabel problems

[Dale Amon]

Okay, getting close. I rebooted into selinux after remembering to
do the make relable this time. Then I did Russell's policy make install,
and it works under an selinux kernel as I surmised it would.

However I'm still missing something in his policy, because when
I relabel after the boot:

> make verbose
./setfiles -v file_contexts `mount | awk '/ext[23]/{print $3}'`
./setfiles:  Running on a SELinux kernel, using new system calls
./setfiles:  read 352 specifications
./setfiles:  invalid context system_u:object_r:slapd_db_t on line number 65
./setfiles:  invalid context system_u:object_r:slapd_replog_t on line number 66
./setfiles:  invalid context system_u:object_r:slapd_exec_t on line number 401
make: *** [verbose] Error 1

I'm using the policy/ from Russell's selinux_2002031409-2_i386.deb dist in
the lsm-2.4-selinux-2002031409.tgz base release. With minor twiddles of
my own to make things work together.

Any suggestions?



--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Mix and Match 2: relabel problems

[Russell Coker]

On Sun, 24 Mar 2002 16:45, Dale Amon wrote:
> However I'm still missing something in his policy, because when
>
> I relabel after the boot:
> > make verbose
>
> ./setfiles -v file_contexts `mount | awk '/ext[23]/{print $3}'`
> ./setfiles:  Running on a SELinux kernel, using new system calls
> ./setfiles:  read 352 specifications
> ./setfiles:  invalid context system_u:object_r:slapd_db_t on line number 65
> ./setfiles:  invalid context system_u:object_r:slapd_replog_t on line
> number 66 ./setfiles:  invalid context system_u:object_r:slapd_exec_t on
> line number 401 make: *** [verbose] Error 1
>
> I'm using the policy/ from Russell's selinux_2002031409-2_i386.deb dist in
> the lsm-2.4-selinux-2002031409.tgz base release. With minor twiddles of
> my own to make things work together.

The -2 release wasn't complete, it had some entries in file_contexts without 
a matching .te file.  You can comment out those entries, use the slapd.te 
file I mailed here, or wait for a -3 release (soon I hope).

-- 
If you send email to me or to a mailing list that I use which has >4 lines
of legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Mix and Match 2: relabel problems

[Dale Amon]

On Mon, Mar 25, 2002 at 01:31:51AM +0100, Russell Coker wrote:
> The -2 release wasn't complete, it had some entries in file_contexts without 
> a matching .te file.  You can comment out those entries, use the slapd.te 
> file I mailed here, or wait for a -3 release (soon I hope).

Hmmm, can't seem to find it with a grep of the mailq. Guess
I'll have to wait or do the comment thing.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Mix and Match 2: relabel problems

[Russell Coker]

On Mon, 25 Mar 2002 02:57, Dale Amon wrote:
> On Mon, Mar 25, 2002 at 01:31:51AM +0100, Russell Coker wrote:
> > The -2 release wasn't complete, it had some entries in file_contexts
> > without a matching .te file.  You can comment out those entries, use the
> > slapd.te file I mailed here, or wait for a -3 release (soon I hope).
>
> Hmmm, can't seem to find it with a grep of the mailq. Guess
> I'll have to wait or do the comment thing.

OK.  I've just put a new version of my selinux base packages online.  I've 
added new policy and made some changes to the devfsd shared object (which 
also requires a new version of the devfsd package for Debian so I've put it 
in the same directory).

One noteworthy thing I've done with the devfsd shared object is made any 
context that doesn't contain a ':' have "system_u:object_r:" be prepended.

I am wondering whether it would make sense to do the same for file_contexts, 
putting in system_u:object_r seems to be just needless typing.

-- 
If you send email to me or to a mailing list that I use which has >4 lines
of legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Mix and Match 2: relabel problems

[Dale Amon]

On Mon, Mar 25, 2002 at 12:13:19PM +0100, Russell Coker wrote:
> OK.  I've just put a new version of my selinux base packages online.  I've 
> added new policy and made some changes to the devfsd shared object (which 
> also requires a new version of the devfsd package for Debian so I've put it 
> in the same directory).

Got it, updated my merged set, and it seems to work now. I have to wait
for a kernel build to finish up (more beta testing for HVR) before I
can reboot and get a new list of avc error messages though :-)



--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Mix and Match 2: relabel problems

[Dale Amon]

On Mon, Mar 25, 2002 at 01:49:40PM +0000, Dale Amon wrote:
> On Mon, Mar 25, 2002 at 12:13:19PM +0100, Russell Coker wrote:
> > OK.  I've just put a new version of my selinux base packages online.  I've 
> > added new policy and made some changes to the devfsd shared object (which 
> > also requires a new version of the devfsd package for Debian so I've put it 
> > in the same directory).

Okay, booted and looks good... other than my own crop of avc warnings. Only
about a page full though :-)

 

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Mix and Match 2: relabel problems

[Stephen Smalley]

On Mon, 25 Mar 2002, Russell Coker wrote:

> One noteworthy thing I've done with the devfsd shared object is made any
> context that doesn't contain a ':' have "system_u:object_r:" be prepended.
>
> I am wondering whether it would make sense to do the same for file_contexts,
> putting in system_u:object_r seems to be just needless typing.

We'd like to minimize the set of code that has any awareness of the
internal format and meaning of the security context, so that people can
easily create their own security servers with their own security models
with no changes to the rest of the kernel and only minimal changes to
userspace.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.