[MLS Policy]:- MLS policy enforcing mode problem when manually restarting the system services.

prakash hallalli prakashkhallalli at gmail.com
Thu Jun 12 12:14:29 UTC 2008


Hi All,
I have to configure Role-based access control (RBAC) for an smbldap user.
How should I set the roles for users, and which policy should I use?

Now I am using the MLS policy to configure RBAC.
I am not sure this is the correct way to configure RBAC on CentOS 5.1.

Please help me with what I am doing wrong.

Thanks,
Prakash,






On Wed, Jun 11, 2008 at 8:38 PM, Stephen Smalley <sds at tycho.nsa.gov> wrote:

>
> On Wed, 2008-06-11 at 20:32 +0530, prakash hallalli wrote:
> > Hi all,
> > I have configured SELinux on CentOS 5.1. I have configured RBAC
> > using the MLS (Multilevel Security) policy in enforcing mode. I am
> > trying to restart the system services and they are not restarting; it
> > is throwing an error message.
> >
> > Steps to reproduce:
> >
> > 1) MLS policy configuration.
> >
> > 1. Install selinux-policy-mls
> > 2. Set SELINUXTYPE=MLS in /etc/selinux/config file
> > 3. touch ./autorelabel; on root's home directory, and reboot the
> > machine.
>
> As others noted, this should have been touch /.autorelabel, not
> touch ./autorelabel on root's home directory.  But I don't think that is
> relevant any more - you already manually relabeled.
>
> > 4. While the machine is rebooting, change the GRUB parameter:
> > enforcing=0
> >
> > 2) Now the system is in permissive mode and the SELinux status is as follows.
> >
> > [root at turtle11 ~]# sestatus
> > SELinux status:                  enabled
> > SELinuxfs mount:                /selinux
> > Current mode:                      permissive
> > Mode from config file:          enforcing
> > Policy version:                    21
> > Policy from config file:         mls
> >
> > 3) Restart the system services and they restart successfully.
> >
> > [root at turtle11 ~]# service nfs restart
> > Shutting down NFS mountd:                                  [  OK  ]
> > Shutting down NFS daemon:                                  [  OK  ]
> > Shutting down NFS quotas:                                  [  OK  ]
> > Shutting down NFS services:                                [  OK  ]
> > Starting NFS services:                                     [  OK  ]
> > Starting NFS quotas:                                       [  OK  ]
> > Starting NFS daemon:                                         [  OK  ]
> > Starting NFS mountd:                                         [  OK  ]
> >
> > 3) Now I am setting enforcing mode using the setenforce command.
> >
> > root at turtle11 ~]#setenforce 1
> > root at turtle11 ~]# sestatus
> > SELinux status:             enabled
> > SELinuxfs mount:          /selinux
> > Current mode:               enforcing
> > Mode from config file:    enforcing
> > Policy version:              21
> > Policy from config file:   mls
> >
> > 4) a) Now the system is in enforcing mode and I am trying to restart the
> > system service. The restart results in an error message.
> >
> > [root at turtle11 ~]# service nfs restart
> > nfs: unrecognized service
> >
> > [root at turtle11 ~]# run_init /etc/init.d/nfs restart
> > Authenticating root.
> > Password: XXXXXX
> > run_init: incorrect password for root
> > authentication failed.
> > [root at turtle11 ~]#
> >
> > [root at turtle11 ~]# run_init /etc/init.d/ldap restart
> > Authenticating root.
> > Password: XXXXXX
> > run_init: incorrect password for root
> > authentication failed.
>
> This implies that the existing policy isn't allowing these domains to do
> what they need to perform the authentication.  Elsewhere you said you
> are using ldap, so they may need additional permissions for the network
> lookup.
>
> > 5) I am using sysadm_r
> >
> > [root at turtle11 ~]# id
> > uid=0(root) gid=0(root)
> > groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> > context=root:sysadm_r:sysadm_t:SystemLow-SystemHigh
> > [root at turtle11 ~]#
> >
> > 6) These are the /sbin/ausearch log messages I am getting.
> >
> > [root at turtle11 ~]#/sbin/ausearch -i -m AVC -sv no
> > type=SYSCALL msg=audit(06/11/2008 20:01:29.285:130367) : arch=x86_64
> > syscall=recvfrom success=no exit=-13(Permission denied) a0=5
> > a1=7fff60825b40 a2=5dc a3=0 items=0 ppid=1 pid=3103 auid=root uid=root
> > gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> > tty=(none) comm=dhcpd exe=/usr/sbin/dhcpd
> > subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
> > type=AVC msg=audit(06/11/2008 20:01:29.285:130367) : avc:  denied
> > { read } for  pid=3103 comm=dhcpd lport=1
> > scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023
> > tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=rawip_socket
>
> On this one, as I said, dhcpd shouldn't be running in sysadm_t.
> How did you start it?
>
> --
> Stephen Smalley
> National Security Agency
>
>
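Stephen's two diagnoses in the quoted reply, a daemon that inherited the admin's sysadm_t domain and a daemon in its own domain that is merely missing a network permission, can be told apart mechanically from `ausearch -i` output. The triage script below is an added example and is not part of the thread; the AVC records it parses are constructed to mirror the dhcpd record quoted above plus a hypothetical second denial, and the `USER_DOMAINS` set is an assumption about which types count as interactive domains.

```python
import re

# Constructed sample: the first record mirrors the dhcpd AVC quoted in the thread,
# the second is a hypothetical denial for a daemon running in its own domain.
SAMPLE_AVC = """\
type=AVC msg=audit(06/11/2008 20:01:29.285:130367) : avc:  denied  { read } for  pid=3103 comm=dhcpd lport=1 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=rawip_socket
type=AVC msg=audit(06/11/2008 20:02:10.001:130400) : avc:  denied  { name_connect } for  pid=3220 comm=nfsd scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Assumption: interactive login/admin domains. A system daemon should never run here;
# if it does, it was started without the transition run_init provides.
USER_DOMAINS = {"sysadm_t", "staff_t", "user_t", "unconfined_t"}


def parse_avc(line):
    """Return a dict of the key=value fields of one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    # scontext is user:role:type[:range]; keep the parts that matter for triage
    suser, srole, stype = rec["scontext"].split(":")[:3]
    rec.update(suser=suser, srole=srole, stype=stype)
    return rec


def classify(rec):
    """Label a denial by the most likely root cause discussed in the thread."""
    if rec["stype"] in USER_DOMAINS:
        return "wrong-domain"      # daemon inherited the admin's shell domain (the dhcpd case)
    if rec.get("tclass", "").endswith("_socket"):
        return "network-denial"    # daemon in its own domain, missing a network permission
    return "other"


def triage(text):
    """Summarise every AVC denial in an ausearch -i dump as (comm, source type, class, label)."""
    rows = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            rows.append((rec["comm"], rec["stype"], rec["tclass"], classify(rec)))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_AVC):
        print("%-8s %-12s %-14s %s" % row)
```

A "wrong-domain" row is not something to fix with a policy module: the process has to be restarted through run_init so it transitions into its service domain.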