Documentation, anyone?

Documentation, anyone?

[Erich Schubert]

Hi,
Recent changes broke lots of stuff on my system.
For example, genhomedircon no longer reads my local.users file...
It seems that this is somehow related to semanage changes...
Which doesn't work for me, and I can't find *any* documentation on it.
So the current SELinux shape is IMHO really bad... no current
documentation, and even those who have working installations (like me)
have no idea how to get the latest stuff working... :-(

I have a user role "netuser" who is allowed to use the network to a
larger extend (e.g. bind to port_t). I'd like to make that the default
role for certain unix accounts...

$ semanage user --add -s netuser_u -R netuser_r erich
['netuser_r']
libsemanage.assert_init: A direct or server connection is needed to use
this function - please call the corresponding connect() method
libsemanage.enter_ro: could not enter read-only section
/usr/sbin/semanage: Seuser lerich already defined

I couldn't find an example for /etc/selinux/seusers, I guessed it looks
like
"lerich:netuser_u" but that didn't work either...

I've also investigated "genhomedircon", and what strikes me as really
bad code is that it keeps on calling an external "grep" on just about
everything.
Loading a file and applying a regexp is really easy in Python, you
know...

To all users of my Debian repository or Debian unstable:
Avoid upgrading for now if you are using extra user roles...

best regards,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
     We can debug relationships, but it's always good policy to     //\
     consider the people themselves to be features. People get      V_/_
         annoyed when you try to debug them. -- Larry Wall
      Alles verändert sich, sobald man sich selber verändert.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Documentation, anyone?

[Ivan Gyurdiev]

> Hi,
> Recent changes broke lots of stuff on my system.
> For example, genhomedircon no longer reads my local.users file...
> It seems that this is somehow related to semanage changes...
>   
More detail please..
> Which doesn't work for me, and I can't find *any* documentation on it.
> So the current SELinux shape is IMHO really bad... no current
> documentation, and even those who have working installations (like me)
> have no idea how to get the latest stuff working... :-(
>   
I didn't realize that there's been a stable release - if so, I will 
agree with you.
If not, please consider that this is software in development - code 
takes priority to documentation.
Also, I do see manpages for the utilities semanage, and semodule, which 
would be most relevant to you.
> I have a user role "netuser" who is allowed to use the network to a
> larger extend (e.g. bind to port_t). I'd like to make that the default
> role for certain unix accounts...
>
> $ semanage user --add -s netuser_u -R netuser_r erich
> ['netuser_r']
> libsemanage.assert_init: A direct or server connection is needed to use
> this function - please call the corresponding connect() method
> libsemanage.enter_ro: could not enter read-only section
> /usr/sbin/semanage: Seuser lerich already defined
>   
The semanage tool in particular was only created recently. I would 
qualify it as alpha at this point, since I can find tons of bugs without 
trying very hard. The situation above would occur if you ran it as 
non-root user. The semanage connection failed, but the python tool 
doesn't check the rc value for most of the libsemanage calls it makes, 
so it continues on, instead of reporting the error, and tries to call 
functions that require a connection. It should likely make sure you have 
proper access rights on startup.
> I couldn't find an example for /etc/selinux/seusers, I guessed it looks
> like
> "lerich:netuser_u" but that didn't work either...
>   
You should not edit /etc/selinux/seusers directly. On a "managed" 
system, which I assume yours is, the master copies of all such files are 
located in a sandbox at /etc/selinux/<type>/modules/active. If you want 
to edit them manually (which is probably recommended at this point, you 
need sufficient access, then you can edit, and run "semodule -B", which 
rebuilds and reinstalls the sandbox).

An example does not exist, because you're really *not* supposed to be 
editing the files manually - hopefully the semanage utility will get 
into shape soon, so you won't have to edit config files by hand. The 
format is:
linux user:selinux_user[:mls], where the mls part is optional. The 
selinux_user must be listed in your users.local file at 
/etc/selinux/<type>/modules/active/users.local. The format for that is 
backwards compatible with the previous one, except that MLS contexts 
must be on one line with no spaces. You do not have to put user_u, root, 
system_u and the like in that file, since they are build into policy, 
depending on which policy type you use. You can use semanage user -l to 
see the combination of local and in-policy users.

> I've also investigated "genhomedircon", and what strikes me as really
> bad code is that it keeps on calling an external "grep" on just about
> everything.
> Loading a file and applying a regexp is really easy in Python, you
> know...
>   
I can't comment on that. The genhomedircon utility (which is really an 
internal tool, not to be called manually anymore, that will hopefully go 
away in the future), should mostly work. It has one major bug - it can't 
expand ROLE macros for non user_r users at this point - this is relevant 
for users of mls and strict policy, not targeted. I am hoping to fix 
that by the time FC 5 is released.




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Debian users: don't upgrade for now

[Erich Schubert]

Hello again:
to all Debian users of SELinux:
Avoid upgrading to either unstable or my backports.

This is not good:
system_u:object_r:default_t      root

But I don't know how to get genhomedircon working properly any more.

Oh, and does anyone have a hint for me how to get /dev/log
and /dev/initctl labeled properly with udev? Udev with SELinux is
serious pain...

best regards,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
     Which is worse: ignorance or apathy? Who knows? Who cares?     //\
      Alles verändert sich, sobald man sich selber verändert.       V_/_



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Debian users: don't upgrade for now

[Stephen Smalley]

On Sun, 2006-01-01 at 17:41 +0100, Erich Schubert wrote:
> Hello again:
> to all Debian users of SELinux:
> Avoid upgrading to either unstable or my backports.
> 
> This is not good:
> system_u:object_r:default_t      root
> 
> But I don't know how to get genhomedircon working properly any more.

As noted in the release announcement, genhomedircon does not yet support
ROLE expansion in homedir_template for managed policies (i.e. policies
built as modules and installed via semodule -> libsemanage).  But it
should fall back to the old behavior for monolithic policies.  Debian
policy package shouldn't be converted over to modular form until a)
refpolicy covers everything from strict policy and b) genhomedircon is
updated to deal with ROLE expansion in the managed case.

> Oh, and does anyone have a hint for me how to get /dev/log
> and /dev/initctl labeled properly with udev? Udev with SELinux is
> serious pain...

Fedora does a restorecon -R /dev from rc.sysinit to fix up the security
contexts on /dev, and then everything just works (assuming your udev has
SELinux support enabled).  There is a further SELinux patch to udev in
Fedora's CVS tree presently, but that is just an optimization; the basic
SELinux support should be in the upstream udev.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

more genhomedircon badness...

[Erich Schubert]

I've now created /etc/selinux/modules/active/modules
and /etc/selinux/modules/active/seusers...

genhomedircon:  Warning!  No support yet for expanding ROLE macros in
the /etc/selinux/./contexts/files/homedir_template file when using
libsemanage.
genhomedircon:  You must manually update file_contexts.homedirs for any
non-user_r users (including root).
zsh: 19705 segmentation fault  genhomedircon

Ouch, a segfault!

best regards,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
          There are only 10 types of people in the world:           //\
          Those who understand binary and those who don't           V_/_
     Mathematik ist die Kunst, verschiedene Dinge mit demselben
                Namen zu belegen. --- Henri Poincaré



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: more genhomedircon badness...

[Ivan Gyurdiev]

Erich Schubert wrote:
> I've now created /etc/selinux/modules/active/modules
> and /etc/selinux/modules/active/seusers...
>
> genhomedircon:  Warning!  No support yet for expanding ROLE macros in
> the /etc/selinux/./contexts/files/homedir_template file when using
> libsemanage.
> genhomedircon:  You must manually update file_contexts.homedirs for any
> non-user_r users (including root).
> zsh: 19705 segmentation fault  genhomedircon
>
> Ouch, a segfault!
>   
Trace?

Again, normally this folder (and file) are installed by a policy package 
which is "managed",
and makes use of the seusers file feature. You shouldn't have to do it 
manually.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: more genhomedircon badness...

[Stephen Smalley]

On Sun, 2006-01-01 at 21:19 +0100, Erich Schubert wrote:
> I've now created /etc/selinux/modules/active/modules
> and /etc/selinux/modules/active/seusers...
> 
> genhomedircon:  Warning!  No support yet for expanding ROLE macros in
> the /etc/selinux/./contexts/files/homedir_template file when using
> libsemanage.
> genhomedircon:  You must manually update file_contexts.homedirs for any
> non-user_r users (including root).
> zsh: 19705 segmentation fault  genhomedircon
> 
> Ouch, a segfault!

The warning is correct, and that limitation was noted in the release
announcement.  Should only affect Debian if using modular/managed
policy, which I wouldn't expect since refpolicy doesn't cover all of
strict policy yet.  segfault is odd, and doesn't occur here.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Documentation, anyone?

[Joshua Brindle]

Erich Schubert wrote:
> Hi,
> Recent changes broke lots of stuff on my system.
> For example, genhomedircon no longer reads my local.users file...
> It seems that this is somehow related to semanage changes...
> Which doesn't work for me, and I can't find *any* documentation on it.
> So the current SELinux shape is IMHO really bad... no current
> documentation, and even those who have working installations (like me)
> have no idea how to get the latest stuff working... :-(
> 
> I have a user role "netuser" who is allowed to use the network to a
> larger extend (e.g. bind to port_t). I'd like to make that the default
> role for certain unix accounts...
> 
> $ semanage user --add -s netuser_u -R netuser_r erich
> ['netuser_r']
> libsemanage.assert_init: A direct or server connection is needed to use
> this function - please call the corresponding connect() method
> libsemanage.enter_ro: could not enter read-only section
> /usr/sbin/semanage: Seuser lerich already defined
> 
> I couldn't find an example for /etc/selinux/seusers, I guessed it looks
> like
> "lerich:netuser_u" but that didn't work either...
> 
> I've also investigated "genhomedircon", and what strikes me as really
> bad code is that it keeps on calling an external "grep" on just about
> everything.
> Loading a file and applying a regexp is really easy in Python, you
> know...
> 
> To all users of my Debian repository or Debian unstable:
> Avoid upgrading for now if you are using extra user roles...
> 
> best regards,
> Erich Schubert

We've been putting a ton of effort into making the upgrade path to a 
managed system pretty painless but it isn't exactly transparent. Have 
you been watching all the traffic here? I know we addressed some of the 
issues you are having. The srpm that upgrades to a modular policy has 
all the migration logic, debian should probably consider converting to 
modular and releasing a migration package since almost all the 
functionality we are now adding depends on having a managed system.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Documentation, anyone?

[Stephen Smalley]

On Sun, 2006-01-01 at 17:37 +0100, Erich Schubert wrote:
> Hi,
> Recent changes broke lots of stuff on my system.
> For example, genhomedircon no longer reads my local.users file...
> It seems that this is somehow related to semanage changes...
> Which doesn't work for me, and I can't find *any* documentation on it.
> So the current SELinux shape is IMHO really bad... no current
> documentation, and even those who have working installations (like me)
> have no idea how to get the latest stuff working... :-(

Hmmm....details?  genhomedircon is supposed to fall back to the original
behavior as long as policy is not managed via libsemanage (i.e. policy
is still built as a monolithic policy and not as a module), so I
wouldn't have expected any breakage in Debian unless the Debian policy
package has been converted to modular policy.  I didn't expect that to
happen yet because Debian policy tracks strict policy only, and
refpolicy development has focused on getting targeted policy working
first since it is the default in Fedora.  genhomedircon is known to not
yet support ROLE expansion when using managed policy, and this has been
noted on the list previously.  But it should work fine for monolithic
policies.

> I have a user role "netuser" who is allowed to use the network to a
> larger extend (e.g. bind to port_t). I'd like to make that the default
> role for certain unix accounts...
> 
> $ semanage user --add -s netuser_u -R netuser_r erich
> ['netuser_r']
> libsemanage.assert_init: A direct or server connection is needed to use
> this function - please call the corresponding connect() method
> libsemanage.enter_ro: could not enter read-only section
> /usr/sbin/semanage: Seuser lerich already defined
> 
> I couldn't find an example for /etc/selinux/seusers, I guessed it looks
> like
> "lerich:netuser_u" but that didn't work either...

seusers is only meaningful if your userland has been updated to the
latest SELinux patches present in Fedora development.  Otherwise, it
won't be used; it requires changes to pam_selinux and others as I noted
in the release announcement.  

> I've also investigated "genhomedircon", and what strikes me as really
> bad code is that it keeps on calling an external "grep" on just about
> everything.
> Loading a file and applying a regexp is really easy in Python, you
> know...

Patches accepted ;)  genhomedircon was contributed by Red Hat.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Documentation, anyone?

[Erich Schubert]

Hello Stephen,
Thanks for your replies.

genhomedircon doesn't fall back on the "old" behaviour as I had it on
Debian up to now. When libsemanage fails (I guess when the "modular" dir
doesn't exist), it tries to load /etc/selinux/seusers instead; the old
genhomedircon I had was apparently parsing the local.users and users
files directly;
the current fallback is to load seusers and then parse these files for
any user found in this seusers file (which also must have three
components per line).
So I managed to get sufficient fallback now by writing an appropriate
seusers file; I think I got an example from one of the fedora packages.

For debian users, I've created two new mailing lists; as noted on
http://blog.drinsama.de/erich/en/linux/selinux/2006010201-debian-selinux-lists.html
The first mail on the selinux-users debian list gives details on the
seusers workaround to get a working genhomedircon again.

Thanks for your udev feedback; I'm not entirely happy with the
restorecon approach (e.g. what will happen on a syslog restart, which
might recreate the /dev/log device with incorrect permissions?) but it
will do for now.

best regards,
Erich Schubert
-- 
     erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
  There is no branch of mathematics, however abstract, which may not  //\
 some day be applied to phenomena of the real world. --- Lobatchevsky V_/_
      Die Mathematik muss man schon deswegen studieren, weil sie
      die Gedanken ordnet. --- Michail Wassiljewitsch Lomonossow


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Documentation, anyone?

[Stephen Smalley]

On Tue, 2006-01-03 at 23:31 +0100, Erich Schubert wrote:
> genhomedircon doesn't fall back on the "old" behaviour as I had it on
> Debian up to now. When libsemanage fails (I guess when the "modular" dir
> doesn't exist), it tries to load /etc/selinux/seusers instead; the old
> genhomedircon I had was apparently parsing the local.users and users
> files directly;
> the current fallback is to load seusers and then parse these files for
> any user found in this seusers file (which also must have three
> components per line).

Ah, sorry - my mistake.

> So I managed to get sufficient fallback now by writing an appropriate
> seusers file; I think I got an example from one of the fedora packages.
> 
> For debian users, I've created two new mailing lists; as noted on
> http://blog.drinsama.de/erich/en/linux/selinux/2006010201-debian-selinux-lists.html
> The first mail on the selinux-users debian list gives details on the
> seusers workaround to get a working genhomedircon again.

What I find curious is that these same issues weren't encountered when
Russell and/or Manoj created and tested updated packages from the newer
upstream tarballs.  Or were they?

> Thanks for your udev feedback; I'm not entirely happy with the
> restorecon approach (e.g. what will happen on a syslog restart, which
> might recreate the /dev/log device with incorrect permissions?) but it
> will do for now.

Runtime creation of the file after initial policy load is handled by the
type_transition rules in the policy (typically encapsulated within
file_type_auto_trans macro in the example policy or within higher level
interfaces in the reference policy).  Hence, we only need to be
concerned with fixing up labels on /dev nodes created prior to the
initial policy load by /sbin/init, which is what the restorecon does.
Also, for anything created by udev itself, that is handled by the
SELinux support in udev (once policy has been loaded).

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.