* Re: Non-Computing Abstractions & An Issue Thereof
From: Richard Haines @ 2010-06-03 16:28 UTC (permalink / raw)
To: Joshua Kramer; +Cc: selinux
I've modified your module to compile and added a few notes - HOWEVER it does get a bit complicated as you need to add your new object classes and permissions to the base policy (as explained in the various emails).
I've attached a tarball with sample files and a README. If you want, try these; of course you will not be able to enforce any policy, but at least
it compiles.
Both examples in the README use information from the SELinux Notebook at:
http://www.freetechbooks.com/the-selinux-notebook-the-foundations-t785.html
One is based on a simple policy and the other on the Fedora 12 targeted reference policy.
Richard
--- On Sat, 29/5/10, Joshua Kramer <josh@globalherald.net> wrote:
> From: Joshua Kramer <josh@globalherald.net>
> Subject: Non-Computing Abstractions & An Issue Thereof
> To: "SE Linux" <selinux@tycho.nsa.gov>
> Date: Saturday, 29 May, 2010, 22:40
> Hello,
>
> I am trying to wrap my head around using SELinux to secure
> data objects in userspace. My learning style suggests
> that for a topic like this, I abstract the theory away from
> how it's actually implemented in software. To those
> ends, I have created the type enforcement file attached to
> this email, that loosely models the behavior of teams of
> sled dogs using SELinux.
>
> When I try to install the policy using these commands:
>
> checkmodule -M -m -o seSledDogs.mod seSledDogs.te
> semodule_package -o seSledDogs.pp -m seSledDogs.mod
> semodule -i ./seSledDogs.pp
>
> ...I get this error from semodule:
>
> libsepol.print_missing_requirements: seSledDogs's global
> requirements were not met: role dog_owner_r (No such file or
> directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No
> such file or directory).
> semodule: Failed!
>
> If I comment out the roles, I get a similar message about
> the types:
>
> libsepol.print_missing_requirements: seSledDogs's global
> requirements were not met: type/attribute medicine_t (No
> such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No
> such file or directory).
> semodule: Failed!
>
> Where do I need to be defining these roles and types?
> I was under the impression that the te files were
> self-contained.
>
> Thanks!
> -Joshua Kramer
>
>
>
[-- Attachment #2: SledDogs.tar.gz --]
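The link error Joshua hit ("global requirements were not met: role dog_owner_r") comes from libsepol finding an identifier that the module uses but neither declares nor pulls in through a `require { ... }` block. The checker below, an added example that is not part of the thread or of the attached SledDogs tarball, does the same bookkeeping before `checkmodule`/`semodule` ever run: it scans a .te source for types, attributes and roles used in `allow`/`dontaudit`/`auditallow`/`neverallow` rules and `role ... types` statements, subtracts what the module itself declares and what its `require` blocks import, and renders the missing `require` block. The sample module (`sesleddogs`, `lead_dog_t`, `harness_t`, `medicine_t`, `musher_r`, and so on) is constructed for the example and is not the attached seSledDogs.te.

```python
"""Pre-flight check for an SELinux policy module (.te) source.

Added example, not code from the thread or from the SELinux project. It
reports every type, attribute or role that a module uses but neither
declares nor imports with a `require { ... }` block, which is the condition
libsepol reports at link time as "global requirements were not met".
"""
import re

# Constructed sample module for this example (not the thread's seSledDogs.te).
SAMPLE_TE = """\
module sesleddogs 1.0;

require {
    type unconfined_t;
    role system_r;
}

attribute sled_dog;
type lead_dog_t, sled_dog;
type wheel_dog_t, sled_dog;
type harness_t;
role dog_owner_r;

allow lead_dog_t harness_t:file { read write };
allow sled_dog harness_t:file read;
# medicine_t is neither declared here nor required from the base policy
allow lead_dog_t medicine_t:file read;
# musher_r is used but never declared or required
role musher_r types lead_dog_t;
role dog_owner_r types wheel_dog_t;
"""

RULE_KEYWORDS = ("allow", "dontaudit", "auditallow", "neverallow")


def _strip_comments(text):
    """Drop '#' comments so commented-out rules are not counted."""
    return re.sub(r"#.*", "", text)


def _split_idents(s):
    """Identifiers inside a source/target expression such as '{ a b }' or 'a, b'."""
    return [w for w in re.findall(r"[A-Za-z_][A-Za-z0-9_]*", s) if w != "self"]


def parse_module(text):
    """Return (declared, required, used), each keyed by 'type' and 'role'.

    Attributes share the type namespace, matching libsepol's "type/attribute"
    wording in its error message.
    """
    text = _strip_comments(text)
    required = {"type": set(), "role": set()}
    # Collect require blocks first, then remove them so their contents are
    # not mistaken for declarations made by this module.
    for body in re.findall(r"\brequire\s*\{(.*?)\}", text, flags=re.S):
        for kind, names in re.findall(r"\b(type|attribute|role)\s+([^;]+);", body):
            required["role" if kind == "role" else "type"].update(_split_idents(names))
    text = re.sub(r"\brequire\s*\{.*?\}", "", text, flags=re.S)

    declared = {"type": set(), "role": set()}
    used = {"type": set(), "role": set()}
    # "type foo_t, attr1, attr2;" declares foo_t and uses the attributes.
    for name, attrs in re.findall(r"^\s*type\s+(\w+)\s*(?:,([^;]*))?;", text, flags=re.M):
        declared["type"].add(name)
        used["type"].update(_split_idents(attrs))
    for name in re.findall(r"^\s*attribute\s+(\w+)\s*;", text, flags=re.M):
        declared["type"].add(name)
    for name in re.findall(r"^\s*role\s+(\w+)\s*;", text, flags=re.M):
        declared["role"].add(name)
    for role, types in re.findall(r"^\s*role\s+(\w+)\s+types\s+([^;]+);", text, flags=re.M):
        used["role"].add(role)
        used["type"].update(_split_idents(types))
    kw = "|".join(RULE_KEYWORDS)
    # Everything between the rule keyword and the ':' before the class is
    # the source and target expression.
    for src_tgt in re.findall(rf"^\s*(?:{kw})\s+([^:;]+):", text, flags=re.M):
        used["type"].update(_split_idents(src_tgt))
    return declared, required, used


def missing_requirements(text):
    """Identifiers used by the module that it neither declares nor requires."""
    declared, required, used = parse_module(text)
    return {k: sorted(used[k] - declared[k] - required[k]) for k in ("type", "role")}


def suggested_require_block(text):
    """Render the require { } block that would satisfy the missing identifiers."""
    missing = missing_requirements(text)
    lines = [f"    type {t};" for t in missing["type"]]
    lines += [f"    role {r};" for r in missing["role"]]
    return "require {\n" + "\n".join(lines) + "\n}\n" if lines else ""


if __name__ == "__main__":
    print(missing_requirements(SAMPLE_TE))
    print(suggested_require_block(SAMPLE_TE), end="")
```

A `require` block only resolves identifiers that already exist in the base policy or in another loaded module; if the checker flags a name you meant to introduce (the example's `medicine_t`), the fix is to declare it in the module instead. New object classes and permissions are not fixable from the module side at all, which is the complication Richard's note refers to.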
* Re: Non-Computing Abstractions & An Issue Thereof
From: Joshua Kramer @ 2010-06-03 18:34 UTC (permalink / raw)
To: Richard Haines; +Cc: selinux
On 06/03/2010 12:28 PM, Richard Haines wrote:
> I've modified your module to compile and added a few notes - HOWEVER it does get a bit complicated as you need to add your new object classes and permissions to the base policy (as explained in the various emails).
>
THANKS Richard! I am in the process of putting together a step-by-step
'from the ground up' on how to do this on RedHat EL6. I have consulted
your notebooks and it's the best companion to the RH documentation for
recent developments in SELinux. And yeah, I do intend to write a
userspace object manager next...
Thanks,
-JK
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Rebuilding Modified Base Policy on RHEL6 (was on-Computing Abstractions & An Issue Thereof)
From: Joshua Kramer @ 2010-06-26 19:20 UTC (permalink / raw)
To: Richard Haines; +Cc: selinux
"I've modified your module to compile and added a few notes - HOWEVER it
does get a bit complicated as you need to add your new object classes
and permissions to the base policy (as explained in the various emails)."
Is the method for rebuilding policy explained in the following guide,
still effective for RHEL6?
http://danwalsh.livejournal.com/26428.html
Thanks!
-Josh
* Re: Rebuilding Modified Base Policy on RHEL6 (was on-Computing Abstractions & An Issue Thereof)
From: Joshua Kramer @ 2010-06-26 23:06 UTC (permalink / raw)
To: selinux
> Is the method for rebuilding policy explained in the following guide,
> still effective for RHEL6?
> http://danwalsh.livejournal.com/26428.html
>
Ok, so I followed the instructions on the noted page; specifically, near
the bottom. This line works to rebuild policy on RHEL6:
make validate UNK_PERMS=allow NAME=strict TYPE=mcs DISTRO=redhat UBAC=n
DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 base
However, if I do this, to switch the build from strict to targeted:
cd ~/sources/BUILD/serefpolicy-VERSION
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=redhat UBAC=n
DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 bare
make conf
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=redhat UBAC=n
DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 conf
...the make breaks with this error:
Creating targeted base module base.conf
cat tmp/pre_te_files.conf tmp/all_attrs_types.conf tmp/global_bools.conf
tmp/only_te_rules.conf tmp/all_post.conf > base.conf
Compiling targeted base module
/usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
policy/modules/kernel/domain.te":195:ERROR 'type selinux_config_t is not
within scope' at token ';' on line 9468:
#line 195
dontaudit domain selinux_config_t:dir { getattr search open };
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1
It breaks even with a non-modified policy (i.e. install src.rpm and run
this make command).
Do I need to do this, even if I only want to build a modified "targeted"
version of the policy? Is it "strict" by default?
Thanks,
-Josh
From: Justin P. Mattock @ 2010-06-26 23:24 UTC (permalink / raw)
To: Joshua Kramer; +Cc: selinux
On 06/26/2010 04:06 PM, Joshua Kramer wrote:
>
>> Is the method for rebuilding policy explained in the following guide,
>> still effective for RHEL6?
>> http://danwalsh.livejournal.com/26428.html
>>
> Ok, so I followed the instructions on the noted page; specifically, near
> the bottom. This line works to rebuild policy on RHEL6:
>
> make validate UNK_PERMS=allow NAME=strict TYPE=mcs DISTRO=redhat UBAC=n
> DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 base
>
> However, if I do this, to switch the build from strict to targeted:
>
> cd ~/sources/BUILD/serefpolicy-VERSION
> make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=redhat UBAC=n
> DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 bare
> make conf
> make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=redhat UBAC=n
> DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 conf
>
> ...the make breaks with this error:
>
> Creating targeted base module base.conf
> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf tmp/global_bools.conf
> tmp/only_te_rules.conf tmp/all_post.conf > base.conf
> Compiling targeted base module
> /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> /usr/bin/checkmodule: loading policy configuration from base.conf
> policy/modules/kernel/domain.te":195:ERROR 'type selinux_config_t is not
> within scope' at token ';' on line 9468:
> #line 195
> dontaudit domain selinux_config_t:dir { getattr search open };
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/base.mod] Error 1
>
> It breaks even with a non-modified policy (i.e. install src.rpm and run
> this make command).
>
> Do I need to do this, even if I only want to build a modified "targeted"
> version of the policy? Is it "strict" by default?
>
> Thanks,
> -Josh
>
That's a bug in flex (I tried to bisect flex a while back, but found myself
in a nightmare doing so). One thing I do when I hit this is downgrade
flex to 2.5.4a, then build only checkmodule/policy, then try the policy
again (just remember to put flex back to the latest afterwards).
hope this helps,
Justin P. Mattock
From: Dominick Grift @ 2010-06-27 11:30 UTC (permalink / raw)
To: Joshua Kramer; +Cc: selinux
On 06/27/2010 01:06 AM, Joshua Kramer wrote:
>
>> Is the method for rebuilding policy explained in the following guide,
>> still effective for RHEL6?
>> http://danwalsh.livejournal.com/26428.html
>>
> Ok, so I followed the instructions on the noted page; specifically, near
> the bottom. This line works to rebuild policy on RHEL6:
>
> make validate UNK_PERMS=allow NAME=strict TYPE=mcs DISTRO=redhat UBAC=n
> DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 base
>
> However, if I do this, to switch the build from strict to targeted:
>
> cd ~/sources/BUILD/serefpolicy-VERSION
> make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=redhat UBAC=n
> DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 bare
> make conf
> make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=redhat UBAC=n
> DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 conf
>
> ...the make breaks with this error:
>
> Creating targeted base module base.conf
> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf tmp/global_bools.conf
> tmp/only_te_rules.conf tmp/all_post.conf > base.conf
> Compiling targeted base module
> /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> /usr/bin/checkmodule: loading policy configuration from base.conf
> policy/modules/kernel/domain.te":195:ERROR 'type selinux_config_t is not
> within scope' at token ';' on line 9468:
> #line 195
> dontaudit domain selinux_config_t:dir { getattr search open };
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/base.mod] Error 1
>
> It breaks even with a non-modified policy (i.e. install src.rpm and run
> this make command).
>
> Do I need to do this, even if I only want to build a modified "targeted"
> version of the policy? Is it "strict" by default?
>
> Thanks,
> -Josh
That is because with Red Hat policy some of the modules need to be in
base, I believe. You should use the selinux-policy.spec that is shipped
in the selinux-policy.src.rpm, and modify it if required.
The spec replaces the modules*.conf. Red Hat ships modules.conf files
that are modified (some modules get moved to base to avoid these out-of-scope
issues).
In short, use the selinux-policy.spec provided by Red Hat.
Basically you download the source rpm, extract it, apply the include
patch to the serefpolicy.tgz (extract it, apply the patch, edit it, create a
new serefpolicy.tgz). Then copy all of it to ~/rpmbuild/SOURCES/ (minus
the patch). Modify the spec (remove all patch entries, two I think).
Also copy the spec to ~/rpmbuild/SPECS/
rpmbuild -ba ~/rpmbuild/SPECS/selinux-policy.spec
From: Stephen Smalley @ 2010-06-28 17:37 UTC (permalink / raw)
To: Justin P. Mattock; +Cc: Joshua Kramer, selinux
On Sat, 2010-06-26 at 16:24 -0700, Justin P. Mattock wrote:
> On 06/26/2010 04:06 PM, Joshua Kramer wrote:
> >
> >> Is the method for rebuilding policy explained in the following guide,
> >> still effective for RHEL6?
> >> http://danwalsh.livejournal.com/26428.html
> >>
> > Ok, so I followed the instructions on the noted page; specifically, near
> > the bottom. This line works to rebuild policy on RHEL6:
> >
> > make validate UNK_PERMS=allow NAME=strict TYPE=mcs DISTRO=redhat UBAC=n
> > DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 base
> >
> > However, if I do this, to switch the build from strict to targeted:
> >
> > cd ~/sources/BUILD/serefpolicy-VERSION
> > make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=redhat UBAC=n
> > DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 bare
> > make conf
> > make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=redhat UBAC=n
> > DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 conf
> >
> > ...the make breaks with this error:
> >
> > Creating targeted base module base.conf
> > cat tmp/pre_te_files.conf tmp/all_attrs_types.conf tmp/global_bools.conf
> > tmp/only_te_rules.conf tmp/all_post.conf > base.conf
> > Compiling targeted base module
> > /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> > /usr/bin/checkmodule: loading policy configuration from base.conf
> > policy/modules/kernel/domain.te":195:ERROR 'type selinux_config_t is not
> > within scope' at token ';' on line 9468:
> > #line 195
> > dontaudit domain selinux_config_t:dir { getattr search open };
> > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > make: *** [tmp/base.mod] Error 1
> >
> > It breaks even with a non-modified policy (i.e. install src.rpm and run
> > this make command).
> >
> > Do I need to do this, even if I only want to build a modified "targeted"
> > version of the policy? Is it "strict" by default?
> >
> > Thanks,
> > -Josh
> >
>
>
> That's a bug in flex (I tried to bisect flex a while back, but found myself
> in a nightmare doing so). One thing I do when I hit this is downgrade
> flex to 2.5.4a, then build only checkmodule/policy, then try the policy
> again (just remember to put flex back to the latest afterwards).
No, it isn't related to that issue - you would get a syntax error if it
was the flex problem, not a "type ... is not within scope" error.
--
Stephen Smalley
National Security Agency
From: Stephen Smalley @ 2010-06-28 18:13 UTC (permalink / raw)
To: Joshua Kramer; +Cc: selinux
On Sat, 2010-06-26 at 19:06 -0400, Joshua Kramer wrote:
>
> > Is the method for rebuilding policy explained in the following
> > guide, still effective for RHEL6?
> > http://danwalsh.livejournal.com/26428.html
> >
> Ok, so I followed the instructions on the noted page; specifically,
> near the bottom. This line works to rebuild policy on RHEL6:
>
> make validate UNK_PERMS=allow NAME=strict TYPE=mcs DISTRO=redhat
> UBAC=n DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024
> base
>
> However, if I do this, to switch the build from strict to targeted:
>
> cd ~/sources/BUILD/serefpolicy-VERSION
> make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=redhat UBAC=n
> DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 bare
> make conf
> make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=redhat UBAC=n
> DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 conf
NAME= just defines an arbitrary name for the policy; it is only used as
the name of the directory into which the policy is installed
(under /usr/share/selinux and /etc/selinux). It does not select the
kind of policy that is built.
TYPE= selects the kind of policy that is built, and there are no longer
distinct cases for targeted vs strict, as they have long since been
merged together. TYPE=mcs is what you want for Fedora/RHEL unless you
want MLS, in which case you want TYPE=mls.
I note that you ran make conf twice above, once without any settings and
once with a collection of settings, and I have to wonder what state that
left your build tree in. I'd do a 'make bare' again and then just edit
build.conf with the settings you want so that you don't have to worry about
getting them all right on the command line each time.
> ...the make breaks with this error:
>
> Creating targeted base module base.conf
> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf >
> base.conf
> Compiling targeted base module
> /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> /usr/bin/checkmodule: loading policy configuration from base.conf
> policy/modules/kernel/domain.te":195:ERROR 'type selinux_config_t is
> not within scope' at token ';' on line 9468:
> #line 195
> dontaudit domain selinux_config_t:dir { getattr search open };
> /usr/bin/checkmodule: error(s) encountered while parsing
> configuration
> make: *** [tmp/base.mod] Error 1
>
> It breaks even with a non-modified policy (i.e. install src.rpm and
> run this make command).
>
> Do I need to do this, even if I only want to build a modified
> "targeted" version of the policy? Is it "strict" by default?
No, you don't need to do that, and there is no such thing as strict
policy anymore. If you want the behavior of strict policy, you just map
users to confined roles via semanage and if you want to go fully to
strict behavior, you can remove the unconfined module.
--
Stephen Smalley
National Security Agency
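Stephen's suggestion is to put the settings into the reference policy tree's build.conf once rather than retyping them on every make invocation. The fragment below is an added example, not a file from the thread or from the refpolicy project; every key and value is taken from the make command lines quoted above, and the comments record the NAME/TYPE distinction as Stephen explains it.

```make
# build.conf (added example). The keys and values are the ones from the make
# command lines in this thread; the refpolicy Makefile reads this file, so
# after a 'make bare' they no longer need to be repeated on the command line.

# TYPE selects the kind of policy that is built. mcs is what Fedora/RHEL use;
# mls only if you want MLS. There is no separate targeted vs strict build.
TYPE = mcs

# NAME is only a label: it names the directory under /usr/share/selinux and
# /etc/selinux into which the policy is installed. NAME=strict would not make
# the policy any stricter, and NAME=targeted does not make it any looser.
NAME = targeted

DISTRO = redhat
UNK_PERMS = allow
DIRECT_INITRC = y
MONOLITHIC = n
POLY = y
UBAC = n
MLS_CATS = 1024
MCS_CATS = 1024
```

With these values in place the build is simply `make bare`, `make conf`, then `make base`; whether users are confined or unconfined is then a matter of mapping them to roles with semanage and of whether the unconfined module is installed, not of which build variant was chosen.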