Humpty Dumpty
Bob Gustafson
bobgus at rcn.com
Tue May 4 19:50:17 UTC 2004
I have newly arrived at the dangerous stage of SELinux testing - and have a
few questions.
Some recent history:
Yesterday I downloaded some of the SELinux tool stuff and rebuilt it
from the SRPMS. (This may not have been necessary).
I was able to get the apol application up and running (but I think I
need glasses - font size is a bit small) [- rich, thin, big enough screen]
The application 'seuser' did not seem to be able to find the policy.conf
file. I found the .tcl file and hacked a bit on that, but tcl is not a
native language for me. (Today I found the /usr/share/setools/seuser.conf
file with the missing 'policy' in the policy.conf path)
Also there was something about the file_contexts - it was a file instead
of a directory at one point - so I deleted the file and redid some steps
and found a populated directory afterwards - so I must have done
something (correctly?).
[Sorry about the lack of specifics - I was just playing around - thinking
that I would probably have to do it over again later - once I knew what
I was doing]
------
Then I found an application 'System Settings -> Security Level'. With
this tool, I could turn my firewall on and also turn on something in
SELinux. The SELinux button said 'Active'. I clicked on it and
saw options 'Warn' and 'Disabled'. Then I went back to the Firewall
settings and decided not to do anything there. Clicking the OK button at
the bottom gave me a dialog box - something about 'do you want security to be on'.
Since I thought security was already on, I clicked on yes...
It was soon after that I attempted to 'su' -- and found out that I could
not. This was (fortunately) not a production system. Even though I knew
that Humpty had fallen off the wall, I figured that after a reboot - the
problems would go away.
Not. The reboot only progressed about half way. There were extra
messages on the console screen. (This message repeated 63067847
times...) The messages stopped. I was concerned that the log files had
filled up the remaining 35G of disk space. I hit the power switch.
I mounted the root SCSI disk on another (non SELinux) system and saw the
file:
[root at hoho2 sysconfig]# pwd
/etc/sysconfig
[root at hoho2 sysconfig]# cat system-config-securitylevel
# Configuration file for system-config-securitylevel
--enabled
[root at hoho2 sysconfig]#
I went in with vim and changed the last line to read '--disabled' and
then attempted to reboot the SELinux enabled system.
No go - there was still something set that was preventing me from
booting. I did not even get far enough to try to log on.
-----
Fortunately, I had printed out some of the SELinux documentation
(printed out, not read as yet). I noticed an email message from Hannes
Mayer saying to pass 'selinux=0' to grub at boot time.
This I did, and wonderfully my system booted up. It did not even have
the pesky extra error messages which I had noticed for awhile when
booting my running system - 'avc denied', etc.
Reading a bit more of the email archive this morning, particularly the
helpful message from Tom Mitchell - Mon, 3 May 2004 17:36:30 -0700
I went into grub.conf and added 'enforcing=0 selinux=1' to the kernel
line and then rebooted.
Success - it looks like things are back to the point where I can do more
testing.
My immediate objective is to configure things so that I can turn
enforcing on and successfully boot my system. Maybe this is not yet
possible (not enough file_contexts set?).
A lesser goal would be to dynamically set and (hopefully) unset the
enforcing parameter as mentioned later in Tom Mitchell's timely and very
helpful email message - and then see what problems develop - in a
(hopefully) controlled environment.
Questions:
What versions of what software are currently SELinux enabled? I have rpm
4.3.1 - does that rpm do the right thing as far as installing the extra
file contexts?
What happens if I do an up2date? Will I load in non-SELinux programs which
will undo everything learned up to that point?
[I have FC2(Test3) installed and updated to the point where there are no
more updates available - and this is with a few extra 'source' paths]
How do I determine whether essential programs are still SELinux enabled?
What is rawhide? Is that a collection of setools? (or an ancient Fedora image?)
(I would like to creep up on the concept of SecurityEnabled with lots of
log messages, but not too many.. :-) )
How can I make the file context messages go away -correctly- (i.e., by
setting the file contexts)? Is there a mass process that will tweak all
files?
Fedora Core release 1.92 (FC2 Test 3)
Kernel 2.6.5-1.327custom on an i686
hoho2 login: user1
Password:
Last login: Tue May 4 10:41:38 from TZ
[user1 at hoho2 user1]$ su
Password:
audit(1083685732.396:0): avc: denied { transition } for pid=2176 exe=/bin/su path=/bin/bash dev=sda2 ino=2605063 scontext=user_u:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process
I can guess that something is objectionable here, but see below when I did
it again.
[root at hoho2 user1]# exit
[user1 at hoho2 user1]$ date
Tue May 4 10:50:49 CDT 2004
[user1 at hoho2 user1]$ su
Password:
[root at hoho2 user1]#
See, here I did another su, but did not get log messages. Why?
..
..
Could someone comment on the 'meaning' of some of these log messages (the
SELinux generated ones - the other lines are left for context)?
[root at hoho2 sysconfig]# date
Tue May 4 10:54:45 CDT 2004
[root at hoho2 sysconfig]# tail /var/log/messages
May 4 10:48:33 hoho2 messagebus: messagebus startup succeeded
May 4 10:48:44 hoho2 login(pam_unix)[2136]: session opened for user user1 by LOGIN(uid=0)
May 4 10:48:44 hoho2 login[2136]: Warning! Could not get current context for /dev/tty1, not relabeling.
May 4 10:48:45 hoho2 -- user1[2136]: LOGIN ON tty1 BY user1
May 4 10:48:52 hoho2 su(pam_unix)[2175]: session opened for user root by user1(uid=500)
May 4 10:48:52 hoho2 su[2175]: Warning! Could not get current context for /dev/tty1, not relabeling.
May 4 10:48:52 hoho2 kernel: audit(1083685732.396:0): avc: denied { transition } for pid=2176 exe=/bin/su path=/bin/bash dev=sda2 ino=2605063 scontext=user_u:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process
May 4 10:50:23 hoho2 su(pam_unix)[2175]: session closed for user root
May 4 10:50:55 hoho2 su(pam_unix)[2204]: session opened for user root by user1(uid=500)
May 4 10:50:55 hoho2 su[2204]: Warning! Could not get current context for /dev/tty1, not relabeling.
[root at hoho2 sysconfig]#
Thanks much. SELinux seems as though it might become a usable standard.
The human path/process is important for newbie testers though. Too many
rocks and the extra eyeballs get discouraged.
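As an added example (not part of Bob's message or of any SELinux tool), here is a small Python parser for the 'avc: denied' record quoted above: it splits the record into the refused permission, the object class and the user:role:type parts of scontext and tcontext, which makes visible that in the su denial the two contexts differ only in the SELinux user field (user_u versus root). The regexes and names are mine, and the sample log lines are constructed from the ones in the message.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example (not from the original post): split a kernel "avc: denied" record
# of the kind quoted above into its fields, so the reader can see which source
# context, target context, object class and permission the policy refused.
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s*(?P<verdict>denied|granted)\s*"
    r"\{\s*(?P<perms>[^}]*)\}\s*for\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
# user:role:type, plus an optional MLS level that these 2004-era contexts lack.
CTX_RE = re.compile(r"^(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+)(?::(?P<level>.+))?$")

@dataclass
class AvcEvent:
    verdict: str            # "denied" or "granted"
    perms: List[str]        # permissions inside { ... }, e.g. ["transition"]
    fields: Dict[str, str]  # pid, exe, path, dev, ino, scontext, tcontext, tclass

    def ctx(self, which: str) -> Optional[Dict[str, str]]:
        """Break scontext or tcontext into its user, role and type parts."""
        m = CTX_RE.match(self.fields.get(which, ""))
        return m.groupdict() if m else None

    def differing_ctx_parts(self) -> List[str]:
        """Which of user/role/type differ between the source and target context."""
        s, t = self.ctx("scontext"), self.ctx("tcontext")
        if not s or not t:
            return []
        return [k for k in ("user", "role", "type") if s[k] != t[k]]

def parse_avc(line: str) -> Optional[AvcEvent]:
    """Return an AvcEvent for a syslog or console line holding an AVC record, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return AvcEvent(m.group("verdict"), m.group("perms").split(),
                    dict(KV_RE.findall(m.group("rest"))))

def denials(lines: List[str]) -> List[AvcEvent]:
    """Only the denied records; other syslog lines are skipped."""
    return [e for e in map(parse_avc, lines) if e is not None and e.verdict == "denied"]

# Constructed sample: the su denial from the post after an ordinary syslog line.
SAMPLE_LOG = [
    "May 4 10:48:52 hoho2 su[2175]: Warning! Could not get current context for /dev/tty1, not relabeling.",
    "May 4 10:48:52 hoho2 kernel: audit(1083685732.396:0): avc: denied { transition } for pid=2176 "
    "exe=/bin/su path=/bin/bash dev=sda2 ino=2605063 "
    "scontext=user_u:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process",
]
```

Running `denials(SAMPLE_LOG)` yields one event whose `differing_ctx_parts()` is `["user"]`; the 'Could not get current context' warnings carry no AVC record and are skipped.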