ut it might be interesting to tell the users how you came to the
numbers, or use online resources to back up the figures
Generally, I get the feeling the document is more an article (one-time
useful read) rather than a to-be-maintained document. It's a good read
to refer people to when they as
y log on (through
SSH) in the sysadm_r role. Once they are logged on, they can always use
newrole.
wkr,
Sven Vermeulen
x27;s also hardly possible to
create any documentation on it. However, I am planning on starting with
documentation (even if based upon overlay ebuilds) soon - right after I get
X working properly :p )
Wkr,
Sven Vermeulen
ight one (unless I'm also running the wrong one ;-)
Wkr,
Sven Vermeulen
he time being the document only supports the type enforcement features
of SELinux. MLS/MCS has not been touched yet.
Feedback is always welcome, including language mistakes, typos or just plain
lies.
Wkr,
Sven Vermeulen
ersonal
preference goes to the patches themselves so that we do not drift away from the
reference policy and are forced to keep track of it. Also, when a new release is
made, we can look at the individual patches to see which still need to be
included and which not.
Wkr,
Sven Vermeulen
On Mon, Jan 10, 2011 at 08:44:06AM -0500, Chris PeBenito wrote:
> On 1/6/2011 5:32 PM, Sven Vermeulen wrote:
> > I've been working on bringing the SELinux handbook as currently available on
> > http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml more
> > u
logging clean, or do we then expect the administrator to manage his
own dontaudits?
Wkr,
Sven Vermeulen
e SELinux policy
developer a clearer scope of his tasks.
The problem with the first approach is that other users have a higher
likelihood of having a malfunctioning system than with the last (what the
developer sees as cosmetic might be important on other systems).
Wkr,
Sven Vermeulen
- how do I then know that a rule is cosmetic ;-)
Wkr,
Sven Vermeulen
omething similar. The boolean could provide additional benefit as it says
to the end user "hey, if you enable this, you'll get less AVC denials but we
are not fully confident yet that they are true ignorable denials", unlike
the "semodule -D" approach which also disables all real ignorable dontaudit
denials.
Wkr,
Sven Vermeulen
On Sun, Jan 16, 2011 at 11:06:47AM -0600, Chris Richards wrote:
> On 01/16/2011 09:09 AM, Sven Vermeulen wrote:
> > When writing security policies, it is important to first have a vision on
> > how the security policies should be made. Of course, final vision should be
> > wit
in the same module (think the bootloader case) or use a different naming
convention for those particular packages.
So, what are your thoughts on this?
Wkr,
Sven Vermeulen
if
"sec-policy/selinux-gpg" works equally well (or better), but I haven't read
the discussion on this online (just heard from others about it). I also
don't mind if general consensus is not my preference as I think it is more
important that we set a rule/guideline for the developers to follow
strictly.
Wkr,
Sven Vermeulen
with being
the policy name used by the reference policy, that we can use that as well
in the Gentoo Hardened SELinux Policy document [1].
By doing so, future developers immediately know how Gentoo Hardened works
(it is documented, so they don't need to start pondering how to call the
policy package for module "foo").
Wkr,
Sven Vermeulen
[1] goo.gl/2U0Zr
On Sat, Feb 12, 2011 at 02:25:29PM -0600, Chris Richards wrote:
> On 02/12/2011 02:03 PM, Sven Vermeulen wrote:
> > Actually, I'm rather hoping that if everyone agrees on the guideline that
> > SELinux policy packages are called "selinux-" with being
> > t
-policy/selinux-gpg-1
sec-policy/selinux-gnupg-Y blocks !~sec-policy/selinux-gnupg-X
Phase 3 (fade-out)
==
sec-policy/selinux-gnupg is removed from Portage tree.
BTW, the selinux-desktop one is a weird one and my suggestion would be to
purge it (it's not manageable).
Wkr,
Sven Vermeulen
package) that's fine too,
but in that case don't forget to clean the files/ folder too.
Wkr,
Sven Vermeulen
(until the 2.20101213's stabilize) we
at least are more confident that that won't happen.
Wkr,
Sven Vermeulen
an agree to: first stabilize the 2.20101213 set, then start with the
clean-up operation.
Wkr,
Sven Vermeulen
nfirmed, and (2.)
regressions can be detected.
For the time being you'll see that the tests aren't advanced, but at least
it's a start and it can grow more easily ;-)
Wkr,
Sven Vermeulen
iggered through
specific dynamic variables (&doc=3&chap=1)
Any objections to this?
Wkr,
Sven Vermeulen
On Thu, Mar 03, 2011 at 04:24:13AM +0100, klondike wrote:
> 2011/3/2 Sven Vermeulen :
[... Suggestion to make a SELinux FAQ document instead of having it as
a chapter in the SELinux Handbook ...]
> > Any objections to this?
> Nope, maybe you'd like to blend it with the harde
Anyhow, #346563 is about that weird multilib/nomultilib situation. SELinux
profiles currently enable multilib and "-multilib" (aka "no-multilib") is
for the time being not supported. But we might need to focus on this in the
near future as I would assume in server environments no-multilib is
preferred.
Wkr,
Sven Vermeulen
x264
tcc
Runs in enforcing mode (strict policy), gcc -v shows "--disable-multilib".
Wkr,
Sven Vermeulen
be completely wrong in this small analysis.
I'm no profile/portage wizard though. Anyone up to the challenge?
Wkr,
Sven Vermeulen
d "parent" showing
something like:
../
../../../../features/selinux
I just tried this on my no-multilib system as well as on a multilib one, and
apart from USE="gdbm bzip2 urandom nptl justify -fortran" I have had no
other changes (checked the different outputs of "emerge --info" as well as a
"emerge -puDN world").
Wkr,
Sven Vermeulen
esterday as well, adding two more
FAQs. One is about rlpkg complaining about conflicting types, the other one
is about portage complaining about libsandbox.so not being loaded.
FAQ preview at http://goo.gl/uaaf4
Wkr,
Sven Vermeulen
f people have objections, any other ideas on how to tackle the
problem that current SELinux profiles do not support no-multilib (but do
not enable "multilib" USE flag) [4]?
Wkr,
Sven Vermeulen
[1] http://thread.gmane.org/gmane.linux.gentoo.hardened/4820/focus=482
odule -b base.pp" to (re)try
and get the proper failure messages.
I'm thinking about not ignoring the failure but making sure that the
build logs of the (failed) install contains all information needed to fix.
Oh darn, almost a full page of rambling, I'll shut up now.
Sven Vermeulen
ding the means to
switch it off (refpolicy has it as a configurable setting, so why not) might
be a bit harsh. But I wouldn't mind having USE="ubac" forced on by the
SELinux profiles (so a user would need to use.force it in their local profile
override location). Is that a situation you can live with?
Wkr,
Sven Vermeulen
fstab has been put in the SELinux handbook
in hardened-doc.git overlay.
Wkr,
Sven Vermeulen
y various other domains, which would
then also need to be patched, and all that just for Gentoo.
The moment I notice that I'm deviating too much from things because of a
single reason (having wrappers over /sbin/rc) I tend to look for other
answers. I have a few ones up my sleeve, but nee
airly well on my systems, but that's
again another change just for SELinux-enabled Gentoo systems :-(
Chris R.: in https://bugs.gentoo.org/351712 the use of the wrappers was
suggested instead of symlinks (which would've caused the same problems here
I think) just for the reason that I'm writing out now. How did you resolve
the problem on your system?
Wkr,
Sven Vermeulen
On Sun, May 15, 2011 at 12:25:32AM +0200, Sven Vermeulen wrote:
> I just pushed selinux-base-policy-2.20101213-r15 to hardened-dev.git
> overlay. It does not resolve all problems, but at least Gentoo Hardened with
> SELinux now boots up properly with OpenRC (and the Gentoo SELinux handb
It is the /sbin/rc binary which uses the information in /lib64/rc/init.d (a
tmpfs mount). The tmpfs location has directories like "started" in which
symlinks exist to the files in /etc/init.d.
Wkr,
Sven Vermeulen
On Mon, May 16, 2011 at 2:49 AM, "Tóth Attila" wrote:
>
ys thought "Gentoo Hardened" is the correct one. "Hardened Gentoo" is
the result of applying the projects in "Gentoo Hardened" imo.
Wkr,
Sven Vermeulen
[1] http://xrl.us/bkpo6j
[2] http://xrl.us/bkpo62
[3] http://xrl.us/bkpo73
feedback, ... always appreciated.
Wkr,
Sven Vermeulen
not propagated so you'll have to "wait" a week (if you
desperately need a build that's more recent than a few weeks old).
Considering that Gentoo is a rolling upgrade distribution, working from a
month-old stage is not an issue. Even several months old isn't an issue.
Wkr,
Sven Vermeulen
upstream here and start our own path (in
my opinion, we can't as long as we do not have a critical developer mass -
in numbers, not in kilogram).
Wkr,
Sven Vermeulen
ing it here) and contains the necessary
file context definitions specific for lighttpd.
Wkr,
Sven Vermeulen
's what
we'll go to. I'll make the necessary preparations for it.
Wkr,
Sven Vermeulen
ou mean "SELinux in permissive mode", right?
Could you
- setenforce 0
- /etc/init.d/dbus stop
- setenforce 1
- clear avc.log
- /etc/init.d/dbus start
And then send in your avc.log file? The excerpt you pasted earlier is too
big and spans multiple days, so is probably an amalgamation of different
issues (cosmetic or not).
Wkr,
Sven Vermeulen
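The reproduction steps above exist to get a clean avc.log for one service start, because an excerpt that spans several days is usually a mix of unrelated issues. As an added example (not part of the thread, and not Gentoo or refpolicy code), here is a small Python triage script that parses AVC lines in the standard kernel/audit format, groups the denials by source type, target type, object class and permission, and reports how many days the excerpt spans. The sample log lines are constructed; the type names in them are illustrative and make no claim about the real dbus or xdm policy.

```python
import re
from datetime import datetime, timezone

# Constructed sample of an AVC log excerpt (not from the original thread).
# Type names are illustrative, not a description of the real policy.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1311171702.101:41): avc:  denied  { read } for  pid=2311 comm="dbus-daemon" name="machine-id" dev=sda3 ino=5121 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1311171702.105:42): avc:  denied  { read } for  pid=2311 comm="dbus-daemon" name="machine-id" dev=sda3 ino=5121 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1311258200.330:97): avc:  denied  { write } for  pid=2311 comm="dbus-daemon" name="system_bus_socket" dev=tmpfs ino=9 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmp_t tclass=sock_file
type=AVC msg=audit(1311344610.512:130): avc:  denied  { getattr } for  pid=4410 comm="kdm" path="/var/log/kdm.log" dev=sda3 ino=7788 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:var_log_t tclass=file
Jul 20 14:21:42 host kernel: unrelated line that must be ignored
"""

# Standard AVC line layout: audit(<epoch>.<ms>:<serial>): avc: denied { perms } for pid=... comm="..."
# ... scontext=... tcontext=... tclass=...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+)\.\d+:\d+\): avc:\s+(?P<action>denied|granted)\s+"
    r"\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+) comm=\"(?P<comm>[^\"]+)\".*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Third field of user:role:type[:level]."""
    return context.split(":")[2]


def parse_avc(text):
    """Return one dict per AVC line; lines that are not AVC records are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = int(rec["ts"])
        rec["perms"] = " ".join(sorted(rec["perms"].split()))
        records.append(rec)
    return records


def summarize(records):
    """Group denials by (source type, target type, class, perms), keeping a count,
    the set of commands that triggered them and the first/last time seen."""
    groups = {}
    for r in records:
        if r["action"] != "denied":
            continue
        key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"], r["perms"])
        g = groups.setdefault(key, {"count": 0, "comms": set(), "first": r["ts"], "last": r["ts"]})
        g["count"] += 1
        g["comms"].add(r["comm"])
        g["first"] = min(g["first"], r["ts"])
        g["last"] = max(g["last"], r["ts"])
    return groups


def span_days(records):
    """Whole days between the oldest and newest record; 0 for a single clean run."""
    if not records:
        return 0
    stamps = [r["ts"] for r in records]
    return (max(stamps) - min(stamps)) // 86400


def report(text):
    """Human-readable triage summary; a span of more than 0 days is the warning sign."""
    recs = parse_avc(text)
    lines = [f"{len(recs)} AVC records spanning {span_days(recs)} day(s)"]
    for (src, tgt, cls, perms), g in sorted(summarize(recs).items()):
        first = datetime.fromtimestamp(g["first"], timezone.utc).strftime("%Y-%m-%d")
        last = datetime.fromtimestamp(g["last"], timezone.utc).strftime("%Y-%m-%d")
        lines.append(f"{g['count']:4d}x {src} -> {tgt}:{cls} {{ {perms} }} "
                     f"comm={','.join(sorted(g['comms']))} seen {first}..{last}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AVC_LOG))
```

Run it against the avc.log captured after the setenforce/stop/start sequence above; if the report says the file spans more than zero days or lists several unrelated source domains, the capture was not clean and the steps should be repeated.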
, do not seem
to be happy with the string -> bytes or string -> unicode or ... changes
that occur). I might take another stab at this in the future, but for now
I've had about it :-(
Wkr,
Sven Vermeulen
pens then?
My overlay contains sec-policy/selinux-puppet-2.20101213-r1 [1] so if you
want to test things out, you can subscribe to the overlay or put the
necessary files in your own.
[1]
https://github.com/sjvermeu/gentoo.overlay/tree/7e3e3e56a7eb822ed57cc3f3d6285189a1d9fa27/sec-policy/selinux-puppet
Wkr,
Sven Vermeulen
ERIFIED
#371425 - Mark as VERIFIED
#374991 - Mark as FIXED
#375475 - Mark as CONFIRMED
#375617 - Mark as IN_PROGRESS
#373381 - Mark as CONFIRMED
Thanks in advance.
Wkr,
Sven Vermeulen
on it. Problem is that
the definitions are ambiguous.
Wkr,
Sven Vermeulen
POLICY_TYPES="strict targeted"
must be changed to
POLICY_TYPES="strict targeted mcs mls"
otherwise the base policy could support MCS/MLS but the modules themselves
not.
Wkr,
Sven Vermeulen
-3.3.6 not being able to be built,
which was confirmed fixed by the reporter. It doesn't talk about encryption
or luks.
I guess you mean bug #361911, which is about cryptsetup. This one is still
open.
Wkr,
Sven Vermeulen
"semanage" that
fubar'ed /etc/selinux labels).
Wkr,
Sven Vermeulen
g" so it doesn't have to provide a
logging method for itself, then the AVC denial is to be expected. If you
still want this to succeed, see if you can put a "cat" in between, so
instead of
procmail ... | postlog
use
procmail ... | cat | postlog
But again, please find out what procmail is doing so we can see that it gets
a proper fix ;-)
Wkr,
Sven Vermeulen
Linux booleans).
Wkr,
Sven Vermeulen
ugh the xserver
module. Is sec-policy/selinux-xserver installed on your system?
Wkr,
Sven Vermeulen
system_r:xdm_t
>
Hmm... assuming xdm works through some PAM configuration, can you tell me
how /etc/conf.d/xdm (or kdm, gdm, whatever) looks like?
If it doesn't source system-auth (which is where we put the pam_selinux.so
call in) that might be the reason...
Wkr,
Sven Vermeulen
/hardened/linux/package.mask
Okay if those get removed?
Report courtesy of http://qa-reports.gentoo.org/output/invalid-mask.txt
Wkr,
Sven Vermeulen
like logon through terminals)?
If not, does it fix the KDM logons?
Wkr,
Sven Vermeulen
:
~# getseuser swift system_u:system_r:xdm_t
seuser: staff_u, level (null)
Context 0 staff_u:staff_r:staff_t
When I try it with kdm_t, I get an incorrect result as well (in my case, it
would use sysadm_t which is definitely not something I would like to happen
;-)
Wkr,
Sven Vermeulen
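The getseuser output above is the result of a two-step lookup: seusers maps the Linux login to an SELinux user (and optional level), and default_contexts picks a role:type for that user given the login program's context. As an added example (not from the thread, and not libselinux or Gentoo code), here is a Python model of that lookup. The seusers, default_contexts and role tables are constructed for the example; in libselinux the reachable roles come from the kernel via security_compute_user(). The fallback when no default_contexts line matches the login domain (the kdm_t case here) is my reading of libselinux's get_ordered_context_list() and is an assumption, not something the thread states.

```python
# Constructed sample files (not from the original thread). On a real system
# these are /etc/selinux/<policy>/seusers and /etc/selinux/<policy>/contexts/default_contexts.
SEUSERS = """\
# login:seuser[:level]    (no level on a non-MLS strict policy, hence "level (null)")
root:root
swift:staff_u
__default__:user_u
"""

DEFAULT_CONTEXTS = """\
# <login program role:type>  <candidate role:type> ... in order of preference
system_r:local_login_t  user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
system_r:sshd_t         user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
system_r:xdm_t          user_r:user_t staff_r:staff_t
"""

# Roles each SELinux user may reach, in the order the kernel happens to list
# them. Constructed; in libselinux this comes from security_compute_user() and
# the order carries no preference.
REACHABLE_ROLES = {
    "user_u": ["user_r"],
    "staff_u": ["sysadm_r", "staff_r"],
    "root": ["sysadm_r", "staff_r"],
}
# Default type per role, constructed for the example.
ROLE_DEFAULT_TYPE = {"user_r": "user_t", "staff_r": "staff_t", "sysadm_r": "sysadm_t"}


def _data_lines(text):
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_seusers(text):
    """login -> (seuser, level or None)."""
    table = {}
    for line in _data_lines(text):
        parts = line.split(":")
        table[parts[0]] = (parts[1], ":".join(parts[2:]) or None)
    return table


def lookup_seuser(login, seusers_text=SEUSERS):
    """What getseuser reports: the seusers entry, or the __default__ one."""
    table = parse_seusers(seusers_text)
    return table.get(login, table.get("__default__"))


def parse_default_contexts(text):
    """'role:type' of the login program -> ordered list of (role, type) candidates."""
    table = {}
    for line in _data_lines(text):
        fields = line.split()
        table[fields[0]] = [tuple(f.split(":")) for f in fields[1:]]
    return table


def resolve_context(login, from_context, seusers_text=SEUSERS, defaults_text=DEFAULT_CONTEXTS):
    """Return (context, matched). matched is False when no default_contexts line
    covered the login domain and the result came from the fallback ordering."""
    seuser, level = lookup_seuser(login, seusers_text)
    roles = REACHABLE_ROLES[seuser]
    role, typ = from_context.split(":")[1:3]
    suffix = ":" + level if level else ""
    for cand_role, cand_type in parse_default_contexts(defaults_text).get(f"{role}:{typ}", []):
        if cand_role in roles:
            return (f"{seuser}:{cand_role}:{cand_type}{suffix}", True)
    # Assumption: with no matching line, libselinux hands back the reachable
    # contexts in kernel order, so the first listed role wins, whatever it is.
    role = roles[0]
    return (f"{seuser}:{role}:{ROLE_DEFAULT_TYPE[role]}{suffix}", False)


if __name__ == "__main__":
    for domain in ("xdm_t", "kdm_t"):
        ctx, matched = resolve_context("swift", f"system_u:system_r:{domain}")
        print(f"{domain}: {ctx} ({'default_contexts' if matched else 'fallback'})")
```

With the constructed data, xdm_t resolves to staff_u:staff_r:staff_t as in the output above, while kdm_t has no default_contexts line and falls through to whichever role is listed first, which is how an administrative domain can end up as the login context. The fix on a real system is to add a matching line to default_contexts (or the per-user file under contexts/users/) rather than to rely on the fallback order.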
e need to
"open" the privileges on initrc_t towards all potential services. Not only
does that require lots of work, it also brings in patches in our policy that
upstream will never accept (and they're right not to accept it).
Hence I'll be working on that the upcoming days.
Wkr,
Sven Vermeulen
On Fri, Aug 19, 2011 at 08:51:48PM +, Sven Vermeulen wrote:
> Okay, but what is this "in-depth" change that I was talking about. Well,
> SELinux policies support labeled init scripts. For instance,
> "slapd_initrc_exec_t" which allows the init script to run in an
eed to "open" up
initrc_t stays in place (we just don't have a choice here). That initrc_t
is a highly privileged domain is obvious from a first look at its .te file.
So it looks as if we just need to add the proper optional_policy statements
here.
BTW, glad to hear you're seeing some free time in the near future ;-)
Wkr,
Sven Vermeulen
this then support the reason for this (i.e. role-based
support for calling only selected init scripts)?
Wkr,
Sven Vermeulen
pdate - I think - the init_script_file
interface to support the Gentoo integrated run_init as well. But that's
something to test and find out.
Wkr,
Sven Vermeulen
On Mon, Aug 22, 2011 at 03:18:16PM +, Sven Vermeulen wrote:
> What you are suggesting (label init script) is exactly what I was talking
> about: instead of having the init scripts labeled initrc_exec_t, they should
> be labeled like slapd_initrc_exec_t, postfix_initrc_exec_t, ... and
status: started
Unless you mean to support it without asking for re-authentication. In that
case, check out bug #365761. It contains a "fix" for this if you prepend
your runscript activities with run_init. However, it seems not to support
the use of rc-service though.
Wkr,
Sven Vermeulen
ou have _role or _run templates to execute applications, or _admin
templates to manage daemons).
Perhaps it would be better if someone drafts up a nice document on how to
create your own roles (and maintain them)?
Wkr,
Sven Vermeulen
like some
of our booleans).
Any objections here?
Wkr,
Sven Vermeulen
ructure fixed it. Handbooks are possible indeed, so you can watch the
current SELinux handbook at
http://dev.gentoo.org/~swift/docs/previews/selinux/selinux-handbook.xml
Wkr,
Sven Vermeulen
but it
is still in ~arch. I'll see to it that it gets stabilized.
Wkr,
Sven Vermeulen
ot;.
Ah yes, the package was stabilized. I'll update the documents accordingly.
> Are there any other packages that need to be unmasked?
There shouldn't be, although we're quite near a stabilization of the more
recent userspace utilities now (which is needed for the latest policies).
Wkr,
Sven Vermeulen
install done according to
> the guide :)
If I'm not mistaken, that would be:
sys-libs/libselinux
sys-apps/policycoreutils
sys-libs/libsemanage
sys-libs/libsepol
app-admin/setools
dev-python/sepolgen
sys-apps/checkpolicy
sec-policy/*
Wkr,
Sven Vermeulen
to unmask files.
That's the old one (and still working), but for consistency sake,
portage now uses /etc/portage/package.FOOBAR where FOOBAR is the same
as the variable in make.conf (so accept_keywords, accept_licenses,
...)
Wkr,
Sven Vermeulen
On Wed, Oct 19, 2011 at 2:54 PM, J. Roeleveld wrote:
> To the latest ~amd64? Or to which version? :)
Latest is fine (for now ;-)
Wkr,
Sven Vermeulen
g else. Only when your context is sysadm_t, then you can run
"setenforce 1" to switch to enforcing mode.
Keep that terminal logged on, work around a bit. If you get stuck, switch
back to the terminal, type in "setenforce 0" and you are back in permissive.
Wkr,
Sven Vermeulen
thub.com/sjvermeu/small.coding/tree/HEAD/selinux-modules/patches
Wkr,
Sven Vermeulen
you think we need an ebuild for a specific policy
module, ask and I'll gladly add it to the tree.
Wkr,
Sven Vermeulen
re) but
I'd like to confirm that with the above information.
Wkr,
Sven Vermeulen
On Sat, Nov 12, 2011 at 11:55:47AM +0100, Radosław Smogura wrote:
> I unmerged selinux-gnupg-2.20101213-r1 and installed selinux-gpg-2.20110726-
> r2.
Good, that's confirmed then ;-) I've updated the dependency line in
selinux-gpg accordingly.
Wkr,
Sven Vermeulen
yle)
I have also cleaned out our previous policies in the main portage tree
(those before 2.20110627) which was quite some work (removal itself doesn't
take that much time, but verifying that one isn't going to break systems is)
but I'm glad that is now done.
Wkr,
Sven Vermeulen
=proj/hardened-docs.git;a=blob_plain;f=html/selinux-bugreporting.html;hb=HEAD
I'll add in a live example the moment I find one that fulfills these ;-) Not
saying there aren't any, just that I'm too lazy to find one right now.
Wkr,
Sven Vermeulen
enials, I
gather that you were still running in staff_r role. You need to transition
to sysadm_r role first and then try to perform your administrative tasks.
Wkr,
Sven Vermeulen
vde_conf_t type for the VDE module, etc_t is sufficient
- Update links_t domain with upstream feedback
- Udev tempnode, when used for disk devices, should be of type
fixed_disk_device_t
- Mark wpa_cli as an interactive application
Wkr,
Sven Vermeulen
There is no need to put pam_selinux for su in the first place.
At least, I don't have it on my systems. The only place where pam_selinux is
called is in the system-login definition for PAM (which is sourced by login,
slim and sshd PAM definitions).
Meh.
Sven Vermeulen
://dev.gentoo.org/~swift/docs/previews/oval/gentoo-xccdf-guide.html.
With the instructions given, you can even have your system validated (as far
as possible) automatically.
Wkr,
Sven Vermeulen
-the-box).
Wkr,
Sven Vermeulen
On Sun, Dec 11, 2011 at 02:20:43PM +0200, Alex Efros wrote:
> On Sun, Dec 11, 2011 at 10:18:51AM +0000, Sven Vermeulen wrote:
> > Also consider hardening your system settings-wise. I would appreciate if you
> > take a look at
> > http://dev.gentoo.org/~swift/docs/previ
he
system was running in enforcing.
On a side-note, I've moved the SELinux module documentation to the Gentoo
Wiki @ http://wiki.gentoo.org/wiki/SELinux and I've also copied quite a few
entries from our FAQ into the Knowledge Base
(http://wiki.gentoo.org/wiki/Knowledge_Base:Main_P
ng firefox binary (on the system).
Wkr,
Sven Vermeulen
this was previously nicely shielded off through the PAM
helpers). I don't know how to handle this case yet. I can definitely start
updating the policies so they work without PAM, but I'd first like to know
if there are people using SELinux without PAM...
Wkr,
Sven Vermeulen
s found in syslog - try
> >dmesg | tail or so
> >
> > mount: unknown filesystem type 'selinuxfs'
What is the output of "zgrep SELINUX /proc/config.gz" (or "grep SELINUX
/usr/src/linux/.config")?
Wkr,
Sven Vermeulen
not by forcing unconfined domains or switching to permissive first)
working (through dracut for the moment). Hopefully that'll work in the near
future :-(
Wkr,
Sven Vermeulen
ldn't hurt to start out with a no-multilib and see if it indeed works.
Otherwise you'll never know ;-)
Wkr,
Sven Vermeulen
led on RMD160 verification
> * Got: ccc74ad3d44a453a7a325d562d6f72425a883014
> * Expected: 7426b7c6b055da1222ba81bbb7138cec66bc8498
> Is this a problem with digest updates or is someone trying to do a bad thing?
I goofed up, but I hope it is fixed now.
Wkr,
Sven Vermeulen
Give it your best shot.
TIA,
Sven Vermeulen
y well. There's an open bug on
it, and I hope I can get us with a working initramfs soon.
But for the mean time, either drop the initramfs/initrd system, or boot in
permissive mode and switch to enforcing during the boot-up (for instance
through an init script in the boot runlevel).
Wkr,
Sven Vermeulen
setfiles in the SELinux installation instructions just for
that) and enable dontaudits again (semodule -B).
Wkr,
Sven Vermeulen
boot in permissive mode, relabel the system,
and then reboot in enforcing again.
Wkr,
Sven Vermeulen
w initrc_t self:capability ~{ sys_admin sys_module };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
I'll need to check the commit history to see if there was a particular
reason why it is explicitly not set.
Wkr,
Sven Vermeulen
is also possible that the policy is not up to date with
recent dovecot development (and then needs policy updates).
At first sight, I don't see the dovecot_t domain to be capable of doing much
with dovecot_etc_t if it is a directory:
allow dovecot_t dovecot_etc_t:file read_file_perms;
Wkr,
Sven Vermeulen
ional)
I will now focus on getting 2.20120215 in shape (together with the tools
release), stabilize the 2.20110726 ones (around r11 which has now been
around for a bit more than 30 days), work further on initramfs and our docs.
Wkr,
Sven Vermeulen
rc_t, or we
transition when we call sysctl (to sysctl_t or so). Individual initrc_t
domains (like sysctl_initrc_t) we don't support (yet).
Wkr,
Sven Vermeulen