* ext3 security labels missing
@ 2009-02-20  7:04 ` Justin Mattock
  0 siblings, 0 replies; 13+ messages in thread
From: Justin Mattock @ 2009-02-20  7:04 UTC (permalink / raw)
  To: SE-Linux, tresys

I've a strange issue.
with my experimental learning machine(LFS)
I'm able to load the policy etc.. but have no labels
on my files.(just a question mark);


ls -lZ shows

drwxr-xr-x   2 root root ?  4096 Feb 18 11:19 bin
drwxr-xr-x   3 root root ?  4096 Feb 19 22:36 boot
lrwxrwxrwx   1 root  999 ?    11 Feb  9 16:34 cdrom -> media/cdrom
drwxr-xr-x  17 root root ?  4120 Feb 19 22:42 dev
drwxr-xr-x  28 root root ?  4096 Feb 19 22:47 etc
drwxr-xr-x   4 root root ?  4096 Feb 19 22:36 home
drwxr-xr-x   4 root root ?  4096 Feb 18 11:19 include
drwxr-xr-x  10 root root ?  4096 Feb 19 18:52 lib
drwx------   2 root root ? 16384 Feb  9 16:34 lost+found
drwxr-xr-x   3 root root ?  4096 Feb 19 22:42 media
drwxr-xr-x   3 root root ?  4096 Feb 11 12:09 mnt
drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 opt
dr-xr-xr-x 113 root root ?     0 Feb 19 22:42 proc
drwxr-xr-x   5 root root ?  4096 Feb 18 11:24 root
drwxr-xr-x   2 root root ?  4096 Feb 19 21:11 sbin
drwxr-xr-x   7 root root ?     0 Feb 19 22:42 selinux
drwxr-xr-x   8 root root ?  4096 Feb 18 11:19 share
drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 srv
drwxr-xr-x  12 root root ?     0 Feb 19 22:42 sys
drwxrwxrwt   5 root root ?  4096 Feb 19 22:50 tmp
drwxr-xr-x   6 root root ?  4096 Feb 11 12:05 tools
drwxr-xr-x  14 root root ?  4096 Feb 14 10:09 usr
drwxr-xr-x  10 root root ?  4096 Feb 18 22:31 var
lrwxrwxrwx   1 root root ?    24 Feb 10 13:11 vmlinuz ->
/boot/vmlinuz-2.6.29-rc4

if I do a id -Z I get:
id: --context (-Z) works only on an SELinux-enabled kernel
(but it is enabled in the kernel)

From looking back, I enabled as much as possible in any app/lib I was compiling
that provided selinux support (libc, xserver, hal, dbus, etc.).
But I could be missing an important app/lib that might make the security labels
give the proper label. By chance, if anybody has experienced this and/or knows
what might be going on, it would be really appreciated.

regards;

-- 
Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: ext3 security labels missing
  2009-02-20  7:04 ` [refpolicy] " Justin Mattock
@ 2009-02-20  7:42 ` Dennis Wronka
From: Dennis Wronka @ 2009-02-20  7:42 UTC (permalink / raw)
  To: Justin Mattock; +Cc: SE-Linux, tresys


Might it be possible that you didn't enable support for security labels when 
compiling the kernel?
Check Filesystems -> Ext3 Security Labels

Also, when installing LFS with SELinux, did you compile GLibC twice?
I first compile it without SELinux, afterwards the SELinux libraries, so that 
those can link against GLibC, and then GLibC again, with SELinux support that 
time.
I don't know, though, whether having a GLibC that isn't aware of SELinux would 
be any issue.
But I, for myself, found that the safest way seems to be to add an extra 
compile of GLibC to the install after installing the SELinux libs.

On Friday 20 February 2009 15:04:54 Justin Mattock wrote:
> I've a strange issue.
> with my experimental learning machine(LFS)
> I'm able to load the policy etc.. but have no labels
> on my files.(just a question mark);
>
>
> ls -lZ shows
>
> drwxr-xr-x   2 root root ?  4096 Feb 18 11:19 bin
> drwxr-xr-x   3 root root ?  4096 Feb 19 22:36 boot
> lrwxrwxrwx   1 root  999 ?    11 Feb  9 16:34 cdrom -> media/cdrom
> drwxr-xr-x  17 root root ?  4120 Feb 19 22:42 dev
> drwxr-xr-x  28 root root ?  4096 Feb 19 22:47 etc
> drwxr-xr-x   4 root root ?  4096 Feb 19 22:36 home
> drwxr-xr-x   4 root root ?  4096 Feb 18 11:19 include
> drwxr-xr-x  10 root root ?  4096 Feb 19 18:52 lib
> drwx------   2 root root ? 16384 Feb  9 16:34 lost+found
> drwxr-xr-x   3 root root ?  4096 Feb 19 22:42 media
> drwxr-xr-x   3 root root ?  4096 Feb 11 12:09 mnt
> drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 opt
> dr-xr-xr-x 113 root root ?     0 Feb 19 22:42 proc
> drwxr-xr-x   5 root root ?  4096 Feb 18 11:24 root
> drwxr-xr-x   2 root root ?  4096 Feb 19 21:11 sbin
> drwxr-xr-x   7 root root ?     0 Feb 19 22:42 selinux
> drwxr-xr-x   8 root root ?  4096 Feb 18 11:19 share
> drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 srv
> drwxr-xr-x  12 root root ?     0 Feb 19 22:42 sys
> drwxrwxrwt   5 root root ?  4096 Feb 19 22:50 tmp
> drwxr-xr-x   6 root root ?  4096 Feb 11 12:05 tools
> drwxr-xr-x  14 root root ?  4096 Feb 14 10:09 usr
> drwxr-xr-x  10 root root ?  4096 Feb 18 22:31 var
> lrwxrwxrwx   1 root root ?    24 Feb 10 13:11 vmlinuz ->
> /boot/vmlinuz-2.6.29-rc4
>
> if I do a id -Z I get:
> id: --context (-Z) works only on an SELinux-enabled kernel
> (but it is enabled in the kernel)
>
> From looking back, I enabled as much as possible in any app/lib I was
> compiling
> that provided selinux support.(libc,xserver,hal,dbus, etc..);
> But could be missing an important app/lib that might make the security
> labels give the proper label. by chance if anybody had experienced this
> and/or knows what might be going on,(would be really appreciated).
>
> regards;




* Re: ext3 security labels missing
  2009-02-20  7:04 ` [refpolicy] " Justin Mattock
@ 2009-02-20 14:14   ` Stephen Smalley
From: Stephen Smalley @ 2009-02-20 14:14 UTC (permalink / raw)
  To: Justin Mattock; +Cc: SE-Linux, tresys

On Thu, 2009-02-19 at 23:04 -0800, Justin Mattock wrote:
> I've a strange issue.
> with my experimental learning machine(LFS)
> I'm able to load the policy etc.. but have no labels
> on my files.(just a question mark);
> 
> 
> ls -lZ shows
> 
> drwxr-xr-x   2 root root ?  4096 Feb 18 11:19 bin
> drwxr-xr-x   3 root root ?  4096 Feb 19 22:36 boot
> lrwxrwxrwx   1 root  999 ?    11 Feb  9 16:34 cdrom -> media/cdrom
> drwxr-xr-x  17 root root ?  4120 Feb 19 22:42 dev
> drwxr-xr-x  28 root root ?  4096 Feb 19 22:47 etc
> drwxr-xr-x   4 root root ?  4096 Feb 19 22:36 home
> drwxr-xr-x   4 root root ?  4096 Feb 18 11:19 include
> drwxr-xr-x  10 root root ?  4096 Feb 19 18:52 lib
> drwx------   2 root root ? 16384 Feb  9 16:34 lost+found
> drwxr-xr-x   3 root root ?  4096 Feb 19 22:42 media
> drwxr-xr-x   3 root root ?  4096 Feb 11 12:09 mnt
> drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 opt
> dr-xr-xr-x 113 root root ?     0 Feb 19 22:42 proc
> drwxr-xr-x   5 root root ?  4096 Feb 18 11:24 root
> drwxr-xr-x   2 root root ?  4096 Feb 19 21:11 sbin
> drwxr-xr-x   7 root root ?     0 Feb 19 22:42 selinux
> drwxr-xr-x   8 root root ?  4096 Feb 18 11:19 share
> drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 srv
> drwxr-xr-x  12 root root ?     0 Feb 19 22:42 sys
> drwxrwxrwt   5 root root ?  4096 Feb 19 22:50 tmp
> drwxr-xr-x   6 root root ?  4096 Feb 11 12:05 tools
> drwxr-xr-x  14 root root ?  4096 Feb 14 10:09 usr
> drwxr-xr-x  10 root root ?  4096 Feb 18 22:31 var
> lrwxrwxrwx   1 root root ?    24 Feb 10 13:11 vmlinuz ->
> /boot/vmlinuz-2.6.29-rc4
> 
> if I do a id -Z I get:
> id: --context (-Z) works only on an SELinux-enabled kernel
> (but it is enabled in the kernel)

sestatus shows what?

To be fully "enabled" as far as userspace is concerned, SELinux has to
be:
- enabled in your kernel build,
- enabled at boot,
- policy has to be loaded

grep SELINUX .config
cat /etc/selinux/config
dmesg | grep SELinux

> From looking back, I enabled as much as possible in any app/lib I was compiling
> that provided selinux support.(libc,xserver,hal,dbus, etc..);
> But could be missing an important app/lib that might make the security labels
> give the proper label. by chance if anybody had experienced this and/or knows
> what might be going on,(would be really appreciated).
> 
> regards;
> 
-- 
Stephen Smalley
National Security Agency



* Re: ext3 security labels missing
  2009-02-20 14:14   ` [refpolicy] " Stephen Smalley
@ 2009-02-20 15:03     ` Justin Mattock
From: Justin Mattock @ 2009-02-20 15:03 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SE-Linux, tresys

On Fri, Feb 20, 2009 at 6:14 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Thu, 2009-02-19 at 23:04 -0800, Justin Mattock wrote:
>> I've a strange issue.
>> with my experimental learning machine(LFS)
>> I'm able to load the policy etc.. but have no labels
>> on my files.(just a question mark);
>>
>>
>> ls -lZ shows
>>
>> drwxr-xr-x   2 root root ?  4096 Feb 18 11:19 bin
>> drwxr-xr-x   3 root root ?  4096 Feb 19 22:36 boot
>> lrwxrwxrwx   1 root  999 ?    11 Feb  9 16:34 cdrom -> media/cdrom
>> drwxr-xr-x  17 root root ?  4120 Feb 19 22:42 dev
>> drwxr-xr-x  28 root root ?  4096 Feb 19 22:47 etc
>> drwxr-xr-x   4 root root ?  4096 Feb 19 22:36 home
>> drwxr-xr-x   4 root root ?  4096 Feb 18 11:19 include
>> drwxr-xr-x  10 root root ?  4096 Feb 19 18:52 lib
>> drwx------   2 root root ? 16384 Feb  9 16:34 lost+found
>> drwxr-xr-x   3 root root ?  4096 Feb 19 22:42 media
>> drwxr-xr-x   3 root root ?  4096 Feb 11 12:09 mnt
>> drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 opt
>> dr-xr-xr-x 113 root root ?     0 Feb 19 22:42 proc
>> drwxr-xr-x   5 root root ?  4096 Feb 18 11:24 root
>> drwxr-xr-x   2 root root ?  4096 Feb 19 21:11 sbin
>> drwxr-xr-x   7 root root ?     0 Feb 19 22:42 selinux
>> drwxr-xr-x   8 root root ?  4096 Feb 18 11:19 share
>> drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 srv
>> drwxr-xr-x  12 root root ?     0 Feb 19 22:42 sys
>> drwxrwxrwt   5 root root ?  4096 Feb 19 22:50 tmp
>> drwxr-xr-x   6 root root ?  4096 Feb 11 12:05 tools
>> drwxr-xr-x  14 root root ?  4096 Feb 14 10:09 usr
>> drwxr-xr-x  10 root root ?  4096 Feb 18 22:31 var
>> lrwxrwxrwx   1 root root ?    24 Feb 10 13:11 vmlinuz ->
>> /boot/vmlinuz-2.6.29-rc4
>>
>> if I do a id -Z I get:
>> id: --context (-Z) works only on an SELinux-enabled kernel
>> (but it is enabled in the kernel)
>
> sestatus shows what?
>
> To be fully "enabled" as far as userspace is concerned, SELinux has to
> be:
> - enabled in your kernel build,
> - enabled at boot,
> - policy has to be loaded
>
> grep SELINUX .config
> cat /etc/selinux/config
> dmesg | grep SELinux
>
>> From looking back, I enabled as much as possible in any app/lib I was compiling
>> that provided selinux support.(libc,xserver,hal,dbus, etc..);
>> But could be missing an important app/lib that might make the security labels
>> give the proper label. by chance if anybody had experienced this and/or knows
>> what might be going on,(would be really appreciated).
>>
>> regards;
>>
> --
> Stephen Smalley
> National Security Agency
>
>

Thanks for the reply.
here's what /usr/sbin/sestatus -vv says:

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 22
Policy from config file:        refpolicy

Process contexts:
Current context:                system_u:system_r:local_login_t
Init context:                   system_u:system_r:init_t

File contexts:
Controlling term:               system_u:object_r:devpts_t
/etc/passwd                     system_u:object_r:etc_t
/bin/bash                       system_u:object_r:shell_exec_t
/bin/login                      system_u:object_r:login_exec_t
/bin/sh                         system_u:object_r:bin_t ->
system_u:object_r:shell_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/sbin/init                      system_u:object_r:init_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t ->
system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t ->
system_u:object_r:ld_so_t

I think this is some aterm, xproto, etc. library/app (that I forgot to install)
that's responsible for displaying the security label info in the
shell. (Example: when I use
audit2allow -d, I generate the correct security allow rules;
running make relabel in the policy source directory reacts as it should.)

As for setting any options in the kernel: no,
I left everything as I've had it in the past.
As for enabling everything: yes,
- enabled in your kernel build,
- enabled at boot,
- policy has to be loaded

I'll try adding these rules into the policy regardless of a
broken proto/low level communications thing.
Didn't mean to cause any heat.

regards;

-- 
Justin P. Mattock


* Re: ext3 security labels missing
  2009-02-20 15:03     ` [refpolicy] " Justin Mattock
@ 2009-02-20 15:20     ` Dennis Wronka
  2009-02-20 23:10       ` Justin Mattock
From: Dennis Wronka @ 2009-02-20 15:20 UTC (permalink / raw)
  To: Justin Mattock; +Cc: SE-Linux


Are the coreutils compiled with SELinux support?
I just gave it a quick check and found that the -Z option is available in both 
id and ls even when coreutils has been built without the SELinux 
libraries actually available.

Could you check this:
ldd $(which ls)

This should show up a reference to libselinux.so.1
If this reference is missing then I'd suggest recompiling the coreutils.

On Friday 20 February 2009 23:03:37 you wrote:
> On Fri, Feb 20, 2009 at 6:14 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > On Thu, 2009-02-19 at 23:04 -0800, Justin Mattock wrote:
> >> I've a strange issue.
> >> with my experimental learning machine(LFS)
> >> I'm able to load the policy etc.. but have no labels
> >> on my files.(just a question mark);
> >>
> >>
> >> ls -lZ shows
> >>
> >> drwxr-xr-x   2 root root ?  4096 Feb 18 11:19 bin
> >> drwxr-xr-x   3 root root ?  4096 Feb 19 22:36 boot
> >> lrwxrwxrwx   1 root  999 ?    11 Feb  9 16:34 cdrom -> media/cdrom
> >> drwxr-xr-x  17 root root ?  4120 Feb 19 22:42 dev
> >> drwxr-xr-x  28 root root ?  4096 Feb 19 22:47 etc
> >> drwxr-xr-x   4 root root ?  4096 Feb 19 22:36 home
> >> drwxr-xr-x   4 root root ?  4096 Feb 18 11:19 include
> >> drwxr-xr-x  10 root root ?  4096 Feb 19 18:52 lib
> >> drwx------   2 root root ? 16384 Feb  9 16:34 lost+found
> >> drwxr-xr-x   3 root root ?  4096 Feb 19 22:42 media
> >> drwxr-xr-x   3 root root ?  4096 Feb 11 12:09 mnt
> >> drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 opt
> >> dr-xr-xr-x 113 root root ?     0 Feb 19 22:42 proc
> >> drwxr-xr-x   5 root root ?  4096 Feb 18 11:24 root
> >> drwxr-xr-x   2 root root ?  4096 Feb 19 21:11 sbin
> >> drwxr-xr-x   7 root root ?     0 Feb 19 22:42 selinux
> >> drwxr-xr-x   8 root root ?  4096 Feb 18 11:19 share
> >> drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 srv
> >> drwxr-xr-x  12 root root ?     0 Feb 19 22:42 sys
> >> drwxrwxrwt   5 root root ?  4096 Feb 19 22:50 tmp
> >> drwxr-xr-x   6 root root ?  4096 Feb 11 12:05 tools
> >> drwxr-xr-x  14 root root ?  4096 Feb 14 10:09 usr
> >> drwxr-xr-x  10 root root ?  4096 Feb 18 22:31 var
> >> lrwxrwxrwx   1 root root ?    24 Feb 10 13:11 vmlinuz ->
> >> /boot/vmlinuz-2.6.29-rc4
> >>
> >> if I do a id -Z I get:
> >> id: --context (-Z) works only on an SELinux-enabled kernel
> >> (but it is enabled in the kernel)
> >
> > sestatus shows what?
> >
> > To be fully "enabled" as far as userspace is concerned, SELinux has to
> > be:
> > - enabled in your kernel build,
> > - enabled at boot,
> > - policy has to be loaded
> >
> > grep SELINUX .config
> > cat /etc/selinux/config
> > dmesg | grep SELinux
> >
> >> From looking back, I enabled as much as possible in any app/lib I was
> >> compiling
> >> that provided selinux support.(libc,xserver,hal,dbus, etc..);
> >> But could be missing an important app/lib that might make the security
> >> labels give the proper label. by chance if anybody had experienced this
> >> and/or knows what might be going on,(would be really appreciated).
> >>
> >> regards;
> >
> > --
> > Stephen Smalley
> > National Security Agency
>
> Thanks for the reply.
> here's what /usr/sbin/sestatus -vv (says);
>
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 22
> Policy from config file:        refpolicy
>
> Process contexts:
> Current context:                system_u:system_r:local_login_t
> Init context:                   system_u:system_r:init_t
>
> File contexts:
> Controlling term:               system_u:object_r:devpts_t
> /etc/passwd                     system_u:object_r:etc_t
> /bin/bash                       system_u:object_r:shell_exec_t
> /bin/login                      system_u:object_r:login_exec_t
> /bin/sh                         system_u:object_r:bin_t ->
> system_u:object_r:shell_exec_t
> /sbin/agetty                    system_u:object_r:getty_exec_t
> /sbin/init                      system_u:object_r:init_exec_t
> /lib/libc.so.6                  system_u:object_r:lib_t ->
> system_u:object_r:lib_t
> /lib/ld-linux.so.2              system_u:object_r:lib_t ->
> system_u:object_r:ld_so_t
>
> I think this is some aterm,xproto,etc.. library/app(that I forgot to
> install) that's responsible for displaying the security label info in the
> shell.(example) when I use
> audit2allow -d, I generate the correct security allow rules.
> when running make relabel in the policy source directory, reacts as it
> should.
>
> As for setting any options in the kernel. no
> left everything as I've had in the past.
> as for enabling everything. yes
> - enabled in your kernel build,
> - enabled at boot,
> - policy has to be loaded
>
> I'll try adding these rules into the policy irregardless of a
> broken proto/low level communications thing.
> didn't mean to causing any heat.
>
> regards;



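The checks proposed in this thread (Stephen's kernel-build / boot-config / policy-loaded list, Dennis's "Ext3 Security Labels" kernel option, and Dennis's ldd check for libselinux in coreutils) gathered into one script. This is an added example, not code from any of the posts. It assumes a POSIX sh with grep, sed, awk and ldd, plus getfattr from the attr package for the on-disk label check; KERNEL_CONFIG is an assumed environment variable naming the kernel .config to inspect (the default /boot/config-$(uname -r) path is a convention LFS installs may not follow). The option names are the Kconfig symbols behind the menu entries mentioned in the thread. Each check is a function that takes a file path or reads stdin, so the same functions can be run against saved copies of .config, /etc/selinux/config, /proc/mounts or ldd output; `--live` runs them against the running system.

```sh
#!/bin/sh
# Added diagnostic for the "ls -lZ shows ?" symptom in this thread; not code
# from the original posts. Assumes POSIX sh, grep/sed/awk, ldd, and getfattr
# (attr package) for the on-disk label check. KERNEL_CONFIG is an assumed
# environment variable naming the kernel .config to inspect.

# 1. Kernel build. SELinux itself, ext3 xattr support, and the
#    "Ext3 Security Labels" option all have to be =y. Prints each missing
#    option on its own line; prints nothing when the build is complete.
missing_kernel_options() {
    for opt in CONFIG_SECURITY_SELINUX CONFIG_EXT3_FS_XATTR CONFIG_EXT3_FS_SECURITY; do
        if ! grep -q "^${opt}=y\$" "$1"; then
            printf '%s\n' "$opt"
        fi
    done
}

# 2. Boot-time settings from /etc/selinux/config. Prints "<mode> <type>",
#    e.g. "permissive refpolicy", with "unset" for anything not found.
selinux_config_summary() {
    mode=$(sed -n 's/^SELINUX=\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    ptype=$(sed -n 's/^SELINUXTYPE=\([A-Za-z0-9_.-]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s %s\n' "${mode:-unset}" "${ptype:-unset}"
}

# 3. Is selinuxfs mounted, and where? Reads a /proc/mounts-format file and
#    prints the mount point (empty when not mounted); sestatus reports the same.
selinuxfs_mountpoint() {
    awk '$3 == "selinuxfs" { print $2 }' "$1"
}

# 4. Userspace. Reads ldd output on stdin; succeeds only if the binary links
#    libselinux.so.1. coreutils built without it still accept -Z but have no
#    way to fetch a context, hence the "?" column.
links_libselinux() {
    grep -q 'libselinux\.so\.1'
}

# Run every check against the live system.
live_report() {
    kcfg=${KERNEL_CONFIG:-/boot/config-$(uname -r)}
    if [ -r "$kcfg" ]; then
        echo "kernel options missing from $kcfg:"
        missing_kernel_options "$kcfg"
    else
        echo "kernel config not readable at $kcfg (set KERNEL_CONFIG)"
    fi
    if [ -r /etc/selinux/config ]; then
        echo "selinux config: $(selinux_config_summary /etc/selinux/config)"
    fi
    echo "selinuxfs mounted at: $(selinuxfs_mountpoint /proc/mounts)"
    for bin in ls id; do
        if p=$(command -v "$bin"); then
            if ldd "$p" | links_libselinux; then
                echo "$p links libselinux"
            else
                echo "$p does not link libselinux: rebuild coreutils with SELinux support"
            fi
        fi
    done
    # Labels on disk, read through the xattr interface instead of through ls.
    # A real label here while ls prints "?" points at the tool, not the filesystem.
    if command -v getfattr >/dev/null 2>&1; then
        for f in / /etc/passwd /bin/sh; do
            if lbl=$(getfattr -n security.selinux --only-values --absolute-names "$f" 2>/dev/null); then
                echo "$f on-disk label: $lbl"
            else
                echo "$f has no readable security.selinux xattr"
            fi
        done
    fi
}

case ${1:-} in
    --live) live_report ;;
esac
```

Run it as `sh selinux-label-check.sh --live` on the affected box. The last block is the useful discriminator for the situation in this thread: sestatus -vv (which uses libselinux) already showed real contexts for /etc/passwd and /bin/sh, so if getfattr also returns labels while ls -Z prints "?", the filesystem is labeled and the problem is in the ls/id build, exactly what the ldd check then confirms.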

* Re: ext3 security labels missing
  2009-02-20 15:20     ` Dennis Wronka
@ 2009-02-20 23:10       ` Justin Mattock
  2009-02-21  5:51         ` Dennis Wronka
From: Justin Mattock @ 2009-02-20 23:10 UTC (permalink / raw)
  To: Dennis Wronka; +Cc: SE-Linux

On Fri, Feb 20, 2009 at 7:20 AM, Dennis Wronka <linuxweb@gmx.net> wrote:
> Are the coreutils compiled with SELinux-support?
> I just gave it a quick check and found that the -Z option is available in both
> id and ls without coreutils having actually been built without SELinux-
> libraries actually available.
>
> Could you check this:
> ldd $(which ls)
>
> This should show up a reference to libselinux.so.1
> If this reference is missing then I'd suggest recompiling the coreutils.
>
> On Friday 20 February 2009 23:03:37 you wrote:
>> On Fri, Feb 20, 2009 at 6:14 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> > On Thu, 2009-02-19 at 23:04 -0800, Justin Mattock wrote:
>> >> I've a strange issue.
>> >> with my experimental learning machine(LFS)
>> >> I'm able to load the policy etc.. but have no labels
>> >> on my files.(just a question mark);
>> >>
>> >>
>> >> ls -lZ shows
>> >>
>> >> drwxr-xr-x   2 root root ?  4096 Feb 18 11:19 bin
>> >> drwxr-xr-x   3 root root ?  4096 Feb 19 22:36 boot
>> >> lrwxrwxrwx   1 root  999 ?    11 Feb  9 16:34 cdrom -> media/cdrom
>> >> drwxr-xr-x  17 root root ?  4120 Feb 19 22:42 dev
>> >> drwxr-xr-x  28 root root ?  4096 Feb 19 22:47 etc
>> >> drwxr-xr-x   4 root root ?  4096 Feb 19 22:36 home
>> >> drwxr-xr-x   4 root root ?  4096 Feb 18 11:19 include
>> >> drwxr-xr-x  10 root root ?  4096 Feb 19 18:52 lib
>> >> drwx------   2 root root ? 16384 Feb  9 16:34 lost+found
>> >> drwxr-xr-x   3 root root ?  4096 Feb 19 22:42 media
>> >> drwxr-xr-x   3 root root ?  4096 Feb 11 12:09 mnt
>> >> drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 opt
>> >> dr-xr-xr-x 113 root root ?     0 Feb 19 22:42 proc
>> >> drwxr-xr-x   5 root root ?  4096 Feb 18 11:24 root
>> >> drwxr-xr-x   2 root root ?  4096 Feb 19 21:11 sbin
>> >> drwxr-xr-x   7 root root ?     0 Feb 19 22:42 selinux
>> >> drwxr-xr-x   8 root root ?  4096 Feb 18 11:19 share
>> >> drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 srv
>> >> drwxr-xr-x  12 root root ?     0 Feb 19 22:42 sys
>> >> drwxrwxrwt   5 root root ?  4096 Feb 19 22:50 tmp
>> >> drwxr-xr-x   6 root root ?  4096 Feb 11 12:05 tools
>> >> drwxr-xr-x  14 root root ?  4096 Feb 14 10:09 usr
>> >> drwxr-xr-x  10 root root ?  4096 Feb 18 22:31 var
>> >> lrwxrwxrwx   1 root root ?    24 Feb 10 13:11 vmlinuz ->
>> >> /boot/vmlinuz-2.6.29-rc4
>> >>
>> >> if I do a id -Z I get:
>> >> id: --context (-Z) works only on an SELinux-enabled kernel
>> >> (but it is enabled in the kernel)
>> >
>> > sestatus shows what?
>> >
>> > To be fully "enabled" as far as userspace is concerned, SELinux has to
>> > be:
>> > - enabled in your kernel build,
>> > - enabled at boot,
>> > - policy has to be loaded
>> >
>> > grep SELINUX .config
>> > cat /etc/selinux/config
>> > dmesg | grep SELinux
>> >
>> >> From looking back, I enabled as much as possible in any app/lib I was
>> >> compiling
>> >> that provided selinux support.(libc,xserver,hal,dbus, etc..);
>> >> But could be missing an important app/lib that might make the security
>> >> labels give the proper label. by chance if anybody had experienced this
>> >> and/or knows what might be going on,(would be really appreciated).
>> >>
>> >> regards;
>> >
>> > --
>> > Stephen Smalley
>> > National Security Agency
>>
>> Thanks for the reply.
>> here's what /usr/sbin/sestatus -vv (says);
>>
>> SELinux status:                 enabled
>> SELinuxfs mount:                /selinux
>> Current mode:                   permissive
>> Mode from config file:          permissive
>> Policy version:                 22
>> Policy from config file:        refpolicy
>>
>> Process contexts:
>> Current context:                system_u:system_r:local_login_t
>> Init context:                   system_u:system_r:init_t
>>
>> File contexts:
>> Controlling term:               system_u:object_r:devpts_t
>> /etc/passwd                     system_u:object_r:etc_t
>> /bin/bash                       system_u:object_r:shell_exec_t
>> /bin/login                      system_u:object_r:login_exec_t
>> /bin/sh                         system_u:object_r:bin_t ->
>> system_u:object_r:shell_exec_t
>> /sbin/agetty                    system_u:object_r:getty_exec_t
>> /sbin/init                      system_u:object_r:init_exec_t
>> /lib/libc.so.6                  system_u:object_r:lib_t ->
>> system_u:object_r:lib_t
>> /lib/ld-linux.so.2              system_u:object_r:lib_t ->
>> system_u:object_r:ld_so_t
>>
>> I think this is some aterm,xproto,etc.. library/app(that I forgot to
>> install) that's responsible for displaying the security label info in the
>> shell.(example) when I use
>> audit2allow -d, I generate the correct security allow rules.
>> when running make relabel in the policy source directory, reacts as it
>> should.
>>
>> As for setting any options in the kernel. no
>> left everything as I've had in the past.
>> as for enabling everything. yes
>> - enabled in your kernel build,
>> - enabled at boot,
>> - policy has to be loaded
>>
>> I'll try adding these rules into the policy regardless of a
>> broken proto/low level communications thing.
>> didn't mean to cause any heat.
>>
>> regards;
>

After looking at the situation, and looking at the
(LFS) manual: at first you set up shadow with a root
password (to get things going); then later, once you're up
and running, you move from using shadow to using pam.
well I've managed to do that.
but I'm not seeing a /etc/pam.d/system-auth file
generated by the installer (probably have to manually pick my session, password,
account modules);
(positive side)
under ps aux (I'll have to attach them (before/after) as soon as I get a chance);
I finally see:   /bin/login --
So hopefully once I get /etc/pam.d cleaned up (hopefully) I
should be logged into my SELinux user and have the right context.
keep in mind "hopefully".
regards;

-- 
Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 13+ messages in thread
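Stephen's checklist quoted above (SELinux enabled in the kernel build, enabled at boot, policy loaded, with grep on .config, /etc/selinux/config and dmesg to verify each) and Dennis's ldd test for libselinux.so.1 can be run as one script. What follows is an added example written for this page, not code from the thread or from EasyLFS: every check reads one command's output on stdin, the sample outputs are constructed to mirror the layouts quoted in the thread, and the kernel config locations used by the live mode (/proc/config.gz, /usr/src/linux/.config) are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread or from EasyLFS): the checks Stephen
# and Dennis asked for, as functions that read one command's output on stdin,
# so they run against the constructed samples below or, with --live, the host.

# --- constructed samples (not captured from Justin's machine) ----------------
SAMPLE_KCONFIG='CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y'

SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Policy version:                 22'

SAMPLE_LDD_OK='  libselinux.so.1 => /lib/libselinux.so.1 (0x00000000)
  libc.so.6 => /lib/libc.so.6 (0x00000000)'
SAMPLE_LDD_BAD='  libc.so.6 => /lib/libc.so.6 (0x00000000)'

# ls -lZ in the coreutils layout quoted in the thread: the context is column 5
# and "?" means ls could not obtain a context for that entry.
SAMPLE_LS='drwxr-xr-x   2 root root ?  4096 Feb 18 11:19 bin
lrwxrwxrwx   1 root  999 ?    11 Feb  9 16:34 cdrom -> media/cdrom
drwxr-xr-x  28 root root system_u:object_r:etc_t  4096 Feb 19 22:47 etc
lrwxrwxrwx   1 root root ?    24 Feb 10 13:11 vmlinuz ->
/boot/vmlinuz-2.6.29-rc4'

# 1. Kernel build (stdin: kernel .config).
kconfig_has_selinux() {
    grep -q '^CONFIG_SECURITY_SELINUX=y' && echo yes || echo no
}

# 2. Runtime state: one field of sestatus output, e.g. sestatus_field 'Current mode'.
sestatus_field() {
    sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# 3. Userspace tools: does the binary link libselinux?  (stdin: ldd output)
links_libselinux() {
    grep -q 'libselinux\.so' && echo yes || echo no
}

# 4. File labels: entries whose context column is "?" (stdin: ls -lZ output).
# NF >= 10 skips the "total" line and continuation lines such as a wrapped
# symlink target.
count_unlabeled() {
    awk 'NF >= 10 && $5 == "?" { n++ } END { print n + 0 }'
}
unlabeled_names() {
    awk 'NF >= 10 && $5 == "?" { print $10 }'
}

# Combine the answers in the order the thread worked through them.
diagnose() {   # diagnose <kconfig yes|no> <SELinux status> <ldd yes|no> <unlabelled count>
    if [ "$1" != yes ]; then
        echo "kernel: CONFIG_SECURITY_SELINUX is not set; rebuild the kernel"
    elif [ "$2" != enabled ]; then
        echo "boot: SELinux disabled or no policy loaded; check /etc/selinux/config and dmesg"
    elif [ "$3" != yes ]; then
        echo "userspace: coreutils built without libselinux; rebuild ls and id"
    elif [ "$4" -gt 0 ]; then
        echo "filesystem: $4 entries unlabelled; run make relabel in the policy tree"
    else
        echo ok
    fi
}

# The thread's situation reproduced on the samples: kernel and policy fine,
# ls built without libselinux, so the unlabelled count is not yet meaningful.
diagnose_sample() {
    k=$(printf '%s\n' "$SAMPLE_KCONFIG" | kconfig_has_selinux)
    s=$(printf '%s\n' "$SAMPLE_SESTATUS" | sestatus_field 'SELinux status')
    l=$(printf '%s\n' "$SAMPLE_LDD_BAD" | links_libselinux)
    u=$(printf '%s\n' "$SAMPLE_LS" | count_unlabeled)
    diagnose "$k" "$s" "$l" "$u"
}

# Live mode: the same checks on the host. The .config locations are assumptions.
diagnose_live() {
    cfg=$( { zcat /proc/config.gz || cat /usr/src/linux/.config; } 2>/dev/null || true )
    k=$(printf '%s\n' "$cfg" | kconfig_has_selinux)
    s=$( { sestatus 2>/dev/null || true; } | sestatus_field 'SELinux status')
    l=$(ldd "$(command -v ls)" 2>/dev/null | links_libselinux)
    u=$(ls -lZ / 2>/dev/null | count_unlabeled)
    diagnose "${k:-no}" "${s:-disabled}" "${l:-no}" "${u:-0}"
}
if [ "${1:-}" = "--live" ]; then diagnose_live; fi
```

Run it with --live on the LFS box to apply the same checks to the real system. The order of the verdict follows from the evidence already in the thread: Justin's sestatus -vv prints correct file contexts for /etc/passwd and /bin/login, so the kernel can read the labels and libselinux can fetch them, while id -Z claims SELinux is off. That combination points at the ls and id binaries rather than at the filesystem, which is why the ldd test comes before any relabel.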

* Re: ext3 security labels missing
  2009-02-20 23:10       ` Justin Mattock
@ 2009-02-21  5:51         ` Dennis Wronka
  2009-02-21  9:55           ` Justin Mattock
  0 siblings, 1 reply; 13+ messages in thread
From: Dennis Wronka @ 2009-02-21  5:51 UTC (permalink / raw)
  To: Justin Mattock; +Cc: SE-Linux


[-- Attachment #1.1: Type: text/plain, Size: 7739 bytes --]

If you don't have the system-auth file and you're still able to log in then
either your system is not really using PAM or login doesn't reference
system-auth.
But from what I remember system-auth is not installed by default and you have
to write it yourself.
The default login-PAM-config, from the shadow-package, does reference
system-auth, so I think login should fail if your system really uses PAM.

When did you compile PAM? It should be compiled before shadow, so that shadow
can be compiled with PAM-support.

Also, which getty are you using? You should install mingetty, or you'll run
into lots of problems that are caused by agetty under SELinux.

As said, check whether your coreutils, notably id and ls, reference the
SELinux-libs. If not you'll need to compile them again.

Plugging SELinux into LFS is a bit tricky. In order not to have to compile too
much twice you have to compile things in the right place during the process.

I have attached my stage2-script for your reference. This is the order I
compile my system in.
I've got a lot of optional stuff in there, so simply disregard anything you
don't need.

Also, just out of curiosity: are you doing LFS to learn about the internals, or
do you just want to get an LFS-system with SELinux?
In the latter case maybe I could interest you in my project, EasyLFS, which the
attached script is also taken from.

Regards,
Dennis

On Saturday 21 February 2009 07:10:37 Justin Mattock wrote:
> On Fri, Feb 20, 2009 at 7:20 AM, Dennis Wronka <linuxweb@gmx.net> wrote:
> > Are the coreutils compiled with SELinux-support?
> > I just gave it a quick check and found that the -Z option is available in
> > both id and ls without coreutils having actually been built without
> > SELinux-libraries actually available.
> >
> > Could you check this:
> > ldd $(which ls)
> >
> > This should show up a reference to libselinux.so.1
> > If this reference is missing then I'd suggest recompiling the coreutils.
> >
> > On Friday 20 February 2009 23:03:37 you wrote:
> >> On Fri, Feb 20, 2009 at 6:14 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >> > On Thu, 2009-02-19 at 23:04 -0800, Justin Mattock wrote:
> >> >> I've a strange issue.
> >> >> with my experimental learning machine(LFS)
> >> >> I'm able to load the policy etc.. but have no labels
> >> >> on my files.(just a question mark);
> >> >>
> >> >>
> >> >> ls -lZ shows
> >> >>
> >> >> drwxr-xr-x   2 root root ?  4096 Feb 18 11:19 bin
> >> >> drwxr-xr-x   3 root root ?  4096 Feb 19 22:36 boot
> >> >> lrwxrwxrwx   1 root  999 ?    11 Feb  9 16:34 cdrom -> media/cdrom
> >> >> drwxr-xr-x  17 root root ?  4120 Feb 19 22:42 dev
> >> >> drwxr-xr-x  28 root root ?  4096 Feb 19 22:47 etc
> >> >> drwxr-xr-x   4 root root ?  4096 Feb 19 22:36 home
> >> >> drwxr-xr-x   4 root root ?  4096 Feb 18 11:19 include
> >> >> drwxr-xr-x  10 root root ?  4096 Feb 19 18:52 lib
> >> >> drwx------   2 root root ? 16384 Feb  9 16:34 lost+found
> >> >> drwxr-xr-x   3 root root ?  4096 Feb 19 22:42 media
> >> >> drwxr-xr-x   3 root root ?  4096 Feb 11 12:09 mnt
> >> >> drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 opt
> >> >> dr-xr-xr-x 113 root root ?     0 Feb 19 22:42 proc
> >> >> drwxr-xr-x   5 root root ?  4096 Feb 18 11:24 root
> >> >> drwxr-xr-x   2 root root ?  4096 Feb 19 21:11 sbin
> >> >> drwxr-xr-x   7 root root ?     0 Feb 19 22:42 selinux
> >> >> drwxr-xr-x   8 root root ?  4096 Feb 18 11:19 share
> >> >> drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 srv
> >> >> drwxr-xr-x  12 root root ?     0 Feb 19 22:42 sys
> >> >> drwxrwxrwt   5 root root ?  4096 Feb 19 22:50 tmp
> >> >> drwxr-xr-x   6 root root ?  4096 Feb 11 12:05 tools
> >> >> drwxr-xr-x  14 root root ?  4096 Feb 14 10:09 usr
> >> >> drwxr-xr-x  10 root root ?  4096 Feb 18 22:31 var
> >> >> lrwxrwxrwx   1 root root ?    24 Feb 10 13:11 vmlinuz ->
> >> >> /boot/vmlinuz-2.6.29-rc4
> >> >>
> >> >> if I do a id -Z I get:
> >> >> id: --context (-Z) works only on an SELinux-enabled kernel
> >> >> (but it is enabled in the kernel)
> >> >
> >> > sestatus shows what?
> >> >
> >> > To be fully "enabled" as far as userspace is concerned, SELinux has to
> >> > be:
> >> > - enabled in your kernel build,
> >> > - enabled at boot,
> >> > - policy has to be loaded
> >> >
> >> > grep SELINUX .config
> >> > cat /etc/selinux/config
> >> > dmesg | grep SELinux
> >> >
> >> >> From looking back, I enabled as much as possible in any app/lib I
> >> >> was compiling that provided selinux support.(libc,xserver,hal,dbus, etc..);
> >> >> But could be missing an important app/lib that might make the
> >> >> security labels give the proper label. by chance if anybody had
> >> >> experienced this and/or knows what might be going on,(would be really
> >> >> appreciated).
> >> >>
> >> >> regards;
> >> >
> >> > --
> >> > Stephen Smalley
> >> > National Security Agency
> >>
> >> Thanks for the reply.
> >> here's what /usr/sbin/sestatus -vv (says);
> >>
> >> SELinux status:                 enabled
> >> SELinuxfs mount:                /selinux
> >> Current mode:                   permissive
> >> Mode from config file:          permissive
> >> Policy version:                 22
> >> Policy from config file:        refpolicy
> >>
> >> Process contexts:
> >> Current context:                system_u:system_r:local_login_t
> >> Init context:                   system_u:system_r:init_t
> >>
> >> File contexts:
> >> Controlling term:               system_u:object_r:devpts_t
> >> /etc/passwd                     system_u:object_r:etc_t
> >> /bin/bash                       system_u:object_r:shell_exec_t
> >> /bin/login                      system_u:object_r:login_exec_t
> >> /bin/sh                         system_u:object_r:bin_t ->
> >> system_u:object_r:shell_exec_t
> >> /sbin/agetty                    system_u:object_r:getty_exec_t
> >> /sbin/init                      system_u:object_r:init_exec_t
> >> /lib/libc.so.6                  system_u:object_r:lib_t ->
> >> system_u:object_r:lib_t
> >> /lib/ld-linux.so.2              system_u:object_r:lib_t ->
> >> system_u:object_r:ld_so_t
> >>
> >> I think this is some aterm,xproto,etc.. library/app(that I forgot to
> >> install) that's responsible for displaying the security label info in
> >> the shell.(example) when I use
> >> audit2allow -d, I generate the correct security allow rules.
> >> when running make relabel in the policy source directory, reacts as it
> >> should.
> >>
> >> As for setting any options in the kernel. no
> >> left everything as I've had in the past.
> >> as for enabling everything. yes
> >> - enabled in your kernel build,
> >> - enabled at boot,
> >> - policy has to be loaded
> >>
> >> I'll try adding these rules into the policy regardless of a
> >> broken proto/low level communications thing.
> >> didn't mean to cause any heat.
> >>
> >> regards;
>
> After looking at the situation, and looking at the
> (LFS) manual: at first you set up shadow with a root
> password (to get things going); then later, once you're up
> and running, you move from using shadow to using pam.
> well I've managed to do that.
> but I'm not seeing a /etc/pam.d/system-auth file
> generated by the installer (probably have to manually pick my
> session, password, account modules);
> (positive side)
> under ps aux (I'll have to attach them (before/after) as soon as I get a
> chance); I finally see:   /bin/login --
> So hopefully once I get /etc/pam.d cleaned up (hopefully) I
> should be logged into my SELinux user and have the right context.
> keep in mind "hopefully".
> regards;



[-- Attachment #1.2: lfs_stage2.sh --]
[-- Type: application/x-shellscript, Size: 6968 bytes --]

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 197 bytes --]

^ permalink raw reply	[flat|nested] 13+ messages in thread
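Dennis's PAM reasoning above rests on two things that can be checked mechanically: whether login was built against PAM at all, and whether its PAM stack hands off to a system-auth file that exists and covers all four module types (the "session, password, account modules" Justin says he still has to pick). The script below is an added example for this page, not part of the thread or of EasyLFS. Its sample configs are constructed: the login stack is modelled on Dennis's description of the shadow-package default that includes system-auth, and its pam_selinux.so session line is an assumption about a sensible setup, not something the thread shows. The live mode assumes the paths /etc/pam.d/login and /etc/pam.d/system-auth.

```shell
#!/bin/sh
# Added example (not code from the thread or EasyLFS): checks for the PAM side
# of Dennis's reasoning. Each parser reads one PAM config file on stdin.

# --- constructed samples -----------------------------------------------------
# A login stack modelled on Dennis's description of the shadow default (it
# includes system-auth); the pam_selinux.so line is an assumption, see below.
SAMPLE_LOGIN='#%PAM-1.0  (constructed)
auth      required  pam_securetty.so
auth      include   system-auth
account   include   system-auth
password  include   system-auth
session   include   system-auth
session   optional  pam_selinux.so'

# Complete minimal system-auth: every module type is handled by pam_unix.
SAMPLE_SYSTEM_AUTH='# Begin /etc/pam.d/system-auth (constructed)
auth      required  pam_unix.so
account   required  pam_unix.so
password  required  pam_unix.so
session   required  pam_unix.so'

# The half-written stack Justin describes: only auth and account picked so far.
SAMPLE_PARTIAL_AUTH='auth      required  pam_unix.so
account   required  pam_unix.so'

# Does the login stack hand off to system-auth?  (stdin: /etc/pam.d/login)
# Dennis's point: if it does and system-auth is missing, login must fail, so a
# working login means either no PAM in login at all or no such include.
login_includes_system_auth() {
    grep -Eq '^[[:space:]]*(auth|account|password|session)[[:space:]]+(include|substack)[[:space:]]+system-auth' \
        && echo yes || echo no
}

# Print the module types a stack does not handle (stdin: a PAM config).
# Empty output means all four of auth, account, password, session are present.
missing_module_types() {
    present=$(sed 's/#.*//' | awk 'NF { print $1 }' | sort -u)
    for t in auth account password session; do
        printf '%s\n' "$present" | grep -qx "$t" || printf '%s\n' "$t"
    done
}

# Does the stack run pam_selinux in its session phase?  (stdin: /etc/pam.d/login)
sets_selinux_context() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_selinux\.so' && echo yes || echo no
}

# Live mode: apply the checks to the host's own files and login binary.
pam_live_report() {
    if ldd "$(command -v login)" 2>/dev/null | grep -q 'libpam\.so'; then
        echo "login links libpam: yes"
    else
        echo "login links libpam: no (PAM not really in use)"
    fi
    echo "login includes system-auth: $(login_includes_system_auth < /etc/pam.d/login)"
    if [ -r /etc/pam.d/system-auth ]; then
        m=$(missing_module_types < /etc/pam.d/system-auth | tr '\n' ' ')
        echo "system-auth missing types: ${m:-none}"
    else
        echo "system-auth: file not found"
    fi
    echo "login runs pam_selinux in session: $(sets_selinux_context < /etc/pam.d/login)"
}
if [ "${1:-}" = "--live" ]; then pam_live_report; fi
```

The pam_selinux check is there because of what Justin's later ps auxZ attachment shows: the user's bash, the X server and aterm all still run as system_u:system_r:local_login_t, the domain of /bin/login itself. With the reference policy, the session phase of pam_selinux.so is what computes the user's context and sets it for the shell that login executes; without it the user's processes stay in the login domain, whatever the files are labelled, which is the usual reason for the "right context" never appearing.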

* Re: ext3 security labels missing
  2009-02-21  5:51         ` Dennis Wronka
@ 2009-02-21  9:55           ` Justin Mattock
       [not found]             ` <200902211806.55864.linuxweb@gmx.net>
  0 siblings, 1 reply; 13+ messages in thread
From: Justin Mattock @ 2009-02-21  9:55 UTC (permalink / raw)
  To: Dennis Wronka, russell, Stephen Smalley; +Cc: SE-Linux

[-- Attachment #1: Type: text/plain, Size: 8044 bytes --]

On Fri, Feb 20, 2009 at 9:51 PM, Dennis Wronka <linuxweb@gmx.net> wrote:
> If you don't have the system-auth file and you're still able to log in then
> either your system is not really using PAM or login doesn't reference
> system-auth.
> But from what I remember system-auth is not installed by default and you have
> to write it yourself.
> The default login-PAM-config, from the shadow-package, does reference
> system-auth, so I think login should fail if your system really uses PAM.
>
> When did you compile PAM? It should be compiled before shadow, so that shadow
> can be compiled with PAM-support.
>
> Also, which getty are you using? You should install mingetty, or you'll run
> into lots of problems that are caused by agetty under SELinux.
>
> As said, check whether your coreutils, notably id and ls, reference the
> SELinux-libs. If not you'll need to compile them again.
>
> Plugging SELinux into LFS is a bit tricky. In order not to have to compile too
> much twice you have to compile things in the right place during the process.
>
> I have attached my stage2-script for your reference. This is the order I
> compile my system in.
> I've got a lot of optional stuff in there, so simply disregard anything you
> don't need.
>
> Also, just out of curiosity: are you doing LFS to learn about the internals, or
> do you just want to get an LFS-system with SELinux?
> In the latter case maybe I could interest you in my project, EasyLFS, which the
> attached script is also taken from.
>
> Regards,
> Dennis
>
> On Saturday 21 February 2009 07:10:37 Justin Mattock wrote:
>> On Fri, Feb 20, 2009 at 7:20 AM, Dennis Wronka <linuxweb@gmx.net> wrote:
>> > Are the coreutils compiled with SELinux-support?
>> > I just gave it a quick check and found that the -Z option is available in
>> > both id and ls without coreutils having actually been built without
>> > SELinux-libraries actually available.
>> >
>> > Could you check this:
>> > ldd $(which ls)
>> >
>> > This should show up a reference to libselinux.so.1
>> > If this reference is missing then I'd suggest recompiling the coreutils.
>> >
>> > On Friday 20 February 2009 23:03:37 you wrote:
>> >> On Fri, Feb 20, 2009 at 6:14 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> >> > On Thu, 2009-02-19 at 23:04 -0800, Justin Mattock wrote:
>> >> >> I've a strange issue.
>> >> >> with my experimental learning machine(LFS)
>> >> >> I'm able to load the policy etc.. but have no labels
>> >> >> on my files.(just a question mark);
>> >> >>
>> >> >>
>> >> >> ls -lZ shows
>> >> >>
>> >> >> drwxr-xr-x   2 root root ?  4096 Feb 18 11:19 bin
>> >> >> drwxr-xr-x   3 root root ?  4096 Feb 19 22:36 boot
>> >> >> lrwxrwxrwx   1 root  999 ?    11 Feb  9 16:34 cdrom -> media/cdrom
>> >> >> drwxr-xr-x  17 root root ?  4120 Feb 19 22:42 dev
>> >> >> drwxr-xr-x  28 root root ?  4096 Feb 19 22:47 etc
>> >> >> drwxr-xr-x   4 root root ?  4096 Feb 19 22:36 home
>> >> >> drwxr-xr-x   4 root root ?  4096 Feb 18 11:19 include
>> >> >> drwxr-xr-x  10 root root ?  4096 Feb 19 18:52 lib
>> >> >> drwx------   2 root root ? 16384 Feb  9 16:34 lost+found
>> >> >> drwxr-xr-x   3 root root ?  4096 Feb 19 22:42 media
>> >> >> drwxr-xr-x   3 root root ?  4096 Feb 11 12:09 mnt
>> >> >> drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 opt
>> >> >> dr-xr-xr-x 113 root root ?     0 Feb 19 22:42 proc
>> >> >> drwxr-xr-x   5 root root ?  4096 Feb 18 11:24 root
>> >> >> drwxr-xr-x   2 root root ?  4096 Feb 19 21:11 sbin
>> >> >> drwxr-xr-x   7 root root ?     0 Feb 19 22:42 selinux
>> >> >> drwxr-xr-x   8 root root ?  4096 Feb 18 11:19 share
>> >> >> drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 srv
>> >> >> drwxr-xr-x  12 root root ?     0 Feb 19 22:42 sys
>> >> >> drwxrwxrwt   5 root root ?  4096 Feb 19 22:50 tmp
>> >> >> drwxr-xr-x   6 root root ?  4096 Feb 11 12:05 tools
>> >> >> drwxr-xr-x  14 root root ?  4096 Feb 14 10:09 usr
>> >> >> drwxr-xr-x  10 root root ?  4096 Feb 18 22:31 var
>> >> >> lrwxrwxrwx   1 root root ?    24 Feb 10 13:11 vmlinuz ->
>> >> >> /boot/vmlinuz-2.6.29-rc4
>> >> >>
>> >> >> if I do a id -Z I get:
>> >> >> id: --context (-Z) works only on an SELinux-enabled kernel
>> >> >> (but it is enabled in the kernel)
>> >> >
>> >> > sestatus shows what?
>> >> >
>> >> > To be fully "enabled" as far as userspace is concerned, SELinux has to
>> >> > be:
>> >> > - enabled in your kernel build,
>> >> > - enabled at boot,
>> >> > - policy has to be loaded
>> >> >
>> >> > grep SELINUX .config
>> >> > cat /etc/selinux/config
>> >> > dmesg | grep SELinux
>> >> >
>> >> >> From looking back, I enabled as much as possible in any app/lib I
>> >> >> was compiling that provided selinux support.(libc,xserver,hal,dbus, etc..);
>> >> >> But could be missing an important app/lib that might make the
>> >> >> security labels give the proper label. by chance if anybody had
>> >> >> experienced this and/or knows what might be going on,(would be really
>> >> >> appreciated).
>> >> >>
>> >> >> regards;
>> >> >
>> >> > --
>> >> > Stephen Smalley
>> >> > National Security Agency
>> >>
>> >> Thanks for the reply.
>> >> here's what /usr/sbin/sestatus -vv (says);
>> >>
>> >> SELinux status:                 enabled
>> >> SELinuxfs mount:                /selinux
>> >> Current mode:                   permissive
>> >> Mode from config file:          permissive
>> >> Policy version:                 22
>> >> Policy from config file:        refpolicy
>> >>
>> >> Process contexts:
>> >> Current context:                system_u:system_r:local_login_t
>> >> Init context:                   system_u:system_r:init_t
>> >>
>> >> File contexts:
>> >> Controlling term:               system_u:object_r:devpts_t
>> >> /etc/passwd                     system_u:object_r:etc_t
>> >> /bin/bash                       system_u:object_r:shell_exec_t
>> >> /bin/login                      system_u:object_r:login_exec_t
>> >> /bin/sh                         system_u:object_r:bin_t ->
>> >> system_u:object_r:shell_exec_t
>> >> /sbin/agetty                    system_u:object_r:getty_exec_t
>> >> /sbin/init                      system_u:object_r:init_exec_t
>> >> /lib/libc.so.6                  system_u:object_r:lib_t ->
>> >> system_u:object_r:lib_t
>> >> /lib/ld-linux.so.2              system_u:object_r:lib_t ->
>> >> system_u:object_r:ld_so_t
>> >>
>> >> I think this is some aterm,xproto,etc.. library/app(that I forgot to
>> >> install) that's responsible for displaying the security label info in
>> >> the shell.(example) when I use
>> >> audit2allow -d, I generate the correct security allow rules.
>> >> when running make relabel in the policy source directory, reacts as it
>> >> should.
>> >>
>> >> As for setting any options in the kernel. no
>> >> left everything as I've had in the past.
>> >> as for enabling everything. yes
>> >> - enabled in your kernel build,
>> >> - enabled at boot,
>> >> - policy has to be loaded
>> >>
>> >> I'll try adding these rules into the policy regardless of a
>> >> broken proto/low level communications thing.
>> >> didn't mean to cause any heat.
>> >>
>> >> regards;
>>
>> After looking at the situation, and looking at the
>> (LFS) manual: at first you set up shadow with a root
>> password (to get things going); then later, once you're up
>> and running, you move from using shadow to using pam.
>> well I've managed to do that.
>> but I'm not seeing a /etc/pam.d/system-auth file
>> generated by the installer (probably have to manually pick my
>> session, password, account modules);
>> (positive side)
>> under ps aux (I'll have to attach them (before/after) as soon as I get a
>> chance); I finally see:   /bin/login --
>> So hopefully once I get /etc/pam.d cleaned up (hopefully) I
>> should be logged into my SELinux user and have the right context.
>> keep in mind "hopefully".
>> regards;
>

As promised, here is the attached
ps auxZ output.

as it seems I do have pam up and running, but am still
(unfortunately) seeing no security labels.
must have a missing protocol somewhere.

regards;

-- 
Justin P. Mattock

[-- Attachment #2: beforeafterpsauxZ --]
[-- Type: application/octet-stream, Size: 18570 bytes --]


/* using a shadow mechanism */

LABEL                           USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
system_u:system_r:init_t        root         1  0.1  0.0   2056   704 ?        Ss   09:21   0:01 init [3]  
system_u:system_r:kernel_t      root         2  0.0  0.0      0     0 ?        S<   09:21   0:00 [kthreadd]
system_u:system_r:kernel_t      root         3  0.0  0.0      0     0 ?        S<   09:21   0:00 [migration/0]
system_u:system_r:kernel_t      root         4  0.0  0.0      0     0 ?        S<   09:21   0:00 [ksoftirqd/0]
system_u:system_r:kernel_t      root         5  0.0  0.0      0     0 ?        S<   09:21   0:00 [watchdog/0]
system_u:system_r:kernel_t      root         6  0.0  0.0      0     0 ?        S<   09:21   0:00 [migration/1]
system_u:system_r:kernel_t      root         7  0.0  0.0      0     0 ?        S<   09:21   0:00 [ksoftirqd/1]
system_u:system_r:kernel_t      root         8  0.0  0.0      0     0 ?        S<   09:21   0:00 [watchdog/1]
system_u:system_r:kernel_t      root         9  0.0  0.0      0     0 ?        S<   09:21   0:00 [events/0]
system_u:system_r:kernel_t      root        10  0.0  0.0      0     0 ?        S<   09:21   0:00 [events/1]
system_u:system_r:kernel_t      root        11  0.0  0.0      0     0 ?        S<   09:21   0:00 [work_on_cpu/0]
system_u:system_r:kernel_t      root        12  0.0  0.0      0     0 ?        S<   09:21   0:00 [work_on_cpu/1]
system_u:system_r:kernel_t      root        13  0.0  0.0      0     0 ?        S<   09:21   0:00 [khelper]
system_u:system_r:kernel_t      root       131  0.0  0.0      0     0 ?        S<   09:21   0:00 [kblockd/0]
system_u:system_r:kernel_t      root       132  0.0  0.0      0     0 ?        S<   09:21   0:00 [kblockd/1]
system_u:system_r:kernel_t      root       134  0.0  0.0      0     0 ?        S<   09:21   0:00 [kacpid]
system_u:system_r:kernel_t      root       135  0.0  0.0      0     0 ?        S<   09:21   0:00 [kacpi_notify]
system_u:system_r:kernel_t      root       205  0.0  0.0      0     0 ?        S<   09:21   0:00 [cqueue]
system_u:system_r:kernel_t      root       209  0.0  0.0      0     0 ?        S<   09:21   0:00 [ata/0]
system_u:system_r:kernel_t      root       210  0.0  0.0      0     0 ?        S<   09:21   0:00 [ata/1]
system_u:system_r:kernel_t      root       211  0.0  0.0      0     0 ?        S<   09:21   0:00 [ata_aux]
system_u:system_r:kernel_t      root       212  0.0  0.0      0     0 ?        S<   09:21   0:00 [ksuspend_usbd]
system_u:system_r:kernel_t      root       218  0.0  0.0      0     0 ?        S<   09:21   0:00 [khubd]
system_u:system_r:kernel_t      root       221  0.0  0.0      0     0 ?        S<   09:21   0:00 [kseriod]
system_u:system_r:kernel_t      root       244  0.0  0.0      0     0 ?        S<   09:21   0:00 [kondemand/0]
system_u:system_r:kernel_t      root       245  0.0  0.0      0     0 ?        S<   09:21   0:00 [kondemand/1]
system_u:system_r:kernel_t      root       277  0.0  0.0      0     0 ?        S<   09:21   0:00 [rt-test-0]
system_u:system_r:kernel_t      root       279  0.0  0.0      0     0 ?        S<   09:21   0:00 [rt-test-1]
system_u:system_r:kernel_t      root       281  0.0  0.0      0     0 ?        S<   09:21   0:00 [rt-test-2]
system_u:system_r:kernel_t      root       283  0.0  0.0      0     0 ?        S<   09:21   0:00 [rt-test-3]
system_u:system_r:kernel_t      root       285  0.0  0.0      0     0 ?        S<   09:21   0:00 [rt-test-4]
system_u:system_r:kernel_t      root       287  0.0  0.0      0     0 ?        S<   09:21   0:00 [rt-test-5]
system_u:system_r:kernel_t      root       289  0.0  0.0      0     0 ?        S<   09:21   0:00 [rt-test-6]
system_u:system_r:kernel_t      root       291  0.0  0.0      0     0 ?        S<   09:21   0:00 [rt-test-7]
system_u:system_r:kernel_t      root       294  0.0  0.0      0     0 ?        S    09:21   0:00 [pdflush]
system_u:system_r:kernel_t      root       295  0.0  0.0      0     0 ?        S    09:21   0:00 [pdflush]
system_u:system_r:kernel_t      root       296  0.0  0.0      0     0 ?        S<   09:21   0:00 [kswapd0]
system_u:system_r:kernel_t      root       390  0.0  0.0      0     0 ?        S<   09:21   0:00 [aio/0]
system_u:system_r:kernel_t      root       391  0.0  0.0      0     0 ?        S<   09:21   0:00 [aio/1]
system_u:system_r:kernel_t      root       554  0.0  0.0      0     0 ?        S<   09:21   0:00 [scsi_eh_0]
system_u:system_r:kernel_t      root       558  0.0  0.0      0     0 ?        S<   09:21   0:00 [scsi_eh_1]
system_u:system_r:kernel_t      root       566  0.0  0.0      0     0 ?        S<   09:21   0:00 [scsi_eh_2]
system_u:system_r:kernel_t      root       568  0.0  0.0      0     0 ?        S<   09:21   0:00 [scsi_eh_3]
system_u:system_r:kernel_t      root       593  0.0  0.0      0     0 ?        S<   09:21   0:00 [kstriped]
system_u:system_r:kernel_t      root       598  0.0  0.0      0     0 ?        S<   09:21   0:00 [edac-poller]
system_u:system_r:kernel_t      root       601  0.0  0.0      0     0 ?        S<   09:21   0:00 [hid_compat]
system_u:system_r:kernel_t      root       633  0.0  0.0      0     0 ?        S<   09:21   0:00 [kjournald]
system_u:system_r:kernel_t      root       691  0.0  0.0      0     0 ?        S<   09:21   0:00 [applesmc-led]
system_u:system_r:udev_t        root       800  0.0  0.0   2148   892 ?        S<s  09:21   0:00 /sbin/udevd --daemon
system_u:system_r:kernel_t      root      1233  0.0  0.0      0     0 ?        S<   09:21   0:00 [khpsbpkt]
system_u:system_r:kernel_t      root      1257  0.0  0.0      0     0 ?        S<   09:21   0:00 [phy0]
system_u:system_r:kernel_t      root      1309  0.0  0.0      0     0 ?        S<   09:21   0:00 [knodemgrd_0]
system_u:system_r:kernel_t      root      1324  0.0  0.0      0     0 ?        S<   09:21   0:00 [hd-audio0]
system_u:system_r:syslogd_t     root      1505  0.0  0.0   1716   564 ?        SNs  09:21   0:00 syslogd -m 0
system_u:system_r:klogd_t       root      1508  0.0  0.1   3160  1984 ?        SNs  09:21   0:00 klogd
system_u:system_r:system_dbusd_t name    1524  0.0  0.0  10556   992 ?        SNsl 09:21   0:00 /usr/bin/dbus-daemon --system
system_u:system_r:hald_t        name      1569  0.0  0.3   5676  3608 ?        SNs  09:21   0:00 /usr/sbin/hald --use-syslog
system_u:system_r:hald_t        root      1570  0.0  0.1   3120  1032 ?        SN   09:21   0:00 hald-runner
system_u:system_r:hald_t        root      1574  0.0  0.0   3184   980 ?        SN   09:21   0:00 hald-addon-input: Listening on //dev/input/event9 //dev/input/event5 //dev/input/event4 //dev/input/event2 //dev/input/event12 //dev/input/event11 //dev/input/event3 //dev/input/event7
system_u:system_r:hald_t        root      1580  0.0  0.0   3184   948 ?        SN   09:21   0:00 /usr/libexec/hald-addon-leds
system_u:system_r:hald_mac_t    root      1592  0.0  0.1   3200  1044 ?        SN   09:21   0:00 /usr/libexec/hald-addon-macbookpro-backlight
system_u:system_r:hald_t        root      1599  0.0  0.0   3188   972 ?        SN   09:21   0:00 hald-addon-storage: no polling on //dev/sr0 because it is explicitly disabled
system_u:system_r:local_login_t name     1600  0.0  0.1   3092  1492 tty1     Ss   09:21   0:00 -bash
system_u:system_r:getty_t       root      1604  0.0  0.0   1668   492 tty2     Ss+  09:21   0:00 /sbin/agetty tty2 9600
system_u:system_r:getty_t       root      1605  0.0  0.0   1668   492 tty3     Ss+  09:21   0:00 /sbin/agetty tty3 9600
system_u:system_r:getty_t       root      1606  0.0  0.0   1668   492 tty4     Ss+  09:21   0:00 /sbin/agetty tty4 9600
system_u:system_r:getty_t       root      1607  0.0  0.0   1668   496 tty5     Ss+  09:21   0:00 /sbin/agetty tty5 9600
system_u:system_r:getty_t       root      1608  0.0  0.0   1668   496 tty6     Ss+  09:21   0:00 /sbin/agetty tty6 9600
system_u:system_r:hald_t        root      1610  0.0  0.0   3196   948 ?        SN   09:21   0:00 /usr/libexec/hald-addon-cpufreq
system_u:system_r:hald_t        name      1611  0.0  0.0   2840   868 ?        SN   09:21   0:00 hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event
system_u:system_r:local_login_t name     1630  0.0  0.1   2912  1108 tty1     S+   09:22   0:00 /bin/sh /usr/bin/startx
system_u:system_r:local_login_t name     1646  0.0  0.0   2932   752 tty1     S+   09:22   0:00 xinit /usr/lib/X11/xinit/xinitrc -- /usr/bin/X :0 -auth /home/name/.serverauth.1630
system_u:system_r:local_login_t root      1647  0.6  1.4  19016 14596 tty7     Ss+  09:22   0:06 /usr/bin/X :0 -auth /home/name/serverauth.1630
system_u:system_r:kernel_t      root      1680  0.0  0.0      0     0 ?        S<   09:22   0:00 [kauditd]
system_u:system_r:local_login_t name      1681  0.0  0.4   6884  4080 tty1     S    09:22   0:00 fluxbox
system_u:system_r:local_login_t name     1705  0.2  0.1   3784  1924 ?        Ss   09:22   0:03 aterm
system_u:system_r:local_login_t name     1706  0.0  0.1   3092  1456 pts/0    Ss   09:22   0:00 bash
system_u:system_r:local_login_t name      1775  0.0  0.0   2144   816 pts/0    R+   09:40   0:00 ps auxZ


/* using shadow/hal mechanism */




LABEL                           USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
system_u:system_r:init_t        root         1  2.0  0.0   2056   704 ?        Ss   01:33   0:01 init [3]  
system_u:system_r:kernel_t      root         2  0.0  0.0      0     0 ?        S<   01:33   0:00 [kthreadd]
system_u:system_r:kernel_t      root         3  0.0  0.0      0     0 ?        S<   01:33   0:00 [migration/0]
system_u:system_r:kernel_t      root         4  0.0  0.0      0     0 ?        S<   01:33   0:00 [ksoftirqd/0]
system_u:system_r:kernel_t      root         5  0.0  0.0      0     0 ?        S<   01:33   0:00 [watchdog/0]
system_u:system_r:kernel_t      root         6  0.0  0.0      0     0 ?        S<   01:33   0:00 [migration/1]
system_u:system_r:kernel_t      root         7  0.0  0.0      0     0 ?        S<   01:33   0:00 [ksoftirqd/1]
system_u:system_r:kernel_t      root         8  0.0  0.0      0     0 ?        S<   01:33   0:00 [watchdog/1]
system_u:system_r:kernel_t      root         9  0.0  0.0      0     0 ?        S<   01:33   0:00 [events/0]
system_u:system_r:kernel_t      root        10  0.0  0.0      0     0 ?        S<   01:33   0:00 [events/1]
system_u:system_r:kernel_t      root        11  0.0  0.0      0     0 ?        S<   01:33   0:00 [work_on_cpu/0]
system_u:system_r:kernel_t      root        12  0.0  0.0      0     0 ?        S<   01:33   0:00 [work_on_cpu/1]
system_u:system_r:kernel_t      root        13  0.0  0.0      0     0 ?        S<   01:33   0:00 [khelper]
system_u:system_r:kernel_t      root       131  0.0  0.0      0     0 ?        S<   01:33   0:00 [kblockd/0]
system_u:system_r:kernel_t      root       132  0.0  0.0      0     0 ?        S<   01:33   0:00 [kblockd/1]
system_u:system_r:kernel_t      root       134  0.0  0.0      0     0 ?        S<   01:33   0:00 [kacpid]
system_u:system_r:kernel_t      root       135  0.0  0.0      0     0 ?        S<   01:33   0:00 [kacpi_notify]
system_u:system_r:kernel_t      root       205  0.0  0.0      0     0 ?        S<   01:33   0:00 [cqueue]
system_u:system_r:kernel_t      root       209  0.0  0.0      0     0 ?        S<   01:33   0:00 [ata/0]
system_u:system_r:kernel_t      root       210  0.0  0.0      0     0 ?        S<   01:33   0:00 [ata/1]
system_u:system_r:kernel_t      root       211  0.0  0.0      0     0 ?        S<   01:33   0:00 [ata_aux]
system_u:system_r:kernel_t      root       212  0.0  0.0      0     0 ?        S<   01:33   0:00 [ksuspend_usbd]
system_u:system_r:kernel_t      root       218  0.2  0.0      0     0 ?        S<   01:33   0:00 [khubd]
system_u:system_r:kernel_t      root       221  0.0  0.0      0     0 ?        S<   01:33   0:00 [kseriod]
system_u:system_r:kernel_t      root       244  0.0  0.0      0     0 ?        S<   01:33   0:00 [kondemand/0]
system_u:system_r:kernel_t      root       245  0.0  0.0      0     0 ?        S<   01:33   0:00 [kondemand/1]
system_u:system_r:kernel_t      root       277  0.0  0.0      0     0 ?        S<   01:33   0:00 [rt-test-0]
system_u:system_r:kernel_t      root       279  0.0  0.0      0     0 ?        S<   01:33   0:00 [rt-test-1]
system_u:system_r:kernel_t      root       281  0.0  0.0      0     0 ?        S<   01:33   0:00 [rt-test-2]
system_u:system_r:kernel_t      root       283  0.0  0.0      0     0 ?        S<   01:33   0:00 [rt-test-3]
system_u:system_r:kernel_t      root       285  0.0  0.0      0     0 ?        S<   01:33   0:00 [rt-test-4]
system_u:system_r:kernel_t      root       287  0.0  0.0      0     0 ?        S<   01:33   0:00 [rt-test-5]
system_u:system_r:kernel_t      root       289  0.0  0.0      0     0 ?        S<   01:33   0:00 [rt-test-6]
system_u:system_r:kernel_t      root       291  0.0  0.0      0     0 ?        S<   01:33   0:00 [rt-test-7]
system_u:system_r:kernel_t      root       294  0.0  0.0      0     0 ?        S    01:33   0:00 [pdflush]
system_u:system_r:kernel_t      root       295  0.0  0.0      0     0 ?        S    01:33   0:00 [pdflush]
system_u:system_r:kernel_t      root       296  0.0  0.0      0     0 ?        S<   01:33   0:00 [kswapd0]
system_u:system_r:kernel_t      root       390  0.0  0.0      0     0 ?        S<   01:33   0:00 [aio/0]
system_u:system_r:kernel_t      root       391  0.0  0.0      0     0 ?        S<   01:33   0:00 [aio/1]
system_u:system_r:kernel_t      root       554  0.0  0.0      0     0 ?        S<   01:33   0:00 [scsi_eh_0]
system_u:system_r:kernel_t      root       558  0.0  0.0      0     0 ?        S<   01:33   0:00 [scsi_eh_1]
system_u:system_r:kernel_t      root       566  0.0  0.0      0     0 ?        S<   01:33   0:00 [scsi_eh_2]
system_u:system_r:kernel_t      root       568  0.0  0.0      0     0 ?        S<   01:33   0:00 [scsi_eh_3]
system_u:system_r:kernel_t      root       593  0.0  0.0      0     0 ?        S<   01:33   0:00 [kstriped]
system_u:system_r:kernel_t      root       598  0.0  0.0      0     0 ?        S<   01:33   0:00 [edac-poller]
system_u:system_r:kernel_t      root       601  0.0  0.0      0     0 ?        S<   01:33   0:00 [hid_compat]
system_u:system_r:kernel_t      root       633  0.0  0.0      0     0 ?        S<   01:33   0:00 [kjournald]
system_u:system_r:kernel_t      root       691  0.0  0.0      0     0 ?        S<   01:33   0:00 [applesmc-led]
system_u:system_r:udev_t        root       800  0.6  0.0   2148   896 ?        S<s  01:33   0:00 /sbin/udevd --daemon
system_u:system_r:kernel_t      root      1228  0.0  0.0      0     0 ?        S<   01:33   0:00 [khpsbpkt]
system_u:system_r:kernel_t      root      1270  0.0  0.0      0     0 ?        S<   01:33   0:00 [phy0]
system_u:system_r:kernel_t      root      1307  0.0  0.0      0     0 ?        S<   01:33   0:00 [knodemgrd_0]
system_u:system_r:kernel_t      root      1346  0.0  0.0      0     0 ?        S<   01:33   0:00 [hd-audio0]
system_u:system_r:syslogd_t     root      1531  0.1  0.0   1716   552 ?        SNs  01:33   0:00 syslogd -m 0
system_u:system_r:klogd_t       root      1541  0.3  0.1   3160  1984 ?        SNs  01:33   0:00 klogd
system_u:system_r:system_dbusd_t name    1558  0.0  0.0  10556   996 ?        SNsl 01:33   0:00 /usr/bin/dbus-daemon --system
system_u:system_r:hald_t         name     1602  0.8  0.3   5656  3616 ?        SNs  01:33   0:00 /usr/sbin/hald --use-syslog
system_u:system_r:hald_t        root      1603  0.0  0.1   3120  1044 ?        SN   01:33   0:00 hald-runner
system_u:system_r:hald_t        root      1607  0.0  0.0   3184   980 ?        SN   01:33   0:00 hald-addon-input: Listening on //dev/input/event6 //dev/input/event4 //dev/input/event2 //dev/input/event12 //dev/input/event11 //dev/input/event9 //dev/input/event3 //dev/input/event8
system_u:system_r:hald_t        root      1613  0.0  0.0   3184   948 ?        SN   01:33   0:00 /usr/libexec/hald-addon-leds
system_u:system_r:hald_mac_t    root      1625  0.0  0.1   3200  1040 ?        SN   01:33   0:00 /usr/libexec/hald-addon-macbookpro-backlight
system_u:system_r:hald_t        root      1631  0.0  0.0   3188   976 ?        SN   01:33   0:00 hald-addon-storage: no polling on //dev/sr0 because it is explicitly disabled
system_u:system_r:getty_t       root      1632  0.2  0.1   2552  1216 tty1     Ss   01:33   0:00 /bin/login --     
system_u:system_r:getty_t       root      1633  0.0  0.0   1668   492 tty2     Ss+  01:33   0:00 /sbin/agetty tty2 9600
system_u:system_r:getty_t       root      1637  0.0  0.0   1668   492 tty3     Ss+  01:33   0:00 /sbin/agetty tty3 9600
system_u:system_r:getty_t       root      1638  0.0  0.0   1668   488 tty4     Ss+  01:33   0:00 /sbin/agetty tty4 9600
system_u:system_r:getty_t       root      1639  0.0  0.0   1668   492 tty5     Ss+  01:33   0:00 /sbin/agetty tty5 9600
system_u:system_r:getty_t       root      1641  0.0  0.0   1668   496 tty6     Ss+  01:33   0:00 /sbin/agetty tty6 9600
system_u:system_r:hald_t        root      1642  0.0  0.0   3196   944 ?        SN   01:33   0:00 /usr/libexec/hald-addon-cpufreq
system_u:system_r:hald_t        name    1645  0.0  0.0   2840   872 ?        SN   01:33   0:00 hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event
system_u:system_r:kernel_t      root      1659  0.0  0.0      0     0 ?        S<   01:33   0:00 [kauditd]
name:sysadm_r:sysadm_t          name    1661  0.0  0.1   3092  1496 tty1     S    01:33   0:00 -bash
name:sysadm_r:sysadm_t          name     1666  0.0  0.1   2912  1108 tty1     S+   01:33   0:00 /bin/sh /usr/bin/startx
namr:sysadm_r:sysadm_t          name     1682  0.0  0.0   2932   752 tty1     S+   01:33   0:00 xinit /usr/lib/X11/xinit/xinitrc -- /usr/bin/X :0 -auth /home/name/.serverauth.1666
name:sysadm_r:xserver_t         root      1683  5.1  1.3  19008 14040 tty7     Ss+  01:33   0:02 /usr/bin/X :0 -auth /home/name/.serverauth.1666
name:sysadm_r:sysadm_t          name      1710  0.7  0.4   6884  4080 tty1     S    01:33   0:00 fluxbox
name:sysadm_r:sysadm_t          name     1734  0.1  0.1   3388  1592 ?        Ss   01:33   0:00 aterm
name:sysadm_r:sysadm_t          name     1735  0.0  0.1   3092  1452 pts/0    Ss   01:33   0:00 bash
name:sysadm_r:sysadm_t          name     1737  0.0  0.0   2144   820 pts/0    R+   01:34   0:00 ps auxZ



* Re: ext3 security labels missing
       [not found]               ` <4B40ED4D-BDE5-447D-A374-FDFF3B9CE634@gmail.com>
@ 2009-02-21 19:49                   ` Justin Mattock
  0 siblings, 0 replies; 13+ messages in thread
From: Justin Mattock @ 2009-02-21 19:49 UTC (permalink / raw)
  To: Dennis Wronka, SE-Linux, tresys, Stephen Smalley

On Sat, Feb 21, 2009 at 2:50 AM, Justin P. Mattock
<justinmattock@gmail.com> wrote:
> Thanks for the help.
> You're probably right with the coreutils
> Package. I'll look at it after I get some rest.
>
> Regards;
>
> Justin P. Mattock
>
>
>
> On Feb 21, 2009, at 2:06 AM, Dennis Wronka <linuxweb@gmx.net> wrote:
>
>> On Saturday 21 February 2009 17:55:03 you wrote:
>>>
>>> On Fri, Feb 20, 2009 at 9:51 PM, Dennis Wronka <linuxweb@gmx.net> wrote:
>>>>
>>>> If you don't have the system-auth file and you're still able to login
>>>> then either your system is not really using PAM or login doesn't
>>>> reference system-auth.
>>>> But from what I remember system-auth is not installed by default and you
>>>> have to write it yourself.
>>>> The default login-PAM-config, from the shadow-package, does reference
>>>> system-auth, so I think login should fail if your system really uses
>>>> PAM.
>>>>
>>>> When did you compile PAM? It should be compiled before shadow, so that
>>>> shadow can be compiled with PAM-support.
>>>>
>>>> Also, which getty are you using? You should install mingetty, or you'll
>>>> run into lots of problems that are caused by agetty under SELinux.
>>>>
>>>> As said, check your coreutils, notably id and ls, if they reference the
>>>> SELinux-libs. If not you'll need to compile them again.
>>>>
>>>> Plugging SELinux into LFS is a bit tricky. In order not to have to
>>>> compile too much twice you've got to compile stuff in the right place
>>>> during
>>>> the process.
>>>>
>>>> I have attached my stage2-script for your reference. This is the order I
>>>> compile my system in.
>>>> I've got a lot of optional stuff in there, so simply disregard anything
>>>> you don't need.
>>>>
>>>> Also, just out of curiosity: You're doing LFS to learn about the
>>>> internals or do you just want to get an LFS-system with SELinux?
>>>> In the latter case maybe I could interest you in my project, which also
>>>> the attached script is taken from, EasyLFS.
>>>>
>>>> Regards,
>>>> Dennis
>>>>
>>>> On Saturday 21 February 2009 07:10:37 Justin Mattock wrote:
>>>>>
>>>>> On Fri, Feb 20, 2009 at 7:20 AM, Dennis Wronka <linuxweb@gmx.net>
>>>>> wrote:
>>>>>>
>>>>>> Are the coreutils compiled with SELinux-support?
>>>>>> I just gave it a quick check and found that the -Z option is available
>>>>>> in both id and ls without coreutils having actually been built without
>>>>>> SELinux-libraries actually available.
>>>>>>
>>>>>> Could you check this:
>>>>>> ldd $(which ls)
>>>>>>
>>>>>> This should show up a reference to libselinux.so.1
>>>>>> If this reference is missing then I'd suggest recompiling the
>>>>>> coreutils.
>>>>>>
>>>>>> On Friday 20 February 2009 23:03:37 you wrote:
>>>>>>>
>>>>>>> On Fri, Feb 20, 2009 at 6:14 AM, Stephen Smalley <sds@tycho.nsa.gov>
>>>>
>>>> wrote:
>>>>>>>>
>>>>>>>> On Thu, 2009-02-19 at 23:04 -0800, Justin Mattock wrote:
>>>>>>>>>
>>>>>>>>> I've a strange issue.
>>>>>>>>> with my experimental learning machine(LFS)
>>>>>>>>> I'm able to load the policy etc.. but have no labels
>>>>>>>>> on my files.(just a question mark);
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ls -lZ shows
>>>>>>>>>
>>>>>>>>> drwxr-xr-x   2 root root ?  4096 Feb 18 11:19 bin
>>>>>>>>> drwxr-xr-x   3 root root ?  4096 Feb 19 22:36 boot
>>>>>>>>> lrwxrwxrwx   1 root  999 ?    11 Feb  9 16:34 cdrom -> media/cdrom
>>>>>>>>> drwxr-xr-x  17 root root ?  4120 Feb 19 22:42 dev
>>>>>>>>> drwxr-xr-x  28 root root ?  4096 Feb 19 22:47 etc
>>>>>>>>> drwxr-xr-x   4 root root ?  4096 Feb 19 22:36 home
>>>>>>>>> drwxr-xr-x   4 root root ?  4096 Feb 18 11:19 include
>>>>>>>>> drwxr-xr-x  10 root root ?  4096 Feb 19 18:52 lib
>>>>>>>>> drwx------   2 root root ? 16384 Feb  9 16:34 lost+found
>>>>>>>>> drwxr-xr-x   3 root root ?  4096 Feb 19 22:42 media
>>>>>>>>> drwxr-xr-x   3 root root ?  4096 Feb 11 12:09 mnt
>>>>>>>>> drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 opt
>>>>>>>>> dr-xr-xr-x 113 root root ?     0 Feb 19 22:42 proc
>>>>>>>>> drwxr-xr-x   5 root root ?  4096 Feb 18 11:24 root
>>>>>>>>> drwxr-xr-x   2 root root ?  4096 Feb 19 21:11 sbin
>>>>>>>>> drwxr-xr-x   7 root root ?     0 Feb 19 22:42 selinux
>>>>>>>>> drwxr-xr-x   8 root root ?  4096 Feb 18 11:19 share
>>>>>>>>> drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 srv
>>>>>>>>> drwxr-xr-x  12 root root ?     0 Feb 19 22:42 sys
>>>>>>>>> drwxrwxrwt   5 root root ?  4096 Feb 19 22:50 tmp
>>>>>>>>> drwxr-xr-x   6 root root ?  4096 Feb 11 12:05 tools
>>>>>>>>> drwxr-xr-x  14 root root ?  4096 Feb 14 10:09 usr
>>>>>>>>> drwxr-xr-x  10 root root ?  4096 Feb 18 22:31 var
>>>>>>>>> lrwxrwxrwx   1 root root ?    24 Feb 10 13:11 vmlinuz ->
>>>>>>>>> /boot/vmlinuz-2.6.29-rc4
>>>>>>>>>
>>>>>>>>> if I do a id -Z I get:
>>>>>>>>> id: --context (-Z) works only on an SELinux-enabled kernel
>>>>>>>>> (but it is enabled in the kernel)
>>>>>>>>
>>>>>>>> sestatus shows what?
>>>>>>>>
>>>>>>>> To be fully "enabled" as far as userspace is concerned, SELinux has
>>>>>>>> to be:
>>>>>>>> - enabled in your kernel build,
>>>>>>>> - enabled at boot,
>>>>>>>> - policy has to be loaded
>>>>>>>>
>>>>>>>> grep SELINUX .config
>>>>>>>> cat /etc/selinux/config
>>>>>>>> dmesg | grep SELinux
>>>>>>>>
>>>>>>>>> From looking back, I enabled as much as possible in any app/lib I
>>>>>>>>> was compiling
>>>>>>>>> that provided selinux support.(libc,xserver,hal,dbus, etc..);
>>>>>>>>> But could be missing an important app/lib that might make the
>>>>>>>>> security labels give the proper label. by chance if anybody had
>>>>>>>>> experienced this and/or knows what might be going on,(would be
>>>>>>>>> really appreciated).
>>>>>>>>>
>>>>>>>>> regards;
>>>>>>>>
>>>>>>>> --
>>>>>>>> Stephen Smalley
>>>>>>>> National Security Agency
>>>>>>>
>>>>>>> Thanks for the reply.
>>>>>>> here's what /usr/sbin/sestatus -vv (says);
>>>>>>>
>>>>>>> SELinux status:                 enabled
>>>>>>> SELinuxfs mount:                /selinux
>>>>>>> Current mode:                   permissive
>>>>>>> Mode from config file:          permissive
>>>>>>> Policy version:                 22
>>>>>>> Policy from config file:        refpolicy
>>>>>>>
>>>>>>> Process contexts:
>>>>>>> Current context:                system_u:system_r:local_login_t
>>>>>>> Init context:                   system_u:system_r:init_t
>>>>>>>
>>>>>>> File contexts:
>>>>>>> Controlling term:               system_u:object_r:devpts_t
>>>>>>> /etc/passwd                     system_u:object_r:etc_t
>>>>>>> /bin/bash                       system_u:object_r:shell_exec_t
>>>>>>> /bin/login                      system_u:object_r:login_exec_t
>>>>>>> /bin/sh                         system_u:object_r:bin_t ->
>>>>>>> system_u:object_r:shell_exec_t
>>>>>>> /sbin/agetty                    system_u:object_r:getty_exec_t
>>>>>>> /sbin/init                      system_u:object_r:init_exec_t
>>>>>>> /lib/libc.so.6                  system_u:object_r:lib_t ->
>>>>>>> system_u:object_r:lib_t
>>>>>>> /lib/ld-linux.so.2              system_u:object_r:lib_t ->
>>>>>>> system_u:object_r:ld_so_t
>>>>>>>
>>>>>>> I think this is some aterm,xproto,etc.. library/app(that I forgot to
>>>>>>> install) that's responsible for displaying the security label info in
>>>>>>> the shell.(example) when I use
>>>>>>> audit2allow -d, I generate the correct security allow rules.
>>>>>>> when running make relabel in the policy source directory, reacts as
>>>>>>> it should.
>>>>>>>
>>>>>>> As for setting any options in the kernel. no
>>>>>>> left everything as I've had in the past.
>>>>>>> as for enabling everything. yes
>>>>>>> - enabled in your kernel build,
>>>>>>> - enabled at boot,
>>>>>>> - policy has to be loaded
>>>>>>>
>>>>>>> I'll try adding these rules into the policy regardless of a
>>>>>>> broken proto/low level communications thing.
>>>>>>> didn't mean to cause any heat.
>>>>>>>
>>>>>>> regards;
>>>>>
>>>>> After looking at the situation, and looking at the
>>>>> (LFS)manual at first you setup shadow with a root
>>>>> password(to get things going); then later once you're up
>>>>> and running you move from using shadow to using pam.
>>>>> well I've managed to do that.
>>>>> but  I'm not seeing a /etc/pam.d/system-auth file
>>>>> generated by the installer(probably have to manually pick my
>>>>> session,password, account modules);
>>>>> (positive side)
>>>>> under ps aux (I'll have to attach them(before/after) as soon as I get a
>>>>> chance); I finally see:   /bin/login --
>>>>> So hopefully once I get /etc/pam.d cleaned up(hopefully) I
>>>>> should be logged into my SELinux user and have the right context.
>>>>> keep in mind "hopefully".
>>>>> regards;
>>>
>>> As promised here is the attached
>>> ps auxZ
>>>
>>> as it seems I do have pam up and running, but am still
>>> (unfortunately) seeing no security labels.
>>> must have a missing protocol somewhere.
>>>
>>> regards;
>>
>> Just before, resulting from your description of a missing system-auth
>> file, I
>> tested what will happen when I remove my system-auth file.
>> As expected it prevents me from logging into my system.
>>
>> Please also check this:
>> ldd $(which login)
>>
>> This should show references to the PAM-libraries. If this is not the case
>> I
>> guess your shadow may lack PAM-support.
>>
>> Also, as said before, please check if your coreutils have SELinux-support.
>> ldd $(which id)
>> ldd $(which ls)
>>
>> Those should show references to SELinux-libraries. If not, there's
>> something
>> missing. The existence of the -Z-option is no giveaway for
>> SELinux-support. I
>> have checked and those also exist on a system that has been compiled
>> without
>> SELinux-support and even without the SELinux-libraries present.
>

Ahh..
Thanks for the info.
when building coreutils for the first time I
had no SELinux headers (below said all "no" when building the first go at it);
(example of ./configure with SELinux headers in place):

checking selinux/flask.h usability... yes
checking selinux/flask.h presence... yes
checking for selinux/flask.h... yes
checking for library containing setfilecon... -lselinux
checking selinux/selinux.h usability... yes
checking selinux/selinux.h presence... yes
checking for selinux/selinux.h... yes
checking selinux/context.h usability... yes
checking selinux/context.h presence... yes
checking for selinux/context.h... yes

Now ls -lZ shows all of the beautiful labels.
Thanks again for the info
(I would have been running around in circles for days
if you didn't mention coreutils);

regards;

-- 
Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
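The diagnosis in this thread reduces to two checks: the kernel must actually provide SELinux, and the userspace tools that display contexts (coreutils `ls` and `id`) and the login program (shadow) must be linked against libselinux and libpam rather than merely accepting a `-Z` option. The script below is an added example, not code from the thread or from any of its participants: it wraps those checks in functions so they can gate a post-build step. It assumes that a kernel built with SELinux lists `selinuxfs` in `/proc/filesystems` (that check is the example's own, not something the thread states), and the `SAMPLE_*` strings are constructed ldd and /proc/filesystems output so the helpers can be exercised offline; `audit_selinux_userspace` touches the live host only when the script is run with `--run`.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two things this thread turned
# on.  1) Does the running kernel offer selinuxfs at all?  2) Are the tools
# that show contexts (coreutils ls/id) and the login program (shadow) really
# linked against libselinux / libpam?  A -Z option existing proves nothing,
# as Dennis points out; the linked libraries do.

# Constructed sample inputs so the helpers can be exercised offline.
SAMPLE_LDD_WITH_SELINUX='	linux-gate.so.1 =>  (0xb7fe1000)
	libselinux.so.1 => /lib/libselinux.so.1 (0xb7fb2000)
	librt.so.1 => /lib/librt.so.1 (0xb7fa9000)
	libc.so.6 => /lib/libc.so.6 (0xb7e4f000)
	/lib/ld-linux.so.2 (0xb7fe2000)'

SAMPLE_LDD_WITHOUT_SELINUX='	linux-gate.so.1 =>  (0xb7fe1000)
	librt.so.1 => /lib/librt.so.1 (0xb7fa9000)
	libc.so.6 => /lib/libc.so.6 (0xb7e4f000)
	/lib/ld-linux.so.2 (0xb7fe2000)'

SAMPLE_FILESYSTEMS_WITH_SELINUX='nodev	sysfs
nodev	rootfs
nodev	proc
nodev	selinuxfs
	ext3'

SAMPLE_FILESYSTEMS_WITHOUT_SELINUX='nodev	sysfs
nodev	rootfs
nodev	proc
	ext3'

# links_against LDD_OUTPUT LIBNAME
# Returns 0 when LIBNAME.so* appears as a linked object in LDD_OUTPUT.
links_against() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*$2\.so"
}

# kernel_has_selinuxfs FILESYSTEMS_TEXT
# Returns 0 when a /proc/filesystems listing contains selinuxfs, i.e. the
# running kernel was built with SELinux (assumed check, not from the thread).
kernel_has_selinuxfs() {
    printf '%s\n' "$1" | grep -q '[[:space:]]selinuxfs$'
}

# ldd_of PROGRAM -> ldd output for PROGRAM, or failure if either is missing.
ldd_of() {
    bin=$(command -v "$1" 2>/dev/null) || return 1
    ldd "$bin" 2>/dev/null
}

# check_tool PROGRAM LIBNAME -> one verdict line; 0 if linked, 1 otherwise.
check_tool() {
    out=$(ldd_of "$1") || { echo "$1: not found, or ldd unavailable"; return 1; }
    if links_against "$out" "$2"; then
        echo "$1: linked against $2 (ok)"
    else
        echo "$1: NOT linked against $2; rebuild it with the $2 headers installed"
        return 1
    fi
}

# Run the whole audit against the live host.  Exit status is 0 only if every
# check passes, so the function can gate a post-build script.
audit_selinux_userspace() {
    rc=0
    if [ -r /proc/filesystems ] && kernel_has_selinuxfs "$(cat /proc/filesystems)"; then
        echo "kernel: selinuxfs available (ok)"
    else
        echo "kernel: no selinuxfs; SELinux is not built into this kernel"
        rc=1
    fi
    check_tool ls    libselinux || rc=1   # coreutils
    check_tool id    libselinux || rc=1   # coreutils
    check_tool login libpam     || rc=1   # shadow
    return $rc
}

# Only touch the live system when explicitly asked:  sh check_selinux.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_selinux_userspace
fi
```

Run with `--run` on the freshly built LFS host; a coreutils built before the libselinux headers were installed shows up immediately as `ls: NOT linked against libselinux`, which is exactly the state the original poster was in before the rebuild.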


* [refpolicy] ext3 security labels missing
@ 2009-02-21 19:49                   ` Justin Mattock
  0 siblings, 0 replies; 13+ messages in thread
From: Justin Mattock @ 2009-02-21 19:49 UTC (permalink / raw)
  To: refpolicy


Thread overview: 13+ messages
2009-02-20  7:04 ext3 security labels missing Justin Mattock
2009-02-20  7:04 ` [refpolicy] " Justin Mattock
2009-02-20  7:42 ` Dennis Wronka
2009-02-20 14:14 ` Stephen Smalley
2009-02-20 14:14   ` [refpolicy] " Stephen Smalley
2009-02-20 15:03   ` Justin Mattock
2009-02-20 15:03     ` [refpolicy] " Justin Mattock
2009-02-20 15:20     ` Dennis Wronka
2009-02-20 23:10       ` Justin Mattock
2009-02-21  5:51         ` Dennis Wronka
2009-02-21  9:55           ` Justin Mattock
     [not found]             ` <200902211806.55864.linuxweb@gmx.net>
     [not found]               ` <4B40ED4D-BDE5-447D-A374-FDFF3B9CE634@gmail.com>
2009-02-21 19:49                 ` Justin Mattock
2009-02-21 19:49                   ` [refpolicy] " Justin Mattock
