
Thread: selinux on intrepid

  1. #1
    Join Date
    Dec 2006
    Location
    UK
    Beans
    128
    Distro
    Ubuntu 7.10 Gutsy Gibbon

    selinux on intrepid

    Hi All,

    I'm having some issues running SELinux on Intrepid. The issue is this: when I run SELinux in enforcing mode, I can't do anything. I fully understand that's the point of SELinux in some regards, but I get messages like these:
    • Unable to switch to tty1: permission denied
    • Unable to execute /bin/bash: permission denied

    I know what's happening: SELinux is blocking these applications,
    Code:
    cat /var/log/syslog | grep 'avc'
    will tell me that. So the problem is: how do I fix this situation?

    I'm going to explain what I've done so far as well, as perhaps there's something I've missed here.

    1. I was running 8.04 earlier this year which lets you just
      Code:
      sudo apt-get install selinux
      However, on intrepid, that doesn't seem to work (i.e. installs no policy) which is interesting. Anyway, I installed selinux-policy-default which pulled all its dependencies in, i.e. setools.
    2. This didn't work and I realised from my last exploration you have to have a running selinux kernel first. So I set about selinux=1'ing it into existence.
    3. I found that actually the initramfs scripts are broken in /etc/initramfs-tools/scripts/init-bottom/_load_policy (see https://bugs.launchpad.net/ubuntu/+s...ux/+bug/277030) and fixed it for my system, regenerated the initramfs.
    4. I added selinux=1 to the defopts in /boot/grub/menu.lst and ran update grub, so now all kernels will be selinux-enabled.
    5. Loaded up with the new all-powerful kernel and re-installed selinux-policy-default just to make sure. I don't get asked about .tc files (I did on Hardy) as described here: http://mctalby.mc.man.ac.uk/~mc/_uni....SE_Linux.html .
    6. Reboot. We are still in permissive mode. Check with sestatus:
      Code:
      sestatus
      SELinux status:                 enabled
      SELinuxfs mount:                /selinux
      Current mode:                   permissive
      Mode from config file:          permissive
      Policy version:                 23
      Policy from config file:        default
    7. OK, now reboot, edit grub on the fly adding enforcing=1 to the end of the boot line and boot. Hey presto, up comes X, or a tty, but gnome sessions last less than 10 seconds and ttys give the above error.


    I should also add that I modified /etc/pam.d/login, changing the word on the end of pam_selinux.so from close (which denied access to X11 also!) to multiple (implying give me a choice on a MLS system). I will try removing multiple too.

    I suppose I could use audit2allow to enable all the things being denied to be allowed but there are such a number of avc errors I'm not convinced that would necessarily be secure... might as well not run selinux at all.

    Any ideas? What am I doing wrong please?

    I may be wrong... but it appears the full policy isn't implemented, hence why simple things are denied? Or am I missing something? Can I install the refpolicy myself and if so does anyone know of any tutorials for doing so on ubuntu/debian?

    Thanks in advance for anything you have!

    P.S. I don't want to use AppArmor, I am aware it exists, is easier, installed and enabled by default and all that. I'm also aware Fedora has working SELinux... I am tempted, but prefer Ubuntu's way of doing things at the moment, plus 8.04 SELinux worked for me.

    Quark_77
    QUARK_77
    Lenovo R61 | Core2 (x64) | 3GB | nVidia Quadro | SATA || Ubuntu Linux | dm-crypt/LUKS | nv | truecrypt (win)
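For the audit2allow question in the post above (whether allowing everything the denials ask for leaves anything worth calling a policy), here is an added example. It is not code from this thread or from Ubuntu's selinux packages: it groups AVC lines from syslog by source type, target type and object class the way audit2allow does, prints the `allow` rules that grouping would produce, and flags the rules a person should judge before loading them. The syslog lines, the contexts in them and the `SENSITIVE_TARGETS` / `WRITE_LIKE` review heuristic are constructed for illustration and are assumptions of the example, not taken from the poster's machine or from audit2allow itself.

```python
"""Group SELinux AVC denials from syslog into candidate allow rules.

Added example, not from the original forum thread.  Groups denials the way
audit2allow does (by source type, target type and object class), renders the
rules it would emit, and flags the ones that deserve a human look.
"""
import re
import sys
from collections import defaultdict

# Constructed sample in Ubuntu's "kernel: ... type=1400 audit(...)" syslog
# format.  Contexts, pids, inodes and timestamps are made up for illustration.
SAMPLE_SYSLOG = """\
Dec 14 10:02:11 r61 kernel: [   42.123456] type=1400 audit(1229248931.123:5): avc:  denied  { execute } for  pid=2231 comm="login" name="bash" dev=sda5 ino=12345 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Dec 14 10:02:11 r61 kernel: [   42.123789] type=1400 audit(1229248931.124:6): avc:  denied  { read write } for  pid=2231 comm="login" name="tty1" dev=tmpfs ino=99 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
Dec 14 10:02:12 r61 kernel: [   43.000001] type=1400 audit(1229248932.001:7): avc:  denied  { execute } for  pid=2240 comm="login" name="bash" dev=sda5 ino=12345 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Dec 14 10:02:15 r61 kernel: [   46.500000] type=1400 audit(1229248935.500:8): avc:  denied  { mounton } for  pid=1102 comm="mount" path="/dev/mapper/home" dev=tmpfs ino=77 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
Dec 14 10:02:16 r61 kernel: [   47.100000] type=1400 audit(1229248936.100:9): avc:  denied  { getattr } for  pid=3000 comm="gnome-session" path="/etc/shadow" dev=sda5 ino=5 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
Dec 14 10:02:16 r61 cron[1234]: (root) CMD (run-parts /etc/cron.hourly)
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    try:
        # A context is user:role:type[:level]; the type is what allow rules use.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {"perms": set(m.group("perms").split()), "stype": stype,
            "ttype": ttype, "tclass": tclass, "comm": fields.get("comm", "?")}


def summarize(lines):
    """Merge denials by (source type, target type, class), as audit2allow does."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        g = groups[(d["stype"], d["ttype"], d["tclass"])]
        g["perms"] |= d["perms"]
        g["count"] += 1
        g["comms"].add(d["comm"])
    return dict(groups)


def allow_rules(groups):
    """Render one .te-style allow statement per group, sorted for stable output."""
    rules = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};")
    return rules


# Assumed review heuristic (not audit2allow behaviour): targets holding
# credentials or policy, sources that are already unconfined, and write-like
# access on file-like classes are the rules most likely to hollow out a policy.
SENSITIVE_TARGETS = {"shadow_t", "selinux_config_t", "security_t"}
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr",
              "relabelto", "relabelfrom", "mounton"}
FILE_LIKE = {"file", "dir", "blk_file", "chr_file", "lnk_file", "sock_file"}


def needs_review(groups):
    """Return (rule, reasons) pairs for groups that should be judged by hand."""
    flagged = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        reasons = []
        if ttype in SENSITIVE_TARGETS:
            reasons.append(f"touches sensitive type {ttype}")
        if stype == "unconfined_t":
            reasons.append("source is already unconfined; check labeling instead")
        if g["perms"] & WRITE_LIKE and tclass in FILE_LIKE:
            reasons.append("grants write-like access")
        if reasons:
            flagged.append((f"{stype} -> {ttype}:{tclass}", reasons))
    return flagged


if __name__ == "__main__":
    # Reads syslog from stdin when piped, otherwise uses the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SYSLOG
    groups = summarize(text.splitlines())
    for rule in allow_rules(groups):
        print(rule)
    for rule, reasons in needs_review(groups):
        print("REVIEW:", rule, "(" + "; ".join(reasons) + ")")
```

On the sample this yields four rules, three of which are flagged; only `local_login_t` executing `shell_exec_t` passes, and that one is exactly the kind of denial that points at a labeling or policy-load problem rather than a missing rule, since a working reference policy already lets login run a shell. Before turning any group into a rule it is worth checking the labels involved with `ls -Z` on the files named in the denials.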

  2. #2
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: selinux on intrepid

    It depends on how much time you wish to spend debugging the SELinux policies.

    IMO, if you wish to use SELinux I would re-examine the choice to run Fedora. I am currently running Fedora 10 and it is a fine OS. In some ways Fedora is superior to Ubuntu and in others Ubuntu is superior. IMO it is best to be flexible and I can say, after doing this for some time, it is not *that* hard to switch distros.

    Fedora has some very nice tools to debug SELinux as well. So, IMO, if I were weighing the difference / hassle factor, I think it will be more hassle for you to re-write the SELinux policies on Intrepid than to switch to Fedora.

    Another "problem" with Ubuntu: you are unlikely to find many on these forums with much experience with SELinux (it can be hard enough with AppArmor).

    As a "one pager" I found this quite helpful :

    http://wiki.centos.org/HowTos/SELinux
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  3. #3
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,552
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: selinux on intrepid

    bodhi

    What distros are you running now? It sounds like you have a few machines?

  4. #4
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: selinux on intrepid

    Quote Originally Posted by kevdog:
    bodhi

    What distros are you running now? It sounds like you have a few machines?
    I dabble in several distros, always nice to learn a new trick.

    At the moment I run virtualization (the over head is low with openvz) :

    Centos 5.1, Fedora 10, Ubuntu 8.04, Ubuntu 8.10, and 9.04 Alpha. I have Wolvix on an old laptop as well.

  5. #5
    Join Date
    Dec 2006
    Location
    UK
    Beans
    128
    Distro
    Ubuntu 7.10 Gutsy Gibbon

    Re: selinux on intrepid

    Quote Originally Posted by bodhi.zazen:
    IMO, if you wish to use SELinux I would re-examine the choice to run Fedora...
    I'm beginning to consider that to be honest. I like Ubuntu and the way it works and would like to stick with it, but at the same time I think I'm going to look at Fedora. Ubuntu Hardened doesn't seem to be doing SELinux well at the moment. Something else I noticed, selinux package conflicts with selinux-policy-default... ?!

    Quote Originally Posted by bodhi.zazen:
    I think it will be more hassle for you to re-write the SELinux policies on Intrepid then switch to Fedora.
    Are we saying, basically, that the policies weren't updated/packaged for Intrepid? That would be a shame. I assume I can't just pull the package from Hardy, unpack the policy and its .te files and try that.

    Quote Originally Posted by bodhi.zazen:
    Another "problem" with Ubuntu, you are unlikely to fine many on these forums with much experinece with SELinux (it can be hard enough with AppArmor).
    No, which is a shame. I asked [about selinux] pre 8.04 and nobody answered it... Hardy was good because I could use enforcing mode with a full policy.

    Does anybody have SELinux working on Intrepid?

    Thanks everyone.

  6. #6
    Join Date
    Dec 2006
    Location
    UK
    Beans
    128
    Distro
    Ubuntu 7.10 Gutsy Gibbon

    Re: selinux on intrepid

    All,

    I came up with a new idea:
    Code:
    sudo apt-get install selinux-policy-src
    cd /usr/src
    tar -xvf selinux-policy-src.tar.gz
    Then compile from source. (make, then make install, then make load).

    I personally set the policy to standard (not mls/mcs) and to monolithic which generates a policy.n file in /etc/selinux/'name of policy'/policy/policy.23

    This policy also loads, unfortunately it denies mount permission to access anything under /dev/mapper/ thereby killing cryptsetup startup for my encrypted /home.

    Looks like you are right bodhi.zazen... I'll either be modifying the policy all the time or I'll have to change to Fedora.

    Anybody any other ideas?

    Thanks,

    Quark_77

  7. #7
    Join Date
    Dec 2008
    Beans
    3

    Re: selinux on intrepid

    quark_77,

    I have tried something very similar. I installed II and did several apt-gets for various selinux packages. I set selinux=1 and enforcing=0 in menu.lst. I have logged in and done a sudo su.
    I have tried newrole -t sysadm_t and that works but I cannot do
    newrole -r sysadm_r and I get an invalid context message. It seems that I am stuck in the unconfined_u and do not know how to get to sysadm_u. Anyway I can see that things are not going to work but I have tried setenforce 1 and I get immediately logged out without proper permissions for /bin/bash.

    I have tried downloading ref-policy and compiling it and it compiles nicely but I get run-time errors. I have not been able to compile a policy downloaded from ubuntu.

    I have edited config:

    SELINUX=enforcing
    SELINUXTYPE=default
    SETLOCALDEFS=1


    I have edited /etc/selinux/default/users/local.users

    user clare roles { user_r staff_r sysadm_r };

    Do you see anything wrong with these?

    Clare Jarvis

  8. #8
    Join Date
    Dec 2008
    Beans
    3

    Re: selinux on intrepid

    I abandoned my experiments with intrepid. I installed hardy and selinux and am making more progress. I have used semanage to:

    semanage login -m -s staff_u johnd

    but when johnd logs in then .bash_profile and .bash_logout will not execute (obviously selinux is doing something). But if I use semanage to:
    semanage login -m -s unconfined_u johnd
    then .bash_profile and .bash_logout work normally. I still cannot get newrole to do anything useful. How do I get a login with multiple roles? Could you provide examples of using semanage and newrole or any other process that will assist?


    Thanks and Happy New Year

  9. #9
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: selinux on intrepid

    Not sure of the details you are running, see if these links help:

    http://www.gentoo.org/proj/en/harden...?part=3&chap=1

    http://www.ibm.com/developerworks/li...-rbac-selinux/

  10. #10
    Join Date
    Dec 2008
    Beans
    3

    Re: selinux on intrepid

    Thanks for your help, bodhi.zazen. I now have this problem:

    If I type in:
    newrole -r sysadm_r

    I get the error message:
    Cannot find your entry in the shadow passwd file.


    I tried resetting the password using passwd but that did not help.

    How do I update the shadow passwd file?
