From: Carlos Anisio Monteiro <monteiro@ipen.br>
To: selinux@tycho.nsa.gov
Subject: process context
Date: Thu, 16 Oct 2003 16:57:26 -0200
Message-ID: <3F8EEA16.8090908@ipen.br>

Hi.

The system has many processes running in the following context: system_u:system_r:kernel_t (see the example below).

  PID CONTEXT                                  COMMAND
    1 system_u:system_r:kernel_t               init [2]
    2 system_u:system_r:kernel_t               [ksoftirqd/0]
    3 system_u:system_r:kernel_t               [events/0]
    7 system_u:system_r:kernel_t               [kswapd0]
    8 system_u:system_r:kernel_t               [aio/0]
    9 system_u:system_r:kernel_t               [kseriod]
   33 system_u:system_r:kernel_t               [kjournald]
  250 system_u:system_r:kernel_t               /sbin/syslogd
  253 system_u:system_r:kernel_t               /sbin/klogd
  262 system_u:system_r:kernel_t               /usr/sbin/inetd
  346 system_u:system_r:kernel_t               sendmail: MTA: accepting connections
  373 system_u:system_r:kernel_t               /usr/sbin/cron
  378 system_u:system_r:kernel_t               /sbin/getty 38400 tty2
  379 system_u:system_r:kernel_t               /sbin/getty 38400 tty3

This happens at boot time.

Is this correct? Shouldn't every process, e.g. init, syslogd, klogd, run in its proper context? E.g.:
init - system_u:system_r:init_t
klogd - system_u:system_r:klogd_t
cron - system_u:system_r:cron_t

If so, how do I resolve this?

thanks.

-- 
Carlos Anisio Monteiro  <monteiro@ipen.br>
IPEN/CNEN-SP
Sao Paulo - Brasil
-- 
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From: Russell Coker <russell@coker.com.au>
To: Carlos Anisio Monteiro, selinux@tycho.nsa.gov
Subject: Re: process context
Date: Fri, 17 Oct 2003 13:27:31 +1000
Message-Id: <200310171327.31980.russell@coker.com.au>
In-Reply-To: <3F8EEA16.8090908@ipen.br>

On Fri, 17 Oct 2003 04:57, Carlos Anisio Monteiro wrote:
> The system has many processes running in the following context:
> system_u:system_r:kernel_t (see the example below).
>
>   PID CONTEXT                                  COMMAND
>   250 system_u:system_r:kernel_t               /sbin/syslogd
>   253 system_u:system_r:kernel_t               /sbin/klogd
>   262 system_u:system_r:kernel_t               /usr/sbin/inetd
>   346 system_u:system_r:kernel_t               sendmail: MTA: accepting connections
>   373 system_u:system_r:kernel_t               /usr/sbin/cron
>   378 system_u:system_r:kernel_t               /sbin/getty 38400 tty2
>   379 system_u:system_r:kernel_t               /sbin/getty 38400 tty3
>
> This happens at boot time.

I guess that at boot time the init process (usually /sbin/init) was not labeled with init_exec_t, which caused init to be run in kernel_t.

root@lyta:/etc/selinux# grep kernel_t.*process.transition policy.conf
allow kernel_t init_t:process transition;
allow kernel_t insmod_t:process transition;
allow kernel_t hotplug_t:process transition;
allow { initrc_t kernel_t } insmod_t:process transition;
root@lyta:/etc/selinux#

As you can see above, kernel_t can only transition to init_t, insmod_t, and hotplug_t in a default policy. So therefore when you have init running in kernel_t, every process that init runs (either directly or indirectly) apart from modprobe and hotplug will be in kernel_t.

If you label init correctly and run "telinit u" then init should re-exec itself in the correct context. If you then run "killall -9 getty" the getty processes should be restarted in the correct context. After getting getty running in the correct context you should be able to login at the console and then use run_init to restart the daemons and thus get them all running in the right context without rebooting.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
From: Russell Coker <russell@coker.com.au>
To: Carlos Anisio Monteiro, selinux@tycho.nsa.gov
Subject: Re: process context
Date: Fri, 17 Oct 2003 14:17:55 +1000
Message-Id: <200310171417.55149.russell@coker.com.au>
In-Reply-To: <200310171327.31980.russell@coker.com.au>

On Fri, 17 Oct 2003 13:27, Russell Coker wrote:
> I guess that at boot time the init process (usually /sbin/init) was not

Sorry, I meant to say "the executable for the init process".
From: kamal
To: selinux@tycho.nsa.gov
Subject: Re: process context
Date: Fri, 17 Oct 2003 16:06:02 +0530
Message-ID: <3F8FC612.2090105@iitk.ac.in>
In-Reply-To: <200310171327.31980.russell@coker.com.au>

Russell Coker wrote:
> I guess that at boot time the init process (usually /sbin/init) was not
> labeled with init_exec_t, which caused init to be run in kernel_t.

But why does this happen? I also had the same problem, and because the getty process is not labeled properly, login fails to get the default context.

Output of "ls --context /sbin/init" is:
-rwxr-xr-x root root system_u:object_r:init_exec_t /sbin/init
From: Russell Coker <russell@coker.com.au>
To: kamal, selinux@tycho.nsa.gov
Subject: Re: process context
Date: Fri, 17 Oct 2003 21:24:26 +1000
Message-Id: <200310172124.26830.russell@coker.com.au>
In-Reply-To: <3F8FC612.2090105@iitk.ac.in>

On Fri, 17 Oct 2003 20:36, kamal wrote:
> Russell Coker wrote:
> > I guess that at boot time the init process (usually /sbin/init) was not
> > labeled with init_exec_t, which caused init to be run in kernel_t.
>
> But why does this happen? I also had the same problem, and because the getty
> process is not labeled properly, login fails to get the default context.

The most likely cause of /sbin/init having the wrong type is that it was never labeled correctly. The second most likely cause is that you copied over a newer version without relabeling afterwards.

> Output of "ls --context /sbin/init" is:
> -rwxr-xr-x root root system_u:object_r:init_exec_t /sbin/init

That's the correct value. So "telinit u" should result in it getting the right context.

From: Stephen Smalley
To: Carlos Anisio Monteiro
Cc: selinux@tycho.nsa.gov, Russell Coker
Subject: Re: process context
Date: 17 Oct 2003 08:03:55 -0400
Message-Id: <1066392235.31764.6.camel@moss-spartans.epoch.ncsc.mil>
In-Reply-To: <3F8EEA16.8090908@ipen.br>

On Thu, 2003-10-16 at 14:57, Carlos Anisio Monteiro wrote:
> Hi.
>
> The system has many processes running in the following context:
> system_u:system_r:kernel_t (see the example below).
>
> This happens at boot time.
>
> Is this correct? Shouldn't every process, e.g. init, syslogd, klogd,
> run in its proper context? E.g.:
> init - system_u:system_r:init_t
> klogd - system_u:system_r:klogd_t
> cron - system_u:system_r:cron_t
>
> If so, how do I resolve this?

The possible scenarios are:

1) You never labeled /sbin/init with system_u:object_r:init_exec_t. Based on your prior email, you have labeled /sbin/init, so this is not the cause.

2) You labeled /sbin/init initially, but you are running prelink on your system and do not have the patched prelink program, so prelink is cheerfully unlinking it and re-creating it with the default type, causing it to fall back into sbin_t. You can check for this by doing a 'ls --context /sbin/init' again. Dan Walsh has a patched prelink program that preserves security contexts available from his site, ftp://people.redhat.com/dwalsh/SELinux. prelink is enabled by default in Fedora Core.

3) /sbin/init is labeled correctly, but the policy is not loaded prior to starting it, so the domain transition rule isn't defined when the execution occurs. This would happen if you failed to load the policy from an initrd prior to execution of /sbin/init, or if you are trying to perform the initial policy load via /sbin/init itself without re-exec'ing it after performing the load.

-- 
Stephen Smalley
National Security Agency
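An added diagnostic in POSIX shell, not from the list or from any distribution, that applies the reasoning of Russell's and Stephen's replies above: it separates kernel threads (which legitimately stay in kernel_t) from userland processes stuck there, and maps the label on /sbin/init onto the causes and fixes they name. The ps listings, the process names and the type values are constructed samples.

```shell
#!/bin/sh
# Added diagnostic for the problem in this thread: init never transitioned out of
# kernel_t, so everything it started inherited kernel_t. Not from the list or any
# distribution; the ps text and label values below are constructed samples.

# Constructed sample modelled on the original report (pid, context, command).
SAMPLE_PS='PID CONTEXT COMMAND
1 system_u:system_r:kernel_t init
2 system_u:system_r:kernel_t ksoftirqd/0
33 system_u:system_r:kernel_t kjournald
250 system_u:system_r:kernel_t syslogd
262 system_u:system_r:kernel_t inetd
373 system_u:system_r:kernel_t cron
378 system_u:system_r:kernel_t getty'

# Constructed healthy sample: init transitioned and daemons got their own domains.
HEALTHY_PS='PID CONTEXT COMMAND
1 system_u:system_r:init_t init
2 system_u:system_r:kernel_t ksoftirqd/0
250 system_u:system_r:syslogd_t syslogd
373 system_u:system_r:crond_t cron'

# Kernel threads legitimately stay in kernel_t (the bracketed entries in the
# original listing); only userland processes in kernel_t indicate the problem.
KERNEL_THREADS='ksoftirqd/0 events/0 kswapd0 aio/0 kseriod kjournald'

# Print "pid command" for every userland process whose type is kernel_t.
userland_in_kernel_t() {
    printf '%s\n' "$1" | awk -v kt="$KERNEL_THREADS" '
        BEGIN { n = split(kt, a, " "); for (i = 1; i <= n; i++) kthread[a[i]] = 1 }
        NR == 1 { next }                          # header line
        { split($2, c, ":") }                     # c[3] is the type component
        c[3] == "kernel_t" && !($3 in kthread) { print $1, $3 }'
}

# Same, as a bare count (0 when the listing is clean).
count_userland_in_kernel_t() {
    userland_in_kernel_t "$1" | awk 'END { print NR }'
}

# Type component of the context of PID 1.
init_domain() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 == 1 { split($2, c, ":"); print c[3]; exit }'
}

# Map the evidence onto the causes and fixes the replies give.
# $1 = ps listing; $2 = type on /sbin/init (what 'ls --context /sbin/init' shows).
diagnose() {
    d=$(init_domain "$1")
    if [ -z "$d" ]; then
        echo "unknown: no PID 1 in the listing"
    elif [ "$d" != "kernel_t" ]; then
        echo "ok: init runs in $d"
    elif [ "$2" != "init_exec_t" ]; then
        # Never labeled, or prelink re-created the file with the default type.
        echo "relabel: /sbin/init is $2, expected init_exec_t; relabel it, then 'telinit u'"
    else
        # Label is right, so no transition rule existed when init was executed:
        # policy was not loaded before /sbin/init, or init was not re-exec'd after.
        echo "policy: load policy before /sbin/init (or re-exec init after loading), then 'telinit u'"
    fi
}

# Stand-alone run over the constructed sample.
echo "userland processes in kernel_t ($(count_userland_in_kernel_t "$SAMPLE_PS")):"
userland_in_kernel_t "$SAMPLE_PS"
diagnose "$SAMPLE_PS" init_exec_t
```

On a live system, feed it the pid, context and command columns from ps and the type shown by 'ls --context /sbin/init'; after Russell's recovery sequence (relabel, 'telinit u', restart getty, run_init for the daemons) the count should drop to zero.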
From: Stephen Smalley
To: kamal
Cc: selinux@tycho.nsa.gov, Russell Coker
Subject: Re: process context
Date: 17 Oct 2003 08:08:23 -0400
Message-Id: <1066392503.31764.11.camel@moss-spartans.epoch.ncsc.mil>
In-Reply-To: <3F8FC612.2090105@iitk.ac.in>

On Fri, 2003-10-17 at 06:36, kamal wrote:
> But why does this happen? I also had the same problem, and because the getty
> process is not labeled properly, login fails to get the default context.
>
> Output of "ls --context /sbin/init" is:
> -rwxr-xr-x root root system_u:object_r:init_exec_t /sbin/init

As with the other poster, your problem may be that you aren't loading the policy prior to executing /sbin/init, or you are loading the policy via /sbin/init but failing to re-execute it.

-- 
Stephen Smalley
National Security Agency
From: Carlos Anisio Monteiro <monteiro@ipen.br>
To: Stephen Smalley, Russell Coker, Daniel J Walsh, selinux@tycho.nsa.gov
Subject: Re: process context
Date: Mon, 20 Oct 2003 08:54:39 -0200
Message-ID: <3F93BEEF.9060904@ipen.br>
In-Reply-To: <1066392235.31764.6.camel@moss-spartans.epoch.ncsc.mil>

Stephen Smalley wrote:
> On Thu, 2003-10-16 at 14:57, Carlos Anisio Monteiro wrote:
> > Hi.
> >
> > The system has many processes running in the following context:
> > system_u:system_r:kernel_t (see the example below).
> >
> > <snip>
> >
> > This happens at boot time.
> >
> > Is this correct? Shouldn't every process, e.g. init, syslogd, klogd,
> > run in its proper context? E.g.:
> > init - system_u:system_r:init_t
> > klogd - system_u:system_r:klogd_t
> > cron - system_u:system_r:cron_t
> >
> > If so, how do I resolve this?
>
> The possible scenarios are:
> 1) You never labeled /sbin/init with system_u:object_r:init_exec_t.
> Based on your prior email, you have labeled /sbin/init, so this is not
> the cause.
>
> 2) You labeled /sbin/init initially, but you are running prelink on your
> system and do not have the patched prelink program, so prelink is
> cheerfully unlinking it and re-creating it with the default type,
> causing it to fall back into sbin_t. You can check for this by doing a
> 'ls --context /sbin/init' again. Dan Walsh has a patched prelink
> program that preserves security contexts available from his site,
> ftp://people.redhat.com/dwalsh/SELinux. prelink is enabled by default
> in Fedora Core.
>
> 3) /sbin/init is labeled correctly, but the policy is not loaded prior
> to starting it, so the domain transition rule isn't defined when the
> execution occurs. This would happen if you failed to load the policy
> from an initrd prior to execution of /sbin/init, or if you are trying to
> perform the initial policy load via /sbin/init itself without
> re-exec'ing it after performing the load.

I loaded the policy in the initrd image, and the boot process and the contexts are fine. The policy must be loaded prior to the init process. *I am much obliged to you*.

However, whenever I change a policy I have to update the policy in the initrd image. Or can I load a minimal policy in the initrd image and the remainder from a script in the /etc/init.d directory? Then the updates to the policy in the initrd image should be very small.

Again, thanks! Thanks!

-- 
Carlos Anisio Monteiro  <monteiro@ipen.br>
IPEN/CNEN-SP
Sao Paulo - Brasil
From: Daniel J Walsh
To: Carlos Anisio Monteiro
Cc: Stephen Smalley, Russell Coker, selinux@tycho.nsa.gov
Subject: Re: process context
Date: Mon, 20 Oct 2003 10:01:23 -0400
Message-ID: <3F93EAB3.7080109@redhat.com>
In-Reply-To: <3F93BEEF.9060904@ipen.br>

Carlos Anisio Monteiro wrote:
> Stephen Smalley wrote:
> > <snip>
> >
> > 3) /sbin/init is labeled correctly, but the policy is not loaded prior
> > to starting it, so the domain transition rule isn't defined when the
> > execution occurs. This would happen if you failed to load the policy
> > from an initrd prior to execution of /sbin/init, or if you are trying to
> > perform the initial policy load via /sbin/init itself without
> > re-exec'ing it after performing the load.
>
> I loaded the policy in the initrd image, and the boot process and the
> contexts are fine. The policy must be loaded prior to the init process.
> *I am much obliged to you*.
>
> However, whenever I change a policy I have to update the policy in the
> initrd image. Or can I load a minimal policy in the initrd image and
> the remainder from a script in the /etc/init.d directory? Then the
> updates to the policy in the initrd image should be very small.
>
> Again, thanks! Thanks!

Currently that is what we are suggesting. Modify mkinitrd with minimal policy and then have the initscripts load the on-disk policy as early as possible. We are working to the point where init itself will load policy and modification of the initrd will go away.

Dan
From: Russell Coker <russell@coker.com.au>
To: Daniel J Walsh, Carlos Anisio Monteiro
Cc: Stephen Smalley, selinux@tycho.nsa.gov
Subject: Re: process context
Date: Tue, 21 Oct 2003 11:07:56 +1000
Message-Id: <200310211107.56066.russell@coker.com.au>
In-Reply-To: <3F93EAB3.7080109@redhat.com>

On Tue, 21 Oct 2003 00:01, Daniel J Walsh wrote:
> Currently that is what we are suggesting. Modify mkinitrd with minimal
> policy and then have the initscripts load the on-disk policy as early as
> possible. We are working to the point where init itself will load
> policy and modification of the initrd will go away.

Unless of course we decide to go with a modified init, which means that we don't need policy in the initrd.