Humpty Dumpty

Don Patterson don.patterson at tresys.com
Tue May 4 20:41:00 UTC 2004 

You can configure font settings for apol in your $HOME/.apol file.

-Don

-----Original Message-----
From: fedora-selinux-list-bounces at redhat.com
[mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Bob Gustafson
Sent: Tuesday, May 04, 2004 2:50 PM
To: fedora-selinux-list at redhat.com
Subject: Humpty Dumpty

I have newly arrived at the dangerous stage of SElinux testing - and have a
few questions.

Some recent history:

Yesterday I downloaded some of the SELinux tool stuff and rebuilt it
from the SRPMS. (This may not have been necessary).

I was able to get the apol application up and running (but I think I
need glasses - font size is a bit small) [- rich, thin, big enough screen]

The application 'seuser' did not seem to be able to find the policy.conf
file. I found the .tcl file and hacked a bit on that, but tcl is not a
native language for me. (Today I found the /usr/share/setools/seuser.conf
file with the missing 'policy' in the policy.conf path)

Also there was something about the file_contexts - it was a file instead
of a directory at one point - so I deleted the file and redid some steps
and found a populated directory afterwards - so I must have done
something (correctly?).

[Sorry about the lack of specifics - I was just playing around - thinking
that I would probably have to do it over again later - once I knew what
I was doing]

------

Then I found an application 'System Settings -> Security Level'  With
this tool, I could turn my firewall on and also turn on something in
SELinux.  The SELinux button said 'Active'.  I clicked on it and
saw options 'Warn' and 'Disabled'.  Then I went back to the Firewall
settings and decided not to do anything there. Clicking the OK button at
the bottom
gave me a dialog box - something about 'do you want security to be on'.
Since I thought security was already on, I clicked on yes...

It was soon after that I attempted to 'su' -- and found out that I could
not. This was (fortunately) not a production system. Even though I knew
that Humpty had fallen off the wall, I figured that after a reboot - the
problems would go away.

Not. The reboot only progressed about half way. There were extra
messages on the console screen. (This message repeated 63067847
times...)  The messages stopped.  I was concerned that the log files had
filled up the remaining 35G of disk space.  I hit the power switch.

I mounted the root SCSI disk on another (non SELinux) system and saw the
file:

  [root at hoho2 sysconfig]# pwd
  /etc/sysconfig
  [root at hoho2 sysconfig]# cat system-config-securitylevel
  # Configuration file for system-config-securitylevel

  --enabled
  [root at hoho2 sysconfig]#

I went in with vim and changed the last line to read '--disabled' and
then attempted to reboot the SELinux enabled system.

No go - there was still something set that was preventing me from
booting. I did not even get far enough to try to log on.

-----

Fortunately, I had printed out some of the SELinux documentation
(printed out, not read as yet).  I noticed an email message from Hannes
Mayer saying to pass 'selinux=0' to grub at boot time.

This I did, and wonderfully my system booted up. It did not even have
the pesky extra error messages which I had noticed for awhile when
booting my running system - 'avc denied', etc.

Reading a bit more of the email archive this morning, particularly the
helpful message from Tom Mitchell - Mon, 3 May 2004 17:36:30 -0700

I went into grub.conf and added 'enforcing=0 selinux=1' to the kernel
line and then rebooted.

Success - it looks like things are back to the point where I can do more
testing.

My immediate objective is to configure things so that I can turn
enforcing on and successfully boot my system. Maybe this is not yet
possible (not enough file_contexts set?).

A lesser goal would be to dynamically set and (hopefully) unset the
enforcing parameter as mentioned later in Tom Mitchell's timely and very
helpful email message - and then see what problems develop -  in a
(hopefully) controlled environment.


Questions:

What versions of what software are currently SElinux enabled. I have rpm
4.3.1 - does that rpm do the right thing as far as installing the extra
file contexts?

What happens if I do an up2date. Will I load in non-SELinux programs which
will undo everything learned up to that point?

[I have FC2(Test3) installed and updated to the point where there are no
more updates available - and this is with a few extra 'source' paths]

How do I determine whether essential programs are still SELinux enabled?

What is rawhide? Is that a collection of setools? (or an ancient Fedora
image?)

(I would like to creep up on the concept of SecurityEnabled with lots of
log messages, but not too many.. :-) )

How can I make the file context messages go away -correctly- (i.e., by
setting the file contexts)?  Is there a mass process that will tweek all
files?


   Fedora Core release 1.92 (FC2 Test 3)
   Kernel 2.6.5-1.327custom on an i686

   hoho2 login: user1
   Password:
   Last login: Tue May  4 10:41:38 from TZ
   [user1 at hoho2 user1]$ su
   Password:
   audit(1083685732.396:0): avc:  denied  { transition } for  pid=2176
   exe=/bin/su
   path=/bin/bash dev=sda2 ino=2605063 scontext=user_u:sysadm_r:sysadm_t
   tcontext=r
   oot:sysadm_r:sysadm_t tclass=process

I can guess that something is objectionable here, but see below when I did
it again

   [root at hoho2 user1]# exit

   [user1 at hoho2 user1]$ date
   Tue May  4 10:50:49 CDT 2004
   [user1 at hoho2 user1]$ su
   Password:
   [root at hoho2 user1]#

See, here I did another su, but did not get log messages. Why?
..
..

Could someone comment on the 'meaning' of some of these log messages (the
SELinux generated ones - the other lines are left for context.

   [root at hoho2 sysconfig]# date
   Tue May  4 10:54:45 CDT 2004

   [root at hoho2 sysconfig]# tail /var/log/messages
   May  4 10:48:33 hoho2 messagebus: messagebus startup succeeded
   May  4 10:48:44 hoho2 login(pam_unix)[2136]: session opened for user
   user1 by LOGIN(uid=0)
   May  4 10:48:44 hoho2 login[2136]: Warning!  Could not get current
   context for /dev/tty1, not relabeling.
   May  4 10:48:45 hoho2  -- user1[2136]: LOGIN ON tty1 BY user1
   May  4 10:48:52 hoho2 su(pam_unix)[2175]: session opened for user
   root by user1(uid=500)
   May  4 10:48:52 hoho2 su[2175]: Warning!  Could not get current
   context for /dev/tty1, not relabeling.
   May  4 10:48:52 hoho2 kernel: audit(1083685732.396:0): avc:  denied
   { transition } for  pid=2176 exe=/bin/su path=/bin/bash dev=sda2
ino=2605063
   scontext=user_u:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t
tclass=process
   May  4 10:50:23 hoho2 su(pam_unix)[2175]: session closed for user root
   May  4 10:50:55 hoho2 su(pam_unix)[2204]: session opened for user
   root by user1(uid=500)
   May  4 10:50:55 hoho2 su[2204]: Warning!  Could not get current
   context for /dev/tty1, not relabeling.
   [root at hoho2 sysconfig]#

Thanks much. SELinux seems as though it might become a usable standard.

The human path/process is important for newbie testers though.  Too many
rocks and the extra eyeballs get discouraged.
--
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list

More information about the fedora-selinux-list mailing list