* Some questions?
@ 2002-02-20 16:42 Giovanni Mugnai
  2002-02-20 17:00 ` Stephen Smalley
  0 siblings, 1 reply; 5+ messages in thread
From: Giovanni Mugnai @ 2002-02-20 16:42 UTC (permalink / raw)
  To: selinux

I'm trying to install SELinux and get it working on a Red Hat 7.2 system. I downloaded
the LSM patch against kernel 2.4.17 (I had already installed the 2.4.17
kernel) and the SELinux archive, and then followed the README instructions
I found inside it.

Configuring the kernel, I found, and set, the "Security Option" as reported in
the README, but I found, and set, only the "Network Packet Filtering" option
from the "Networking Options". I couldn't find either "Kernel/User Netlink
Socket" or "Routing Messages".
Can someone explain to me why?
Could there be problems?

I went on to install; I am at point 8 of the README. My passwd
file is:

root:x:0:0:root:/root:/bin/bash
sysadm:x:400:0:sysadm:/home/sysadm:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/dev/null
rpm:x:37:37::/var/lib/rpm:/bin/bash
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
ntp:x:38:38::/etc/ntp:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/bin/false
gdm:x:42:42::/var/gdm:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/bin/false
ident:x:98:98:pident user:/:/sbin/nologin
radvd:x:75:75:radvd user:/:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
squid:x:23:23::/var/spool/squid:/dev/null
named:x:25:25:Named:/var/named:/bin/false
pcap:x:77:77::/var/arpwatch:/bin/nologin
guest:x:500:500:guest:/home/guest:/bin/bash

I'm at the beginning, so is there someone who could help me to know which
users to put in the context_file and which in the cron_context file?

Thank you very much
Giovanni Mugnai

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Some questions?
  2002-02-20 16:42 Some questions? Giovanni Mugnai
@ 2002-02-20 17:00 ` Stephen Smalley
  0 siblings, 0 replies; 5+ messages in thread
From: Stephen Smalley @ 2002-02-20 17:00 UTC (permalink / raw)
  To: Giovanni Mugnai; +Cc: selinux


On Wed, 20 Feb 2002, Giovanni Mugnai wrote:

> Configuring the kernel, I found, and set, the "Security Option" as reported in
> the README, but I found, and set, only the "Network Packet Filtering" option
> from the "Networking Options". I couldn't find either "Kernel/User Netlink
> Socket" or "Routing Messages".
> Can someone explain to me why?
> Could there be problems?

The Kernel/User Netlink Socket and Routing Messages options were
mainstreamed in 2.4.17, so you no longer need to explicitly enable them in
the kernel configuration.  They have also been mainstreamed in the 2.5
kernel as of 2.5.3, so the discussion of these options will be removed
from the README before the next release of SELinux.

> I'm at the beginning, so is there someone who could help me to know which
> users to put in the context_file and which in the cron_context file?

Most of the entries in /etc/passwd don't require an entry in policy/users
or the *context files, because they don't need to login/ssh to the system
or set up cron jobs.  From your passwd listing, it looks like you would
want an entry for root, sysadm, and guest.  You need an entry for these
users in each of the policy/users, default_context, and cron_context
files.  You also need the system_u entry in the cron_context file.

In the next release, there will be support for mapping all unspecified
Linux users to a single generic unprivileged SELinux user, so that will
reduce the maintenance burden for ordinary users.  Also, at some point,
the *context files will be replaced by a single default_contexts file that
won't require per-user entries at all, and you will only need to maintain
policy/users.  This has been discussed previously on the list - please see
the mailing list archives.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com

* Some questions ...
@ 2003-01-28 11:34 j.logsdon
  2003-01-28 12:06 ` Tom
  2003-01-28 13:29 ` Russell Coker
  0 siblings, 2 replies; 5+ messages in thread
From: j.logsdon @ 2003-01-28 11:34 UTC (permalink / raw)
  To: selinux

Hi

First, many thanks to the list for helping me get going - particularly
Russell, Stephen and Evan.  Now that I have a working SE Linux setup, although
not completely configured as yet, a number of questions arise:

1) When booting up, I still get a large number of avc denied messages. Do
(some of) these always come up or is it in principle possible to boot up
with no such messages?  I am obviously in permissive mode at the moment!:)

2) One cronned job really took over the machine - I think it was tripwire
(don't know why I had it installed at all) - where after a short period
(generally when I wasn't looking) the load meter went solid and absolutely
nothing could be done.  I tracked it down to a job initiated by cron from
cron.daily but it wasn't the usual 4am job, so I deleted those that I
didn't want from the system and it has been OK since then.  Is it possible
that an old job from the RH7.3-8 upgrade could have been interfering?
I had to cold-boot the machine each time - jumping out of X could be done
early on in the take-over but after a little while even that was
impossible, and doing anything from the console was also impossible.  I
tried to track it down with two tops (one on load, one on latest process) but
nothing showed up at all.

3) If I boot into another kernel then back into selinux, do I have to run
make relabel each time?  It takes ages on my box - I would go into
overdose if I made coffee all the time.

4) Are there any implications for hyperthreading in selinux - i.e. on a Xeon
box should one disable hyperthreading?  I notice that on openMosix it is
currently advised (a kernel problem) although 2.6 should see it in OK.

5) I know it is not a good idea to start X from root (head hung in shame
but I am the only user at the moment and it is not connected to anything
sensitive) but an appropriate message saying it was not allowed would be
better than hanging the machine I think...  Is this in the new version?

6) When is the current CVS tree scheduled for release as a stable version?

Probably some more thoughts will hit me immediately after I hit the send
button but these will do for now...

TIA

John


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Some questions ...
  2003-01-28 11:34 Some questions j.logsdon
@ 2003-01-28 12:06 ` Tom
  2003-01-28 13:29 ` Russell Coker
  1 sibling, 0 replies; 5+ messages in thread
From: Tom @ 2003-01-28 12:06 UTC (permalink / raw)
  To: j.logsdon; +Cc: selinux

On Tue, Jan 28, 2003 at 11:34:33AM +0000, j.logsdon@lancaster.ac.uk wrote:
> 1) When booting up, I still get a large number of avc denied messages. Do
> (some of) these always come up or is it in principle possible to boot up
> with no such messages?  I am obviously in permissive mode at the moment!:)

I've never managed to make all of them disappear, but my current dev
machine is down to very few that don't seem to matter (i.e. it works
fine even in enforcing mode).


> 3) If I boot into another kernel then back into selinux, do I have to run
> make relabel each time?  It takes ages on my box - I would go into
> overdose if I made coffee all the time.

Yes, you have to run make relabel again. The bootup process creates or
modifies quite a few files that will mess up your next boot into the
SELinux kernel.


-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5


* Re: Some questions ...
  2003-01-28 11:34 Some questions j.logsdon
  2003-01-28 12:06 ` Tom
@ 2003-01-28 13:29 ` Russell Coker
  1 sibling, 0 replies; 5+ messages in thread
From: Russell Coker @ 2003-01-28 13:29 UTC (permalink / raw)
  To: j.logsdon, selinux

On Tue, 28 Jan 2003 12:34, j.logsdon@lancaster.ac.uk wrote:
> 1) When booting up, I still get a large number of avc denied messages. Do
> (some of) these always come up or is it in principle possible to boot up
> with no such messages?  I am obviously in permissive mode at the moment!:)

I've attached the messages from the early stages of boot of one of my 
machines.  As you can see, it's only sys_module access from "lsmod" and the 
"nsd" program (Name Server Daemon) trying to chown a file.  I'll probably 
fix the nsd issue eventually.

If you get many more than that then it indicates a problem with policy, 
labelling, or configuration of boot scripts.

> 2) One cronned job really took over the machine - I think it was tripwire
> (don't know why I had it installed at all) - where after a short period
> (generally when I wasn't looking) the load meter went solid and absolutely
> nothing could be done.  I tracked it down to a job initiated by cron from

I imagine that it was accessing a huge number of files that it is not 
permitted to, and SE Linux was logging all the errors to syslog, and you have 
your syslogd configured to write the files synchronously.  If you run in 
enforcing mode such things are less of an issue.  In enforcing mode a program 
will be denied access to a directory rather than having a log entry for each 
file it tries to access.

For the moment put a "-" before the file name for the kernel log in 
/etc/syslog.conf so it doesn't write synchronously.

> 3) If I boot into another kernel then back into selinux, do I have to run
> make relabel each time?  It takes ages on my box - I would go into
> overdose if I made coffee all the time.

Yes.  As for the overdose issue, just don't run a non-SE kernel.  There's no 
reason to.

> 5) I know it is not a good idea to start X from root (head hung in shame
> but I am the only user at the moment and it is not connected to anything
> sensitive) but an appropriate message saying it was not allowed would be
> better than hanging the machine I think...  Is this in the new version?

If you are in permissive mode then it should not be able to hang the machine 
or prevent the usual operation in any other way.

In any case if you have the wrong permissions for the X server and you are not 
using a frame-buffer driver with SAK enabled then you are likely to hang your 
machine.  The X server is very invasive and does a lot of direct hardware 
access.  Frame Buffer rules!

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: avc --]

Jan 15 23:15:23 lyta kernel: avc:  denied  { sys_module } for  pid=118 comm=lsmod capability=16 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=capability
Jan 15 23:15:23 lyta kernel: avc:  denied  { sys_module } for  pid=379 comm=lsmod capability=16 scontext=system_u:system_r:hotplug_t tcontext=system_u:system_r:hotplug_t tclass=capability
Jan 15 23:15:23 lyta kernel: avc:  granted  { avc_toggle } for  pid=407 exe=/sbin/avc_toggle scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:kernel_t tclass=system
Jan 15 23:15:23 lyta kernel: avc:  denied  { sys_module } for  pid=450 comm=lsmod capability=16 scontext=system_u:system_r:hotplug_t tcontext=system_u:system_r:hotplug_t tclass=capability
Jan 15 23:15:23 lyta kernel: avc:  denied  { sys_module } for  pid=455 comm=lsmod capability=16 scontext=system_u:system_r:hotplug_t tcontext=system_u:system_r:hotplug_t tclass=capability
Jan 15 23:15:40 lyta kernel: avc:  denied  { chown } for  pid=1068 comm=nsd capability=0 scontext=system_u:system_r:nsd_t tcontext=system_u:system_r:nsd_t tclass=capability
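Russell's point is that a handful of well-understood denials is the expected baseline, and anything much beyond that points at policy, labelling or boot-script problems. The following Python script is an added example (not part of the thread, and not any SELinux project tool) that triages a boot log of this kind: it parses the 2.4-era `avc:  denied  { perm } for  key=value ...` syslog format shown in the attachment above, counts denials by source domain, object class, permission and program, and applies a simple "quiet boot" threshold. The six log lines are the ones from Russell's attachment, embedded so the script runs offline; the threshold of 10 denials and the `CAP_NAMES` table are assumptions chosen for illustration.

```python
import re
from collections import Counter

# The six kernel-log lines from the "avc" attachment in Russell Coker's
# reply, embedded inline so the script needs no other input.
SAMPLE_AVC_LOG = """\
Jan 15 23:15:23 lyta kernel: avc:  denied  { sys_module } for  pid=118 comm=lsmod capability=16 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=capability
Jan 15 23:15:23 lyta kernel: avc:  denied  { sys_module } for  pid=379 comm=lsmod capability=16 scontext=system_u:system_r:hotplug_t tcontext=system_u:system_r:hotplug_t tclass=capability
Jan 15 23:15:23 lyta kernel: avc:  granted  { avc_toggle } for  pid=407 exe=/sbin/avc_toggle scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:kernel_t tclass=system
Jan 15 23:15:23 lyta kernel: avc:  denied  { sys_module } for  pid=450 comm=lsmod capability=16 scontext=system_u:system_r:hotplug_t tcontext=system_u:system_r:hotplug_t tclass=capability
Jan 15 23:15:23 lyta kernel: avc:  denied  { sys_module } for  pid=455 comm=lsmod capability=16 scontext=system_u:system_r:hotplug_t tcontext=system_u:system_r:hotplug_t tclass=capability
Jan 15 23:15:40 lyta kernel: avc:  denied  { chown } for  pid=1068 comm=nsd capability=0 scontext=system_u:system_r:nsd_t tcontext=system_u:system_r:nsd_t tclass=capability
"""

# Matches the 2.4-era syslog form of an AVC message:
#   <timestamp> <host> kernel: avc:  denied  { perm ... } for  key=value ...
AVC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<kv>.*)$"
)

# Capability numbers appearing in the sample, per <linux/capability.h>
# (partial table, assumed for this example).
CAP_NAMES = {0: "CAP_CHOWN", 16: "CAP_SYS_MODULE"}


def parse_avc_line(line):
    """Return a dict for one AVC line, or None if the line is not an AVC message."""
    m = AVC_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    # The trailing part is a flat key=value list; keep every pair as a string.
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("kv")):
        rec[key] = val
    # Some paths log comm=, others exe=; keep whichever identifies the program.
    rec["program"] = rec.get("comm") or rec.get("exe", "?")
    # Type field of the source context, e.g. "initrc_t" from system_u:system_r:initrc_t.
    rec["sdomain"] = rec.get("scontext", "::?").split(":")[2]
    if "capability" in rec:
        num = int(rec["capability"])
        rec["capability_name"] = CAP_NAMES.get(num, "CAP_%d" % num)
    return rec


def summarize_denials(lines):
    """Count denials keyed by (source domain, target class, permission, program)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc_line(line)
        if rec is None or rec["verdict"] != "denied":
            continue  # not an AVC line, or an audited grant rather than a denial
        for perm in rec["perms"]:
            counts[(rec["sdomain"], rec["tclass"], perm, rec["program"])] += 1
    return counts


def is_quiet_boot(lines, max_denials=10):
    """True when the log holds no more than max_denials AVC denials (assumed threshold)."""
    return sum(summarize_denials(lines).values()) <= max_denials


if __name__ == "__main__":
    lines = SAMPLE_AVC_LOG.splitlines()
    for (sdomain, tclass, perm, program), n in sorted(summarize_denials(lines).items()):
        print("%3d  %-12s %-12s %-12s (%s)" % (n, sdomain, tclass, perm, program))
    print("quiet boot" if is_quiet_boot(lines) else "noisy boot: check policy, labels and boot scripts")
```

Run against a real system, the same functions would be fed the kernel lines from `/var/log/messages` instead of the embedded sample. Keying the summary by domain, class and permission rather than by pid collapses the repeated `lsmod` denials into one line per domain, which is what you want when deciding whether a denial is a policy gap or just noise. Later kernels emit AVC messages through the audit subsystem with a different prefix (`type=AVC msg=audit(...): avc:  denied ...`), so the regular expression would need adjusting for them.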
