* selinux-policy-mls is now available for your testing pleasure.
@ 2005-04-15 21:04 Daniel J Walsh
2005-04-19 21:25 ` Paul Moore
2005-04-21 20:33 ` Paul Moore
0 siblings, 2 replies; 14+ messages in thread
From: Daniel J Walsh @ 2005-04-15 21:04 UTC (permalink / raw)
To: SELinux
Based off STRICT policy.
ftp://people.redhat.com/dwalsh/SELinux/Fedora/selinux-policy-mls-*
It is not in Rawhide yet, but I will provide it via my people page.
This has not been tested.
I have not got an MLS machine up and running yet.
Dan
--
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: selinux-policy-mls is now available for your testing pleasure.
From: Paul Moore @ 2005-04-19 21:25 UTC (permalink / raw)
To: SELinux; +Cc: Daniel J Walsh
Daniel J Walsh wrote:
> Based off STRICT policy.
>
> ftp://people.redhat.com/dwalsh/SELinux/Fedora/selinux-policy-mls-*
>
> It is not in Rawhide, yet but I will provide it via my people page.
>
> This has not been tested.
> I have not got an MLS machine up and running yet.
Since I have been looking into this lately I figured I would give it a
whirl and report back my experiences, here they are:
1 Installed FC4T2 via the 'Workstation' option using two partitions,
one for '/' and one for swap
2 Applied all of the related updates via YUM (done on April 19th)
3 Installed the MLS policy (version 1.23-11-2) but continued to use
the default targeted policy
4 Rebooted into kernel 2.6.11-1.1240_FC4smp to verify everything was
OK (it was)
5 Enabled the MLS policy via the Fedora GUI tool and ensured that the
relabel option was selected
6 Rebooted with the new MLS policy only to have the machine lock,
it wasn't able to execute something related to init (I should have
taken better notes here - sorry)
7 Rebooted (the hard way, Ctrl-Alt-Del only resulted in more AVC
denial messages) with 'selinux=0 single'
8 Unmounted '/proc' and '/sys' then relabeled them to
'system_u:object_r:file_t:s0' and 'user_u:object_r:file_t:s0'
respectively; also relabeled '/var/lib/nfs/rpc_pipefs' to
'user_u:object_r:var_lib_nfs_t:s0'
9 Rebooted with 'enforcing=0 single' and this time the FS-wide
relabel happened as part of the boot process
10 Rebooted with 'single' and noticed lots of permission denied
messages pertaining to '/dev/.udevdb/*' files
11 Switched to runlevel 3 and saw a variety of AVC denial messages but
things went mostly to plan and I had a login prompt which appeared
to work as expected
12 Rebooted normally, i.e. 'rhgb quiet 5', and X failed to start
I'm going to keep playing with this system, but I thought some people
here might want to see a quick little report on how the MLS policy RPM
worked.
--
. paul moore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. paul.moore@hp.com hewlett packard
. (603) 884-5056 linux security
* Re: selinux-policy-mls is now available for your testing pleasure.
From: James Morris @ 2005-04-19 22:29 UTC (permalink / raw)
To: Paul Moore; +Cc: SELinux, Daniel J Walsh
On Tue, 19 Apr 2005, Paul Moore wrote:
> 5 Enabled the MLS policy via the Fedora GUI tool and ensured that the
> relabel option was selected
> 6 Rebooted with the new MLS policy only to have the machine lock,
> it wasn't able to execute something related to init (I should have
> taken better notes here - sorry)
You still need to perform the manual mountpoint relabeling per the MLS
readme.
> 10 Rebooted with 'single' and noticed lots of permission denied
> messages pertaining to '/dev/.udevdb/*' files
Odd, I haven't seen that.
Did you update to all of the new SELinux packages in Dan's FTP directory?
> 12 Rebooted normally, i.e. 'rhgb quiet 5', and X failed to start
Haven't tried X yet, not sure it's supposed to work.
- James
--
James Morris
<jmorris@redhat.com>
* Re: selinux-policy-mls is now available for your testing pleasure.
From: Stephen Smalley @ 2005-04-20 12:07 UTC (permalink / raw)
To: James Morris; +Cc: Paul Moore, SELinux, Daniel J Walsh
On Tue, 2005-04-19 at 18:29 -0400, James Morris wrote:
> > 12 Rebooted normally, i.e. 'rhgb quiet 5', and X failed to start
>
> Haven't tried X yet, not sure it's supposed to work.
Works for me. Of course, you do need to have the allow_execmem=1
boolean enabled for X to run, but that is independent of
MLS. /usr/sbin/setsebool -P allow_execmem=1. Did the RPM include a
booleans file?
--
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency
* Re: selinux-policy-mls is now available for your testing pleasure.
From: Paul Moore @ 2005-04-20 12:54 UTC (permalink / raw)
To: SELinux
James Morris wrote:
> On Tue, 19 Apr 2005, Paul Moore wrote:
>
>
>> 5 Enabled the MLS policy via the Fedora GUI tool and ensured that the
>> relabel option was selected
>> 6 Rebooted with the new MLS policy only to have the machine lock,
>> it wasn't able to execute something related to init (I should have
>> taken better notes here - sorry)
>
>
> You still need to perform the manual mountpoint relabeling per the MLS
> readme.
>
Yup, figured that one out the hard way ... ;) ... just figured I would
mention it here since Dan's original post didn't make any reference to
having to do any manual relabel operations.
>>10 Rebooted with 'single' and noticed lots of permission denied
>> messages pertaining to '/dev/.udevdb/*' files
>
> Odd, I haven't seen that.
Taking a bit of a closer look, the files with a permission denied error
seem to be missing a SELinux context as well as any permission flags as
well as an owner and group (ls -Z fills the fields in with a '?').
I'll try fixing them manually (or maybe just deleting them since it
looks like udev recreates them on boot anyway) and see what happens.
> Did you update to all of the new SELinux packages in Dan's FTP directory?
Not originally no, but looking at them this morning all the versions I
have installed are the same versions as Dan's or newer. I also noticed
that Dan set up that directory as a YUM repository so I added it to my
list and did a yum update - no new/updated packages.
>>12 Rebooted normally, i.e. 'rhgb quiet 5', and X failed to start
>
>
> Haven't tried X yet, not sure it's supposed to work.
>
>
> - James
--
. paul moore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. paul.moore@hp.com hewlett packard
. (603) 884-5056 linux security
* Re: selinux-policy-mls is now available for your testing pleasure.
From: Paul Moore @ 2005-04-20 13:11 UTC (permalink / raw)
To: Stephen Smalley; +Cc: James Morris, SELinux, Daniel J Walsh
Stephen Smalley wrote:
> On Tue, 2005-04-19 at 18:29 -0400, James Morris wrote:
>
>>>12 Rebooted normally, i.e. 'rhgb quiet 5', and X failed to start
>>
>>Haven't tried X yet, not sure it's supposed to work.
>
> Works for me. Of course, you do need to have the allow_execmem=1
> boolean enabled for X to run, but that is independent of
> MLS. /usr/sbin/setsebool -P allow_execmem=1. Did the RPM include a
> booleans file?
>
Yes it did, however, the allow_execmem entry was missing. I added it
via setsebool and verified that it was in the booleans.local file and
rebooted to see gdm start up this time but I could not login - according
to the xsession-errors file Xlib failed to connect to the display, which
was running on ":0.0".
--
. paul moore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. paul.moore@hp.com hewlett packard
. (603) 884-5056 linux security
* Re: selinux-policy-mls is now available for your testing pleasure.
From: Daniel J Walsh @ 2005-04-20 14:29 UTC (permalink / raw)
To: Paul Moore; +Cc: SELinux
Paul Moore wrote:
> Daniel J Walsh wrote:
>
>> Based off STRICT policy.
>>
>> ftp://people.redhat.com/dwalsh/SELinux/Fedora/selinux-policy-mls-*
>>
>> It is not in Rawhide, yet but I will provide it via my people page.
>>
>> This has not been tested.
>> I have not got an MLS machine up and running yet.
>
>
> Since I have been looking into this lately I figured I would give it a
> whirl and report back my experiences, here they are:
>
> 1 Installed FC4T2 via the 'Workstation' option using two partitions,
> one for '/' and one for swap
> 2 Applied all of the related updates via YUM (done on April 19th)
> 3 Installed the MLS policy (version 1.23-11-2) but continued to use
> the default targeted policy
> 4 Rebooted into kernel 2.6.11-1.1240_FC4smp to verify everything was
> OK (it was)
> 5 Enabled the MLS policy via the Fedora GUI tool and ensured that the
> relabel option was selected
> 6 Rebooted with the new MLS policy only to have the machine lock,
> it wasn't able to execute something related to init (I should have
> taken better notes here - sorry)
> 7 Rebooted (the hard way, Ctrl-Alt-Del only resulted in more AVC
> denial messages) with 'selinux=0 single'
> 8 Unmounted '/proc' and '/sys' then relabeled them to
> 'system_u:object_r:file_t:s0' and 'user_u:object_r:file_t:s0'
> respectively; also relabeled '/var/lib/nfs/rpc_pipefs' to
> 'user_u:object_r:var_lib_nfs_t:s0'
> 9 Rebooted with 'enforcing=0 single' and this time the FS-wide
> relabel happened as part of the boot process
> 10 Rebooted with 'single' and noticed lots of permission denied
> messages pertaining to '/dev/.udevdb/*' files
udevdb/* files should be labeled udev_tbl_t according to policy.
> 11 Switched to runlevel 3 and saw a variety of AVC denial messages but
> things went mostly to plan and I had a login prompt which appeared
> to work as expected
> 12 Rebooted normally, i.e. 'rhgb quiet 5', and X failed to start
>
> I'm going to keep playing with this system, but I thought some people
> here might want to see a quick little report on how the MLS policy RPM
> worked.
>
Could you clear your /var/log/messages or /var/log/audit/audit.log file.
Reboot and then send the AVC messages.
Dan
--
* Re: selinux-policy-mls is now available for your testing pleasure.
From: Paul Moore @ 2005-04-20 17:04 UTC (permalink / raw)
To: Stephen Smalley; +Cc: James Morris, SELinux, Daniel J Walsh
Paul Moore wrote:
> Stephen Smalley wrote:
>
>> On Tue, 2005-04-19 at 18:29 -0400, James Morris wrote:
>>
>>>> 12 Rebooted normally, i.e. 'rhgb quiet 5', and X failed to start
>>>
>>>
>>> Haven't tried X yet, not sure it's supposed to work.
>>
>>
>> Works for me. Of course, you do need to have the allow_execmem=1
>> boolean enabled for X to run, but that is independent of
>> MLS. /usr/sbin/setsebool -P allow_execmem=1. Did the RPM include a
>> booleans file?
>>
>
> Yes it did, however, the allow_execmem entry was missing. I added it
> via setsebool and verified that it was in the booleans.local file and
> rebooted to see gdm startup this time but I could not login - according
> to the xsession-errors file Xlib failed to connect to the display, which
> was running on ":0.0".
>
I was playing with this some more and a regular user was allowed to
login via gdm - just not root.
--
. paul moore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. paul.moore@hp.com hewlett packard
. (603) 884-5056 linux security
* Re: selinux-policy-mls is now available for your testing pleasure.
From: Paul Moore @ 2005-04-20 17:47 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux
Daniel J Walsh wrote:
> Paul Moore wrote:
>
>> Daniel J Walsh wrote:
>>
>>> Based off STRICT policy.
>>>
>>> ftp://people.redhat.com/dwalsh/SELinux/Fedora/selinux-policy-mls-*
>>>
>>> It is not in Rawhide, yet but I will provide it via my people page.
>>>
>>> This has not been tested.
>>> I have not got an MLS machine up and running yet.
>>
>>
>>
>> Since I have been looking into this lately I figured I would give it a
>> whirl and report back my experiences, here they are:
>>
>> 1 Installed FC4T2 via the 'Workstation' option using two partitions,
>> one for '/' and one for swap
>> 2 Applied all of the related updates via YUM (done on April 19th)
>> 3 Installed the MLS policy (version 1.23-11-2) but continued to use
>> the default targeted policy
>> 4 Rebooted into kernel 2.6.11-1.1240_FC4smp to verify everything was
>> OK (it was)
>> 5 Enabled the MLS policy via the Fedora GUI tool and ensured that the
>> relabel option was selected
>> 6 Rebooted with the new MLS policy only to have the machine lock,
>> it wasn't able to execute something related to init (I should have
>> taken better notes here - sorry)
>> 7 Rebooted (the hard way, Ctrl-Alt-Del only resulted in more AVC
>> denial messages) with 'selinux=0 single'
>> 8 Unmounted '/proc' and '/sys' then relabeled them to
>> 'system_u:object_r:file_t:s0' and 'user_u:object_r:file_t:s0'
>> respectively; also relabeled '/var/lib/nfs/rpc_pipefs' to
>> 'user_u:object_r:var_lib_nfs_t:s0'
>> 9 Rebooted with 'enforcing=0 single' and this time the FS-wide
>> relabel happened as part of the boot process
>> 10 Rebooted with 'single' and noticed lots of permission denied
>> messages pertaining to '/dev/.udevdb/*' files
>
> udevdb/* files should be labeled udev_tbl_t according to policy.
>
>> 11 Switched to runlevel 3 and saw a variety of AVC denial messages but
>> things went mostly to plan and I had a login prompt which appeared
>> to work as expected
>> 12 Rebooted normally, i.e. 'rhgb quiet 5', and X failed to start
>>
>> I'm going to keep playing with this system, but I thought some people
>> here might want to see a quick little report on how the MLS policy RPM
>> worked.
>>
> Could you clear your /var/log/messages or /var/log/audit/audit.log file.
> Reboot and then send the AVC messages.
>
See attached. The messages are from boot up to and including trying to
login as root via gdm.
--
. paul moore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. paul.moore@hp.com hewlett packard
. (603) 884-5056 linux security
[-- Attachment #2: messages-04202005.gz --]
[-- Type: application/x-gzip, Size: 11346 bytes --]
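
A way to condense AVC messages like the ones requested above into per-type counts before posting them (an added example, not part of the original thread; the log lines are constructed and the function names are hypothetical). It keeps the whole MLS level, which may itself contain colons, as the fourth context field.

```python
import re
from collections import Counter

# Constructed syslog lines in the kernel's AVC denial format. Timestamps, pids,
# inode numbers and the domain/type pairs are made up for this example.
SAMPLE_LOG = """\
Apr 20 13:01:02 localhost kernel: audit(1114016462.101:0): avc:  denied  { read write } for  pid=612 exe=/sbin/udev name=tty1 dev=tmpfs ino=1201 scontext=system_u:system_r:udev_t:s0-s15:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=file
Apr 20 13:01:02 localhost kernel: audit(1114016462.105:0): avc:  denied  { read } for  pid=612 exe=/sbin/udev name=tty2 dev=tmpfs ino=1202 scontext=system_u:system_r:udev_t:s0-s15:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=file
Apr 20 13:01:09 localhost kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Apr 20 13:02:40 localhost kernel: audit(1114016560.220:0): avc:  denied  { search } for  pid=2301 exe=/usr/bin/gdm-binary name=tmp dev=hda1 ino=44 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

# Only the fields needed for a summary are captured; everything between the
# permission set and scontext= (pid, exe/comm, name, dev, ino) is skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)


def split_context(context):
    """Split user:role:type[:level] into a 4-tuple.

    Under an MLS policy the level can contain colons itself (for example
    s0-s15:c0.c255), so only the first three colons are separators.
    """
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {context!r}")
    level = parts[3] if len(parts) == 4 else None
    return parts[0], parts[1], parts[2], level


def parse_denials(log_text):
    """Return one dict per AVC denial line; other log lines are ignored."""
    denials = []
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue
        denials.append({
            "perms": match.group("perms").split(),
            "scontext": split_context(match.group("scontext")),
            "tcontext": split_context(match.group("tcontext")),
            "tclass": match.group("tclass"),
        })
    return denials


def summarize(log_text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for denial in parse_denials(log_text):
        source_type = denial["scontext"][2]
        target_type = denial["tcontext"][2]
        for perm in denial["perms"]:
            counts[(source_type, target_type, denial["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, tclass, perm), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {src} -> {tgt}:{tclass} {{ {perm} }}")
```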
* Re: selinux-policy-mls is now available for your testing pleasure.
From: Stephen Smalley @ 2005-04-20 17:50 UTC (permalink / raw)
To: Paul Moore; +Cc: James Morris, SELinux, Daniel J Walsh
On Wed, 2005-04-20 at 13:04 -0400, Paul Moore wrote:
> I was playing with this some more and a regular user was allowed to
> login via gdm - just not root.
I'd call that a security feature, not a bug ;)
--
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency
* Re: selinux-policy-mls is now available for your testing pleasure.
From: jrdesai18-tech @ 2005-04-20 18:12 UTC (permalink / raw)
To: Paul Moore, Stephen Smalley; +Cc: James Morris, SELinux, Daniel J Walsh
--- Paul Moore <paul.moore@hp.com> wrote:
> Paul Moore wrote:
> > Stephen Smalley wrote:
> >
> >> On Tue, 2005-04-19 at 18:29 -0400, James Morris wrote:
> >>
> >>>> 12 Rebooted normally, i.e. 'rhgb quiet 5', and X failed to start
> >>>
> >>>
> >>> Haven't tried X yet, not sure it's supposed to work.
> >>
> >>
> >> Works for me. Of course, you do need to have the allow_execmem=1
> >> boolean enabled for X to run, but that is independent of
> >> MLS. /usr/sbin/setsebool -P allow_execmem=1. Did the RPM include
> a
> >> booleans file?
> >>
> >
> > Yes it did, however, the allow_execmem entry was missing. I added
> it
> > via setsebool and verified that it was in the booleans.local file
> and
> > rebooted to see gdm startup this time but I could not login -
> according
> > to the xsession-errors file Xlib failed to connect to the display,
> which
> > was running on ":0.0".
> >
>
> I was playing with this some more and a regular user was allowed to
> login via gdm - just not root.
>
Hi Paul,
I saw a similar problem. In my case /tmp/gconfd-root had a type
other than tmp_t (I think it was sysadm_tmp or something like
that). It is possible that it was there from a previous login
of root when MLS was not active. Try removing that directory
and see if you can login as root.
-Janak
* Re: selinux-policy-mls is now available for your testing pleasure.
From: Paul Moore @ 2005-04-20 18:44 UTC (permalink / raw)
To: jrdesai18-tech; +Cc: Stephen Smalley, James Morris, SELinux, Daniel J Walsh
jrdesai18-tech@yahoo.com wrote:
> --- Paul Moore <paul.moore@hp.com> wrote:
>
>>Paul Moore wrote:
>>
>>>Stephen Smalley wrote:
>>>
>>>
>>>>On Tue, 2005-04-19 at 18:29 -0400, James Morris wrote:
>>>>
>>>>
>>>>>>12 Rebooted normally, i.e. 'rhgb quiet 5', and X failed to start
>>>>>
>>>>>
>>>>>Haven't tried X yet, not sure it's supposed to work.
>>>>
>>>>
>>>>Works for me. Of course, you do need to have the allow_execmem=1
>>>>boolean enabled for X to run, but that is independent of
>>>>MLS. /usr/sbin/setsebool -P allow_execmem=1. Did the RPM include
>>
>>a
>>
>>>>booleans file?
>>>>
>>>
>>>Yes it did, however, the allow_execmem entry was missing. I added
>>
>>it
>>
>>>via setsebool and verified that it was in the booleans.local file
>>
>>and
>>
>>>rebooted to see gdm startup this time but I could not login -
>>
>>according
>>
>>>to the xsession-errors file Xlib failed to connect to the display,
>>
>>which
>>
>>>was running on ":0.0".
>>>
>>
>>I was playing with this some more and a regular user was allowed to
>>login via gdm - just not root.
>>
>
>
> Hi Paul,
>
> I saw a similar problem. In my case /tmp/gconfd-root had a type
> other than tmp_t (I think it was sysadm_tmp or something like
> that). It is possible that it was there from a previous login
> of root when MLS was not active. Try removing that directory
> and see if you can login as root.
>
> -Janak
Hi Janak,
Thanks for the suggestion. I made sure to clear out '/tmp' when I first
ran into problems booting and I just checked it again - no gconf
entries for root.
--
. paul moore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. paul.moore@hp.com hewlett packard
. (603) 884-5056 linux security
* Re: selinux-policy-mls is now available for your testing pleasure.
From: Paul Moore @ 2005-04-21 20:33 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux
Daniel J Walsh wrote:
> Based off STRICT policy.
>
> ftp://people.redhat.com/dwalsh/SELinux/Fedora/selinux-policy-mls-*
>
> It is not in Rawhide, yet but I will provide it via my people page.
>
> This has not been tested.
> I have not got an MLS machine up and running yet.
>
In version 1.23.12-1 of MLS policy RPM there is a problem with the file
contexts for '/sbin/arping' - there are entries for both
'system_u:object_r:traceroute_exec_t:s0' and
'system_u:object_r:netutils_exec_t:s0'. I assume it should be the
latter of the two?
--
. paul moore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. paul.moore@hp.com hewlett packard
. (603) 884-5056 linux security
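
A check for the kind of problem reported above, where one path has two file-context entries with different contexts (an added example, not part of the original thread or of the policy RPM). The sample file is constructed around the two '/sbin/arping' contexts quoted in the message, the function names are hypothetical, and it compares path expressions as literal strings only.

```python
from collections import defaultdict
from itertools import combinations

# File type specifiers allowed in the optional middle column of file_contexts.
FILE_TYPES = {"--", "-d", "-c", "-b", "-s", "-l", "-p"}

# Constructed excerpt in file_contexts format: <path regex> [<type>] <context>.
# Only the two /sbin/arping contexts come from the message above.
SAMPLE_FILE_CONTEXTS = r"""# constructed excerpt, not taken from the RPM
/sbin/arping            --  system_u:object_r:traceroute_exec_t:s0
/dev/\.udevdb(/.*)?         system_u:object_r:udev_tbl_t:s0
/sbin/arping            --  system_u:object_r:netutils_exec_t:s0
/var/lib/nfs/rpc_pipefs(/.*)?   <<none>>
"""


def parse_file_contexts(text):
    """Yield (lineno, path_regex, file_type, context) for each spec line.

    file_type is None when the line has no type column, meaning the entry
    applies to every kind of file.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            yield lineno, fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in FILE_TYPES:
            yield lineno, fields[0], fields[1], fields[2]
        else:
            raise ValueError(f"line {lineno}: malformed spec: {raw!r}")


def find_conflicts(text):
    """Return (regex, (line, context), (line, context)) for conflicting pairs.

    Two entries conflict when they use the same path expression, their file
    types overlap (equal, or either one is untyped) and their contexts differ.
    Exact repeats of the same context are not reported.
    """
    by_regex = defaultdict(list)
    for lineno, regex, ftype, context in parse_file_contexts(text):
        by_regex[regex].append((lineno, ftype, context))

    conflicts = []
    for regex, entries in by_regex.items():
        for (l1, t1, c1), (l2, t2, c2) in combinations(entries, 2):
            types_overlap = t1 is None or t2 is None or t1 == t2
            if types_overlap and c1 != c2:
                conflicts.append((regex, (l1, c1), (l2, c2)))
    return conflicts


if __name__ == "__main__":
    for regex, first, second in find_conflicts(SAMPLE_FILE_CONTEXTS):
        print(f"{regex}: line {first[0]} -> {first[1]}")
        print(f"{regex}: line {second[0]} -> {second[1]}")
```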
* Re: selinux-policy-mls is now available for your testing pleasure.
From: Paul Moore @ 2005-04-21 21:41 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux
Paul Moore wrote:
> Daniel J Walsh wrote:
>
>> Based off STRICT policy.
>>
>> ftp://people.redhat.com/dwalsh/SELinux/Fedora/selinux-policy-mls-*
>>
>> It is not in Rawhide, yet but I will provide it via my people page.
>>
>> This has not been tested.
>> I have not got an MLS machine up and running yet.
>>
>
> In version 1.23.12-1 of MLS policy RPM there is a problem with the file
> contexts for '/sbin/arping' - there are entries for both
> 'system_u:object_r:traceroute_exec_t:s0' and
> 'system_u:object_r:netutils_exec_t:s0'. I assume it should be the
> latter of the two?
>
I'm sorry, disregard that - I didn't see the updated RPM with this
problem fixed.
--
. paul moore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. paul.moore@hp.com hewlett packard
. (603) 884-5056 linux security