Humpty Dumpty - some successes

Bob Gustafson bobgus at rcn.com
Wed May 5 06:12:45 UTC 2004


Thanks much for all your replies.

I did what you recommended and at the end of it all I rebooted with

   grub parameters 'selinux=1 enforcing=1'

It does seem to be working and securely (I cannot telnet in from another
system and my sound does not work ...)

[I really shouldn't mention telnet on this list..]

----- I do have a few questions though - some may be OT -----

Yum must have a different header cache, as the command line below refetched
a lot of header files. The sources file for my up2date contains 'yum' lines
- why is it not the same cache?

  [root at hoho2 user1]# yum install setools*

  ...
  unarj-debuginfo-0-2.63a-5 100% |=========================| 1.5 kB    00:00
  pidentd-debuginfo-0-3.0.1 100% |=========================| 4.6 kB    00:00
  commons-modeler-debuginfo 100% |=========================| 2.3 kB    00:00
  VFlib2-debuginfo-0-2.25.6 100% |=========================| 5.6 kB    00:00
  radvd-debuginfo-0-0.7.2-7 100% |=========================| 3.6 kB    00:00
  Cannot find a package matching setools-1.3-2.i386.rpm
  Cannot find a package matching setools-gui-1.3-2.i386.rpm
  No actions to take
  [root at hoho2 user1]#

I did it again with the '-t' option - got less output lines, but the Cannot
find lines were still there.

  [root at hoho2 user1]# yum -t install setools*
  Gathering header information file(s) from server(s)
  Server: Fedora Core 1.92 - Development Tree
  Finding updated packages
  Downloading needed headers
  Cannot find a package matching setools-1.3-2.i386.rpm
  Cannot find a package matching setools-gui-1.3-2.i386.rpm
  No actions to take
  [root at hoho2 user1]#

Setools is installed on my system though. (Maybe the yum default sources
file is not pointed correctly?)

  [root at hoho2 user1]# rpm -q -i setools | more
  Name        : setools                      Relocations: /usr
  Version     : 1.3                               Vendor: Red Hat, Inc.
  Release     : 2                             Build Date: Mon 19 Apr 2004 07:50:44 PM CDT
  Install Date: Mon 03 May 2004 01:50:24 PM CDT      Build Host: tweety.devel.redhat.com

  [root at hoho2 user1]# rpm -q -i setools-gui | more
  Name        : setools-gui                  Relocations: /usr
  Version     : 1.3                               Vendor: Red Hat, Inc.
  Release     : 2                             Build Date: Mon 19 Apr 2004 07:50:44 PM CDT
  Install Date: Mon 03 May 2004 01:50:38 PM CDT      Build Host: tweety.devel.redhat.com

Then I did:

  fixfiles relabel

One supposes (me at least) that once 'fixfiles relabel' has been run, then
a second run of that program will not find any files to fix.

This was not the case for me.  I actually did 'fixfiles relabel' three
times and even on the last one I got diagnostic output.

A typical bunch of diagnostics looked like this:

  Cleaning out /tmp
  /usr/sbin/setfiles:  conflicting specifications for /lib/modules/2.6.3-2.1.253.2.1custom/modules.dep and /lib/modules/2.6.5-1.327/build/include/config/MARKER, using system_u:object_r:modules_dep_t.

  /usr/sbin/setfiles:  conflicting specifications for /usr/src/redhat/BUILD/ooo-build-1.1.53pre/build/OOO_1_1_1/setup2/unxlngi4.pro/bin/tplx64533.res and /var/tmp/openoffice.org-1.1.1-root/usr/lib/ooo-1.1/program/resource/tplx64533.res, using system_u:object_r:src_t.

  /usr/sbin/setfiles:  conflicting specifications for /usr/src/redhat/BUILD/ooo-build-1.1.53pre/build/OOO_1_1_1/setup2/unxlngi4.pro/bin/tplx64590.res and /var/tmp/openoffice.org-1.1.1-root/usr/lib/ooo-1.1/program/resource/tplx64590.res, using system_u:object_r:src_t.

There is a pattern here, but I can't express it in fixable terms.

------

This is my new virgin login after the fixfiles and with
grub parameters 'selinux=1 enforcing=0'

  Fedora Core release 1.92 (FC2 Test 3)
  Kernel 2.6.5-1.327custom on an i686

  hoho2 login: user1
  Password:
  Your default context is user_u:user_r:user_t.

  Do you want to choose a different one? [n]
  Last login: Tue May  4 11:05:30 from TZ
  [user1 at hoho2 user1]$ date
  Tue May  4 16:45:14 CDT 2004
  [user1 at hoho2 user1]$


System Tools -> Sound Card Detection -> play sound

  May  4 19:43:51 hoho2 udev[3472]: creating device node '/udev/audio'
  May  4 19:43:51 hoho2 udev[3479]: creating device node '/udev/adsp'
  May  4 19:43:51 hoho2 kernel: audit(1083717831.232:0): avc:  denied  { relabelfrom } for  pid=3485 exe=/sbin/restorecon name=mixer dev=sda2 ino=5374112 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=lnk_file

  May  4 19:43:51 hoho2 kernel: audit(1083717831.232:0): avc:  denied  { relabelto } for  pid=3485 exe=/sbin/restorecon name=mixer dev=sda2 ino=5374112 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:sound_device_t tclass=lnk_file

Seems to be a problem with the sound card stuff - even though it is not
enforcing at the moment. It worked before SELinux.

----- Now the acid test - reboot with grub parameters 'selinux=1 enforcing=1'

  Fedora Core release 1.92 (FC2 Test 3)
  Kernel 2.6.5-1.327custom on an i686

  hoho2 login: audit(1083719173.508:0): avc:  denied  { getattr } for  pid=2035 exe=/bin/bash path=/etc/hotplug dev=sda2 ino=1458282 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir

  audit(1083719173.508:0): avc:  denied  { search } for  pid=2035 exe=/bin/bash name=hotplug dev=sda2 ino=1458282 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir

  audit(1083719173.508:0): avc:  denied  { search } for  pid=2035 exe=/bin/bash name=hotplug dev=sda2 ino=1458282 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir

  audit(1083719173.512:0): avc:  denied  { search } for  pid=2035 exe=/bin/bash name=hotplug dev=sda2 ino=1458282 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir

  audit(1083719173.513:0): avc:  denied  { search } for  pid=2035 exe=/bin/bash name=log dev=sda2 ino=720918 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:var_log_t tclass=dir

  audit(1083719173.514:0): avc:  denied  { search } for  pid=2035 exe=/bin/bash name=log dev=sda2 ino=720918 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:var_log_t tclass=dir
  user1
  Password:
  Your default context is user_u:user_r:user_t.

  Do you want to choose a different one? [n]
  Last login: Tue May  4 20:27:17 from TZ
  [user1 at hoho2 user1]$

Lots of diagnostic messages between the login: and the 'user1' response!!

--- Note that it really is enforcing ---

  [user1 at hoho2 user1]$ od -c /selinux/enforce
  0000000   1
  0000001
  [user1 at hoho2 user1]$

--- However the /etc/sysconfig/selinux file still says 'disabled'

  [root at hoho2 user1]# cat /etc/sysconfig/selinux
  # This file controls the state of SELinux on the system.
  # SELINUX= can take one of these three values:
  #       enforcinfg - SELinux security policy is enforced.
  #       permissive - SELinux prints warnings instead of enforcing.
  #       disabled - No SELinux policy is loaded.
  SELINUX=disabled
  [root at hoho2 user1]# date
  Tue May  4 20:35:31 CDT 2004
  [root at hoho2 user1]#

(Note typo in the enforcing line of this file)

Maybe the grub kernel line overrides whatever is in this file? Perhaps the
information in this file controls the boot situation when there is no
additional boot grub parameter?

Here is a try at rsync to a machine without SELinux

  [root at hoho2 user1]# vim nextboot.bug
  [root at hoho2 user1]# rsync nextboot.bug hoho0:/home/bobg
  root at hoho0's password:
  Warning: No xauth data; using fake authentication data for X11 forwarding.
  Server is very old version of rsync, upgrade recommended.
  [root at hoho2 user1]#

It seems to say that it has faked it, but no file was transferred.

up2date does not work with enforcing=1

I noticed that there were a bunch more update files available, so I
installed all (including the 349 kernel), and then rebooted with enforcing=1

It actually does boot - and I can also 'su'

bedtime




More information about the fedora-selinux-list mailing list
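The AVC denials quoted in the post above can be reduced mechanically to the policy gaps they describe. The following Python script is an added example for this archive page; it is not part of Bob's post and not a Fedora or SELinux tool. It parses 'avc: denied' lines in both forms seen above (the syslog form with a 'kernel:' prefix and the bare form spilled onto the console), groups them by source type, target type and object class, and renders each group as the TE allow rule that would satisfy it, which is the same grouping audit2allow performs. The sample log is constructed from the denials in the post, rejoined onto single lines, plus one unrelated line to show it is skipped; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC denials quoted in the post, each rejoined
# onto one line, plus a non-AVC line that the parser must ignore.
SAMPLE_LOG = """\
May  4 19:43:51 hoho2 kernel: audit(1083717831.232:0): avc:  denied  { relabelfrom } for  pid=3485 exe=/sbin/restorecon name=mixer dev=sda2 ino=5374112 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=lnk_file
May  4 19:43:51 hoho2 kernel: audit(1083717831.232:0): avc:  denied  { relabelto } for  pid=3485 exe=/sbin/restorecon name=mixer dev=sda2 ino=5374112 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:sound_device_t tclass=lnk_file
hoho2 login: audit(1083719173.508:0): avc:  denied  { getattr } for  pid=2035 exe=/bin/bash path=/etc/hotplug dev=sda2 ino=1458282 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
audit(1083719173.508:0): avc:  denied  { search } for  pid=2035 exe=/bin/bash name=hotplug dev=sda2 ino=1458282 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
audit(1083719173.512:0): avc:  denied  { search } for  pid=2035 exe=/bin/bash name=hotplug dev=sda2 ino=1458282 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
audit(1083719173.513:0): avc:  denied  { search } for  pid=2035 exe=/bin/bash name=log dev=sda2 ino=720918 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:var_log_t tclass=dir
May  4 19:43:51 hoho2 udev[3472]: creating device node '/udev/audio'
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." ; the prefix before
# "avc:" (syslog header, login prompt, audit(...) stamp) is irrelevant.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict of the denial's fields plus a 'perms' list, or None
    when the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type, e.g. system_u:system_r:udev_t -> udev_t"""
    return ctx.split(":")[2]


def summarize(log_text):
    """Group denials as (source type, target type, class) -> set of permissions,
    so repeated identical denials (the hotplug ones above) collapse to one entry."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]),
               context_type(rec["tcontext"]),
               rec["tclass"])
        summary[key].update(rec["perms"])
    return dict(summary)


def allow_rules(summary):
    """Render each group as the TE allow rule that would permit it."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

Run as-is it prints four rules, one per (udev_t, target, class) pair; on a real box feed it the output of grep avc /var/log/messages instead of the constructed sample. Treat the rules as a map of what was refused, not as policy to paste in: the two lnk_file rules say udev's restorecon was denied relabeling the mixer symlink from device_t to sound_device_t, and the dir rules say udev's hotplug scripts could not search /etc/hotplug and /var/log. Whether the right fix is a policy rule, a file context entry or a relabel is a decision per group, and a blanket allow for udev_t would widen that domain more than needed.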