* MLS Now working in Fedora 12/RHEL6 in Full Desktop mode.
@ 2010-03-05 17:32 Daniel J Walsh
2010-03-05 17:55 ` Dominick Grift
2010-03-29 18:28 ` Tyler Durvik
0 siblings, 2 replies; 10+ messages in thread
From: Daniel J Walsh @ 2010-03-05 17:32 UTC (permalink / raw)
To: Eamon Walsh, SELinux
selinux-policy-3.6.32-99.fc12 on Fedora 12
I did remove setroubleshoot and abrt, since these are really not
appropriate with an MLS machine.
Everything else is a straight install.
My account logs in as user_t.
The only AVC I am seeing now is
allow user_t xserver_t:x_screen { saver_hide saver_setattr saver_show };
I think this is caused by the screen saver kicking in.
and
#============= pulseaudio_t ==============
#!!!! This avc is a constraint violation. You will need to add an
attribute to either the source or target type to make it work.
allow pulseaudio_t device_t:dir read;
Which is caused because the /dev/snd directory gets created as SystemHigh.
I have no idea why. I need to investigate who is creating the directory.
Matchpathcon says it is supposed to be SystemLow. It must be a
SystemHigh process that creates it.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
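The mismatch described above, /dev/snd carrying SystemHigh while matchpathcon says it should be SystemLow, can be checked for every entry under /dev with a short script. This is an added example, not code from the thread or from the Fedora policy package; it assumes coreutils `stat` (whose `%C` format prints the security context) and `matchpathcon` from libselinux-utils, and the sample contexts in the comments and test are constructed, using s0 and s15:c0.c1023, the levels the MLS policy's setrans.conf names SystemLow and SystemHigh.

```shell
#!/bin/sh
# Added example (not from the thread): compare the MLS range in an object's
# actual security context with the range the file-context database expects.
# Constructed sample: /dev/snd at system_u:object_r:device_t:s15:c0.c1023
# (SystemHigh) while matchpathcon returns system_u:object_r:device_t:s0.

# Print the MLS range (everything after the type field) of a context, e.g.
# "system_u:object_r:device_t:s15:c0.c1023" -> "s15:c0.c1023".
mls_range() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# check_level PATH ACTUAL_CONTEXT EXPECTED_CONTEXT
# Prints one report line; returns 1 when the MLS ranges differ, 0 otherwise.
# Only the MLS field is compared, so a wrong type is not reported here.
check_level() {
    path=$1
    actual=$(mls_range "$2")
    expected=$(mls_range "$3")
    if [ "$actual" = "$expected" ]; then
        printf 'ok        %s %s\n' "$path" "$actual"
        return 0
    fi
    printf 'MISMATCH  %s actual=%s expected=%s\n' "$path" "$actual" "$expected"
    return 1
}

# Live check of every entry directly under /dev on an SELinux host (assumes
# stat and matchpathcon are installed). Returns 1 if any entry mismatches.
audit_dev_levels() {
    mismatches=0
    for p in /dev/*; do
        actual=$(stat -c '%C' "$p")
        expected=$(matchpathcon -n "$p")
        check_level "$p" "$actual" "$expected" || mismatches=$((mismatches + 1))
    done
    [ "$mismatches" -eq 0 ]
}
```

`check_level` is pure and works on captured contexts, which is what the test exercises; `audit_dev_levels` is the live run for an MLS host. Because it compares only the MLS field, a type mismatch still has to come from `restorecon -nv`; this script is aimed at the level problem the message describes, where the type is right but the directory was created by a SystemHigh process.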
From: Dominick Grift @ 2010-03-05 17:55 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Eamon Walsh, SELinux
On 03/05/2010 06:32 PM, Daniel J Walsh wrote:
> selinux-policy-3.6.32-99.fc12 on Fedora 12
Should users be able to login using gdm/gui if they are not assigned a
default level of s0?
semanage login -m -s user_u -r s1-s1 joe
I could not get that to work.
Also attached is a modification that I implemented to get MLS to "work"
on previous f13 policy versions:
Attachment: mlswm.fc (empty)

Attachment: mlswm.if
## <summary>Window manager.</summary>

########################################
## <summary>
##	Role access for Window manager.
## </summary>
## <param name="role prefix">
##	<summary>
##	Role prefix.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`mlswm_role',`
	gen_require(`
		type $1_wm_t, $1_dbusd_t, xserver_t, root_xdrawable_t;
		class x_drawable { read manage show setattr };
		class x_resource { write };
		class x_keyboard { manage freeze };
		class x_screen { setattr };
	')

	# The user domain may signal and connect to its window manager.
	allow $3 $1_wm_t:process signal;
	allow $3 $1_wm_t:unix_stream_socket connectto;

	# Window manager self access and connection to the user's dbus daemon.
	allow $1_wm_t self:process signal;
	allow $1_wm_t $1_dbusd_t:unix_stream_socket connectto;

	# X drawables and resources shared between the user domain and the wm.
	allow $3 $1_wm_t:x_drawable { read setattr };
	allow $3 $1_wm_t:x_resource write;
	allow $1_wm_t root_xdrawable_t:x_drawable manage;
	allow $1_wm_t $3:x_drawable { read manage setattr show };
	allow $1_wm_t $3:x_resource write;

	# Keyboard grabs and screen attributes on the X server.
	allow $1_wm_t xserver_t:x_keyboard { manage freeze };
	allow $1_wm_t xserver_t:x_screen setattr;
')
Attachment: mlswm.te
policy_module(mlswm, 1.0.0)

# optional_policy(`
gen_require(`
	type staff_t, xdm_var_lib_t, root_xdrawable_t, xdm_t, xserver_t;
	role staff_r;
	class x_drawable { read write add_child };
	class x_client { destroy };
	class x_resource { write };
	class x_keyboard { read manage };
	class x_pointer { get_property manage set_property list_property };
	class x_screen { saver_setattr };
	class x_server { manage };
')

# Access the staff user domain needs towards the display manager (xdm_t)
# and the X server (xserver_t) for a full desktop session.
allow staff_t xdm_var_lib_t:file { read open };
allow staff_t root_xdrawable_t:x_drawable write;
allow staff_t xdm_t:x_client destroy;
allow staff_t xdm_t:x_drawable { read add_child };
allow staff_t xdm_t:x_resource write;
allow staff_t xserver_t:x_keyboard { read manage };
allow staff_t xserver_t:x_pointer { get_property manage set_property list_property };
allow staff_t xserver_t:x_screen saver_setattr;
allow staff_t xserver_t:x_server manage;

# Expects staff_wm_t and staff_dbusd_t to exist (see the interface's gen_require).
mlswm_role(staff, staff_r, staff_t)
# ')
From: Daniel J Walsh @ 2010-03-05 18:03 UTC (permalink / raw)
To: Dominick Grift; +Cc: Eamon Walsh, SELinux
On 03/05/2010 12:55 PM, Dominick Grift wrote:
> On 03/05/2010 06:32 PM, Daniel J Walsh wrote:
>> selinux-policy-3.6.32-99.fc12 on Fedora 12
> Should users be able to login using gdm/gui if they are not assigned a
> default level of s0?
>
> semanage login -m -s user_u -r s1-s1 joe
I think you need to set up the homedir with this label. Or use
polyinstantiated homedirs.
The homedir is probably labeled s0 so it would not be allowed.
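The home directory point in the reply above, as an added example that is not part of the thread: a login for joe mapped to s1-s1 starts its session at s1, and under MLS a process at s1 may not write to a directory at s0 (no write-down), so the session cannot use an s0 home directory. The helper functions compare the low end of the login range with the directory's level from captured contexts; `relabel_home_for_level` runs `semanage login` (the command quoted above) and `chcon --range` on a live host. The account joe and the context strings are constructed, and the comparison looks at sensitivities only, ignoring categories.

```shell
#!/bin/sh
# Added example (not from the thread): does the user's home directory sit at
# the level the user's SELinux login range starts at?
# Constructed sample: joe mapped to user_u at s1-s1, /home/joe still at
# user_u:object_r:user_home_dir_t:s0.

# sens_num LEVEL -> numeric sensitivity: "s1" -> 1, "s15:c0.c1023" -> 15.
# Categories are dropped (simplification: sensitivities only).
sens_num() {
    lvl=${1%%:*}
    printf '%s\n' "${lvl#s}"
}

# range_low RANGE  -> low end of "s1-s3" (the whole string for a single "s1")
range_low() {
    printf '%s\n' "${1%%-*}"
}

# range_high RANGE -> high end of "s1-s3" (the whole string for a single "s1")
range_high() {
    printf '%s\n' "${1##*-}"
}

# homedir_level_ok LOGIN_RANGE HOMEDIR_CONTEXT
# Returns 0 when the directory's sensitivity equals the low end of the login
# range, which is the level the session starts at. Lower means the session
# cannot write there; higher means it cannot read there.
homedir_level_ok() {
    low=$(sens_num "$(range_low "$1")")
    home=$(sens_num "$(printf '%s\n' "$2" | cut -d: -f4-)")
    [ -n "$home" ] || return 1          # context carries no MLS field
    [ "$low" -eq "$home" ]
}

# Live fix on an MLS host for a hypothetical account: map the login to
# user_u at the given range, relabel the home directory to the range's low
# level, then verify. Assumes semanage, chcon and stat are installed.
relabel_home_for_level() {
    user=$1
    range=$2
    semanage login -m -s user_u -r "$range" "$user" || return 1
    chcon -R -l "$(range_low "$range")" "/home/$user" || return 1
    homedir_level_ok "$range" "$(stat -c '%C' "/home/$user")"
}
```

The relabel keeps the directory's type and changes only the MLS field, which is the difference between this approach and the polyinstantiated home directories the reply also mentions, where each level gets its own directory instead.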
From: Dominick Grift @ 2010-03-05 18:05 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Eamon Walsh, SELinux
On 03/05/2010 07:03 PM, Daniel J Walsh wrote:
> On 03/05/2010 12:55 PM, Dominick Grift wrote:
>> On 03/05/2010 06:32 PM, Daniel J Walsh wrote:
>>> selinux-policy-3.6.32-99.fc12 on Fedora 12
>> Should users be able to login using gdm/gui if they are not assigned a
>> default level of s0?
>>
>> semanage login -m -s user_u -r s1-s1 joe
> I think you need to set up the homedir with this label. Or use
> polyinstantiated homedirs.
> The homedir is probably labeled s0 so it would not be allowed.
I tried that and even then it does not work, but I will try it again as
soon as I have installed your latest policy.
Also I noticed last time I tried MLS policy that some modules weren't
installed. I am not sure which ones, except rtkit policy.
From: Daniel J Walsh @ 2010-03-05 18:11 UTC (permalink / raw)
To: Dominick Grift; +Cc: Eamon Walsh, SELinux
The latest policy package includes a lot more policy from targeted. I
had fixes for wm in the package that I sent upstream. But any help
testing this would be appreciated. Especially where this is not my
primary focus.
From: Dominick Grift @ 2010-03-05 18:20 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Eamon Walsh, SELinux
On 03/05/2010 07:11 PM, Daniel J Walsh wrote:
> The latest policy package includes a lot more policy from targeted. I
> had fixes for wm in the package that I sent upstream. But any help
> testing this would be appreciated. Especially where this is not my
> primary focus.
Are these fixes also in f13 policy?
From: Daniel J Walsh @ 2010-03-05 18:41 UTC (permalink / raw)
To: Dominick Grift; +Cc: Eamon Walsh, SELinux
On 03/05/2010 01:20 PM, Dominick Grift wrote:
> On 03/05/2010 07:11 PM, Daniel J Walsh wrote:
>> The latest policy package includes a lot more policy from targeted. I
>> had fixes for wm in the package that I sent upstream. But any help
>> testing this would be appreciated. Especially where this is not my
>> primary focus.
> Are these fixes also in f13 policy?
Yes
From: Justin P. mattock @ 2010-03-05 18:49 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Dominick Grift, Eamon Walsh, SELinux
On 03/05/2010 10:11 AM, Daniel J Walsh wrote:
> The latest policy package includes a lot more policy from targeted. I
> had fixes for wm in the package that I sent upstream. But any help
> testing this would be appreciated. Especially where this is not my
> primary focus.
This sounds good, I'll load it up and see.
Justin P. Mattock
From: Tyler Durvik @ 2010-03-29 18:28 UTC (permalink / raw)
To: SELinux
This is great news. Are there any installation docs on this or is it
as simple as:
installing the policy
updating SELinux config file
touch /.autorelabel
reboot
Thank you
From: Daniel J Walsh @ 2010-03-29 19:02 UTC (permalink / raw)
To: Tyler Durvik; +Cc: SELinux
On 03/29/2010 02:28 PM, Tyler Durvik wrote:
> This is great news. Are there any installation docs on this or is it
> as simple as:
>
> installing the policy
> updating SELinux config file
> touch /.autorelabel
> reboot
>
> Thank you
Yes although I am testing with F13 policy on a F12 system. (RHEL6)
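The four steps asked about and confirmed above, as an added script that is not from the thread: `set_selinux_type` rewrites the SELINUXTYPE line of an /etc/selinux/config-style file and can be exercised on a copy of the file; `switch_to_mls` does the package install, config change, relabel marker and reboot on the real host. The package name selinux-policy-mls and the config path are the Fedora/RHEL ones, the removal of setroubleshoot and abrt follows the first message of the thread, and the check for /etc/selinux/mls/policy assumes the standard policy store layout.

```shell
#!/bin/sh
# Added example (not from the thread): switch a Fedora/RHEL host to the MLS
# policy. Only set_selinux_type() is safe to run on a throwaway copy; the
# rest changes the host and ends with a reboot.

# set_selinux_type CONFIG_FILE TYPE
# Replaces the active SELINUXTYPE= line (appends one if none exists), leaves
# comment lines such as "#   mls - ..." untouched, and prints the new value.
set_selinux_type() {
    cfg=$1
    policy_type=$2
    if grep -q '^SELINUXTYPE=' "$cfg"; then
        tmp=$(mktemp)
        sed "s/^SELINUXTYPE=.*/SELINUXTYPE=$policy_type/" "$cfg" > "$tmp"
        cat "$tmp" > "$cfg"      # write back in place, keeping mode and owner
        rm -f "$tmp"
    else
        printf 'SELINUXTYPE=%s\n' "$policy_type" >> "$cfg"
    fi
    sed -n 's/^SELINUXTYPE=//p' "$cfg"
}

# Full procedure for a live host: install the MLS policy package, drop the
# two tools the first message removed as inappropriate on an MLS machine,
# point the config at the mls store, request a full relabel, reboot.
switch_to_mls() {
    yum -y install selinux-policy-mls || return 1
    yum -y remove setroubleshoot abrt
    [ -d /etc/selinux/mls/policy ] || { echo 'mls policy store missing' >&2; return 1; }
    set_selinux_type /etc/selinux/config mls
    touch /.autorelabel
    reboot
}
```

The relabel marker matters more under MLS than under targeted: every file gets an MLS field on the next boot, and a /dev entry created by a SystemHigh process before the relabel is exactly the kind of mismatch the first message describes, so a check of /dev after the reboot is worth keeping in the procedure.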