Installing the new policy - bravo

Bob Gustafson bobgus at rcn.com
Sun May 30 05:38:17 UTC 2004


Great, your recipe worked pretty well - (but I'm not quite up at enforcing=1)

  It is good to make the changes to /etc/security/selinux first.

  I made mine with the active lines:

SELINUX=enforcing
SELINUXTYPE=strict
POLICYTYPE=strict

  Then I copied it over to /etc/selinux/config

[root at hoho2 user1]# cd /etc/selinux
[root at hoho2 selinux]# ls -l
total 20
-rw-r--r--  1 root root  332 May 29 23:47 config
drwxr-xr-x  5 root root 4096 May 29 12:05 strict
drwxr-xr-x  5 root root 4096 May 29 12:06 targeted
[root at hoho2 selinux]#

Adding the word 'single' to the grub.conf kernel line was a timesaver, and
potentially avoided more problems.

I think I was running for awhile with the kernel boot param 'selinux=0' -
doing a few yum updates during this time too. Many of the files that were
listed in the 'fixfiles relabel' run seemed as though they may have
appeared during yum updates when 'selinux=0' or when selinux was disabled
(by the /etc/sysconfig/selinux file settings).  Boot params override this
file.

For the next few boots, I ran with 'selinux=1 enforcing=0'

Just as a test, I ran 'fixfiles relabel' twice. The second time, there were
no diagnostic output lines - leaving me with a good feeling.

I booted up again and looked in the /var/log/messages file - no audit
messages. Either something is working well, or not at all.

---

Then I tried to boot with the boot param 'enforcing=1'

In the RedHat nash phase (or maybe just after), I got the message:

Enforcing mode requested, but no policy loaded. Halting now.
Kernel panic: Attempted to kill init!

-----

After a power cycle, I set the boot param back to 'enforcing=0'

I remembered seeing a Makefile with the targets: ...,..., reload

I believe this Makefile was in /etc/sysconfig/selinux/src/policy, but I
noticed that /etc/sysconfig/selinux was now a file - in fact it was the
file that I edited a few minutes before.

Having seen a policy directory under /etc/selinux/strict, I went there

[root at hoho2 policy]# pwd
/etc/selinux/strict/src/policy

[root at hoho2 policy]# ls -lt | head
total 11708
-rw-r--r--  1 root root      97 May 29 23:57 reload.out
drwxr-xr-x  2 root root    4096 May 29 23:57 tmp
drwxr-xr-x  4 root root    4096 May 29 12:06 file_contexts
-rw-r--r--  1 root root 4207890 May 29 12:05 policy.conf
drwx------  2 root root    4096 May 29 12:05 flask
drwx------  3 root root    4096 May 29 12:05 macros
drwx------  2 root root    4096 May 29 12:05 types
drwx------  2 root root    4096 May 29 12:05 appconfig
drwx------  4 root root    4096 May 29 12:05 domains

This is after I did a 'make reload 2>&1 | tee reload.out' twice. The first
time I got a lot of diagnostic lines, 'inode ...'. The second time I got:

[root at hoho2 policy]# cat reload.out
/usr/sbin/load_policy /etc/selinux/strict/policy/policy.`cat
/selinux/policyvers
`
touch tmp/load

  This looked pretty good, so I tried to go into enforcing mode by doing

[root at hoho2 policy]# setenforce 1

Immediately, I got:

su[2804]: Error!
  Unable to set executable context (null).
login (pam_unix)[2534]: session closed for user1

INIT: cannot execute "/sbin/mngetty"
INIT: cannot execute "/sbin/mngetty"
INIT: cannot execute "/sbin/mngetty"
...
INIT: Id "1" respawing too fast, disabled for 5 minutes

-----

Another power cycle, and I am ready for bed.

Hopefully there are some clues in the above for selinux gurus.

BobG

on Sat, 29 May 2004 17:37:04 -0700, Tom London wrote:
>I also had some issues in the newest selinux-policy installs from the
>development tree.
>
>First, I had to remove setools to remove a yum/rpm conflict.
>
>After successfully yum'ing selinux-policy-strict-sources (which also
>installed selinux-policy-strict and removed policy and policy-sources),
>I rebooted in single user mode, where I did the usual 'fixfiles
>relabel'.  I then rebooted to multiuser mode, where I determined that
>the 'mode' was set to 'disabled' (i.e., 'getenforce->disabled').
>
>Rooting around uncovered that there was no /etc/selinux/config
>installed, nor was /etc/sysconfig/selinux updated with the
>'SELINUXTYPE=strict' line.  Since the thread on this was confusing to
>me, I also added a line 'POLICYTYPE=strict').
>
>I modified /etc/sysconfig/selinux, copied it to /etc/selinux/config and
>rebooted.  Still came up with selinux in 'disabled' mode.
>
>Checking /var/log/messages showed 'SELinux disabled at boot'.  So, I
>rebooted adding 'selinux=1' to the boot line. This time, the boot failed
>with 'can't read /etc/fstab' and brought me up in 'filesystem repair'
>mode.  There I determined that /etc/fstab had no security context
>assigned to it (Did it get rewritten during a 'disabled' boot?)
>
>I rebooted without the 'selinux=1' but in single-user mode, where I
>adjusted the context of /etc/fstab, /etc/sysconfig/selinux and
>/etc/selinux/config.  I also changed /etc/sysconfig/selinux to boot up
>in permissive mode.
>
>Rebooting with 'selinux=1 single' worked; I reran 'fixfiles relabel'.
>
>Rebooting with 'selinux=1' into permissive/multi-user worked.  I changed
>/etc/sysconfig/selinux and /etc/selinux/config to 'enforce'.  Rebooting
>single-user (i.e., with 'selinux=1 single') worked.
>
>Rebooting strict/multi-user (i.e. with 'selinux=1') did not work.  It
>got jammed setting up X.org log files.  Seems that
>/var/log/Xorg.0.log.old had no security context so the attempt to move
>/var/log/Xorg.0.log 'on top of it' failed.  I'm guessing it was a
>leftover from a 'disabled' boot.
>
>I fixed that ('chcon --reference Xorg.0.log Xorg.0.log.old'), fixed
>/tmp/gconfd-tbl (same problem), and now it boots up strict/multi-user.
>
>So here's the condensed version:
>1. installing selinux-policy-strict-sources (and selinux-policy-strict)
>did not setup /etc/selinux/config, nor did it modify
>/etc/sysconfig/selinux.  (I must admit that I was confused by the
>message thread. Did I need to remove /etc/sysconfig/selinux before doing
>the 'yum install selinux-policy-strict-sources'?  I thought the install
>would add the 'SELINUXTYPE=strict' line to an existing file, but I may
>have read this wrong.)
>2. My system was 'setup' to boot by default into 'disabled' mode. This
>caused a lot of problems with unlabeled files, directories, etc.
>Accidentally forgetting to add 'selinux=1' to the boot line may cause this.
>3. I had to 'yum remove setools'. Did this cause my booting or other
>problems?
>4. I added both 'SELINUXTYPE=' and 'POLICYTYPE=' lines to
>/etc/sysconfig/selinux and to /etc/selinux/config.  Are both
>needed/correct?  /sbin/fixfiles seems to want 'SELINUXTYPE'...
>5. I manually copied /etc/selinux/conf from /etc/sysconfig/selinux. Does
>that provide the correct info/format?
>
>System is up and running in strict/enforcing mode.  I will later try to
>install selinux-policy-targeted*.
>
>tom
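Both posts run into the same two configuration traps: a config file whose SELINUX=/SELINUXTYPE= keys are not what the tools expect, and an enforcing boot attempted with no binary policy in /etc/selinux/<type>/policy/ ("Enforcing mode requested, but no policy loaded"). The following pre-flight script is an added example, not part of either post; it checks those conditions before a reboot. It assumes the config-file format shown in the thread and takes the policy-version file as a parameter (the thread's systems use /selinux/policyvers; current kernels expose /sys/fs/selinux/policyvers).

```shell
#!/bin/sh
# Added example (not from the thread): run as root before rebooting with
# enforcing=1. Validates the SELINUX= and SELINUXTYPE= keys and confirms a
# binary policy for the kernel's policy version exists, which is what the
# thread's 'make reload' installed and what an enforcing boot needs.

# cfg_value FILE KEY: print the value of the last uncommented KEY=VALUE line.
cfg_value() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# check_selinux_config CONFIG POLICYVERS_FILE [ROOT]
#   CONFIG          /etc/selinux/config-style file to validate
#   POLICYVERS_FILE file holding the kernel's policy version
#   ROOT            optional prefix for /etc/selinux (for offline testing)
# Returns 0 when the file is usable for an enforcing boot, 1 otherwise.
check_selinux_config() {
    cfg=$1; versfile=$2; root=${3:-}
    mode=$(cfg_value "$cfg" SELINUX)
    type=$(cfg_value "$cfg" SELINUXTYPE)
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "SELINUX= must be enforcing, permissive or disabled (got '$mode')"
           return 1 ;;
    esac
    if [ -z "$type" ]; then
        echo "SELINUXTYPE= is missing: fixfiles uses it to locate /etc/selinux/<type>"
        return 1
    fi
    # POLICYTYPE= (as both posters added) is harmless but not the key the tools read.
    if [ -n "$(cfg_value "$cfg" POLICYTYPE)" ]; then
        echo "note: POLICYTYPE= is ignored; SELINUXTYPE=$type is what is used"
    fi
    vers=$(cat "$versfile" 2>/dev/null)
    if [ -z "$vers" ]; then
        echo "cannot read policy version from $versfile (is selinuxfs mounted?)"
        return 1
    fi
    policy="$root/etc/selinux/$type/policy/policy.$vers"
    if [ ! -f "$policy" ]; then
        echo "no binary policy at $policy: an enforcing boot would halt before init"
        return 1
    fi
    echo "ok: SELINUX=$mode SELINUXTYPE=$type policy=$policy"
    return 0
}

# Only touch the live system when paths are given on the command line, e.g.
#   sh selinux_preflight.sh /etc/selinux/config /selinux/policyvers
if [ $# -ge 2 ]; then
    check_selinux_config "$@"
fi
```

A non-zero exit means the reboot into enforcing=1 would have failed the way the thread describes; fix the config or rebuild/reload the policy first.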
