policy configuration problems

policy configuration problems

[lky]

[-- Attachment #1: Type: text/plain, Size: 1593 bytes --]

Hi, I have installed 2.4-based SELinux on Redhat9.0 and I want to eliminate the denied messages now. But there are several problems about my policy configuration.
First,there are still several system processes run within the initrc_t domain. I have moved up the .te files for these programes from the policy/domains/program/unused directory before building the policy and the pathname for these programs in the .fc files are right as well. Below is the 
associated messages with the command "ps -e --context":
--------------------------------------------------------------------------------------------------------------------
  PID CONTEXT                                  COMMAND
  925 system_u:system_r:initrc_t               portmap
  944 system_u:system_r:initrc_t               rpc.statd
 1054 system_u:system_r:initrc_t               xinetd -stayalive -reuse -pidfile
 1074 system_u:system_r:initrc_t               sendmail: accepting connections
 1083 system_u:system_r:initrc_t               sendmail: Queue runner@01:00:00 f
 1093 system_u:system_r:initrc_t               gpm -t imps2 -m /dev/mouse
 1103 system_u:system_r:initrc_t               /usr/sbin/cannaserver -syslog -u 
-------------------------------------------------------------------------------------------------------------------

The second problem is that I used the "newrule.pl -d" command to automaticaly generate the allow rules.But there is no effect after I append the rules in the associated .te files and run the command "make load". The same denied messages are still there.
Thanks a lot!


[-- Attachment #2: Type: text/html, Size: 3269 bytes --]

Re: policy configuration problems

[Tom]

On Thu, Oct 09, 2003 at 12:47:22AM +0800, lky wrote:
> Hi, I have installed 2.4-based SELinux on Redhat9.0 and I want to eliminate the denied messages now. But there are several problems about my policy configuration.
> First,there are still several system processes run within the initrc_t domain. I have moved up the .te files for these programes from the policy/domains/program/unused directory before building the policy and the pathname for these programs in the .fc files are right as well. Below is the 
> associated messages with the command "ps -e --context":

Check if the binaries are labelled correctly, i.e. do something like:

ls --context /usr/sbin/xinetd 
(or wherever it is installed in redhat)

it should be system_u:system_r:inetd_exec_t if I remember correctly. If
it's the generic :sbin_t then no transition happens.

same for the other programs.


-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: policy configuration problems

[lky]

> Check if the binaries are labelled correctly, i.e. do something like:
> 
> ls --context /usr/sbin/xinetd 
> (or wherever it is installed in redhat)
> 
> it should be system_u:system_r:inetd_exec_t if I remember correctly. If
> it's the generic :sbin_t then no transition happens.
> 
> same for the other programs.

Absolutely right! The file contexts aren't labelled correctly. After make relabel and append some allow rules the most programes run within their own domains and denied messages have been eliminated. Thanks!
------------------------------------------------------------------------
Another problem:
 I want to use webmin to configure the system remotely,but now the webmin daemon still run within the initrc_t domain. I didn't find the .te and .fc files under the policy/domain/program and /policy/file_context/ directories. Should I have to create a new domain and a new .fc file for the program?  I think it's fairly hard for me because webmin is a complicated program and I'm not very family with it. Is there any easier way I can take or can I add the webmin program to an existing domain? 
-------------------------------------------------------------------------
Another question:
I'm not sure about my policy configuration steps.After changing the policy I take the following steps:
1.make reload
2.create the initrd-xx.img file
3.reboot
4.make relabel
5.reboot
Is this the only way if I want to reboot with the new policy? Can I omit the 4 and 5 steps if I just move up the .te file from the unused directory and add some allow permissions? I don't know clearly when I must use "make relabel".
Thanks a lot!


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: policy configuration problems

[lky]

[-- Attachment #1: Type: text/plain, Size: 1660 bytes --]

> Check if the binaries are labelled correctly, i.e. do something like:
> 
> ls --context /usr/sbin/xinetd 
> (or wherever it is installed in redhat)
> 
> it should be system_u:system_r:inetd_exec_t if I remember correctly. If
> it's the generic :sbin_t then no transition happens.
> 
> same for the other programs.

Absolutely right! The file contexts aren't labelled correctly. After make relabel and append some allow rules the most programes run within their own domains and denied messages have been eliminated. Thanks!
------------------------------------------------------------------------
Another problem:
 I want to use webmin to configure the system remotely,but now the webmin daemon still run within the initrc_t domain. I didn't find the .te and .fc files under the policy/domain/program and /policy/file_context/ directories. Should I have to create a new domain and a new .fc file for the program?  I think it's fairly hard for me because webmin is a complicated program and I'm not very family with it. Is there any easier way I can take or can I add the webmin program to an existing domain? 
-------------------------------------------------------------------------
Another question:
I'm not sure about my policy configuration steps.After changing the policy I take the following steps:
1.make reload
2.create the initrd-xx.img file
3.reboot
4.make relabel
5.reboot
Is this the only way if I want to reboot with the new policy? Can I omit the 4 and 5 steps if I just move up the .te file from the unused directory and add some allow permissions? I don't know clearly when I must use "make relabel".
Thanks a lot!



[-- Attachment #2: Type: text/html, Size: 2117 bytes --]

Re: policy configuration problems

[Russell Coker]

On Fri, 10 Oct 2003 11:40, lky wrote:
> Absolutely right! The file contexts aren't labelled correctly. After make
> relabel and append some allow rules the most programes run within their own
> domains and denied messages have been eliminated. Thanks!

What allow rules did you have to add?  Some of them may be worth adding to the 
default policy (which will save you some effort in the future).

>  I want to use webmin to configure the system remotely,but now the webmin
> daemon still run within the initrc_t domain. I didn't find the .te and .fc
> files under the policy/domain/program and /policy/file_context/
> directories.

Correct, no-one has written policy for webmin.

> Should I have to create a new domain and a new .fc file for
> the program?

Yes.

> I think it's fairly hard for me because webmin is a
> complicated program and I'm not very family with it. Is there any easier
> way I can take or can I add the webmin program to an existing domain?

Probably not.  I suggest giving it a go.  If you get stuck then ask for some 
advice here.

> -------------------------------------------------------------------------
> Another question:
> I'm not sure about my policy configuration steps.After changing the policy
> I take the following steps: 1.make reload
> 2.create the initrd-xx.img file
> 3.reboot
> 4.make relabel
> 5.reboot

1 is necessary to get the policy installed and have it take affect.

2 is necessary to make it take affect on the next boot (but we are working on 
solutions to this problem).

3 should never be necessary unless you want to test things.

4 is only needed if you add a new .te file (which adds the .fc file to 
file_contexts) or if you edit any of the .fc files.  But in that case you can 
probable use the -s option to setfiles to get the labelling you need done in 
far less time.  Also the "reboot ; make relabel ; reboot" process is only 
needed for an initial install.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.