* selinux-policy-default
From: Eric Estabrooks @ 2004-02-06 5:57 UTC
To: selinux
I'm running Debian unstable with a 2.6.2 kernel se-enabled. I was
following the new selinux how to
(http://sourceforge.net/docman/display_doc.php?docid=20372&group_id=21266)
and I've gotten stuck on the selinux-policy-default install. It seems
that the types for xxx_locate_t aren't defined.
[ snip lots of yes/no questions ]
Installing the new SE Linux policy
/usr/bin/checkpolicy: loading policy configuration from
/etc/security/selinux/src/policy.conf
domains/admin.te:32:ERROR 'unknown type sysadm_locate_t' at token ';' on
line 5974:
allow sysadm_locate_t { sysadm_mozilla_ro_t sysadm_mozilla_rw_t }:dir {
getattr
search };
I searched for type lines for sysadm_locate_t but couldn't find any in
any of the .te files and I don't know what they should look like to
generate my own. Can someone point me to documentation that would
explain these types?
Thanks,
Eric
* Re: selinux-policy-default
From: Tomas Hoger @ 2004-02-06 10:31 UTC
To: Eric Estabrooks; +Cc: selinux
On Thu, Feb 05, 2004 at 11:57:15PM -0600, Eric Estabrooks wrote:
> domains/admin.te:32:ERROR 'unknown type sysadm_locate_t' at token ';' on
> line 5974:
> allow sysadm_locate_t { sysadm_mozilla_ro_t sysadm_mozilla_rw_t }:dir {
> getattr
> search };
I came across a similar problem yesterday evening. I think the problem is that
*_locate_t domains are not created in user_domain and admin_domain macros.
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=231343 , there you can
find a simple patch which solved the problem for me. Can anyone look at it and
tell if my solution is correct?
th.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: selinux-policy-default
From: Russell Coker @ 2004-02-06 12:39 UTC
To: Eric Estabrooks, selinux
On Fri, 6 Feb 2004 16:57, Eric Estabrooks <eric@urbanrage.com> wrote:
> /usr/bin/checkpolicy: loading policy configuration from
> /etc/security/selinux/src/policy.conf
> domains/admin.te:32:ERROR 'unknown type sysadm_locate_t' at token ';' on
> line 5974:
> allow sysadm_locate_t { sysadm_mozilla_ro_t sysadm_mozilla_rw_t }:dir {
> getattr
> search };
I'll upload a new policy package to fix that tomorrow.
Anyway using the locate policy for Debian is not a good idea. Debian does not
have a SE Linux patched locate and is not likely to have one in the
foreseeable future. I think that locate is simply a bad idea and have no
plans to support it in Debian.
> I searched for type lines for sysadm_locate_t but couldn't find any in
Look at macros/program/locate_macros.te .
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: selinux-policy-default
From: Daniel J Walsh @ 2004-02-06 15:09 UTC
To: russell; +Cc: Eric Estabrooks, selinux
Russell Coker wrote:
> On Fri, 6 Feb 2004 16:57, Eric Estabrooks <eric@urbanrage.com> wrote:
>> /usr/bin/checkpolicy: loading policy configuration from
>> /etc/security/selinux/src/policy.conf
>> domains/admin.te:32:ERROR 'unknown type sysadm_locate_t' at token ';' on
>> line 5974:
>> allow sysadm_locate_t { sysadm_mozilla_ro_t sysadm_mozilla_rw_t }:dir {
>> getattr
>> search };
>
> I'll upload a new policy package to fix that tomorrow.
>
> Anyway using the locate policy for Debian is not a good idea. Debian does not
> have a SE Linux patched locate and is not likely to have one in the
> foreseeable future. I think that locate is simply a bad idea and have no
> plans to support it in Debian.
>
>> I searched for type lines for sysadm_locate_t but couldn't find any in
>
> Look at macros/program/locate_macros.te .
Easiest thing to do is remove slocate.te from domain/program and then
do a make reload.
Dan
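An added example, not from the thread or the policy package: a Python check that lists names used as source or target in allow-style rules of an expanded policy.conf without a matching type, attribute or alias declaration, the condition behind the 'unknown type sysadm_locate_t' error quoted above. The sample policy text is constructed; only allow, auditallow, dontaudit and neverallow rules are inspected, and the function names are hypothetical.

```python
import re

# One source or target field of a rule: a single name or a { set }.
FIELD = r"(~?\{[^{}]*\}|[^\s{}:;]+)"
RULE = re.compile(r"\b(?:allow|auditallow|dontaudit|neverallow)\s+"
                  + FIELD + r"\s+" + FIELD + r"\s*:")
DECL = re.compile(r"^\s*(?:type|attribute)\s+([\w.]+)([^;]*);", re.M)
ALIAS = re.compile(r"\balias\s+(\{[^{}]*\}|[\w.]+)")
TYPEALIAS = re.compile(r"^\s*typealias\s+[\w.]+\s+alias\s+"
                       r"(\{[^{}]*\}|[\w.]+)", re.M)


def names(field):
    """Split 'a_t' or '{ a_t -b_t }' into bare identifiers."""
    tokens = field.lstrip("~").strip("{}").split()
    return [t.lstrip("-") for t in tokens if t not in ("self", "*")]


def declared_names(policy):
    """Collect every name introduced by type, attribute or alias."""
    known = set()
    for m in DECL.finditer(policy):
        known.add(m.group(1))
        for a in ALIAS.finditer(m.group(2)):
            known.update(names(a.group(1)))
    for m in TYPEALIAS.finditer(policy):
        known.update(names(m.group(1)))
    return known


def undeclared_types(policy):
    """Return sorted (line, name) pairs for rule fields never declared.

    The line is that of the rule's closing ';', the token named in the
    checkpolicy error quoted in the thread.
    """
    policy = re.sub(r"#[^\n]*", "", policy)  # drop comments, keep newlines
    known = declared_names(policy)
    found = set()
    for m in RULE.finditer(policy):
        end = policy.find(";", m.end())
        line = policy.count("\n", 0, end if end != -1 else m.end()) + 1
        for field in m.groups():
            found.update((line, n) for n in names(field) if n not in known)
    return sorted(found)


# Constructed sample in the shape of an expanded policy.conf.
SAMPLE = """\
attribute domain;
type sysadm_t, domain;
type sysadm_mozilla_ro_t;
type sysadm_mozilla_rw_t;
# no 'type sysadm_locate_t' line anywhere
allow sysadm_t self:process signal;
allow sysadm_locate_t { sysadm_mozilla_ro_t sysadm_mozilla_rw_t }:dir {
getattr
search };
"""

if __name__ == "__main__":
    for line, name in undeclared_types(SAMPLE):
        print(f"line {line}: unknown type {name}")
```

Role rules such as `allow r1 r2;` have no class field and are skipped, so only type-enforcement rules are reported.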
* selinux-policy-default
From: Chris Vanden Berghe @ 2003-12-02 12:18 UTC
To: SELinux Mail List
Hi,
Already mentioned this quickly on #selinux, but thought it would be useful
to put it on the mailing list with some more info too.
I tried installing the new selinux version for kernel 2.6.0-test11 under
Debian. Started by installing libselinux1 from Russell's newselinux
archives, this worked just fine. But when afterwards I tried installing
selinux-policy-default, then I got the error message below:
dpkg --install
/var/cache/apt/archives/selinux-policy-default_1%3a1.2.real-13_all.deb
(Reading database ... 112169 files and directories currently installed.)
Preparing to replace selinux-policy-default 1:1.2.real-13 (using
.../selinux-policy-default_1%3a1.2.real-13_all.deb) ...
Unpacking replacement selinux-policy-default ...
Setting up selinux-policy-default (1.2.real-13) ...
/etc/selinux does not exist, aborting!
run-parts: /etc/dpkg/postinst.d/selinux exited with return code 1
"/bin/run-parts --arg=selinux-policy-default /etc/dpkg/postinst.d"
failed: 256
dpkg: error processing selinux-policy-default (--install):
1Error running trigger postinst: No such file or directory
Errors were encountered while processing:
selinux-policy-default
Does anybody know how/when the /etc/selinux directory is supposed to be
created?
Tnx,
Chris.
* Re: selinux-policy-default
From: Tom @ 2003-12-02 13:56 UTC
To: Chris Vanden Berghe; +Cc: SELinux Mail List
On Tue, Dec 02, 2003 at 01:18:34PM +0100, Chris Vanden Berghe wrote:
> I tried installing the new selinux version for kernel 2.6.0-test11 under
> Debian. Started by installing libselinux1 from Russell's newselinux
> archives, this worked just fine. But when afterwards I tried installing
> selinux-policy-default, then I got the error message below:
I had a similar error when I upgraded. I _think_ you can just manually
create an empty dir and it should work. Try that. If it doesn't, yell
again and I'll try to recreate the steps I took to get it running.
--
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
* Re: selinux-policy-default
From: Chris Vanden Berghe @ 2003-12-02 14:41 UTC
To: Tom; +Cc: SELinux Mail List
Hi,
> On Tue, Dec 02, 2003 at 01:18:34PM +0100, Chris Vanden Berghe wrote:
>> I tried installing the new selinux version for kernel 2.6.0-test11 under
>> Debian. Started by installing libselinux1 from Russell's newselinux
>> archives, this worked just fine. But when afterwards I tried installing
>> selinux-policy-default, then I got the error message below:
>
> I had a similar error when I upgraded. I _think_ you can just manually
> create an empty dir and it should work. Try that. If it doesn't, yell
> again and I'll try to recreate the steps I took to get it running.
I tried this, and got the following error (probably stemming from the
fact that this dir is empty?):
# mkdir /etc/selinux
# dpkg --install
/var/cache/apt/archives/selinux-policy-default_1%3a1.2.real-13_all.deb
Selecting previously deselected package selinux-policy-default.
(Reading database ... 111806 files and directories currently installed.)
Unpacking selinux-policy-default (from
.../selinux-policy-default_1%3a1.2.real-13_all.deb) ...
Setting up selinux-policy-default (1.2.real-13) ...
make: *** No rule to make target `file_contexts/file_contexts'. Stop.
run-parts: /etc/dpkg/postinst.d/selinux exited with return code 2
"/bin/run-parts --arg=selinux-policy-default /etc/dpkg/postinst.d"
failed: 256
dpkg: error processing selinux-policy-default (--install):
1Error running trigger postinst: No such file or directory
Errors were encountered while processing:
selinux-policy-default
I would very much like to hear how you got around this problem!
Cheers,
Chris.
* Re: selinux-policy-default
From: Tom @ 2003-12-02 15:24 UTC
To: Chris Vanden Berghe; +Cc: SELinux Mail List
On Tue, Dec 02, 2003 at 03:41:14PM +0100, Chris Vanden Berghe wrote:
> I would very much like to hear how you got around this problem!
Hm, ok. I'm not at home at the moment, so I don't have access to my
play machine. So it's all from memory.
The problem is that you're updating. One thing you can also try is to
(re)move the old /usr/share/selinux directory, remove the /etc/selinux
and do a clean re-install.
I'll check when I get home, but that might be late today.
* Re: selinux-policy-default
From: Russell Coker @ 2003-12-02 14:59 UTC
To: Chris Vanden Berghe, SELinux Mail List
On Tue, 2 Dec 2003 23:18, Chris Vanden Berghe <vbc@zurich.ibm.com> wrote:
> dpkg --install
> /var/cache/apt/archives/selinux-policy-default_1%3a1.2.real-13_all.deb
> (Reading database ... 112169 files and directories currently installed.)
> Preparing to replace selinux-policy-default 1:1.2.real-13 (using
> .../selinux-policy-default_1%3a1.2.real-13_all.deb) ...
> Unpacking replacement selinux-policy-default ...
> Setting up selinux-policy-default (1.2.real-13) ...
> /etc/selinux does not exist, aborting!
/etc/selinux is a sym-link to /usr/share/selinux/policy/current/ and is
created on installation of the selinux-policy-default package.
Did you remove and re-install the package?
* Re: selinux-policy-default
From: Chris Vanden Berghe @ 2003-12-02 15:24 UTC
To: russell; +Cc: selinux
Hi,
>/etc/selinux is a sym-link to /usr/share/selinux/policy/current/ and is
>created on installation of the selinux-policy-default package.
I don't have '/usr/share/selinux/policy/current/' either, but I do have
'/usr/share/selinux/policy/default/'. Should I link /etc/selinux to
this '.../default/' dir?
>Did you remove and re-install the package?
Yes, but I did use --purge, so I expected that all configuration files
would have been deleted by this.
And, as Dave suggested, I'm currently installing this under a
non-selinux kernel (since the selinux one doesn't boot: it complains
that it cannot find the policy file :-( ). So the idea was to install
all the selinux related packages under a non-selinux kernel and to
afterwards boot with the selinux kernel.
Cheers,
Chris.
* Re: selinux-policy-default
From: Russell Coker @ 2003-12-02 18:37 UTC
To: Chris Vanden Berghe; +Cc: selinux
On Wed, 3 Dec 2003 02:24, Chris Vanden Berghe <vbc@zurich.ibm.com> wrote:
> Hi,
>
> >/etc/selinux is a sym-link to /usr/share/selinux/policy/current/ and is
> >created on installation of the selinux-policy-default package.
>
> I don't have '/usr/share/selinux/policy/current/' either, but I do have
> '/usr/share/selinux/policy/default/'. Should I link /etc/selinux to
> this '.../default/' dir?
No. Copy what you want from the default directory to the current directory
then make a symlink. Having the symlink point to the default directory won't
do any good.
* Re: selinux-policy-default
From: Chris Vanden Berghe @ 2003-12-03 12:22 UTC
To: selinux
Hi,
>> I don't have '/usr/share/selinux/policy/current/' either, but I do have
>> '/usr/share/selinux/policy/default/'. Should I link /etc/selinux to
>> this '.../default/' dir?
>
> No. Copy what you want from the default directory to the current directory
> then make a symlink. Having the symlink point to the default directory won't
> do any good.
Tnx, this worked.
I'd be happy to do some testing if you have a new version of the
selinux-policy-default package available that addresses this issue.
Cheers,
Chris.
* Re: selinux-policy-default
From: Tom @ 2003-12-02 18:54 UTC
To: selinux
On Tue, Dec 02, 2003 at 04:24:18PM +0100, Chris Vanden Berghe wrote:
> Yes, but I did use --purge, so I expected that all configuration files
> would have been deleted by this.
I think I had the same issue. It appears some things are left behind.
Try --purge again and check if both /etc/selinux and /usr/share/selinux
have gone.
> And, as Dave suggested, I'm currently installing this under a
> non-selinux kernel (since the selinux one doesn't boot: it complains
> that it cannot find the policy file :-( ). So the idea was to install
> all the selinux related packages under a non-selinux kernel and to
> afterwards boot with the selinux kernel.
You might want to check my step-by-step howto at
http://selinux.lemuria.org and check if you've done all that.
* Re: selinux-policy-default
From: Dale Amon @ 2003-12-02 15:04 UTC
To: Chris Vanden Berghe; +Cc: SELinux Mail List
On Tue, Dec 02, 2003 at 01:18:34PM +0100, Chris Vanden Berghe wrote:
> I tried installing the new selinux version for kernel 2.6.0-test11 under
> Debian. Started by installing libselinux1 from Russell's newselinux
> archives, this worked just fine. But when afterwards I tried installing
> selinux-policy-default, then I got the error message below:
Yeah, looks like the same problem I've got. It has to
do with a package install hook that doesn't seem to
work under non-selinux systems. Won't guarantee that
is a correct statement as I've been busy on other
things and have spent time to properly dig into it.
--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security
and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------