* SELinux on Debian (Sid), second try
From: Magnus Therning @ 2004-06-24 16:39 UTC (permalink / raw)
  To: selinux

Hi all!

I made an earlier attempt at installing SELinux on a Debian box, but got
stuck on the policy package. After that I got side tracked at work, then
the computer I was doing it on started exhibiting strange behaviour...
well, now I have some time to try again. Despite the computer being
fixed I've decided to start all over (it doesn't take that long anyway
(the rumour about Debian's unfriendly installer is grossly
exaggerated!)).

Anyway, I've come as far as installing Woody, then bringing it all up to
Sid. Now the questions start coming :-)

When following the instructions from the SF site[1] I notice that there
are basically two kinds of programs:

 1. SELinux related packages, libselinux1, etc.
 2. Additional packages, coreutils, etc.

Should they be installed in some specific order (i.e. SELinux packages
before the others, or the other way around)?

Does it matter when I install the kernel with SELinux support?

Can I install the SELinux packages (especially selinux-policy-default)
on a non-SELinux kernel? (I remember the install scripts running some
tools that are SELinux related, and that's where I got stuck the last
time.)

/M

P.S. The note about having to install the procps package seems to be
unnecessary. AFAICS I already have a procps package that supports
SELinux.

1. http://sourceforge.net/docman/display_doc.php?docid=20372&group_id=21266
-- 
-----------------------------------------------------------------------
Magnus Therning                 Philips Research Laboratories Eindhoven
Phone: +31 40 2745179           (OpenPGP: 0x4FBB2C40)

Maturity is when you quit blaming other people for your problems
     -- Craig Burton


* Re: SELinux on Debian (Sid), second try
From: Russell Coker @ 2004-06-25  9:08 UTC (permalink / raw)
  To: Magnus Therning; +Cc: selinux

On Fri, 25 Jun 2004 02:39, Magnus Therning <magnus-work@therning.org> wrote:
> Should they be installed in some specific order (i.e. SELinux packages
> before the others, or the other way around)?
>
> Does it matter when I install the kernel with SELinux support?

Install everything apart from selinux-policy-default and then boot the SE 
Linux kernel.  Then install selinux-policy-default last and reboot.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: SELinux on Debian (Sid), second try
From: Magnus Therning @ 2004-06-28  9:42 UTC (permalink / raw)
  To: selinux

On Fri, Jun 25, 2004 at 07:08:56PM +1000, Russell Coker wrote:
>On Fri, 25 Jun 2004 02:39, Magnus Therning <magnus-work@therning.org> wrote:
>> Should they be installed in some specific order (i.e. SELinux packages
>> before the others, or the other way around)?
>>
>> Does it matter when I install the kernel with SELinux support?
>
>Install everything apart from selinux-policy-default and then boot the
>SE Linux kernel.  Then install selinux-policy-default last and reboot.

Everything goes well until I get to the selinux-policy-default package.
The version I get is 1:1.12-3 (from Sid). The installation ends with the
following:

make: *** /etc/selinux: No such file or directory.  Stop.
run-parts: /etc/dpkg/postinst.d/selinux exited with return code 2
"/bin/run-parts --arg=selinux-policy-default /etc/dpkg/postinst.d" failed: 256
dpkg: error processing selinux-policy-default (--configure):
 1Error running trigger postinst: No such file or directory
Errors were encountered while processing:
 selinux-policy-default
E: Sub-process /usr/bin/dpkg returned error code (1)


Indeed, there is no directory called /etc/selinux. When should it have
been created? (By what package?)

I've tried to keep track of all the steps I've taken, and all packages
that have been installed as a result of them, when trying to convert a
Sid system to SELinux. Let me know if you need any more info regarding
versions of packages and so on.

/M

-- 
-----------------------------------------------------------------------
Magnus Therning                 Philips Research Laboratories Eindhoven
Phone: +31 40 2745179           (OpenPGP: 0x4FBB2C40)

You can't depend on your judgement when your imagination is out of focus.
     -- Mark Twain


* Re: SELinux on Debian (Sid), second try
From: Russell Coker @ 2004-06-28 13:47 UTC (permalink / raw)
  To: Magnus Therning; +Cc: selinux

On Mon, 28 Jun 2004 19:42, Magnus Therning <magnus-work@therning.org> wrote:
> Everything goes well until I get to the selinux-policy-default package.
> The version I get is 1:1.12-3 (from Sid). The installation ends with the
> following:
>
> make: *** /etc/selinux: No such file or directory.  Stop.
> run-parts: /etc/dpkg/postinst.d/selinux exited with return code 2
> "/bin/run-parts --arg=selinux-policy-default /etc/dpkg/postinst.d" failed:
> 256 dpkg: error processing selinux-policy-default (--configure):
>  1Error running trigger postinst: No such file or directory
> Errors were encountered while processing:
>  selinux-policy-default
> E: Sub-process /usr/bin/dpkg returned error code (1)
>
>
> Indeed, there is no directory called /etc/selinux. When should it have
> been created? (By what package?)

/etc/selinux is supposed to be a sym-link 
to /usr/share/selinux/policy/current/ .

Does /usr/share/selinux/policy/current/ exist?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


* Re: SELinux on Debian (Sid), second try
From: Magnus Therning @ 2004-06-28 15:04 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux

On Mon, Jun 28, 2004 at 11:47:41PM +1000, Russell Coker wrote:
>On Mon, 28 Jun 2004 19:42, Magnus Therning <magnus-work@therning.org> wrote:
>> Everything goes well until I get to the selinux-policy-default package.
>> The version I get is 1:1.12-3 (from Sid). The installation ends with the
>> following:
>>
>> make: *** /etc/selinux: No such file or directory.  Stop.
>> run-parts: /etc/dpkg/postinst.d/selinux exited with return code 2
>> "/bin/run-parts --arg=selinux-policy-default /etc/dpkg/postinst.d" failed:
>> 256 dpkg: error processing selinux-policy-default (--configure):
>>  1Error running trigger postinst: No such file or directory
>> Errors were encountered while processing:
>>  selinux-policy-default
>> E: Sub-process /usr/bin/dpkg returned error code (1)
>>
>>
>> Indeed, there is no directory called /etc/selinux. When should it have
>> been created? (By what package?)
>
>/etc/selinux is supposed to be a sym-link 
>to /usr/share/selinux/policy/current/ .
>
>Does /usr/share/selinux/policy/current/ exist?

Nope, it doesn't. All I have is /usr/share/selinux/policy/default/

/M

-- 
Magnus Therning  Philips Research  +31-40-2745179
WDC2.52, Prof. Holstlaan 4, 5656AA Eindhoven, The Netherlands
mailto:therning@gforge.natlab.research.philips.com  OpenPGP:0x4FBB2C40
http://pww.innersource.philips.com/magnus/

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic.
     -- Anonymous


* Re: SELinux on Debian (Sid), second try
From: Russell Coker @ 2004-06-29  5:33 UTC (permalink / raw)
  To: Magnus Therning; +Cc: selinux

On Tue, 29 Jun 2004 01:04, Magnus Therning <magnus-work@therning.org> wrote:
> >/etc/selinux is supposed to be a sym-link
> >to /usr/share/selinux/policy/current/ .
> >
> >Does /usr/share/selinux/policy/current/ exist?
>
> Nope, it doesn't. All I have is /usr/share/selinux/policy/default/

Change line 12 of /etc/dpkg/postinst.d/selinux to be the following and things 
should work.  I'll upload a new version of selinux-policy-default to fix this 
shortly.

  if grep -q selinuxfs /proc/mounts && test -e /etc/selinux ; then


-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


* Re: SELinux on Debian (Sid), second try
From: Magnus Therning @ 2004-06-29  8:59 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux

On Tue, Jun 29, 2004 at 03:33:09PM +1000, Russell Coker wrote:
>On Tue, 29 Jun 2004 01:04, Magnus Therning <magnus-work@therning.org> wrote:
>> >/etc/selinux is supposed to be a sym-link
>> >to /usr/share/selinux/policy/current/ .
>> >
>> >Does /usr/share/selinux/policy/current/ exist?
>>
>> Nope, it doesn't. All I have is /usr/share/selinux/policy/default/
>
>Change line 12 of /etc/dpkg/postinst.d/selinux to be the following and
>things should work.  I'll upload a new version of
>selinux-policy-default to fix this shortly.
>if grep -q selinuxfs /proc/mounts && test -e /etc/selinux ; then

That got me a bit further. I get asked a slew of questions about domains
:-) After answering them to the best of my ability (this is to be a test
setup only, so I answer yes to a lot of stuff) I get stuck at the
following:

Installing the new SE Linux policy
mount: none already mounted or /selinux busy
dpkg: error processing selinux-policy-default (--configure):
 subprocess post-installation script returned error exit status 32
Errors were encountered while processing:
 selinux-policy-default
E: Sub-process /usr/bin/dpkg returned error code (1)

/M

-- 
Magnus Therning  Philips Research  +31-40-2745179
WDC2.52, Prof. Holstlaan 4, 5656AA Eindhoven, The Netherlands
mailto:therning@gforge.natlab.research.philips.com  OpenPGP:0x4FBB2C40
http://pww.innersource.philips.com/magnus/

Finagle's Fourth Law:
Once a job is fouled up, anything done to improve it only makes it
worse.


* Re: SELinux on Debian (Sid), second try
From: Magnus Therning @ 2004-06-30  8:29 UTC (permalink / raw)
  To: selinux; +Cc: Russell Coker

On Tue, Jun 29, 2004 at 10:59:28AM +0200, Magnus Therning wrote:
>On Tue, Jun 29, 2004 at 03:33:09PM +1000, Russell Coker wrote:
>>On Tue, 29 Jun 2004 01:04, Magnus Therning <magnus-work@therning.org> wrote:
>>> >/etc/selinux is supposed to be a sym-link
>>> >to /usr/share/selinux/policy/current/ .
>>> >
>>> >Does /usr/share/selinux/policy/current/ exist?
>>>
>>> Nope, it doesn't. All I have is /usr/share/selinux/policy/default/
>>
>>Change line 12 of /etc/dpkg/postinst.d/selinux to be the following and
>>things should work.  I'll upload a new version of
>>selinux-policy-default to fix this shortly.
>>if grep -q selinuxfs /proc/mounts && test -e /etc/selinux ; then
>
>That got me a bit further. I get asked a slew of questions about domains
>:-) After answering them to the best of my ability (this is to be a test
>setup only, so I answer yes to a lot of stuff) I get stuck at the
>following:
>
>Installing the new SE Linux policy
>mount: none already mounted or /selinux busy
>dpkg: error processing selinux-policy-default (--configure):
> subprocess post-installation script returned error exit status 32
>Errors were encountered while processing:
> selinux-policy-default
>E: Sub-process /usr/bin/dpkg returned error code (1)

Some more information (that might be interesting).

/etc/fstab has an entry like this:

 none /selinux selinuxfs noauto 0 0

'mount' doesn't report it mounted though. Should it?

Calling 'mount /selinux' results in

 mount: none already mounted or /selinux busy

'ls /selinux' reveals that it already is populated with the following:

total 0
-rw-rw-rw-    1 root     root            0 Jun 28 13:35 access
dr-xr-xr-x    1 root     root            0 Jun 28 13:35 booleans
--w-------    1 root     root            0 Jun 28 13:35 commit_pending_bools
-rw-rw-rw-    1 root     root            0 Jun 28 13:35 context
-rw-rw-rw-    1 root     root            0 Jun 28 13:35 create
--w-------    1 root     root            0 Jun 28 13:35 disable
-rw-r--r--    1 root     root            0 Jun 28 13:35 enforce
-rw-------    1 root     root            0 Jun 28 13:35 load
-r--r--r--    1 root     root            0 Jun 28 13:35 mls
-r--r--r--    1 root     root            0 Jun 28 13:35 policyvers
-rw-rw-rw-    1 root     root            0 Jun 28 13:35 relabel
-rw-rw-rw-    1 root     root            0 Jun 28 13:35 user

/M

-- 
-----------------------------------------------------------------------
Magnus Therning                 Philips Research Laboratories Eindhoven
Phone: +31 40 2745179           (OpenPGP: 0x4FBB2C40)

Advice is what we ask for when we already know the answer but wish we
didn't.
     -- Erica Jong


* Re: SELinux on Debian (Sid), second try
From: Valdis.Kletnieks @ 2004-06-30 20:22 UTC (permalink / raw)
  To: Magnus Therning; +Cc: selinux, Russell Coker

On Wed, 30 Jun 2004 10:29:35 +0200, Magnus Therning said:

> Some more information (that might be interesting).
> 
> /etc/fstab has an entry like this:
> 
>  none /selinux selinuxfs noauto 0 0
> 
> 'mount' doesn't report it mounted though. Should it?

Sounds like it gets mounted before / gets remounted R/W, so
the mount isn't recorded in /etc/mtab.  Poke around in whatever Debian
uses as a /etc/rc.sysinit or similar, and there's probably a block of
calls that look something like:

# Enter root, /proc and (potentially) /proc/bus/usb and devfs into mtab.
mount -f /
mount -f /proc
mount -f /sys >/dev/null 2>&1 
mount -f /dev/pts
[ -f /proc/bus/usb/devices ] && mount -f -t usbdevfs usbdevfs /proc/bus/usb
[ -e /dev/.devfsd ] && mount -f -t devfs devfs /dev

(That's what Fedora Core 2 has).  If you have such a block, does adding:

mount -f /selinux

to it make things work as expected, or at least more like it?


* Re: SELinux on Debian (Sid), second try
From: Stephen Smalley @ 2004-07-07 16:05 UTC (permalink / raw)
  To: Magnus Therning; +Cc: selinux, Russell Coker

On Wed, 2004-06-30 at 04:29, Magnus Therning wrote:
> Some more information (that might be interesting).
> 
> /etc/fstab has an entry like this:
> 
>  none /selinux selinuxfs noauto 0 0
> 
> 'mount' doesn't report it mounted though. Should it?
> 
> Calling 'mount /selinux' results in
> 
>  mount: none already mounted or /selinux busy

selinuxfs is mounted by /sbin/init for the initial policy load these
days, so it is no longer necessary (or useful) to add it to fstab and it
won't show up in mtab.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: SELinux on Debian (Sid), second try
From: Russell Coker @ 2004-07-08  9:08 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Magnus Therning, selinux

On Thu, 8 Jul 2004 02:05, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> selinuxfs is mounted by /sbin/init for the initial policy load these
> days, so it is no longer necessary (or useful) to add it to fstab and it
> won't show up in mtab.

I think that it is useful to have it in /etc/fstab.  Then if you are booting 
with init=/bin/bash to recover a system it's slightly less inconvenient.

With a "noauto" option in the fstab file and no permission to mount it twice 
there shouldn't be any problems.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
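
Added example (not part of any message in this thread, and not the package's
own script): a sketch of the two checks the thread turns on, namely reading the
kernel's mount table instead of mtab to see whether selinuxfs is mounted, and
the "mounted and policy directory exists" guard quoted above. The function
names and the sample files are hypothetical and constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread. All function names are hypothetical.
# File paths are parameters so the checks run on constructed sample files.

# selinuxfs_in FILE: succeed if FILE (in /proc/mounts or mtab format) has an
# entry whose third field, the filesystem type, is exactly "selinuxfs".
# This is stricter than the substring match of "grep -q selinuxfs".
selinuxfs_in() {
    [ -r "$1" ] || return 1
    awk '$3 == "selinuxfs" { found = 1 } END { exit !found }' "$1"
}

# selinuxfs_state PROC_MOUNTS MTAB: compare the kernel's mount table with mtab.
selinuxfs_state() {
    if selinuxfs_in "$1"; then
        if selinuxfs_in "$2"; then
            echo "mounted"
        else
            echo "mounted-not-in-mtab"
        fi
    else
        echo "not-mounted"
    fi
}

# policy_load_ok PROC_MOUNTS POLICY_DIR: same two conditions as the guard
# quoted in the thread. "test -e" follows symlinks, so a link whose target is
# missing counts as absent.
policy_load_ok() {
    selinuxfs_in "$1" && test -e "$2"
}

# make_sample: build constructed sample files in a temp dir and print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '/dev/hda1 / ext3 rw 0 0' 'proc /proc proc rw 0 0' \
        'none /selinux selinuxfs rw 0 0' > "$d/proc_mounts"
    printf '%s\n' '/dev/hda1 / ext3 rw 0 0' 'proc /proc proc rw 0 0' > "$d/mtab"
    mkdir "$d/default"
    ln -s "$d/default" "$d/link_ok"
    ln -s "$d/current" "$d/link_dangling"    # target is never created
    echo "$d"
}

d=$(make_sample) && {
    echo "selinuxfs: $(selinuxfs_state "$d/proc_mounts" "$d/mtab")"
    for link in link_ok link_dangling; do
        if policy_load_ok "$d/proc_mounts" "$d/$link"; then
            echo "$link: load policy"
        else
            echo "$link: skip policy load"
        fi
    done
    rm -rf "$d"
}
```

On a live system the first argument would be /proc/mounts, the second /etc/mtab
and the policy path /etc/selinux.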
