From: Catalin DIMA <dima_at_univ-paris12.fr>
subject: Problems installing current version of refpolicy with FC6
Date: Mon, 29 Jan 2007 20:03:24 +0100


I am trying to install different versions of refpolicy on Dell X1 machines with FC6, for teaching purposes, but no choice of build.conf parameters can make it. I get outcomes from "kernel panic" (when trying to install the "strict monolithic" version of refpolicy) to system stall (when trying to install "targeted monolithic" version), or outputs like below (when trying to install "targeted modular" version -- this installation ends in stack problems which also cause system halt). Every time the kernel does not panic, there's a whole list of booleans that are unknown to libsepol.load_booleans, though generated from refpolicy via the "install" target of the Makefile.

I have tried on two different laptops but the outcome is the same. I have also tried with the latest or older versions and the output is the same. Did anyone observe similar behaviors with laptops/FC6/refpolicy ?...

Output :
libsepol.load_booleans: unknown boolean user_ttyfile_stat (and others)
libsepol.sepol_genbools: error while reading /etc/selinux/refpolicy/booleans
bash: initialize_job_control : setpgid: Permission denied
bash: /sbin/consoletype: Permission denied
No devices found
Setting up Logival Volume Management: No volume groups found
ext2fs_check_if_mount: Permission denied while determining whether /dev/hda7 is mounted
/etc/selinux/refpolicy/contexts/files/file_contexts: Multiple different specifications for /usr/bin/mplayer (system_u:object_r:unconfined_execmem_exec_t and system_u:object_r:mplayer_exec_t)
....

-- 
Catalin Dima, 
Paris 12 University




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
From: Karl MacMillan <kmacmillan_at_mentalrootkit.com>
subject: Re: Problems installing current version of refpolicy with FC6
Date: Mon, 29 Jan 2007 14:49:26 -0500


Catalin DIMA wrote:
> I am trying to install different versions of refpolicy on Dell X1
> machines with FC6, for teaching purposes, but no choice of build.conf
> parameters can make it.

Just to check - are you certain that you want the full policy? You may be able to do the teaching you need with policy modules only.

> I get outcomes from "kernel panic" (when trying
> to install the "strict monolithic" version of refpolicy) to system stall
> (when trying to install "targeted monolithic" version), or outputs like
> below (when trying to install "targeted modular" version -- this
> installation ends in stack problems which also cause system halt). Every
> time the kernel does not panic, there's a whole list of booleans that
> are unknown to libsepol.load_booleans, though generated from refpolicy
> via the "install" target of the Makefile.
>

Did you enable mcs? The standard FC6 policy is targeted-mcs and the presence of the mcs components in the file system labels may be the cause of your problems.

> I have tried on two different laptops but the outcome is the same. I
> have also tried with the latest or older versions and the output is the
> same. Did anyone observe similar behaviors with laptops/FC6/refpolicy ?...
>
> Output :
> libsepol.load_booleans: unknown boolean user_ttyfile_stat (and others)

The unknown boolean messages should be harmless I believe.

You can extract the build.conf from the policy source rpm as well, which is likely a good starting point.

Karl

From: Catalin DIMA <dima_at_univ-paris12.fr>
subject: Re: Problems installing current version of refpolicy with FC6
Date: Mon, 29 Jan 2007 22:08:50 +0100


Karl MacMillan wrote:

> Just to check - are you certain that you want the full policy? You may
> be able to do the teaching you need with policy modules only.

Do you mean I should compile&load the modular policy ? I certainly would like to do this, as it's supposed to be easily configurable & suitable for experimenting small modules.

> Did you enable mcs? The standard FC6 policy is targeted-mcs and the
> presence of the mcs components in the file system labels may be the
> cause of your problems.

I tried again this build.conf format :

TYPE = targeted-mcs
NAME = refpolicy
DISTRO = redhat
DIRECT_INITRC=n
MONOLITHIC=n
MLS-SENS=16
MLS_CATS=256

Done make conf, make install and make load, then configured for refpolicy & asked for relabeling, and the system gets stuck...

Btw, forgot to mention the libsepol.sepol_genbools: error while reading /etc/selinx/refpolicy/booleans error...

In permissive refpolicy mode, the only selinux message talks about NetworkManager.

> The unknown boolean messages should be harmless I believe.
>
> You can extract the build.conf from the policy source rpm as well,
> which is likely a good starting point.

The problem is the same with the rpm and the bz2...

Thanks,
Catalin.

From: Karl MacMillan <kmacmillan_at_mentalrootkit.com>
subject: Re: Problems installing current version of refpolicy with FC6
Date: Mon, 29 Jan 2007 16:35:59 -0500


Catalin DIMA wrote:
> Karl MacMillan wrote:
>
>> Just to check - are you certain that you want the full policy? You may
>> be able to do the teaching you need with policy modules only.
>
> Do you mean I should compile&load the modular policy ? I certainly would
> like to do this, as it's supposed to be easily configurable & suitable
> for experimenting small modules.
>
>> Did you enable mcs? The standard FC6 policy is targeted-mcs and the
>> presence of the mcs components in the file system labels may be the
>> cause of your problems.
>
> I tried again this build.conf format :
>
> TYPE = targeted-mcs
> NAME = refpolicy
> DISTRO = redhat
> DIRECT_INITRC=n
> MONOLITHIC=n
> MLS-SENS=16
> MLS_CATS=256
>
> Done make conf, make install and make load, then configured for
> refpolicy & asked for relabeling, and the system gets stuck...
>

Could you elaborate on where it gets stuck. Does the labeling happen? You might try relabeling in permissive.

> Btw, forgot to mention the libsepol.sepol_genbools: error while reading
> /etc/selinx/refpolicy/booleans error...
>

In permissive or enforcing?

> In permissive refpolicy mode, the only selinux message talks about
> NetworkManager.
>

Just to clarify, things work fine in permissive mode and you are only getting a single AVC message, correct? Could you check /var/log/messages and /var/log/audit/audit.log for avc messages after a permissive boot. Also check the selinux messages in dmesg for errors.

>> The unknown boolean messages should be harmless I believe.
>>
>> You can extract the build.conf from the policy source rpm as well, 
>> which is likely a good starting point.

>
> The problem is the same with the rpm and the bz2...
>

Not certain what you mean here - the source rpm or the binary rpm? I was suggesting that you rebuild refpolicy using the configuration from the source rpm - which means extracting the correct build.conf, modules.conf, and booleans.conf, seusers, and users_extra files and installing them in the source tree. You can read the spec file to see how this is done during the build process.

Dan - do you have better directions on how to get a patched and configured refpolicy tree out of the source rpm?

Karl

From: Catalin DIMA <dima_at_univ-paris12.fr>
subject: Re: Problems installing current version of refpolicy with FC6
Date: Tue, 30 Jan 2007 00:24:27 +0100


On Mon, 29 Jan 2007 16:35:59 -0500, Karl MacMillan wrote
> Could you elaborate on where it gets stuck. Does the labeling
> happen?

No, it crashes before labeling, just after starting udev and the 2nd service (don't remember the name, I just left home...).

> You might try relabeling in permissive.

I suspect it's not the relabeling process, though I have to check it back (tomorrow...)

> > Btw, forgot to mention the libsepol.sepol_genbools: error while reading
> > /etc/selinx/refpolicy/booleans error...
> >
>
> In permissive or enforcing?

Enforcing.

> > In permissive refpolicy mode, the only selinux message talks about
> > NetworkManager.
> >
>
> Just to clarify, things work fine in permissive mode and you are
> only getting a single AVC message, correct?

Yes, at least during the booting process. I think I also did a setfiles check in permissive, and everything was ok (to be checked tomorrow again).

> Could you check
> /var/log/messages and /var/log/audit/audit.log for avc messages
> after a permissive boot. Also check the selinux messages in dmesg
> for errors.

The machine on which I noticed the avc:denied message about the NetworkManager does not have setools installed -- I then only looked at /var/log/messages. Hope I did not forget what machine I was working on...

> >> The unknown boolean messages should be harmless I believe.
> >>
> >> You can extract the build.conf from the policy source rpm as well,
> >> which is likely a good starting point.
> >
> > The problem is the same with the rpm and the bz2...
> >
>
> Not certain what you mean here - the source rpm or the binary rpm? I
> was suggesting that you rebuild refpolicy using the configuration
> from the source rpm - which means extracting the correct build.conf,
> modules.conf, and booleans.conf, seusers, and users_extra files and
> installing them in the source tree. You can read the spec file to see
> how this is done during the build process.

I meant the source rpm. Tried to install both from source rpm and bz2 and both lead to the same problem. It does not seem to be a problem with missing/misplaced source files, no problem occurs at compile time.

I'll try to do a neat reinstallation of FC6 and then a reinstallation of refpolicy sources, the machines are used for many other teaching purposes by different people and God only knows what bazaar is inside... though nobody else tried to install/do anything about/against selinux...

Btw, during setools installation on one of the machines, I also encountered a problem : the need to enable text relocation for libqpol. Is this normal ? The problem seems to recur every time I do a relabel to targeted (in order to put back the system in a "stable state") -- that means, after relabeling, launching apol issues again an avc:denied about text relocation.

Catalin.

From: Karl MacMillan <kmacmillan_at_mentalrootkit.com>
subject: Re: Problems installing current version of refpolicy with FC6
Date: Tue, 30 Jan 2007 09:52:33 -0500


Catalin DIMA wrote:
> On Mon, 29 Jan 2007 16:35:59 -0500, Karl MacMillan wrote
>
>> Could you elaborate on where it gets stuck. Does the labeling
>> happen?
>
> No, it crashes before labeling, just after starting udev and the 2nd service
> (don't remember the name, I just left home...).
>
>> You might try relabeling in permissive.
>
> I suspect it's not the relabeling process, though I have to check it back
> (tomorrow...)
>
>>> Btw, forgot to mention the libsepol.sepol_genbools: error while reading
>>> /etc/selinx/refpolicy/booleans error...
>>>
>> In permissive or enforcing?
>
> Enforcing.
>
>>> In permissive refpolicy mode, the only selinux message talks about
>>> NetworkManager.
>>>
>> Just to clarify, things work fine in permissive mode and you are
>> only getting a single AVC message, correct?
>
> Yes, at least during the booting process. I think I also did a setfiles check
> in permissive, and everything was ok (to be checked tomorrow again).
>
>> Could you check
>> /var/log/messages and /var/log/audit/audit.log for avc messages
>> after a permissive boot. Also check the selinux messages in dmesg
>> for errors.
>
> The machine on which I noticed the avc:denied message about the NetworkManager
> does not have setools installed -- I then only looked at /var/log/messages.
> Hope I did not forget what machine I was working on...
>

Setools is not required - you can just cat the logs (or use ausearch for the audit logs). Without some more detailed debugging info I'm not certain what the problem is.

Karl

From: Catalin DIMA <dima_at_univ-paris12.fr>
subject: Re: DWARF2 [was : Problems installing refpolicy with FC6]
Date: Fri, 02 Feb 2007 17:15:34 +0100


Having a little more time to try to solve the problem, I checked again several solutions, especially the following :
- relabeled file system
- rebooted without X in refpolicy, _permissive_ mode
and got a pretty looking DWARF2 unwinding... >:-(
As I never encountered such debugging problems, can someone tell me how could I "catch it" in some logfile, at least to post it ? there's no trace of the debugging information in either dmesg or messages.

Catalin.

From: Paul Moore <paul.moore_at_hp.com>
subject: Re: DWARF2 [was : Problems installing refpolicy with FC6]
Date: Fri, 2 Feb 2007 12:02:24 -0500


On Friday, February 2 2007 11:15 am, Catalin DIMA wrote:
> Having a little more time to try to solve the problem, I checked again
> several solutions, especially the following :
> - relabeled file system
> - rebooted without X in refpolicy, _permissive_ mode
> and got a pretty looking DWARF2 unwinding... >:-(
> As I never encountered such debugging problems, can someone tell me how
> could I "catch it" in some logfile, at least to post it ? there's no
> trace of the debugging information in either dmesg or messages.

Hi Catalin,

Just to be certain, you are still doing a "targeted-mcs" policy build yes? The only reason I ask is that there is a known problem (my fault :( ) with the standard FC6 kernels with SELinux policies that do not use MCS or MLS.

-- 
paul moore
linux security @ hp

From: Catalin DIMA <dima_at_univ-paris12.fr>
subject: Re: DWARF2 [was : Problems installing refpolicy with FC6]
Date: Fri, 02 Feb 2007 18:29:55 +0100


I actually forgot to remove the MLS_SENS declaration when configuring the policy : it used to declare 16 sensitivity levels with an MCS policy... :'(

Paul Moore wrote:

> Hi Catalin,
>
> Just to be certain, you are still doing a "targeted-mcs" policy build yes?
> The only reason I ask is that there is a known problem (my fault :( ) with the
> standard FC6 kernels with SELinux policies that do not use MCS or MLS.
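The build.conf posted earlier in this thread (TYPE = targeted-mcs next to MLS-SENS=16) and the sensitivity-count mistake admitted in the message above are what the following check looks for before make conf is run. It is example code added here, not code from the thread, from refpolicy or from Fedora; it assumes a refpolicy-style build.conf of KEY=VALUE lines, accepts both the old TYPE names (targeted-mcs, strict-mls) and the later bare mcs/mls, and checks only the keys named in the thread.

```shell
#!/bin/sh
# Added example; not code from the thread, from refpolicy or from Fedora.
# Sanity-check a refpolicy build.conf before "make conf && make install &&
# make load". Reported as errors:
#   * a key that is a known key only after '-' is replaced by '_', e.g.
#     MLS-SENS: make reads it as an unrelated variable, so the intended
#     setting is silently ignored and the default stays in force;
#   * MLS_SENS other than 1 next to an MCS TYPE (MCS is single-sensitivity;
#     16 sensitivities on an MCS build is the error the poster identifies);
#   * a TYPE that is neither MCS nor MLS (the thread notes a known problem
#     with the standard FC6 kernels and such policies).

KNOWN_KEYS="TYPE NAME DISTRO DIRECT_INITRC MONOLITHIC MLS_SENS MLS_CATS"

# Print the last value assigned to KEY ($1) in FILE ($2), whitespace trimmed.
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Print each key in FILE ($1) that becomes a known key once '-' is replaced
# by '_' but is not itself one of KNOWN_KEYS.
near_miss_keys() {
    sed -n 's/^[[:space:]]*\([A-Za-z][A-Za-z0-9_-]*\)[[:space:]]*=.*/\1/p' "$1" |
    while read -r key; do
        canon=$(printf '%s' "$key" | tr '-' '_')
        for k in $KNOWN_KEYS; do
            if [ "$canon" = "$k" ] && [ "$key" != "$k" ]; then echo "$key"; fi
        done
    done
}

# Check FILE ($1); print every finding; return 0 if clean, 1 otherwise.
check_build_conf() {
    rc=0
    for key in $(near_miss_keys "$1"); do
        echo "error: '$key' is not '$(printf '%s' "$key" | tr '-' '_')'; make ignores it"
        rc=1
    done
    ptype=$(conf_get TYPE "$1")
    sens=$(conf_get MLS_SENS "$1")
    case "$ptype" in
        "")        echo "error: TYPE is not set"; rc=1 ;;
        mls|*-mls) ;;   # MLS build: several sensitivities are expected
        mcs|*-mcs)      # MCS build: MLS_SENS, if given, must be 1
            if [ -n "$sens" ] && [ "$sens" != "1" ]; then
                echo "error: TYPE=$ptype is MCS but MLS_SENS=$sens (expected 1)"
                rc=1
            fi ;;
        *)         echo "error: TYPE=$ptype uses neither MCS nor MLS"; rc=1 ;;
    esac
    return $rc
}

# Demo on a constructed copy of the build.conf posted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TYPE = targeted-mcs
NAME = refpolicy
DISTRO = redhat
DIRECT_INITRC=n
MONOLITHIC=n
MLS-SENS=16
MLS_CATS=256
EOF
check_build_conf "$sample" || echo "fix build.conf before running make conf"
rm -f "$sample"
```

On the posted file the only finding is the MLS-SENS near miss; once that key is spelled MLS_SENS the check then reports the 16-sensitivity MCS mismatch.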
From: Stephen Smalley <sds_at_tycho.nsa.gov>
subject: Re: Problems installing current version of refpolicy with FC6
Date: Mon, 05 Feb 2007 10:34:09 -0500


On Mon, 2007-01-29 at 22:08 +0100, Catalin DIMA wrote:
> Karl MacMillan wrote:
>
> > Just to check - are you certain that you want the full policy? You may
> > be able to do the teaching you need with policy modules only.
>
> Do you mean I should compile&load the modular policy ? I certainly would
> like to do this, as it's supposed to be easily configurable & suitable
> for experimenting small modules.

Just to clarify, you don't need to install refpolicy from tresys to compile and load policy modules; FC6 ships with a modular policy based on refpolicy, so you can create your own policy modules and load them without ever touching the base policy. See the Fedora SELinux FAQ and wiki pages. You only need to rebuild the base policy if you want to make a fundamental change to the policy.

Also, you can grab the selinux-policy .src.rpm from the Fedora site (just like any other .src.rpm) and build from it rather than building from an upstream release if you want to keep it as close as possible to the Fedora settings.

>
> > Did you enable mcs? The standard FC6 policy is targeted-mcs and the
> > presence of the mcs components in the file system labels may be the
> > cause of your problems.
>
> I tried again this build.conf format :
>
> TYPE = targeted-mcs
> NAME = refpolicy
> DISTRO = redhat
> DIRECT_INITRC=n
> MONOLITHIC=n
> MLS-SENS=16
> MLS_CATS=256
>
> Done make conf, make install and make load, then configured for
> refpolicy & asked for relabeling, and the system gets stuck...
>
> Btw, forgot to mention the libsepol.sepol_genbools: error while reading
> /etc/selinx/refpolicy/booleans error...
>
> In permissive refpolicy mode, the only selinux message talks about
> NetworkManager.
>
> > The unknown boolean messages should be harmless I believe.
> >
> > You can extract the build.conf from the policy source rpm as well,
> > which is likely a good starting point.
>
> The problem is the same with the rpm and the bz2...
>
> Thanks,
> Catalin.

-- 
Stephen Smalley
National Security Agency

