Date: Fri, 21 Nov 2008 06:59:03 -0800 (PST)
From: Rahul Jain
Reply-To: erahul29@yahoo.com
Subject: Problem Setting Policy To Enforcing Mode
To: selinux@tycho.nsa.gov
Message-ID: <459507.37401.qm@web50206.mail.re2.yahoo.com>

Hi All,

This is the first time I am writing to this mailing list in the hope of receiving help. I am trying to port the reference policy by Tresys to Montavista. I am able to run the policy well in permissive mode with no avc messages in the audit log, kern.log or messages. But when I put the policy into enforcing mode my system fails to boot; the reason seems to be a problem with the init process. I am not able to debug the problem because no avc messages are generated for it, probably because the issue comes up even before the logging daemons start. Is there any way I can debug my policy and log the avc messages from the very beginning of the system startup?

Rahul Jain

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

Subject: Re: Problem Setting Policy To Enforcing Mode
From: "Justin P. Mattock"
To: erahul29@yahoo.com
Cc: selinux@tycho.nsa.gov
In-Reply-To: <459507.37401.qm@web50206.mail.re2.yahoo.com>
Date: Fri, 21 Nov 2008 07:45:59 -0800
Message-Id: <1227282359.3138.1.camel@LiNuX>

On Fri, 2008-11-21 at 06:59 -0800, Rahul Jain wrote:
> Hi All,
>
> This is the first time I am writing to this mailing list in the hope of
> receiving help. I am trying to port the reference policy by Tresys to
> Montavista. I am able to run the policy well in permissive mode with
> no avc messages in the audit log, kern.log or messages. But when I put the
> policy into enforcing mode my system fails to boot; the reason seems to
> be a problem with the init process. I am not able to debug the problem
> because no avc messages are generated for it, probably because
> the issue comes up even before the logging daemons start. Is there any way
> I can debug my policy and log the avc messages from the very beginning
> of the system startup?
>
> Rahul Jain

Have you tried the command "make enableaudit"? It should open the policy up more and generate avc's.

regards;
--
Justin P. Mattock

Subject: Re: Problem Setting Policy To Enforcing Mode
From: Stephen Smalley
To: erahul29@yahoo.com
Cc: selinux@tycho.nsa.gov
In-Reply-To: <459507.37401.qm@web50206.mail.re2.yahoo.com>
Date: Fri, 21 Nov 2008 13:37:16 -0500
Message-Id: <1227292636.7319.37.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2008-11-21 at 06:59 -0800, Rahul Jain wrote:
> Hi All,
>
> This is the first time I am writing to this mailing list in the hope of
> receiving help. I am trying to port the reference policy by Tresys to
> Montavista. I am able to run the policy well in permissive mode with
> no avc messages in the audit log, kern.log or messages. But when I put the
> policy into enforcing mode my system fails to boot; the reason seems to
> be a problem with the init process. I am not able to debug the problem
> because no avc messages are generated for it, probably because
> the issue comes up even before the logging daemons start. Is there any way
> I can debug my policy and log the avc messages from the very beginning
> of the system startup?
>
> Rahul Jain

If you boot the system in permissive mode, check to see if you have a policy loaded and whether your filesystem is labeled correctly.

--
Stephen Smalley
National Security Agency

Message-ID: <49270ECE.4010300@redhat.com>
Date: Fri, 21 Nov 2008 14:41:02 -0500
From: Daniel J Walsh
To: erahul29@yahoo.com
CC: selinux@tycho.nsa.gov
Subject: Re: Problem Setting Policy To Enforcing Mode
In-Reply-To: <459507.37401.qm@web50206.mail.re2.yahoo.com>

Rahul Jain wrote:
> Hi All,
>
> This is the first time I am writing to this mailing list in the hope of receiving help. I am trying to port the reference policy by Tresys to Montavista. I am able to run the policy well in permissive mode with no avc messages in the audit log, kern.log or messages. But when I put the policy into enforcing mode my system fails to boot; the reason seems to be a problem with the init process. I am not able to debug the problem because no avc messages are generated for it, probably because the issue comes up even before the logging daemons start. Is there any way I can debug my policy and log the avc messages from the very beginning of the system startup?
>
> Rahul Jain

AVC messages should come to the screen. Try semodule -DB to turn off dontaudit rules.
Date: Sat, 22 Nov 2008 03:09:20 -0800 (PST)
From: Rahul Jain
Reply-To: erahul29@yahoo.com
Subject: Problem Setting Policy To Enforcing Mode
To: selinux@tycho.nsa.gov
Cc: justinmattock@gmail.com, sds@tycho.nsa.gov, dwalsh@redhat.com
Message-ID: <674101.15460.qm@web50212.mail.re2.yahoo.com>

Thank you all for your kind help.

Finally I was able to boot my policy. As suggested, I removed dontaudit rules from my policy by doing "make enableaudit". Then I did some quick fixes and was finally able to boot the policy. However I am still facing some issues:

Firstly - My syslog daemon takes too long to start, almost 10 min. Please note my test systems are high end multiprocessor express servers with 8 GB of RAM.

Secondly: I am not able to come back to permissive mode, not even by logging in as the sysadm_r role. My file system is read only and so I am not able to edit the /etc/selinux/config file. The "setenforce" command temporarily puts the policy in permissive mode but still the config file could not be edited. I even tried it in linux single user mode, but the problem persists. Is it a property of the Tresys reference policy, or is my policy still not behaving properly?

I really appreciate your kind help.

Thanks
Rahul

Subject: Re: Problem Setting Policy To Enforcing Mode
From: "Justin P. Mattock"
To: erahul29@yahoo.com
Cc: selinux@tycho.nsa.gov, sds@tycho.nsa.gov, dwalsh@redhat.com
In-Reply-To: <674101.15460.qm@web50212.mail.re2.yahoo.com>
Date: Sat, 22 Nov 2008 09:18:47 -0800
Message-Id: <1227374327.3205.14.camel@LiNuX>

On Sat, 2008-11-22 at 03:09 -0800, Rahul Jain wrote:
> Thank you all for your kind help.
>
> Finally I was able to boot my policy. As suggested, I removed
> dontaudit rules from my policy by doing "make enableaudit". Then I did
> some quick fixes and was finally able to boot the policy. However I am
> still facing some issues:
> Firstly - My syslog daemon takes too long to start, almost 10 min.
> Please note my test systems are high end multiprocessor express
> servers with 8 GB of RAM.
> Secondly: I am not able to come back to permissive mode, not even
> by logging in as the sysadm_r role. My file system is read only and so I am not
> able to edit the /etc/selinux/config file. The "setenforce" command
> temporarily puts the policy in permissive mode but still the config file
> could not be edited. I even tried it in linux single user mode,
> but the problem persists. Is it a property of the Tresys reference
> policy, or is my policy still not behaving properly?
> I really appreciate your kind help.
>
> Thanks
> Rahul

Cool, glad to hear you're up and running. Like Stephen mentioned, you should check and make sure the files are labeled correctly before doing a make enableaudit (this way you don't strip down your policy).

With the syslog, either you have it installed incorrectly, or there are still denials showing up causing syslog to only partially work. e.g. I usually do "rm /var/log/syslog, touch /var/log/syslog, reboot, audit2allow -i /var/log/syslog" to see any dbus avc's (that is, if dbus is running correctly). Most likely, if you are booting into permissive and syslog starts right up, as opposed to enforcing, then there's a denial floating around that needs to be allowed.

As for setting permissive mode, what is your initial context? (e.g. id -Z once you've started up.)

regards;
--
Justin P. Mattock

Subject: Re: Problem Setting Policy To Enforcing Mode
From: Stephen Smalley
To: erahul29@yahoo.com
Cc: selinux@tycho.nsa.gov, justinmattock@gmail.com, dwalsh@redhat.com
In-Reply-To: <674101.15460.qm@web50212.mail.re2.yahoo.com>
Date: Mon, 24 Nov 2008 08:47:56 -0500
Message-Id: <1227534476.28401.3.camel@moss-spartans.epoch.ncsc.mil>

On Sat, 2008-11-22 at 03:09 -0800, Rahul Jain wrote:
> Thank you all for your kind help.
>
> Finally I was able to boot my policy. As suggested, I removed
> dontaudit rules from my policy by doing "make enableaudit". Then I did
> some quick fixes and was finally able to boot the policy. However I am
> still facing some issues:
> Firstly - My syslog daemon takes too long to start, almost 10 min.
> Please note my test systems are high end multiprocessor express
> servers with 8 GB of RAM.
> Secondly: I am not able to come back to permissive mode, not even
> by logging in as the sysadm_r role. My file system is read only and so I am not
> able to edit the /etc/selinux/config file. The "setenforce" command
> temporarily puts the policy in permissive mode but still the config file
> could not be edited. I even tried it in linux single user mode,
> but the problem persists. Is it a property of the Tresys reference
> policy, or is my policy still not behaving properly?
> I really appreciate your kind help.
>
> Thanks
> Rahul

Boot with enforcing=0 on the kernel command line, resolve any denials by fixing your filesystem labeling and/or your policy configuration, then reboot.

--
Stephen Smalley
National Security Agency
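Stephen's advice above splits the work into two kinds of fixes: relabel the filesystem, or change the policy. As an added example, not code from the thread or from the reference policy, the Python script below parses constructed kernel AVC lines (the format the console and syslog carry once dontaudit rules are removed), groups denials by source type, target type and object class, and flags targets typed file_t or unlabeled_t as relabeling problems rather than candidates for an allow rule. The sample log, hostname, inode numbers and the assumed types are all made up.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): kernel AVC lines as they land in
# syslog/console once dontaudit rules are removed. Types are illustrative.
SAMPLE_LOG = """\
Nov 22 03:10:01 mvl kernel: audit(1227352201.101:7): avc:  denied  { read } for  pid=1 comm="init" name="config" dev=hda1 ino=1041 scontext=system_u:system_r:init_t tcontext=system_u:object_r:selinux_config_t tclass=file
Nov 22 03:10:01 mvl kernel: audit(1227352201.102:8): avc:  denied  { open } for  pid=1 comm="init" name="config" dev=hda1 ino=1041 scontext=system_u:system_r:init_t tcontext=system_u:object_r:selinux_config_t tclass=file
Nov 22 03:10:05 mvl kernel: audit(1227352205.330:9): avc:  denied  { write } for  pid=512 comm="syslogd" name="log" dev=hda1 ino=2210 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=sock_file
Nov 22 03:10:06 mvl kernel: audit(1227352206.001:10): avc:  granted  { load_policy } for  pid=1 comm="init" scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t tclass=security
"""

AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Target types that mean "this object has no proper label": the fix is a
# relabel (restorecon / fixfiles), not a new allow rule.
UNLABELED_TYPES = ("file_t", "unlabeled_t")


def type_of(context):
    """user:role:type[:range] -> type."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "stype": type_of(fields.get("scontext", "")),
        "ttype": type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        "comm": fields.get("comm", ""),
    }


def summarize(log_text):
    """Group denials by (source type, target type, class), merging permissions."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["count"] += 1
        g["comms"].add(rec["comm"])
    return dict(groups)


def report(groups):
    """One line per group: a candidate allow rule to review, or a relabel note."""
    lines = []
    for (s, t, c), g in sorted(groups.items()):
        who = ",".join(sorted(g["comms"]))
        if t in UNLABELED_TYPES:
            lines.append(f"# {s} -> {t}:{c} ({g['count']}x by {who}): target is unlabeled, relabel instead of allowing")
        else:
            lines.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};  # {g['count']}x by {who}")
    return lines
```

The allow lines are review candidates in the style of audit2allow output, not rules to load as they stand.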
Date: Mon, 24 Nov 2008 09:37:15 -0800 (PST)
From: Rahul Jain
Reply-To: erahul29@yahoo.com
Subject: Problem Setting Policy To Enforcing Mode
To: sds@tycho.nsa.gov, justinmattock@gmail.com, dwalsh@redhat.com
Cc: selinux@tycho.nsa.gov
Message-ID: <250575.6402.qm@web50204.mail.re2.yahoo.com>

Hi All,

Thank you all for your kind support. After your suggestions I was able to fix all my problems. So to put my policy in enforcing mode I deleted the "dontaudit" rules using "make enableaudit". Then I did the fixes. My syslogd was taking a long time to start because there were still some avc messages left; I fixed them and the issue got resolved. I was able to come back to permissive by adjusting the DAC permissions of the /etc/selinux/config file. My initial context on login was root:sysadm_r:sysadm_t. I checked "sestatus" to see that my policy got loaded and that it is in enforcing mode.

So finally my policy is up and running.

Thanks and Regards
Rahul

Subject: Re: Problem Setting Policy To Enforcing Mode
From: "Justin P. Mattock"
To: erahul29@yahoo.com
Cc: sds@tycho.nsa.gov, dwalsh@redhat.com, selinux@tycho.nsa.gov
In-Reply-To: <250575.6402.qm@web50204.mail.re2.yahoo.com>
Date: Mon, 24 Nov 2008 10:23:05 -0800
Message-Id: <1227550985.3191.4.camel@LiNuX>

On Mon, 2008-11-24 at 09:37 -0800, Rahul Jain wrote:
> Hi All,
>
> Thank you all for your kind support. After your suggestions I was
> able to fix all my problems. So to put my policy in enforcing mode I
> deleted the "dontaudit" rules using "make enableaudit". Then I did the
> fixes. My syslogd was taking a long time to start because there were
> still some avc messages left; I fixed them and the issue got resolved. I
> was able to come back to permissive by adjusting the DAC permissions
> of the /etc/selinux/config file. My initial context on login was
> root:sysadm_r:sysadm_t. I checked "sestatus" to see that my policy
> got loaded and that it is in enforcing mode.
>
> So finally my policy is up and running.
>
> Thanks and Regards
> Rahul

Cool, glad you're up and running.

regards;
--
Justin P. Mattock