* Problems installing current version of refpolicy with FC6
@ 2007-01-29 19:03 Catalin DIMA
  2007-01-29 19:49 ` Karl MacMillan
  0 siblings, 1 reply; 10+ messages in thread
From: Catalin DIMA @ 2007-01-29 19:03 UTC (permalink / raw)
  To: selinux

I am trying to install different versions of refpolicy on Dell X1 
machines with FC6, for teaching purposes, but no choice of build.conf 
parameters can make it. I get outcomes from "kernel panic" (when trying 
to install the "strict monolithic" version of refpolicy) to system stall 
(when trying to install "targeted monolithic" version), or outputs like 
below (when trying to install "targeted modular" version -- this 
installation ends in stack problems which also cause system halt). Every 
time the kernel does not panic, there's a whole list of booleans that 
are unknown to libsepol.load_booleans, though generated from refpolicy 
via the "install" target of the Makefile.

I have tried on two different laptops but the outcome is the same. I 
have also tried with the latest or older versions and the output is the 
same. Did anyone observe similar behaviors with laptops/FC6/refpolicy ?...

Output :
libsepol.load_booleans: unknown boolean user_ttyfile_stat (and others)
libsepol.sepol_genbools: error while reading /etc/selinux/refpolicy/booleans
bash: initialize_job_control : setpgid: Permission denied
bash: /sbin/consoletype: Permission denied
No devices found
Setting up Logival Volume Management: No volume groups found
ext2fs_check_if_mount: Permission denied while determining whether 
/dev/hda7 is mounted
/etc/selinux/refpolicy/contexts/files/file_contexts: Multiple different 
specifications for /usr/bin/mplayer 
(system_u:object_r:unconfined_execmem_exec_t and 
system_u:object_r:mplayer_exec_t)
....

-- 
Catalin Dima, 
Paris 12 University




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Problems installing current version of refpolicy with FC6
  2007-01-29 19:03 Problems installing current version of refpolicy with FC6 Catalin DIMA
@ 2007-01-29 19:49 ` Karl MacMillan
  2007-01-29 21:08   ` Catalin DIMA
  0 siblings, 1 reply; 10+ messages in thread
From: Karl MacMillan @ 2007-01-29 19:49 UTC (permalink / raw)
  To: Catalin DIMA; +Cc: selinux

Catalin DIMA wrote:
> I am trying to install different versions of refpolicy on Dell X1 
> machines with FC6, for teaching purposes, but no choice of build.conf 
> parameters can make it.

Just to check - are you certain that you want the full policy? You may 
be able to do the teaching you need with policy modules only.

> I get outcomes from "kernel panic" (when trying
> to install the "strict monolithic" version of refpolicy) to system stall 
> (when trying to install "targeted monolithic" version), or outputs like 
> below (when trying to install "targeted modular" version -- this 
> installation ends in stack problems which also cause system halt). Every 
> time the kernel does not panic, there's a whole list of booleans that 
> are unknown to libsepol.load_booleans, though generated from refpolicy 
> via the "install" target of the Makefile.
> 

Did you enable mcs? The standard FC6 policy is targeted-mcs and the 
presence of the mcs components in the file system labels may be the 
cause of your problems.

> I have tried on two different laptops but the outcome is the same. I 
> have also tried with the latest or older versions and the output is the 
> same. Did anyone observe similar behaviors with laptops/FC6/refpolicy ?...
> 
> Output :
> libsepol.load_booleans: unknown boolean user_ttyfile_stat (and others)

The unknown boolean messages should be harmless I believe.

You can extract the build.conf from the policy source rpm as well, which 
is likely a good starting point.

Karl


* Re: Problems installing current version of refpolicy with FC6
  2007-01-29 19:49 ` Karl MacMillan
@ 2007-01-29 21:08   ` Catalin DIMA
  2007-01-29 21:35     ` Karl MacMillan
  2007-02-05 15:34     ` Problems installing current version of refpolicy with FC6 Stephen Smalley
  0 siblings, 2 replies; 10+ messages in thread
From: Catalin DIMA @ 2007-01-29 21:08 UTC (permalink / raw)
  To: Karl MacMillan; +Cc: selinux

Karl MacMillan wrote:

> Just to check - are you certain that you want the full policy? You may 
> be able to do the teaching you need with policy modules only.

Do you mean I should compile&load the modular policy ? I certainly would 
like to do this, as it's supposed to be easily configurable & suitable 
for experimenting small modules.

> Did you enable mcs? The standard FC6 policy is targeted-mcs and the 
> presence of the mcs components in the file system labels may be the 
> cause of your problems.

I tried again this build.conf format :

TYPE = targeted-mcs
NAME = refpolicy
DISTRO = redhat
DIRECT_INITRC=n
MONOLITHIC=n
MLS-SENS=16
MLS_CATS=256

Done make conf, make install and make load, then configured for 
refpolicy & asked for relabeling, and the system gets stuck...

Btw, forgot to mention the libsepol.sepol_genbools: error while reading 
/etc/selinx/refpolicy/booleans error...

In permissive refpolicy mode, the only selinux message talks about 
NetworkManager.

> The unknown boolean messages should be harmless I believe.
>
> You can extract the build.conf from the policy source rpm as well, 
> which is likely a good starting point.

The problem is the same with the rpm and the bz2...

Thanks,
Catalin.



* Re: Problems installing current version of refpolicy with FC6
  2007-01-29 21:08   ` Catalin DIMA
@ 2007-01-29 21:35     ` Karl MacMillan
  2007-01-29 23:24       ` Catalin DIMA
  2007-02-05 15:34     ` Problems installing current version of refpolicy with FC6 Stephen Smalley
  1 sibling, 1 reply; 10+ messages in thread
From: Karl MacMillan @ 2007-01-29 21:35 UTC (permalink / raw)
  To: Catalin DIMA; +Cc: selinux, Daniel J Walsh

Catalin DIMA wrote:
> Karl MacMillan wrote:
> 
>> Just to check - are you certain that you want the full policy? You may 
>> be able to do the teaching you need with policy modules only.
> 
> Do you mean I should compile&load the modular policy ? I certainly would 
> like to do this, as it's supposed to be easily configurable & suitable 
> for experimenting small modules.
> 
>> Did you enable mcs? The standard FC6 policy is targeted-mcs and the 
>> presence of the mcs components in the file system labels may be the 
>> cause of your problems.
> 
> I tried again this build.conf format :
> 
> TYPE = targeted-mcs
> NAME = refpolicy
> DISTRO = redhat
> DIRECT_INITRC=n
> MONOLITHIC=n
> MLS-SENS=16
> MLS_CATS=256
> 
> Done make conf, make install and make load, then configured for 
> refpolicy & asked for relabeling, and the system gets stuck...
> 

Could you elaborate on where it gets stuck. Does the labeling happen? 
You might try relabeling in permissive.

> Btw, forgot to mention the libsepol.sepol_genbools: error while reading 
> /etc/selinx/refpolicy/booleans error...
> 

In permissive or enforcing?

> In permissive refpolicy mode, the only selinux message talks about 
> NetworkManager.
> 

Just to clarify, things work fine in permissive mode and you are only 
getting a single AVC message, correct? Could you check /var/log/messages 
and /var/log/audit/audit.log for avc messages after a permissive boot. 
Also check the selinux messages in dmesg for errors.

>> The unknown boolean messages should be harmless I believe.
>>
>> You can extract the build.conf from the policy source rpm as well, 
>> which is likely a good starting point.
> 
> The problem is the same with the rpm and the bz2...
> 

Not certain what you mean here - the source rpm or the binary rpm? I was 
suggesting that you rebuild refpolicy using the configuration from the 
source rpm - which means extracting the correct build.conf, 
modules.conf, and booleans.conf, seusers, and users_extra files and 
installing them in the source tree. You can read the spec file to see how 
this is done during the build process.

Dan - do you have better directions on how to get a patched and 
configured refpolicy tree out of the source rpm?

Karl


* Re: Problems installing current version of refpolicy with FC6
  2007-01-29 21:35     ` Karl MacMillan
@ 2007-01-29 23:24       ` Catalin DIMA
  2007-01-30 14:52         ` Karl MacMillan
  0 siblings, 1 reply; 10+ messages in thread
From: Catalin DIMA @ 2007-01-29 23:24 UTC (permalink / raw)
  To: Karl MacMillan, Catalin DIMA; +Cc: selinux, Daniel J Walsh

On Mon, 29 Jan 2007 16:35:59 -0500, Karl MacMillan wrote
> Could you elaborate on where it gets stuck. Does the labeling 
> happen? 

No, it crashes before labeling, just after starting udev and the 2nd service
(don't remember the name, I just left home...).

> You might try relabeling in permissive.

I suspect it's not the relabeling process, though I have to check it back
(tomorrow...)

> > Btw, forgot to mention the libsepol.sepol_genbools: error while reading 
> > /etc/selinx/refpolicy/booleans error...
> >
> 
> In permissive or enforcing?

Enforcing.

> > In permissive refpolicy mode, the only selinux message talks about 
> > NetworkManager.
> >
> 
> Just to clarify, things work fine in permissive mode and you are 
> only getting a single AVC message, correct? 

Yes, at least during the booting process. I think I also did a setfiles check
in permissive, and everything was ok (to be checked tomorrow again).

> Could you check 
> /var/log/messages and /var/log/audit/audit.log for avc messages 
> after a permissive boot. Also check the selinux messages in dmesg 
> for errors.

The machine on which I noticed the avc:denied message about the NetworkManager
does not have setools installed -- I then only looked at /var/log/messages.
Hope I did not forget what machine I was working on...

> >> The unknown boolean messages should be harmless I believe.
> >>
> >> You can extract the build.conf from the policy source rpm as well, 
> >> which is likely a good starting point.
> > 
> > The problem is the same with the rpm and the bz2...
> >
> 
> Not certain what you mean here - the source rpm or the binary rpm? I 
> was suggesting that you rebuild refpolicy using the configuration 
> from the source rpm - which means extracting the correct build.conf, 
> modules.conf, and booleans.conf, seusers, and users_extra files and 
> installing them in the source tree. You can read the spec file to see 
> how this is done during the build process.

I meant the source rpm. Tried to install both from source rpm and bz2 and both
lead to the same problem. It does not seem to be a problem with
missing/misplaced source files, no problem occurs at compile time.

I'll try to do a neat reinstallation of FC6 and then a reinstallation of
refpolicy sources, the machines are used for many other teaching purposes by
different people and God only knows what bazaar is inside... though nobody
else tried to install/do anything about/against selinux...

Btw, during setools installation on one of the machines, I also encountered a
problem : the need to enable text relocation for libqpol. Is this normal ? The
problem seems to recur every time I do a relabel to targeted (in order to put
back the system in a "stable state") -- that means, after relabeling,
launching apol issues again an avc:denied about text relocation.

Catalin.




* Re: Problems installing current version of refpolicy with FC6
  2007-01-29 23:24       ` Catalin DIMA
@ 2007-01-30 14:52         ` Karl MacMillan
  2007-02-02 16:15           ` DWARF2 [was : Problems installing refpolicy with FC6] Catalin DIMA
  0 siblings, 1 reply; 10+ messages in thread
From: Karl MacMillan @ 2007-01-30 14:52 UTC (permalink / raw)
  To: Catalin DIMA; +Cc: selinux, Daniel J Walsh

Catalin DIMA wrote:
> On Mon, 29 Jan 2007 16:35:59 -0500, Karl MacMillan wrote
>> Could you elaborate on where it gets stuck. Does the labeling 
>> happen? 
> 
> No, it crashes before labeling, just after starting udev and the 2nd service
> (don't remember the name, I just left home...).
> 
>> You might try relabeling in permissive.
> 
> I suspect it's not the relabeling process, though I have to check it back
> (tomorrow...)
> 
>>> Btw, forgot to mention the libsepol.sepol_genbools: error while reading 
>>> /etc/selinx/refpolicy/booleans error...
>>>
>> In permissive or enforcing?
> 
> Enforcing.
> 
>>> In permissive refpolicy mode, the only selinux message talks about 
>>> NetworkManager.
>>>
>> Just to clarify, things work fine in permissive mode and you are 
>> only getting a single AVC message, correct? 
> 
> Yes, at least during the booting process. I think I also did a setfiles check
> in permissive, and everything was ok (to be checked tomorrow again).
> 
>> Could you check 
>> /var/log/messages and /var/log/audit/audit.log for avc messages 
>> after a permissive boot. Also check the selinux messages in dmesg 
>> for errors.
> 
> The machine on which I noticed the avc:denied message about the NetworkManager
> does not have setools installed -- I then only looked at /var/log/messages.
> Hope I did not forget what machine I was working on...
> 

Setools is not required - you can just cat the logs (or use ausearch for 
the audit logs). Without some more detailed debugging info I'm not 
certain what the problem is.

Karl
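
Added example (not part of the original thread): one way to do the log check described above without setools, by summarising AVC denials per source type, target type, class and permission. The sample log lines, including the file names in them, are constructed for illustration; on a real system pass /var/log/audit/audit.log or /var/log/messages as the argument.

```shell
#!/bin/sh
# Summarise SELinux AVC denials found in a log file.
# Usage: avc_summary FILE
avc_summary() {
    awk '
    /avc:/ && /denied/ {
        perms = ""; comm = "?"; src = "?"; tgt = "?"; cls = "?"
        # Permissions are listed between braces: { read write }
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { src = ctx_type($i) }
            if ($i ~ /^tcontext=/) { tgt = ctx_type($i) }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        count[src " " tgt ":" cls " { " perms " } comm=" comm]++
    }
    # A context is user:role:type[:level]; the type is the third field.
    function ctx_type(kv,   parts) {
        sub(/^[st]context=/, "", kv)
        split(kv, parts, ":")
        return parts[3]
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample: one audit.log style line, the same denial as it would
# appear in /var/log/messages, an execmod (text relocation) denial, and a
# non-AVC record that must be ignored.
avc_demo() {
    log=$(mktemp) || return 1
    cat > "$log" <<'EOF'
type=AVC msg=audit(1170432000.101:12): avc:  denied  { read } for  pid=1801 comm="NetworkManager" name="resolv.conf" dev=hda7 ino=4711 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Feb  2 17:20:01 localhost kernel: audit(1170432001.202:13): avc:  denied  { read } for  pid=1801 comm="NetworkManager" name="resolv.conf" dev=hda7 ino=4711 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1170432050.303:14): avc:  denied  { execmod } for  pid=2100 comm="apol" name="libqpol.so.1" dev=hda7 ino=9001 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1170432050.303:14): arch=40000003 syscall=125 success=no exit=-13 comm="apol"
EOF
    avc_summary "$log"
    rm -f "$log"
}

if [ "$#" -gt 0 ]; then
    avc_summary "$1"
else
    avc_demo
fi
```

In permissive mode the denials are logged but not enforced, so a summary taken after a permissive boot lists what an enforcing boot would have blocked.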



* Re: DWARF2 [was : Problems installing refpolicy with FC6]
  2007-01-30 14:52         ` Karl MacMillan
@ 2007-02-02 16:15           ` Catalin DIMA
  2007-02-02 17:02             ` Paul Moore
  0 siblings, 1 reply; 10+ messages in thread
From: Catalin DIMA @ 2007-02-02 16:15 UTC (permalink / raw)
  To: Karl MacMillan; +Cc: selinux, Daniel J Walsh

Having a little more time to try to solve the problem, I checked again 
several solutions, especially the following :
- relabeled file system
- rebooted without X in refpolicy, _permissive_ mode
and got a pretty looking DWARF2 unwinding... >:-(
As I never encountered such debugging problems, can someone tell me how 
could I "catch it" in some logfile, at least to post it  ? there's no 
trace of the debugging information in either dmesg or messages.

Catalin.



* Re: DWARF2 [was : Problems installing refpolicy with FC6]
  2007-02-02 16:15           ` DWARF2 [was : Problems installing refpolicy with FC6] Catalin DIMA
@ 2007-02-02 17:02             ` Paul Moore
  2007-02-02 17:29               ` Catalin DIMA
  0 siblings, 1 reply; 10+ messages in thread
From: Paul Moore @ 2007-02-02 17:02 UTC (permalink / raw)
  To: Catalin DIMA; +Cc: Karl MacMillan, selinux, Daniel J Walsh

On Friday, February 2 2007 11:15 am, Catalin DIMA wrote:
> Having a little more time to try to solve the problem, I checked again
> several solutions, especially the following :
> - relabeled file system
> - rebooted without X in refpolicy, _permissive_ mode
> and got a pretty looking DWARF2 unwinding... >:-(
> As I never encountered such debugging problems, can someone tell me how
> could I "catch it" in some logfile, at least to post it  ? there's no
> trace of the debugging information in either dmesg or messages.

Hi Catalin,

Just to be certain, you are still doing a "targeted-mcs" policy build yes?  
The only reason I ask is that there is a known problem (my fault :( ) with the
standard FC6 kernels with SELinux policies that do not use MCS or MLS.

-- 
paul moore
linux security @ hp


* Re: DWARF2 [was : Problems installing refpolicy with FC6]
  2007-02-02 17:02             ` Paul Moore
@ 2007-02-02 17:29               ` Catalin DIMA
  0 siblings, 0 replies; 10+ messages in thread
From: Catalin DIMA @ 2007-02-02 17:29 UTC (permalink / raw)
  To: Paul Moore; +Cc: Karl MacMillan, selinux, Daniel J Walsh

I actually forgot to remove the MLS_SENS declaration when configuring 
the policy : it used to declare 16 sensitivity levels with an MCS 
policy... :'(

Paul Moore wrote:

> Hi Catalin,
>
> Just to be certain, you are still doing a "targeted-mcs" policy build yes?
> The only reason I ask is that there is a known problem (my fault :( ) with the
> standard FC6 kernels with SELinux policies that do not use MCS or MLS.



* Re: Problems installing current version of refpolicy with FC6
  2007-01-29 21:08   ` Catalin DIMA
  2007-01-29 21:35     ` Karl MacMillan
@ 2007-02-05 15:34     ` Stephen Smalley
  1 sibling, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2007-02-05 15:34 UTC (permalink / raw)
  To: Catalin DIMA; +Cc: Karl MacMillan, selinux

On Mon, 2007-01-29 at 22:08 +0100, Catalin DIMA wrote:
> Karl MacMillan wrote:
> 
> > Just to check - are you certain that you want the full policy? You may 
> > be able to do the teaching you need with policy modules only.
> 
> Do you mean I should compile&load the modular policy ? I certainly would 
> like to do this, as it's supposed to be easily configurable & suitable 
> for experimenting small modules.

Just to clarify, you don't need to install refpolicy from tresys to
compile and load policy modules; FC6 ships with a modular policy based
on refpolicy, so you can create your own policy modules and load them
without ever touching the base policy.  See the Fedora SELinux FAQ and
wiki pages.  You only need to rebuild the base policy if you want to
make a fundamental change to the policy.

Also, you can grab the selinux-policy .src.rpm from the Fedora site
(just like any other .src.rpm) and build from it rather than building
from an upstream release if you want to keep it as close as possible to
the Fedora settings.

> 
> > Did you enable mcs? The standard FC6 policy is targeted-mcs and the 
> > presence of the mcs components in the file system labels may be the 
> > cause of your problems.
> 
> I tried again this build.conf format :
> 
> TYPE = targeted-mcs
> NAME = refpolicy
> DISTRO = redhat
> DIRECT_INITRC=n
> MONOLITHIC=n
> MLS-SENS=16
> MLS_CATS=256
> 
> Done make conf, make install and make load, then configured for 
> refpolicy & asked for relabeling, and the system gets stuck...
> 
> Btw, forgot to mention the libsepol.sepol_genbools: error while reading 
> /etc/selinx/refpolicy/booleans error...
> 
> In permissive refpolicy mode, the only selinux message talks about 
> NetworkManager.
> 
> > The unknown boolean messages should be harmless I believe.
> >
> > You can extract the build.conf from the policy source rpm as well, 
> > which is likely a good starting point.
> 
> The problem is the same with the rpm and the bz2...
> 
> Thanks,
> Catalin.
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
-- 
Stephen Smalley
National Security Agency


