A note on NTP: ntpd / ntpdate on my selinux installation has (surprisingly) not raised any AVC: messages in develop/permissive mode. Does this suggest that setting system time is not LSM / SEL hooked?
I'll be updating to 2.4.17 shortly, wondered what is the safe matrix for mixing versions?
If I need to still sometimes boot the .12 kernel will it be able to deal with PSID's left by .17? and are the .17 version utils likely to cause problems on .12 kernel?
From all I've read I'll be happy to have .17 in place and not look back,
but thought it would be prudent to check for possible gotchas.
forrest
-- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From: Paul Krumviede <pwk_at_acm.org>
--On Tuesday, 22 January, 2002 17:15 -0500 forrest whitcher
<fw@fwsystems.com> wrote:
>
> A note on NTP: ntpd / ntpdate on my selinux installation has
> (surprisingly) not raised any AVC: messages in develop/permissive mode.
> Does this suggest that setting system time is not LSM / SEL hooked?
if ntpdate/ntpd are (only) run out of the init scripts, then ntpd is probably still running in the initrc domain, which may not be desirable. i recall having to make some changes for things like adjtime at system shutdown (this was interesting because it occurred after syslog was stopped, so i only saw it as a console message).
every version of the selinux/README file i've read has text along the lines of "run 'ps -e --context' and if anything is running in the initrc domain then check it carefully as it should either have its own domain or the executable may not have been labelled correctly."
as to selinux/kernel versions, i've had problems with the utilities from versions 2.4.16 and afterwards running on pre-2.4.16 kernels. i'm not sure if the selinux versions of login will work correctly on the different kernel versions (i know i wound up with a version of login that wouldn't allow logins in the process of booting yet another selinux version, but i don't recall the exact details). for safety's sake i keep one non-selinux kernel around i can boot from in an emergency, along with all the selinux/utils directories so i can do a combination of "make install" for the utilities and then relabel (but i might not do that on production machines).
-paul
From: Stephen Smalley <sds_at_tislabs.com>
On Tue, 22 Jan 2002, forrest whitcher wrote:
> A note on NTP: ntpd / ntpdate on my selinux installation has (surprisingly) not
> raised any AVC: messages in develop/permissive mode. Does this suggest that
> setting system time is not LSM / SEL hooked?
No, it just means that ntpd is still running in the initrc_t domain. You need to define a domain for it if you want to run it safely.
> I'll be updating to 2.4.17 shortly, wondered what is the safe matrix for
> mixing versions?
>
> If I need to still sometimes boot the .12 kernel will it be able to deal
> with PSID's left by .17? and are the .17 version utils likely to cause
> problems on .12 kernel?
The on-disk persistent label mapping format hasn't changed, so that isn't an issue. However, the on-disk policydb format has changed, so the 2.4.12 kernel won't be able to use the same policy, and some of the new system calls have undergone changes, so the newer utilities will not work on the 2.4.12 kernel. So you can't easily swap back and forth. Also, when you perform the build and install of the .17 release, remove /usr/local/selinux/bin from your path to avoid trying to use the modified utilities during the install.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com

From: forrest whitcher <fw_at_fwsystems.com>
On Wed, 23 Jan 2002 09:24:39 -0500 (EST)
Stephen Smalley <sds@tislabs.com> wrote:
>
> On Tue, 22 Jan 2002, forrest whitcher wrote:
>
> > A note on NTP: ntpd / ntpdate on my selinux installation has (surprisingly) not
> > raised any AVC: messages in develop/permissive mode. Does this suggest that
> > setting system time is not LSM / SEL hooked?
>
> No, it just means that ntpd is still running in the initrc_t domain. You
> need to define a domain for it if you want to run it safely.
>
That's not it. Ntpd was started from the command line - sysadm_r:sysadm_t role/domain.
Syslog messages indicate that ntpd is choosing kernel/pll (I have systems on which ntpd uses tickadj()). Is the pll a kernel function that's not hooked?
hermes ntpd[3099]: using kernel phase-lock loop 0041
> > I'll be updating to 2.4.17 shortly, wondered what is the safe matrix for
> > mixing versions?
> >
> > If I need to still sometimes boot the .12 kernel will it be able to deal
> > with PSID's left by .17? and are the .17 version utils likely to cause
> > problems on .12 kernel?
>
> The on-disk persistent label mapping format hasn't changed, so that isn't
> an issue. However, the on-disk policydb format has changed, so the 2.4.12
> kernel won't be able to use the same policy, and some of the new system
> calls have undergone changes, so the newer utilities will not work on the
> 2.4.12 kernel. So you can't easily swap back and forth. Also, when you
> perform the build and install of the .17 release, remove
> /usr/local/selinux/bin from your path to avoid trying to use the modified
> utilities during the install.
Thanks, that's useful to know.
forrest
>
> --
> Stephen D. Smalley, NAI Labs
> ssmalley@nai.com
>
>
>
From: Stephen Smalley <sds_at_tislabs.com>
On Wed, 23 Jan 2002, forrest whitcher wrote:
> That's not it. Ntpd was started from the command line -
> sysadm_r:sysadm_t role/domain.
sysadm_t is likewise a domain that has many permissions, so it isn't surprising that you aren't encountering denials. You need to put ntpd into its own domain.
> Syslog messages indicate that ntpd is choosing kernel/pll (I have systems on which
> ntpd uses tickadj()). Is the pll a kernel function that's not hooked?
>
> hermes ntpd[3099]: using kernel phase-lock loop 0041
I'm not sure what you mean. I would expect that ntpd would use adjtimex(). That call, like other time-related calls, requires the CAP_SYS_TIME capability to modify the time. LSM hooks capable, and SELinux performs a parallel permission check for each Linux capability.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
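Both Paul's README advice (check `ps -e --context` for anything left in the initrc domain) and Stephen's point that a daemon started from an admin shell inherits the equally permissive sysadm_t domain come down to the same audit. The script below is an added example, not code from this thread or from the SELinux distribution; it runs that audit over a constructed `ps -e --context` sample using the three-field user:role:type contexts of that era, and skips interactive shells so an admin's own session is not reported.

```shell
# Constructed sample of "ps -e --context" output (PID, context, command).
# Not captured from the poster's machine; built to exercise the check.
SAMPLE_PS='  PID CONTEXT                          COMMAND
    1 system_u:system_r:init_t          init
  412 system_u:system_r:syslogd_t       syslogd -m 0
  588 system_u:system_r:initrc_t        /usr/sbin/ntpd -p /var/run/ntpd.pid
  603 system_u:system_r:sshd_t          /usr/sbin/sshd
 3099 root:sysadm_r:sysadm_t            ntpd
 3120 root:sysadm_r:sysadm_t            -bash'

# Read ps output on stdin and print "PID type command" for every process
# whose type is initrc_t (inherited from the init scripts) or sysadm_t
# (inherited from an admin shell). Either means the daemon never got a
# domain of its own, so its denials are masked by a permissive domain.
find_misdomained() {
    awk 'NR > 1 {
        split($2, ctx, ":")      # ctx[3] is the type; works with or without an MLS field
        type = ctx[3]
        cmd = $3
        for (i = 4; i <= NF; i++) cmd = cmd " " $i
        # skip login shells (bash, -bash, /bin/sh) so admin sessions are not flagged
        if ((type == "initrc_t" || type == "sysadm_t") && cmd !~ /(^|\/)-?(ba)?sh$/)
            printf "%s %s %s\n", $1, type, cmd
    }'
}

# Number of findings, for use in scripts (0 means every daemon has its own domain).
count_misdomained() {
    find_misdomained | wc -l | tr -d ' '
}

# On a live system replace the sample with: ps -e --context | find_misdomained
printf '%s\n' "$SAMPLE_PS" | find_misdomained
```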
This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT