From: Dominick Grift <domg472@gmail.com>
To: Alan Rouse <alan.rouse@ericsson.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
"'selinux@tycho.nsa.gov'" <selinux@tycho.nsa.gov>
Subject: Re: SELinux Policy in OpenSUSE 11.2
Date: Tue, 16 Feb 2010 23:52:18 +0100
Message-ID: <4B7B21A2.3080006@gmail.com>
In-Reply-To: <5A5E55DF96F73844AF7DFB0F48721F0F529A5588F8@EUSAACMS0703.eamcs.ericsson.se>
On 02/16/2010 10:30 PM, Alan Rouse wrote:
> I had been trying various things in this image. So, just to be sure I have a repeatable state, I've rebuilt my system from scratch as follows:
>
> 1. standard OpenSuse 11.2 install (using Gnome); boot; start terminal; su -
> 2. install packages:
>
> selinux-tools
> selinux-policy
> libselinux*
> libsemanage*
> policycoreutils
> checkpolicy
> make
> m4
> gcc
> findutils-locate
> git
>
> 3. add "3 security=selinux selinux=1 enforcing=0" to the grub boot line (boot to runlevel 3 with selinux in permissive mode) and reboot.
> 4. git clone http://oss.tresys.com/git/refpolicy.git
> 5. change build.conf: "DIST = suse" and "MONOLITHIC = n"
> 6. make clean; make conf; make; make install-src;
> 7. change /etc/refpolicy to point to the just-built policy version, and reboot
> 8. restorecon -R /; reboot
>
> sestatus -v gives:
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: permissive
> Policy version: 24
> Policy from config file: refpolicy
>
> Process contexts:
> Current context: system_u:system_r:sysadm_t
> Init context: system_u:system_r:init_t
> /sbin/mingetty system_u:system_r:sysadm_t
>
> File contexts:
> Controlling term: system_u:object_r:tty_device_t
> /etc/passwd system_u:object_r:etc_t
> /etc/shadow system_u:object_r:shadow_t
> /bin/bash system_u:object_r:shell_exec_t
> /bin/login system_u:object_r:login_exec_t
> /bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
> /sbin/agetty system_u:object_r:getty_exec_t
> /sbin/init system_u:object_r:init_exec_t
> /sbin/mingetty system_u:object_r:getty_exec_t
> /usr/sbin/sshd system_u:object_r:sshd_exec_t
> /lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t
> /lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t
>
> pstree -Z gives:
> init(`system_u:system_r:init_t')
> |-acpid(`system_u:system_r:sysadm_t')
> |-auditd(`system_u:system_r:sysadm_t')
> | |-audispd(`system_u:system_r:sysadm_t')
> | | `-{audispd}(`system_u:system_r:sysadm_t')
> | `-{auditd}(`system_u:system_r:sysadm_t')
> |-cron(`system_u:system_r:sysadm_t')
> |-cupsd(`system_u:system_r:sysadm_t')
> |-dbus-daemon(`system_u:system_r:sysadm_dbusd_t')
> | `-{dbus-daemon}(`system_u:system_r:sysadm_dbusd_t')
> |-dhcpcd(`system_u:system_r:dhcpc_t')
> |-login(`system_u:system_r:sysadm_t')
> | `-bash(`system_u:system_r:sysadm_t')
> | `-pstree(`system_u:system_r:sysadm_t')
> |-master(`system_u:system_r:sysadm_t')
> | |-pickup(`system_u:system_r:sysadm_t')
> | `-qmgr(`system_u:system_r:sysadm_t')
> |-mingetty(`system_u:system_r:sysadm_t')
> |-mingetty(`system_u:system_r:sysadm_t')
> |-mingetty(`system_u:system_r:sysadm_t')
> |-mingetty(`system_u:system_r:sysadm_t')
> |-mingetty(`system_u:system_r:sysadm_t')
> |-nscd(`system_u:system_r:sysadm_t')
> |-rpcbind(`system_u:system_r:sysadm_t')
> |-rsyslogd(`system_u:system_r:sysadm_t')
> | |-{rsyslogd}(`system_u:system_r:sysadm_t')
> | |-{rsyslogd}(`system_u:system_r:sysadm_t')
> | |-{rsyslogd}(`system_u:system_r:sysadm_t')
> | `-{rsyslogd}(`system_u:system_r:sysadm_t')
> |-startpar(`system_u:system_r:sysadm_t')
> |-udevd(`system_u:system_r:sysadm_t')
> | |-udevd(`system_u:system_r:sysadm_t')
> | `-udevd(`system_u:system_r:sysadm_t')
> `-vmtoolsd(`system_u:system_r:sysadm_t')
>
> Now, I tried setsebool -P init_upstart=1. It gives an error message:
> ----------------
> Libsemanage.get_home_dirs: nobody homedir /var/lib/nobody or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than 1000 or its log in shell is /sbin/nologin.
> ----------------
>
> So I did "usermod -s /sbin/nologin nobody" and repeated the setsebool (no error message returned, and "getsebool init_upstart" reports that it was on). But after reboot it is off again...
If you used the -P option with setsebool then the settings should be
persistent across reboots.
> -----Original Message-----
> From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
> Sent: Tuesday, February 16, 2010 2:39 PM
> To: Alan Rouse
> Cc: 'selinux@tycho.nsa.gov'
> Subject: RE: SELinux Policy in OpenSUSE 11.2
>
> On Tue, 2010-02-16 at 14:19 -0500, Alan Rouse wrote:
>> "sestatus -v" reports the following:
>>
>> SELinux status: enabled
>> SELinuxfs mount: /selinux
>> Current mode: permissive
>> Mode from config file: permissive
>> Policy version: 24
>> Policy from config file: refpolicy
>>
>> Process contexts:
>> Current context: system_u:system_r:sysadm_t
>> Init context: system_u:system_r:init_t
>> /sbin/mingetty system_u:system_r:sysadm_t
>
> Ok, so init is in the right security context, but getty is not.
> refpolicy has a rule that says if init runs a shell, transition to sysadm_t - that is for single-user mode. But that gets disabled if using upstart since upstart runs everything via a shell.
>
> Try:
> setsebool -P init_upstart=1
> reboot
>
> pstree -Z output might also be interesting.
>
> --
> Stephen Smalley
> National Security Agency
>
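A check for the symptom Stephen describes above (daemons started by init landing in sysadm_t instead of their own domains), written as an added example that is not part of the thread: it reads `ps -eo label,pid,ppid,comm` output and flags every direct child of init whose type is sysadm_t. The sample input is constructed to mirror the pstree -Z listing quoted above.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Input format is that of: ps -eo label,pid,ppid,comm
# Constructed sample mirroring the pstree -Z output in the thread:
SAMPLE='LABEL PID PPID COMMAND
system_u:system_r:init_t 1 0 init
system_u:system_r:sysadm_t 812 1 auditd
system_u:system_r:sysadm_t 820 812 audispd
system_u:system_r:dhcpc_t 901 1 dhcpcd
system_u:system_r:sysadm_dbusd_t 950 1 dbus-daemon
system_u:system_r:sysadm_t 1020 1 rsyslogd
system_u:system_r:sysadm_t 1050 1 mingetty
system_u:system_r:sysadm_t 1090 1 login
system_u:system_r:sysadm_t 1100 1090 bash'

# Print "pid command" for each direct child of init (PPID 1) running in
# sysadm_t. Grandchildren (audispd, the login shell) merely inherit the
# domain of their parent, so only the first process in each chain is
# reported. The header line is skipped.
misdomained() {
    printf '%s\n' "$1" | awk '
        $1 == "LABEL" { next }
        { split($1, ctx, ":") }
        $3 == "1" && ctx[3] == "sysadm_t" { print $2, $4 }'
}

# Number of flagged processes; 0 means every init child got its own domain.
count_misdomained() {
    misdomained "$1" | wc -l | tr -d ' '
}

# Run against the constructed sample (on a live box, feed it the real
# output of ps -eo label,pid,ppid,comm instead).
misdomained "$SAMPLE"
```

After `setsebool -P init_upstart=1` and a reboot on a system where init really does use upstart, the list should be empty; anything still reported is a daemon whose exec transition from init did not happen.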