* Still no authentication from new debian packages
From: Dale Amon @ 2003-11-25 14:02 UTC
To: selinux
I've been working on this in the background for
many weeks now, trying to build an selinux
image disk that simply works when rsync'd. I've
<ahem> a bit more work ahead yet.
I'm still not getting past the problem with the
packages. I do not get the expected role prompt;
and newrole goes to the password file, which it
shouldn't.
This still looks like a wrong package set but everything
updates flawlessly from Russell's repository and I
cannot see any unexpected version numbers. I've got
another system that was built from Colin's old package
set some months ago and it works fine. I can't see
why one package set works and the other does not.
I'd like very much to compare notes with someone else
who has installed a virgin debian sid with Russell's
new selinux packages on top.
What is the most likely package to be the guilty
party?
Fortunately the -test10 kernel has made debugging
a bit easier on my test box... the NICs work now.
Before the only way to change a package was to
boot off an NFS floppy, flatten the whole fs (the
small boot kernel couldn't handle the xattr and
security attr) and rsync the entire disk. Let's just
say that it didn't require a lot of attention but
didn't allow for more than one or two test runs in
a day...
--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security
and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Still no authentication from new debian packages
From: Dale Amon @ 2003-11-25 18:19 UTC
To: selinux
Just to add a little more... I've been looking through
the newrole code and probing in /proc. I'm beginning
to think there is something wrong with the version of
login I have because I can't see how I could end up
logged in as root and be in system_u:system_r:local_login_t
(according to id and /proc/self/attr/current) afterwards.
* Re: Still no authentication from new debian packages
From: Dale Amon @ 2003-11-25 23:00 UTC
To: selinux
Thanks for the advice. I think by framing the question
in greater detail I gave myself an answer... of course
finally being able to access the net from the test machine
(because of kernel bug fixes) helped a bit!
It is the login package.
Russell's Release has a package that requires:
conflict login < 1:4.0.3-11.se1
Colin's package supplies a package that satisfies
that:
login 1:4.9.3-8.selinux.1
However, the sid distribution supplies a newer
package that both satisfies Russell's rules and
overrides Colin's version with one which does not
support selinux:
login 1:4.9.3-12
I have managed to get it working manually, now the
question becomes whether a virgin install with a
slightly modified preference will solve just this
without doing the bean-bag thing on me...
That system build will be in progress very shortly. Should
be ready for me to test tomorrow morning...
* Re: Still no authentication from new debian packages
From: Dale Amon @ 2003-11-25 23:11 UTC
To: selinux
On Tue, Nov 25, 2003 at 09:50:11PM +0100, Thomas Bleher wrote:
> I'm using Russel's packages on a new Debian install and am booting up
> fine in enforcing mode. The one thing I had to change in policy to be
> able to login was to add the line
>
> allow system_chkpwd_t tty_device_t:chr_file rw_file_perms;
>
> to macros/program/chkpwd_macros.te
>
> I also appended the line
> session required pam_selinux.so
> to /etc/pam.d/{login,ssh}
That is worth a look also. But I think Russell might
need to look into some of this... the object of what
I'm doing is not to get selinux working on this
machine per se. It's to verify that I can define a
full build process from bare disk to running selinux
with as little fiddling as possible.
I suspect I'll be annoying Russ with trivia for
quite some time.
* Re: Still no authentication from new debian packages
From: Russell Coker @ 2003-11-26 3:54 UTC
To: Dale Amon, selinux
On Wed, 26 Nov 2003 10:11, Dale Amon <amon@vnl.com> wrote:
> > I also appended the line
> > session required pam_selinux.so
> > to /etc/pam.d/{login,ssh}
>
> That is worth a look also. But I think Russell might
That is the right answer. An updated login or ssh package is no longer
needed.
I have to automate this somehow, unfortunately Debian policy prohibits
interfering with the configuration files of another package. Maybe I'll have
to do a diversion.
> I suspect I'll be annoying Russ with trivia for
> quite some time.
No probs. Tell me the problems and I'll fix them as fast as possible.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: Still no authentication from new debian packages
From: Dale Amon @ 2003-11-26 10:14 UTC
To: Russell Coker; +Cc: Dale Amon, selinux
On Wed, Nov 26, 2003 at 02:54:14PM +1100, Russell Coker wrote:
> On Wed, 26 Nov 2003 10:11, Dale Amon <amon@vnl.com> wrote:
> > > I also appended the line
> > > session required pam_selinux.so
> > > to /etc/pam.d/{login,ssh}
> >
> > That is worth a look also. But I think Russell might
>
> That is the right answer. An updated login or ssh package is no longer
> needed.
Well, I guess I could add a sed script to handle it for
me during the build. But then I'll forget about it, and
you'll fix it... and I'll break again and wonder what
happened. :-)
> I have to automate this somehow, unfortunately Debian policy prohibits
> interfering with the configuration files of another package. Maybe I'll have
> to do a diversion.
I don't know that this is true in general, inetd.conf
for example. Your addition looks like a single line
to be added/deleted with the install/purge of pam_selinux.so.
I should think you'd be okay there.
I often set some of my own house rules in pam so it
would be annoying if the existing files went poof... far
better to just edit with sed and make the minimal changes
required.
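The minimal add/remove edit Dale proposes scripting (and Russell wants to automate on install/purge), written here as an added example that is not code from the thread or from the Debian packages. It uses grep and printf instead of sed so the file is only appended to, never rewritten, and takes the PAM file path as a parameter so it can be tried on a copy before touching /etc/pam.d/{login,ssh}.

```shell
#!/bin/sh
# Added example (not from the thread): idempotently add or remove the
# "session required pam_selinux.so" entry in one PAM service file.
# Other lines in the file (local house rules included) are left intact.
PAM_LINE='session required pam_selinux.so'

# Exit 0 if the file already has an active (uncommented) pam_selinux
# session entry, whatever control flag it was given.
pam_selinux_present() {
    grep -Eq '^[[:space:]]*session[[:space:]]+[^#]*pam_selinux\.so' "$1"
}

# Append the entry exactly once; a second call is a no-op.
pam_selinux_add() {
    file=$1
    [ -f "$file" ] || return 1
    if pam_selinux_present "$file"; then
        return 0
    fi
    printf '%s\n' "$PAM_LINE" >> "$file"
}

# Remove only the exact line this script adds (the purge counterpart);
# a hand-edited pam_selinux entry with other options is left alone.
pam_selinux_remove() {
    file=$1
    [ -f "$file" ] || return 1
    tmp=$(mktemp) || return 1
    grep -Ev '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_selinux\.so[[:space:]]*$' \
        "$file" > "$tmp" || :
    cat "$tmp" > "$file"   # write in place so owner, mode and inode survive
    rm -f "$tmp"
}

# Line count helper used to show that repeated adds change nothing.
pam_line_count() {
    wc -l < "$1" | tr -d ' '
}
```

Run the functions against a copy of /etc/pam.d/login first and diff the result; the only expected difference is the single appended line.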
* Re: Still no authentication from new debian packages
From: Manoj Srivastava @ 2003-11-30 19:10 UTC
To: selinux
On Wed, 26 Nov 2003 14:54:14 +1100, Russell Coker <russell@coker.com.au> said:
> On Wed, 26 Nov 2003 10:11, Dale Amon <amon@vnl.com> wrote:
>> > I also appended the line
>> > session required pam_selinux.so
>> > to /etc/pam.d/{login,ssh}
>>
>> That is worth a look also. But I think Russell might
> That is the right answer. An updated login or ssh package is no
> longer needed.
> I have to automate this somehow, unfortunately Debian policy
> prohibits interfering with the configuration files of another
> package. Maybe I'll have to do a diversion.
I am afraid that diversions of conffiles may also be frowned
upon. The best solution I can think of is a NEWS.Debian file, and a
simple ed/sed/awk/perl utility that helps the sysadmin make these
changes. (Or create a sample /etc/pam.d/{login,ssh}.selinux set of
files, and ask the sysadmin to mv them over. Or something.)
manoj
--
"Science is to computer science as hydrodynamics is to plumbing." Stan
Kelly-Bootle, _Computer Language_, Oct 90
Manoj Srivastava <manoj.srivastava@stdc.com> <srivasta@acm.org>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
* Re: Still no authentication from new debian packages
From: Dale Amon @ 2003-11-30 21:40 UTC
To: Manoj Srivastava; +Cc: selinux
On Sun, Nov 30, 2003 at 01:10:24PM -0600, Manoj Srivastava wrote:
> I am afraid that diversions of conffiles may also be frowned
> upon. The best solution I can think of is a NEWS.Debian files, and a
> simple ed/sed/awk/perl utility that helps the sysadmin make these
> changes. (Or create a sample /etc/pam.d/{login,ssh}.selinux set of
> files, and ask the sysadmin to mv them over. Or something.
That's a pretty rotten solution IMHO. It won't affect
me personally all that much: I have my own meta-installation
system that unpacks debian and then just does to the
file system whatever I DWP... but for those poor newbies
out there, this kind of thing just raises the bar by yet
another notch.
We have to have a solution in which you install a basic
selinux system and It Just Works.
We all know it takes a great deal of expertise to fiddle
selinux. But I (and I think others here) do have hopes
that some way can be found to give much of its benefits
to people who are not 20 year unix heads.