* policy version
@ 2002-10-01 11:15 Tom
2002-10-01 11:46 ` Stephen Smalley
2002-10-01 14:04 ` Russell Coker
0 siblings, 2 replies; 9+ messages in thread
From: Tom @ 2002-10-01 11:15 UTC (permalink / raw)
To: selinux
I'm a little upset right now, so apologies up front if I get across a
little too aggressive:
I have a totally unusable SELinux system right now, because of policy
version conflicts. For reasons I don't understand, checkpolicy creates
a binary representation version 12, which load_policy refuses to load
because it's version 11.
I have removed and reinstalled all available policies from both
Russell's and Brian's site, all available selinux packages from both
sites, and both .deb and .tgz versions where I could.
Unless I am horribly stupid, there is a major fuckup somewhere. Add to
this the fact that your system is fubar'ed when the policy doesn't work
and I second Brian's call that we require a lot more checking and
information when it comes to the policy versions.
I just find it unacceptable that a standard update (all my troubles
started when I ran nothing more than "se_apt-get upgrade" this morning)
can take the system out completely, with no path back.
That, or I'm a total idiot.
--
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: policy version
2002-10-01 11:15 policy version Tom
@ 2002-10-01 11:46 ` Stephen Smalley
2002-10-01 12:28 ` Tom
2002-10-01 14:04 ` Russell Coker
1 sibling, 1 reply; 9+ messages in thread
From: Stephen Smalley @ 2002-10-01 11:46 UTC (permalink / raw)
To: Tom; +Cc: selinux
On Tue, 1 Oct 2002, Tom wrote:
> I have a totally unusable SELinux system right now, because of policy
> version conflicts. For reasons I don't understand, checkpolicy creates
> a binary representation version 12, which load_policy refuses to load
> because it's version 11.
This implies that you are still running a kernel with policy version 11,
but your checkpolicy program has been rebuilt for policy version 12.
Maybe you need to boot your new kernel (hopefully, you did obtain a new
kernel, right?)?
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: policy version
2002-10-01 11:46 ` Stephen Smalley
@ 2002-10-01 12:28 ` Tom
2002-10-01 12:50 ` Stephen Smalley
0 siblings, 1 reply; 9+ messages in thread
From: Tom @ 2002-10-01 12:28 UTC (permalink / raw)
To: selinux
On Tue, Oct 01, 2002 at 07:46:43AM -0400, Stephen Smalley wrote:
> > I have a totally unusable SELinux system right now, because of policy
> > version conflicts. For reasons I don't understand, checkpolicy creates
> > a binary representation version 12, which load_policy refuses to load
> > because it's version 11.
>
> This implies that you are still running a kernel with policy version 11,
> but your checkpolicy program has been rebuilt for policy version 12.
> Maybe you need to boot your new kernel (hopefully, you did obtain a new
> kernel, right?)?
I built a fresh kernel from 2.4.19-lsm1 sources today, so the kernel
should actually be newer than the checkpolicy program (actually,
they're both from the August release).
I guess I will take the machine apart in order to mount the hard drive
somewhere else and take a deep look at the kernel sources to verify
this.
I'm not sure what to think about the actual behaviour of the system,
though. I believe it is misbehaving and not failing safely - even
though it can't load the policy, it boots up and lets me log in (into
an unlabeled context). However, even though I'm running in permissive
mode, I get "permission denied" on most file access attempts (including
something as simple as "ls"). IMHO, when it can't load the policy, it
should either panic (enforcing mode) or start up with an "allow all"
default (permissive mode). Feel free to correct me on this, it's just
what I would have expected.
--
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: policy version
2002-10-01 12:28 ` Tom
@ 2002-10-01 12:50 ` Stephen Smalley
2002-10-01 13:30 ` Tom
0 siblings, 1 reply; 9+ messages in thread
From: Stephen Smalley @ 2002-10-01 12:50 UTC (permalink / raw)
To: Tom; +Cc: selinux
On Tue, 1 Oct 2002, Tom wrote:
> I built a fresh kernel from 2.4.19-lsm1 sources today, so the kernel
> should actually be newer than the checkpolicy program (actually,
> they're both from the August release).
Not if you are using policy version 12. That change didn't occur until
the aforementioned patch that I posted, when the access vector definitions
changed. If that patch was merged into the Debian selinux packages, then
you should have a new kernel that uses policy version 12. If you are
building the old kernel sources from the release but trying to use a newer
checkpolicy+policy, then you naturally have a problem.
> I'm not sure what to think about the actual behaviour of the system,
> though. I believe it is misbehaving and not failing safely - even
> though it can't load the policy, it boots up and lets me log in (into
> an unlabeled context). However, even though I'm running in permissive
> mode, I get "permission denied" on most file access attempts (including
> something as simple as "ls"). IMHO, when it can't load the policy, it
> should either panic (enforcing mode) or start up with an "allow all"
> default (permissive mode). Feel free to correct me on this, it's just
> what I would have expected.
If you build your kernel without the development module option (i.e.
always in enforcing mode, no way to switch into permissive mode), then it
will panic if it cannot load a policy after mounting the root filesystem.
If you build your kernel with the development module option, then it only
issues a warning if it cannot load a policy and SELinux is effectively
off until you either explicitly load a policy via load_policy or you try
to toggle into enforcing mode via avc_toggle. I suppose that we could
change the latter case so that if you boot with enforcing=1, then it will
also panic if no policy is present. I don't see the behavior that you
describe when booting without a valid policy.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: policy version
2002-10-01 12:50 ` Stephen Smalley
@ 2002-10-01 13:30 ` Tom
2002-10-01 13:51 ` Stephen Smalley
0 siblings, 1 reply; 9+ messages in thread
From: Tom @ 2002-10-01 13:30 UTC (permalink / raw)
To: selinux
On Tue, Oct 01, 2002 at 08:50:25AM -0400, Stephen Smalley wrote:
> > I built a fresh kernel from 2.4.19-lsm1 sources today, so the kernel
> > should actually be newer than the checkpolicy program (actually,
> > they're both from the August release).
>
> Not if you are using policy version 12. That change didn't occur until
> the aforementioned patch that I posted, when the access vector definitions
> changed. If that patch was merged into the Debian selinux packages, then
> you should have a new kernel that uses policy version 12. If you are
> building the old kernel sources from the release but trying to use a newer
> checkpolicy+policy, then you naturally have a problem.
That would make sense, though the Debian selinux packages (tools and
lsm patches) are all labeled 2002_08_23. Maybe the patches were
backported and I'm just confused.
I'm currently rebuilding from scratch on a new system to verify that
Brian's new packages are clean and the mistake was somewhere on my
side.
> If you build your kernel without the development module option (i.e.
> always in enforcing mode, no way to switch into permissive mode), then it
> will panic if it cannot load a policy after mounting the root filesystem.
> If you build your kernel with the development module option, then it only
> issues a warning if it cannot load a policy and SELinux is effectively
> off until you either explicitly load a policy via load_policy or you try
> to toggle into enforcing mode via avc_toggle. I suppose that we could
> change the latter case so that if you boot with enforcing=1, then it will
> also panic if no policy is present. I don't see the behavior that you
> describe when booting without a valid policy.
My kernel is built with development module, and I don't trigger
avc_toggle during bootup either (I just verified this). After replacing
the base system from a woody CD, I can access the filesystem again.
However, one 100% reliable denial remains in the networking code,
namely that I do not have any networking at all. All network access
(ping, http, ftp, etc) throws an error about "unlabeled packet". This
is in permissive mode. And the kernel does not even have labelled IP
networking enabled.
--
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: policy version
2002-10-01 13:30 ` Tom
@ 2002-10-01 13:51 ` Stephen Smalley
2002-10-01 14:00 ` Tom
0 siblings, 1 reply; 9+ messages in thread
From: Stephen Smalley @ 2002-10-01 13:51 UTC (permalink / raw)
To: Tom; +Cc: selinux
On Tue, 1 Oct 2002, Tom wrote:
> However, one 100% reliable denial remains in the networking code,
> namely that I do not have any networking at all. All network access
> (ping, http, ftp, etc) throws an error about "unlabeled packet". This
> is in permissive mode. And the kernel does not even have labelled IP
> networking enabled.
If you mean the 'Unlabeled outbound packet' messages, those are only
warnings not denials, and should not prevent the flow of network traffic.
I can likely remove these printk's entirely; they were to help track down
an earlier problem with assigning labels to outbound packets. When in
enforcing mode, any outgoing unlabeled packets will be denied by the
corresponding permission checks.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: policy version
2002-10-01 13:51 ` Stephen Smalley
@ 2002-10-01 14:00 ` Tom
0 siblings, 0 replies; 9+ messages in thread
From: Tom @ 2002-10-01 14:00 UTC (permalink / raw)
To: selinux
On Tue, Oct 01, 2002 at 09:51:56AM -0400, Stephen Smalley wrote:
> If you mean the 'Unlabeled outbound packet' messages, those are only
> warnings not denials, and should not prevent the flow of network traffic.
> I can likely remove these printk's entirely; they were to help track down
> an earlier problem with assigning labels to outbound packets. When in
> enforcing mode, any outgoing unlabeled packets will be denied by the
> corresponding permission checks.
My bad - I just realized that something else was preventing the network
traffic.
Thanks a lot for your help, I think I may be able to salvage this
machine without a reinstall now.
--
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: policy version
2002-10-01 11:15 policy version Tom
2002-10-01 11:46 ` Stephen Smalley
@ 2002-10-01 14:04 ` Russell Coker
2002-10-01 14:11 ` Tom
1 sibling, 1 reply; 9+ messages in thread
From: Russell Coker @ 2002-10-01 14:04 UTC (permalink / raw)
To: Tom, selinux
On Tue, 1 Oct 2002 13:15, Tom wrote:
> I have a totally unusable SELinux system right now, because of policy
> version conflicts. For reasons I don't understand, checkpolicy creates
> a binary representation version 12, which load_policy refuses to load
> because it's version 11.
Firstly your machine should still work. The way things are designed to
operate is that a unique file name is used for each version of the policy.
So if you had a previously operational system with policy V11 and you did not
delete any files then it should still boot up loading that V11 policy. You
won't be able to load a new V12 policy but that should not be a serious
problem, your machine should still be in a state that allows you to compile
the kernel.
Steve sent a kernel patch to this list at the same time as the checkpolicy
patch that is in the Debian packages that Brian and I produce. You need this
patch to get it working.
> I just find it unacceptable that a standard update (all my troubles
> started when I ran nothing more than "se_apt-get upgrade" this morning)
> can take the system out completely, with no path back.
The way this is designed to work is that the "se_apt-get upgrade" will get you
a new policy (which will install but not load) and a new kernel patch to
match. Then if you build a new kernel-image package with that kernel patch
then it'll support the V12 policy and everything will be fine after a reboot.
Another option is to use the kernel-image packages Brian is producing, he has
re-built all his packages with V12 policy support. He appears to be going to
a lot of effort to build those packages so it would be good if someone uses
them...
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
^ permalink raw reply [flat|nested] 9+ messages in thread
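The check Tom asks for at the top of the thread (more verification of policy versions before anything is loaded) and the one-file-per-version layout Russell describes in the message above can both be shown in a short preflight script. The following is an added example, not code from the thread, the Debian packages, or the SELinux project. It assumes the kernel binary policy header layout (the magic 0xf97cff8c, the id string "SE Linux", then the version as a little-endian u32), that the running kernel exposes its accepted version in a selinuxfs file called policyvers (on current kernels /sys/fs/selinux/policyvers; the 2002 kernel in the thread may have exposed it at a different path or not at all, so the path is a parameter), and all function names are the example's own.

```python
"""Preflight check for an SELinux binary policy before calling load_policy.

Added example, not from the thread or the SELinux project.  It reads the
version that checkpolicy stamped into the binary policy, compares it with the
version the running kernel accepts, and, following the policy.11 / policy.12
one-file-per-version layout Russell describes, picks the newest file the
kernel can actually load.

Assumptions: policydb header layout (u32 magic 0xf97cff8c, u32 length of the
id string, the string "SE Linux", u32 version, little-endian) and a selinuxfs
"policyvers" file for the kernel side; path and function names are this
example's own.
"""
import os
import re
import struct

POLICYDB_MAGIC = 0xF97CFF8C      # first u32 of every kernel binary policy
POLICYDB_STRING = b"SE Linux"    # id string that follows the magic


def policy_version(blob):
    """Return the policy version stored in a binary policy blob.

    Raises ValueError when the blob is not a kernel policy, so a truncated
    or wrong file is rejected before load_policy ever sees it.
    """
    if len(blob) < 8:
        raise ValueError("policy file too short to hold a header")
    magic, strlen = struct.unpack_from("<II", blob, 0)
    if magic != POLICYDB_MAGIC:
        raise ValueError("bad policydb magic 0x%08x" % magic)
    ident = blob[8:8 + strlen]
    if ident != POLICYDB_STRING or len(blob) < 12 + strlen:
        raise ValueError("not a kernel policy file")
    (version,) = struct.unpack_from("<I", blob, 8 + strlen)
    return version


def kernel_policy_version(policyvers_path="/sys/fs/selinux/policyvers"):
    """Read the highest policy version the running kernel will load (assumed path)."""
    with open(policyvers_path) as f:
        return int(f.read().strip())


def load_decision(blob, kernel_vers):
    """Say whether load_policy would accept this blob on this kernel.

    Returns (ok, version, message).  A policy newer than the kernel knows is
    the failure in the thread: checkpolicy wrote version 12, the running
    kernel only understood 11.
    """
    version = policy_version(blob)
    if version > kernel_vers:
        return (False, version,
                "policy is version %d but kernel accepts at most %d: boot a "
                "newer kernel or rebuild the policy with an older checkpolicy"
                % (version, kernel_vers))
    return (True, version,
            "policy version %d is loadable on kernel %d" % (version, kernel_vers))


def choose_loadable(names, kernel_vers):
    """From names like policy.11, policy.12 pick the newest loadable one.

    Every version keeps its own file, so an upgrade that ships policy.12
    leaves policy.11 in place for a kernel that cannot load 12 yet.
    Returns the chosen name or None when nothing fits.
    """
    best = None
    for name in names:
        m = re.fullmatch(r"policy\.(\d+)", name)
        if not m:
            continue
        vers = int(m.group(1))
        if vers <= kernel_vers and (best is None or vers > best[0]):
            best = (vers, name)
    return best[1] if best else None


def choose_from_dir(policy_dir, kernel_vers):
    """Directory wrapper around choose_loadable; returns a full path or None."""
    name = choose_loadable(os.listdir(policy_dir), kernel_vers)
    return os.path.join(policy_dir, name) if name else None


def sample_policy_header(version):
    """Constructed header only (no rules), enough for the version check."""
    return (struct.pack("<II", POLICYDB_MAGIC, len(POLICYDB_STRING))
            + POLICYDB_STRING
            + struct.pack("<IIII", version, 1, 0, 0))  # version, config, counts


if __name__ == "__main__":
    # Replays the thread: a constructed version-12 header on a kernel that
    # only knows version 11, with both policy files present on disk.
    print(load_decision(sample_policy_header(12), 11))
    print(choose_loadable(["policy.11", "policy.12", "policy.conf"], 11))
```

Run before load_policy (or from an init script) with the real file and `kernel_policy_version()`; a refusal here leaves the previously working policy.11 in place instead of the unlabeled-context boot described earlier in the thread.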
* Re: policy version
2002-10-01 14:04 ` Russell Coker
@ 2002-10-01 14:11 ` Tom
0 siblings, 0 replies; 9+ messages in thread
From: Tom @ 2002-10-01 14:11 UTC (permalink / raw)
To: selinux
On Tue, Oct 01, 2002 at 04:04:25PM +0200, Russell Coker wrote:
> Firstly your machine should still work. The way things are designed to
> operate is that a unique file name is used for each version of the policy.
> So if you had a previously operational system with policy V11 and you did not
> delete any files then it should still boot up loading that V11 policy. You
> won't be able to load a new V12 policy but that should not be a serious
> problem, your machine should still be in a state that allows you to compile
> the kernel.
The v11 policy went down the drain due to a mistake that I made before
upgrading (ironically, the intent of moving some stuff away was to make
sure it neither gets overwritten nor is in the way of something).
> The way this is designed to work is that the "se_apt-get upgrade" will get you
> a new policy (which will install but not load) and a new kernel patch to
> match. Then if you build a new kernel-image package with that kernel patch
> then it'll support the V12 policy and everything will be fine after a reboot.
I will do that once I've restored networking and report back with the
result. If it works, I'll collect what I learned today into a small
"howto save your soul after messing up your SELinux install" doc.
> Another option is to use the kernel-image packages Brian is producing, he has
> re-built all his packages with V12 policy support. He appears to be going to
> a lot of effort to build those packages so it would be good if someone uses
> them...
Roger, I'll do that on the other machine which I'm installing from
scratch.
--
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
^ permalink raw reply [flat|nested] 9+ messages in thread
2002-10-01 11:15 policy version Tom
2002-10-01 11:46 ` Stephen Smalley
2002-10-01 12:28 ` Tom
2002-10-01 12:50 ` Stephen Smalley
2002-10-01 13:30 ` Tom
2002-10-01 13:51 ` Stephen Smalley
2002-10-01 14:00 ` Tom
2002-10-01 14:04 ` Russell Coker
2002-10-01 14:11 ` Tom