* Attn Colin: Overhelpful /usr/sbin/policy-remove-unwanted
@ 2004-02-28 18:14 Dale Amon
  2004-02-29  2:44 ` Russell Coker
  0 siblings, 1 reply; 9+ messages in thread
From: Dale Amon @ 2004-02-28 18:14 UTC (permalink / raw)
  To: selinux

Colin's /usr/sbin/policy-remove-unwanted gets into trouble
when you are using syslog-ng and do not have klogd installed:

	Using policy installation method "Automatic"
	Copying the sample /usr/share/selinux/policy/current directory from
	/usr/share/selinux/policy/default
	Removal of unwanted policy files
	Removing "current/domains/program/gnome-pty-helper.te"
	Keeping "current/domains/program/checkpolicy.te"
	Keeping "current/domains/program/chkpwd.te"
	Keeping "current/domains/program/crond.te"
	Keeping "current/domains/program/crontab.te"
	Keeping "current/domains/program/fsadm.te"
	Keeping "current/domains/program/getty.te"
	Keeping "current/domains/program/ifconfig.te"
	Keeping "current/domains/program/init.te"
	Keeping "current/domains/program/initrc.te"
	Removing "current/domains/program/klogd.te"

I think he needs to special case this and either test
for syslog-ng if the .te to be removed is klogd and
klogd is not found; or else simply never remove klogd.te
under any circumstance.

This problem could pop up at other places under
Automatic install as there is an assumption of an
absolute correspondence between the xxxx.te and one or
more xxxxx*.deb packages. (Or that's what I get from
a quick read through of the code without figuring
out all the details.)

Colin? Pong... in your court! :-)

-- 
------------------------------------------------------
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Attn Colin: Overhelpful /usr/sbin/policy-remove-unwanted
  2004-02-28 18:14 Attn Colin: Overhelpful /usr/sbin/policy-remove-unwanted Dale Amon
@ 2004-02-29  2:44 ` Russell Coker
  2004-02-29  4:21   ` Dale Amon
  2004-02-29  4:26   ` Dale Amon
  0 siblings, 2 replies; 9+ messages in thread
From: Russell Coker @ 2004-02-29  2:44 UTC (permalink / raw)
  To: Dale Amon, selinux

On Sun, 29 Feb 2004 05:14, Dale Amon <amon@vnl.com> wrote:
> Colin's /usr/sbin/policy-remove-unwanted gets into trouble
> when you are using syslog-ng and do not have klogd installed:

The syslog.te file has policy to allow syslog-ng to perform klogd 
functionality.  Why don't you have syslogd working in that manner?

> I think he needs to special case this and either test
> for syslog-ng if the .te to be removed is klogd and
> klogd is not found; or else simply never remove klogd.te
> under any circumstance.

Making klogd.te depend on syslog-ng would be easy enough.  But why is it 
necessary?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



* Re: Attn Colin: Overhelpful /usr/sbin/policy-remove-unwanted
  2004-02-29  2:44 ` Russell Coker
@ 2004-02-29  4:21   ` Dale Amon
  2004-02-29  4:26   ` Dale Amon
  1 sibling, 0 replies; 9+ messages in thread
From: Dale Amon @ 2004-02-29  4:21 UTC (permalink / raw)
  To: Russell Coker; +Cc: Dale Amon, selinux

On Sun, Feb 29, 2004 at 01:44:28PM +1100, Russell Coker wrote:
> On Sun, 29 Feb 2004 05:14, Dale Amon <amon@vnl.com> wrote:
> > Colin's /usr/sbin/policy-remove-unwanted gets into trouble
> > when you are using syslog-ng and do not have klogd installed:
> 
> The syslog.te file has policy to allow syslog-ng to perform klogd 
> functionality.  Why don't you have syslogd working in that manner?

This is a pure clean install straight off the debian sid 
mirror. Total hands off. If it's broke, it's because it is
that way in the dist defaults.

> > I think he needs to special case this and either test
> > for syslog-ng if the .te to be removed is klogd and
> > klogd is not found; or else simply never remove klogd.te
> > under any circumstance.
> 
> Making klogd.te depend on syslog-ng would be easy enough.  But why is it 
> necessary?

Either that or figure out why the default install works
this way.

-- 
------------------------------------------------------
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------


* Re: Attn Colin: Overhelpful /usr/sbin/policy-remove-unwanted
  2004-02-29  2:44 ` Russell Coker
  2004-02-29  4:21   ` Dale Amon
@ 2004-02-29  4:26   ` Dale Amon
  2004-02-29  4:45     ` Russell Coker
  1 sibling, 1 reply; 9+ messages in thread
From: Dale Amon @ 2004-02-29  4:26 UTC (permalink / raw)
  To: Russell Coker; +Cc: Dale Amon, selinux

On Sun, Feb 29, 2004 at 01:44:28PM +1100, Russell Coker wrote:
> The syslog.te file has policy to allow syslog-ng to perform klogd 
> functionality.  Why don't you have syslogd working in that manner?

I just thought about what you said here. Are we on the
same page? The problem I'm seeing is to do with Colin's
script deciding to remove klogd.te because there is no
klogd debian package installed... which is because the 
debian syslog-ng package doesn't need the klogd package.

This causes a problem later because the POLICY files
require klogd.te regardless of whether there is a
klogd debian package or not.
 
-- 
------------------------------------------------------
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------


* Re: Attn Colin: Overhelpful /usr/sbin/policy-remove-unwanted
  2004-02-29  4:26   ` Dale Amon
@ 2004-02-29  4:45     ` Russell Coker
  2004-02-29 16:01       ` Dale Amon
  0 siblings, 1 reply; 9+ messages in thread
From: Russell Coker @ 2004-02-29  4:45 UTC (permalink / raw)
  To: Dale Amon; +Cc: selinux

On Sun, 29 Feb 2004 15:26, Dale Amon <amon@vnl.com> wrote:
> On Sun, Feb 29, 2004 at 01:44:28PM +1100, Russell Coker wrote:
> > The syslog.te file has policy to allow syslog-ng to perform klogd
> > functionality.  Why don't you have syslogd working in that manner?
>
> I just thought about what you said here. Are we on the
> same page? The problem I'm seeing is to do with Colin's
> script deciding to remove klogd.te because there is no
> klogd debian package installed... which is because the
> debian syslog-ng package doesn't need the klogd package.

That should be OK, the policy is written to support this.

> This causes a problem later because the POLICY files
> require klogd.te regardless of whether there is a
> klogd debian package or not.

What is the problem?  When I compile a policy without klogd (suitable for a 
syslog-ng system) it works.

Problems can't be fixed until they are correctly described.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



* Re: Attn Colin: Overhelpful /usr/sbin/policy-remove-unwanted
  2004-02-29  4:45     ` Russell Coker
@ 2004-02-29 16:01       ` Dale Amon
  2004-02-29 18:03         ` Russell Coker
  2004-03-01  5:06         ` Colin Walters
  0 siblings, 2 replies; 9+ messages in thread
From: Dale Amon @ 2004-02-29 16:01 UTC (permalink / raw)
  To: Russell Coker; +Cc: Dale Amon, selinux

On Sun, Feb 29, 2004 at 03:45:38PM +1100, Russell Coker wrote:
> On Sun, 29 Feb 2004 15:26, Dale Amon <amon@vnl.com> wrote:
> > On Sun, Feb 29, 2004 at 01:44:28PM +1100, Russell Coker wrote:
> > > The syslog.te file has policy to allow syslog-ng to perform klogd
> > > functionality.  Why don't you have syslogd working in that manner?
> >
> > I just thought about what you said here. Are we on the
> > same page? The problem I'm seeing is to do with Colin's
> > script deciding to remove klogd.te because there is no
> > klogd debian package installed... which is because the
> > debian syslog-ng package doesn't need the klogd package.
> 
> That should be OK, the policy is written to support this.
> 
> > This causes a problem later because the POLICY files
> > require klogd.te regardless of whether there is a
> > klogd debian package or not.
> 
> What is the problem?  When I compile a policy without klogd (suitable for a 
> syslog-ng system) it works.

After Colin's install script removes klogd.te, the policy build fails:

Using policy installation method "Automatic"
/usr/bin/checkpolicy:  loading policy configuration from /etc/security/selinux/src/policy.conf
ERROR 'unknown type klogd_t' at token ';' on line 39546:
#
neverallow ~klogd_t proc_kmsg_t:file ~{ getattr };
/usr/bin/checkpolicy:  error(s) encountered while parsing configuration
make: *** [/etc/security/selinux/policy.15] Error 1
dpkg: error processing selinux-policy-default (--configure):
 subprocess post-installation script returned error exit status 2
Errors were encountered while processing:
 selinux-policy-default

In my current scripts, I have a workaround: after the initial
failure I have an explicit cp to replace klogd.te; this allows
me to successfully complete the package install.

-- 
------------------------------------------------------
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------


* Re: Attn Colin: Overhelpful /usr/sbin/policy-remove-unwanted
  2004-02-29 16:01       ` Dale Amon
@ 2004-02-29 18:03         ` Russell Coker
  2004-03-01  5:06         ` Colin Walters
  1 sibling, 0 replies; 9+ messages in thread
From: Russell Coker @ 2004-02-29 18:03 UTC (permalink / raw)
  To: Dale Amon; +Cc: selinux

On Mon, 1 Mar 2004 03:01, Dale Amon <amon@vnl.com> wrote:
> > What is the problem?  When I compile a policy without klogd (suitable for
> > a syslog-ng system) it works.
>
> After Colin's install script removes klogd.te, the policy build fails:
>
> Using policy installation method "Automatic"
> /usr/bin/checkpolicy:  loading policy configuration from
> /etc/security/selinux/src/policy.conf ERROR 'unknown type klogd_t' at token
> ';' on line 39546:
> #
> neverallow ~klogd_t proc_kmsg_t:file ~{ getattr };
> /usr/bin/checkpolicy:  error(s) encountered while parsing configuration

I fixed this in my policy ages ago, below is the policy section in question 
(see the list archives for details).  What policy are you running?

ifdef(`klogd.te', `
neverallow ~klogd_t proc_kmsg_t:file ~stat_file_perms;
', `
ifdef(`syslogd.te', `
neverallow ~syslogd_t proc_kmsg_t:file ~stat_file_perms;
')dnl end if syslogd
')dnl end if klogd

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


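Russell's ifdef guard above fixes one statement; the broader hazard Dale raised in his first message is that a pruning script assumes each xxxx.te can be dropped whenever its package is absent, while other policy files may still hard-reference the types that file declares. The Python script below is an added example, not code from this thread or from either Debian policy package: it walks a constructed, miniature policy tree, records which .te file declares each *_t type with an explicit `type` statement, and reports every cross-file reference that is not wrapped in the then-branch of ifdef(`that-file.te', ...). The file names and contents are constructed for the illustration (the unguarded neverallow is the statement from the checkpolicy error, the guarded one is Russell's form); the real policy also declares types through m4 macros, which this checker does not expand.

```python
import re
from collections import defaultdict

# Constructed miniature policy tree (NOT the real Debian/NSA policy): the
# unguarded neverallow is the statement from the checkpolicy error in the
# thread, the guarded one is Russell's ifdef form.
POLICY_FILES = {
    "kernel.te": "type proc_kmsg_t, file_type;\n",
    "syslogd.te": "type syslogd_t, domain;\n",
    "klogd.te": (
        "type klogd_t, domain;\n"
        "allow klogd_t proc_kmsg_t:file read;\n"
    ),
    "assert_unguarded.te": "neverallow ~klogd_t proc_kmsg_t:file ~{ getattr };\n",
    "assert_guarded.te": (
        "ifdef(`klogd.te', `\n"
        "neverallow ~klogd_t proc_kmsg_t:file ~stat_file_perms;\n"
        "', `\n"
        "ifdef(`syslogd.te', `\n"
        "neverallow ~syslogd_t proc_kmsg_t:file ~stat_file_perms;\n"
        "')dnl end if syslogd\n"
        "')dnl end if klogd\n"
    ),
}

# One left-to-right pass over the m4-flavoured policy text yields four token kinds.
TOKEN = re.compile(
    r"ifdef\(`([^']+)',\s*`"            # group 1: ifdef(`x.te', ` opens the then-branch
    r"|',\s*`"                          #          ', ` switches to the else-branch
    r"|'\)"                             #          ') closes the innermost ifdef
    r"|\b([A-Za-z_][A-Za-z0-9_]*_t)\b"  # group 2: a type identifier such as klogd_t
)


def declared_types(files):
    """Map each type name to the .te file whose `type` statement declares it.
    Only explicit `type` statements are seen; m4 macros are not expanded."""
    owner = {}
    for name, text in files.items():
        for m in re.finditer(r"^\s*type\s+([A-Za-z0-9_]+)", text, re.M):
            owner[m.group(1)] = name
    return owner


def unguarded_references(files):
    """Return {declaring_file: {(referencing_file, type), ...}} for every
    cross-file type reference that is NOT inside the then-branch of
    ifdef(`declaring_file', ...), i.e. one that breaks if that file is pruned."""
    owner = declared_types(files)
    refs = defaultdict(set)
    for name, text in files.items():
        stack = []  # one [guard_file, inside_then_branch] entry per open ifdef
        for m in TOKEN.finditer(text):
            if m.group(1):
                stack.append([m.group(1), True])
            elif m.group(2):
                decl = owner.get(m.group(2))
                if decl is None or decl == name:
                    continue  # unknown type, or the file's own type
                if not any(g == decl and in_then for g, in_then in stack):
                    refs[decl].add((name, m.group(2)))
            elif m.group(0) == "')":
                if stack:
                    stack.pop()
            else:  # the ', ` separator: the rest of this ifdef is the else-branch
                if stack:
                    stack[-1][1] = False
    return dict(refs)


def removal_report(files, te_file):
    """Sorted 'referencing_file: type' lines that block removing te_file."""
    return sorted(f"{f}: {t}" for f, t in unguarded_references(files).get(te_file, ()))


def safe_to_remove(files, te_file):
    """True when nothing outside te_file hard-depends on the types it declares."""
    return not removal_report(files, te_file)


if __name__ == "__main__":
    for te in sorted(POLICY_FILES):
        blockers = removal_report(POLICY_FILES, te)
        print(f"{te}: {'safe' if not blockers else 'blocked by ' + ', '.join(blockers)}")
```

Run as-is, the script reports that klogd.te cannot be pruned because assert_unguarded.te references klogd_t outside any guard, while syslogd.te is safe; drop the unguarded file (or wrap its statement as Russell did) and klogd.te becomes safe too. A pruning step like policy-remove-unwanted could call this check before each deletion and keep the file when the report is non-empty.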

* Re: Attn Colin: Overhelpful /usr/sbin/policy-remove-unwanted
  2004-02-29 16:01       ` Dale Amon
  2004-02-29 18:03         ` Russell Coker
@ 2004-03-01  5:06         ` Colin Walters
  2004-03-01  9:43           ` Dale Amon
  1 sibling, 1 reply; 9+ messages in thread
From: Colin Walters @ 2004-03-01  5:06 UTC (permalink / raw)
  To: Dale Amon; +Cc: Russell Coker, selinux


On Sun, 2004-02-29 at 11:01, Dale Amon wrote:

> After Colin's install script removes klogd.te, the policy build fails:

Are you using my very old selinux-policy-default package?  You must be,
since Russell hasn't yet merged the smarter installation script into his
packages.  Anyways at this point, I strongly suggest using Russell's
policy packages.  Hopefully soon we'll get that script merged in.



* Re: Attn Colin: Overhelpful /usr/sbin/policy-remove-unwanted
  2004-03-01  5:06         ` Colin Walters
@ 2004-03-01  9:43           ` Dale Amon
  0 siblings, 0 replies; 9+ messages in thread
From: Dale Amon @ 2004-03-01  9:43 UTC (permalink / raw)
  To: Colin Walters; +Cc: Dale Amon, Russell Coker, selinux

On Mon, Mar 01, 2004 at 12:06:45AM -0500, Colin Walters wrote:
> > After Colin's install script removes klogd.te, the policy build fails:
> 
> Are you using my very old selinux-policy-default package?  You must be,
> since Russell hasn't yet merged the smarter installation script into his
> packages.  Anyways at this point, I strongly suggest using Russell's
> policy packages.  Hopefully soon we'll get that script merged in.

I have to have your script to do what I'm doing. It's
not an issue of 'just installing' selinux. I can do that.
It's the hands-off build I've been fiddling with for
some time. 

I've got a workaround for now, I just replace klogd.te after
the install 'Automatic' removes it. If you'd let me know when
the merge with your script occurs, I'd appreciate that greatly
as then I can back out the hacks I'm using and perhaps switch
entirely to Russ's repository.

Just so you know, this is what I have to do at present
to get a workable set for a hands-off build:

sources.list
--------------------
deb http://www.coker.com.au/newselinux/ ./
deb http://web.verbum.org/debian/ ./experimental/
deb http://ftp.nl.debian.org/debian/ sid main non-free contrib
deb http://ftp.nl.debian.org/debian-non-US sid/non-US main contrib non-free

preferences
--------------------
Package: *
Pin: release l=etbe
Pin-Priority: 1200

Package: *
Pin: release o=walters
Pin-Priority: 1100
 
If you or Russ think the problems are sorted, I'd be
happy to have a go at building entirely off his repository.
Note that I've not gotten around to switching over from
initrd to svinit boot procedures though. I'm doing this
as a background task as I'm quite busy with a job
right now. I just start up a test run of my autobuild
and go do real work for the next hour or two :-)

-- 
------------------------------------------------------
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------
