From: "C.J. Adams-Collier" <cjac@colliertech.org>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Dominick Grift <dominick.grift@gmail.com>,
SE-Linux <selinux@tycho.nsa.gov>,
Russell Coker <russell@coker.com.au>
Subject: Re: SELinux on Wheezy
Date: Tue, 7 Feb 2012 13:05:01 -0800 [thread overview]
Message-ID: <20120207210501.GE18478@colliertech.org> (raw)
In-Reply-To: <1328645305.2162.105.camel@moss-pluto>
On Tue, Feb 07, 2012 at 03:08:25PM -0500, Stephen Smalley wrote:
> On Tue, 2012-02-07 at 12:02 -0800, C.J. Adams-Collier wrote:
> > ~/selinux/semodule_-l_20120207T110759.log:
> > apache 2.3.0
> > dbus 1.15.0
> > devicekit 1.1.0
> > dmidecode 1.4.0
> > exim 1.5.0
> > ftp 1.13.0
> > git 1.0
> > gpg 2.4.0
> > lda 1.9.0
> > lvm 1.13.0
> > netutils 1.11.0
> > openvpn 1.10.0
> > ptchown 1.1.0
> > pythonsupport 0.0.1
> > remotelogin 1.7.0
> > rpc 1.13.0
> > rpcbind 1.5.0
> > rsync 1.11.0
> > ssh 2.2.0
> > sudo 1.8.0
> > tcpd 1.4.0
> > telnet 1.10.0
> > tzdata 1.4.0
> > unconfined 3.3.0
>
> So no xserver module, unless it happens to be part of your base module.
> seinfo -txserver_t
cjac@foxtrot:~$ sudo which seinfo
cjac@foxtrot:~$ apt-file search seinfo | grep bin | wc -l
0
Any idea where I can get the xserver module? Russell?
>
> > ~/selinux/sestatus_-v_20120207T110759.log:
> > SELinux status: enabled
> > SELinuxfs mount: /selinux
> > Current mode: permissive
> > Mode from config file: permissive
> > Policy version: 26
> > Policy from config file: default
> >
> > Process contexts:
> > Current context: unconfined_u:system_r:insmod_t:SystemLow-SystemHigh
> > Init context: system_u:system_r:kernel_t:SystemLow
> > /usr/sbin/sshd system_u:system_r:kernel_t:SystemLow
> >
> > File contexts:
> > Controlling term: unconfined_u:object_r:tty_device_t:SystemLow
> > /etc/passwd unconfined_u:object_r:user_home_t:SystemLow
> > /etc/shadow unconfined_u:object_r:user_home_t:SystemLow
> > /bin/bash unconfined_u:object_r:user_home_t:SystemLow
> > /bin/login unconfined_u:object_r:user_home_t:SystemLow
> > /bin/sh unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow
> > /sbin/agetty unconfined_u:object_r:user_home_t:SystemLow
> > /sbin/init unconfined_u:object_r:user_home_t:SystemLow
> > /usr/sbin/sshd system_u:object_r:sshd_exec_t:SystemLow
> > /lib/ld-linux.so.2 unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow
>
> So everything except for /usr/sbin/sshd has the wrong file context, and
> all of your processes are still running in the kernel's domain.
>
> I think you need a new policy, and then you need to relabel your
> filesystems.
Sounds reasonable. Do I get policy from my distribution, or should I
generate one myself?
cjac@foxtrot:~$ dpkg -l | grep selinux-policy
ii selinux-policy-default 2:2.20110726-3 Strict and Targeted variants of the SELinux policy
ii selinux-policy-dev 2:2.20110726-3 Headers from the SELinux reference policy for building modules
ii selinux-policy-doc 2:2.20110726-3 Documentation for the SELinux reference policy
cjac@foxtrot:~$ apt-cache search selinux-policy
selinux-policy-default - Strict and Targeted variants of the SELinux policy
selinux-policy-dev - Headers from the SELinux reference policy for building modules
selinux-policy-doc - Documentation for the SELinux reference policy
selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
selinux-policy-src - Source of the SELinux reference policy for customization
If I'm going to generate one myself, I need to understand them a bit
better. I would like anything I generate to be usable by the rest of
the Debian world. There seem to be some examples I can review in the
selinux-policy-doc and selinux-policy-mls packages.
Regarding re-labeling, every time I boot without the selinux arguments
to my kernel and then boot with them, the filesystem seems to get
re-labeled. Is there a better way to do this?
Thanks for helping me cope with my ignorance.
C.J.
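An added example, not part of this thread or of any Debian package, that automates the check Stephen makes by eye on the quoted `sestatus -v` output: walk the "File contexts" section and report every system path whose type is `user_home_t`, which is the symptom of a filesystem labelled under the wrong (or no) policy. The sample input is constructed to mirror the quoted log; the function names `find_mislabeled` and `count_mislabeled` are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit the "File contexts" section of
# `sestatus -v` output for system files carrying a home-directory type.
# SAMPLE_SESTATUS is constructed to match the layout in the quoted log.

SAMPLE_SESTATUS='SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive

Process contexts:
Current context: unconfined_u:system_r:insmod_t:SystemLow-SystemHigh
Init context: system_u:system_r:kernel_t:SystemLow

File contexts:
Controlling term: unconfined_u:object_r:tty_device_t:SystemLow
/etc/passwd unconfined_u:object_r:user_home_t:SystemLow
/etc/shadow unconfined_u:object_r:user_home_t:SystemLow
/bin/bash unconfined_u:object_r:user_home_t:SystemLow
/bin/sh unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow
/usr/sbin/sshd system_u:object_r:sshd_exec_t:SystemLow'

# Read `sestatus -v` output on stdin and print, one per line, each path in
# the "File contexts" section whose type field is user_home_t. Lines before
# that section (process contexts, mode, etc.) are ignored, as is the
# "Controlling term:" line, whose first field is not an absolute path.
# For symlink lines ("/bin/sh ctx -> ctx") only the link's own context
# (field 2) is inspected; the target's context is field 4.
find_mislabeled() {
    awk '
        /^File contexts:/ { in_files = 1; next }
        in_files && $1 ~ /^\// {
            # context is user:role:type:level, so the type is element 3
            split($2, ctx, ":")
            if (ctx[3] == "user_home_t") print $1
        }
    '
}

# Number of mislabeled entries, convenient as an exit-code style check.
count_mislabeled() {
    find_mislabeled | wc -l | tr -d " "
}

# Stand-alone demo on the constructed sample: run with "--demo".
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SESTATUS" | find_mislabeled
fi
```

On a live system, `sestatus -v | find_mislabeled` gives the same report for the paths sestatus samples; `matchpathcon -V <path>` verifies any individual file against the installed policy's file_contexts. A non-empty result means the labels predate the currently installed policy, which is exactly the relabel Stephen recommends: `restorecon -Rv` on the affected trees, or the full-filesystem relabel at boot, rather than relying on toggling the kernel arguments.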