Problems with the MLS policy

Problems with the MLS policy

[Salvo Giuffrida]

I have Fedora Core 6 Test 1 (it's the VMware image found 
here:http://www.thoughtpolice.co.uk/vmware/), I installed the package 
selinux-policy-mls-2.3.9-3. So, I now can switch to the "mls", in theory. 
The problem is that there's no binary policy file in 
/etc/selinux/mls/policy; so, I tough "I must compile it by myself", but in 
/usr/devel/selinux/mls there aren't source files (there are only sources for 
the targeted policy), only a lot of .pp files...
Where can I find those sources, or the rpm with them? And, where can I find 
more information to the classification system used (I didn't understand what 
those "SystemLow-SystemHigh" stand for)?
Thanks a lot

_________________________________________________________________
Scarica gratuitamente MSN Toolbar! http://toolbar.msn.it/


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems with the MLS policy

[Stephen Smalley]

On Thu, 2006-09-07 at 19:59 +0200, Salvo Giuffrida wrote:
> I have Fedora Core 6 Test 1 (it's the VMware image found 
> here:http://www.thoughtpolice.co.uk/vmware/),

Do you mean test 2?

>  I installed the package 
> selinux-policy-mls-2.3.9-3. So, I now can switch to the "mls", in theory. 
> The problem is that there's no binary policy file in 
> /etc/selinux/mls/policy; so, I tough "I must compile it by myself", but in 
> /usr/devel/selinux/mls there aren't source files (there are only sources for 
> the targeted policy), only a lot of .pp files...
> Where can I find those sources, or the rpm with them? And, where can I find 
> more information to the classification system used (I didn't understand what 
> those "SystemLow-SystemHigh" stand for)?

If you have installed the selinux-policy-mls rpm successfully, then
there should be a binary policy file under /etc/selinux/mls/policy/.  Do
you have a /etc/selinux/mls/modules/active directory?  If so, does
semodule -B generate a binary policy file for you?
  
The devel files are for building policy modules, not for rebuilding the
base policy.  The full policy sources are available in the
selinux-policy .src.rpm file, but you don't need that unless you are
making changes to the policy that can't be expressed as a module or via
semanage.  

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems with the MLS policy

[Linda Knippers]

Stephen Smalley wrote:
> On Thu, 2006-09-07 at 19:59 +0200, Salvo Giuffrida wrote:
> 
>>I have Fedora Core 6 Test 1 (it's the VMware image found 
>>here:http://www.thoughtpolice.co.uk/vmware/),
> 
> 
> Do you mean test 2?
> 
> 
>> I installed the package 
>>selinux-policy-mls-2.3.9-3. So, I now can switch to the "mls", in theory. 
>>The problem is that there's no binary policy file in 
>>/etc/selinux/mls/policy; so, I tough "I must compile it by myself", but in 
>>/usr/devel/selinux/mls there aren't source files (there are only sources for 
>>the targeted policy), only a lot of .pp files...
>>Where can I find those sources, or the rpm with them? And, where can I find 
>>more information to the classification system used (I didn't understand what 
>>those "SystemLow-SystemHigh" stand for)?
> 
> 
> If you have installed the selinux-policy-mls rpm successfully, then
> there should be a binary policy file under /etc/selinux/mls/policy/.  

I've saw the same problem recently when I installed the mls policy on
my FC6T2 system using yum.  The rpm seemed to install but got non-fatal
errors which left it without a binary policy file and a few other
important files.  I had to remove the rpm and update all the various
selinux rpms to get the mls policy to install correctly.

I believe Dan has fixed some dependency problems with the rpms to solve
this problem.

-- ljk



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems with the MLS policy

[Stephen Smalley]

On Fri, 2006-09-08 at 12:30 +0200, Salvo Giuffrida wrote:
> I did as you said, but the problems remain: there's no binary policy file in 
> /etc/selinux/mls/policy, and when I go to /etc/selinux/mls/modules/active, 
> and so "semanage -B", it gives me "Segmentation fault".

Please update to the latest devel versions of:
libsepol
libselinux
libsemanage
policycoreutils

Then update to the latest selinux-policy-mls.

> Where can I find more info on the classification system? I'd like to know 
> how the categories are mapped to the TopSecret,Secret,ecc... classification 
> levels...

They are mapped via setrans.conf, in /etc/selinux/mls/setrans.conf.  You
should be able to manage those mappings via semanage, e.g.
run /usr/sbin/semanage translation -l to list the current mappings.

You might want to look at:
http://selinux-symposium.org/2006/papers/03-SELinux-and-MLS.pdf
http://fedoraproject.org/wiki/SELinux/MLS


-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.