[Bug 581505] New: SELinux tools
http://bugzilla.novell.com/show_bug.cgi?id=581505#c0

Summary: SELinux tools
Classification: openSUSE
Product: openSUSE 11.2
Version: Final
Platform: All
OS/Version: openSUSE 11.2
Status: NEW
Severity: Major
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: alan@rouses.net
QAContact: qa@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; NET CLR 2.0.50727; InfoPath.1; .NET CLR 1.1.4322; MS-RTC LM 8; .NET CLR 3.5.30729; .NET CLR 3.0.30618)

Please make the latest upstream policycoreutils available. It has fixes that are necessary to get SELinux working. During a "fixfiles relabel", the inability of even root to traverse a FUSE mount that is owned by another user was worked around by a change to setfiles in policycoreutils 2.0.71 to skip inaccessible mounts.

Also please make available the version of findutils which is built with the selinux patch. This is also necessary for "fixfiles relabel" to work. The lack of support for the -context predicate in find indicates that the findutils package was not built with SELinux support. It appears that this support is still a separate patch in the Fedora package rather than being part of upstream findutils, so you would need to grab it from the Fedora .src.rpm or source repository.

Reproducible: Always

Steps to Reproduce:
The following will allow you to get to a Gnome desktop with selinux enabled in permissive mode, and will demonstrate the above bugs along the way. Hopefully helpful to you in providing support to the growing population of folks interested in selinux!

1. Default install of OpenSuse 11.2 (used Gnome desktop)
2. Boot normally to desktop, open terminal, su -
3. Do this:

   zypper install selinux-tools selinux-policy libselinux* libsemanage* policycoreutils checkpolicy setools-console make m4 gcc findutils-locate git
   vi /boot/grub/menu.lst -- and add to the Desktop kernel boot line: "security=selinux selinux=1 enforcing=0"
   cd /etc/selinux
   cp -R refpolicy-standard targeted
   (Note, this is a workaround for another bug, but I don't know enough about it yet to describe the solution.)
   usermod -s /sbin/nologin nobody
   reboot
   <should boot to desktop>

   =============================================================================
   Get policy src: This is necessary because the policy in the OpenSuse repository is built with MONOLITHIC=y.
   =============================================================================
   -- launch firefox, go to http://software.opensuse.org/search/
   -- search for selinux-policy, download src
   -- install src rpm
   cp /usr/src/packages/SOURCES/refpolicy-2.20081210.tar.bz2 /tmp
   cd /tmp
   bunzip2 refpolicy-2.20081210.tar.bz2
   tar xvf refpolicy-2.20081210.tar
   cd refpolicy
   vi build.conf (set NAME = refpolicy-standard; set DISTRO = suse; set MONOLITHIC = n)
   make clean; make conf; make; make install; make load; make install-src
   cd /etc/selinux/refpolicy-standard/src/policy
   make clean; make conf; make; make install; make load
   cd /etc/selinux
   rsync -avz refpolicy-standard/ targeted
   reboot
   =============================
   End of getting policy source
   =============================
   setsebool -P init_upstart=on
   fixfiles relabel
   (at this point you'll see the error messages)
   -- put SETLOCALDEFS=0 in /etc/selinux/config
   reboot
   <you should find yourself at the Gnome desktop with selinux enabled>

-- 
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
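The report above says that, before policycoreutils 2.0.71, setfiles aborted the whole "fixfiles relabel" when it hit a FUSE mount that root could not traverse (FUSE denies other users, root included, unless the mount was made with allow_other). The script below is an added example, not code from the reporter or from openSUSE: it collects every fuse / fuse.* mount from /proc/mounts and hands each one to setfiles as an "-e DIR" exclusion, which is the documented setfiles option for skipping a directory. It assumes the standard file_contexts path under /etc/selinux/<SELINUXTYPE>/contexts/files/ and the SELINUXTYPE= line of /etc/selinux/config; the SAMPLE_MOUNTS text is constructed, and a real run reads /proc/mounts. It only covers the setfiles part of a relabel, not the /tmp cleanup that fixfiles also does.

```shell
#!/bin/sh
# Added example: exclude FUSE mounts from a setfiles relabel so an
# inaccessible mount does not abort the run (setfiles < 2.0.71 behaviour).
# FUSE filesystems are labelled through genfscon rules in the policy anyway,
# so skipping them during the filesystem walk loses nothing.

# Constructed stand-in for /proc/mounts (not from the bug report).
# /proc/mounts escapes whitespace in mount points as octal, e.g. \040 = space.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda2 / ext4 rw,relatime 0 0
proc /proc proc rw 0 0
sshfs#alice@host:/ /home/alice/remote fuse.sshfs rw,nosuid,nodev,user_id=1000,group_id=100 0 0
gvfs-fuse-daemon /home/alice/.gvfs fuse.gvfs-fuse-daemon rw,nosuid,nodev,user_id=1000,group_id=100 0 0
curlftpfs /mnt/ftp\040share fuse rw,nosuid,nodev,user_id=1001 0 0
/dev/sdb1 /data ext3 rw 0 0'

# stdin: /proc/mounts content. stdout: one decoded FUSE mount point per line.
# The fstype column is "fuse" for plain FUSE and "fuse.<name>" for named ones.
fuse_mounts() {
    while read -r dev mnt fstype rest; do
        case "$fstype" in
            fuse|fuse.*) printf '%b\n' "$mnt" ;;   # %b decodes the \040 escapes
        esac
    done
}

# stdin: /proc/mounts content. stdout: "-e" and the mount point on alternating
# lines, so a caller can rebuild an argument list without word-splitting a
# mount point that contains spaces.
setfiles_excludes() {
    fuse_mounts | while IFS= read -r mnt; do
        printf '%s\n' -e "$mnt"
    done
}

# Relabel the live system with the exclusions applied. Must run as root.
relabel_excluding_fuse() {
    policy=$(sed -n 's/^SELINUXTYPE=//p' /etc/selinux/config 2>/dev/null)
    policy=${policy:-targeted}   # assumption: fall back to the "targeted" tree
    set --
    while IFS= read -r arg; do
        if [ -n "$arg" ]; then
            set -- "$@" "$arg"   # one argv entry per line, spaces preserved
        fi
    done <<EOF
$(setfiles_excludes < /proc/mounts)
EOF
    setfiles "$@" "/etc/selinux/$policy/contexts/files/file_contexts" /
}
```

On the sample input, fuse_mounts prints /home/alice/remote, /home/alice/.gvfs and "/mnt/ftp share" (the last one decoded from \040), and setfiles_excludes turns those into three "-e DIR" pairs. The positional-parameter rebuild in relabel_excluding_fuse is what keeps a mount point with a space as a single argument in plain POSIX sh, which has no arrays.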
--- Comment #1 from Thomas Biege

--- Comment #2 from Stephen Smalley

--- Comment #3 from Justin mattock

--- Comment #4 from Justin mattock

--- Comment #5 from Alan Rouse

--- Comment #6 from Alan Rouse
Please include the setroubleshoot package. Sorry... please ignore!
--- Comment #7 from Alan Rouse
(In reply to comment #5)
> Please include the setroubleshoot package. Sorry... please ignore!

Actually, please make sure packages can be installed without broken dependencies.
--- Comment #8 from Pavol Rusnak

--- Comment #9 from Pavol Rusnak

--- Comment #10 from Justin mattock

--- Comment #11 from Alan Rouse

--- Comment #12 from Justin mattock

--- Comment #13 from Alan Rouse

--- Comment #14 from Pavol Rusnak

--- Comment #15 from Alan Rouse

--- Comment #16 from Pavol Rusnak

--- Comment #17 from Alan Rouse

--- Comment #18 from Pavol Rusnak

--- Comment #19 from Alan Rouse

--- Comment #20 from Pavol Rusnak

--- Comment #21 from Alan Rouse

--- Comment #22 from Pavol Rusnak

--- Comment #23 from Alan Rouse
> Alan: These should be fixed as well.

In ...repositories/security:/SELinux/openSUSE_Factory/i586/:
  setroubleshoot-2.2.64-10.1.i586.rpm requires setroubleshoot-plugins >= 2.0.4, but nothing provides it.
  setroubleshoot-server-2.2.64-10.1.i586.rpm requires libselinux-python, but nothing provides it.

Also, another selinux-related issue: /usr/lib/libcrypto.so.0.9.8 unnecessarily (?) requires an executable stack, which selinux does not permit. This prevents logging in (among other things, I'm sure...) with selinux in enforcing mode. After "zypper install prelink" you get the tools needed to confirm and fix this.

To confirm:
  execstack -q /usr/lib/libcrypto.so.0.9.8
returns "X" at the start of the line, confirming the library wants an executable stack.

To fix:
  execstack -c /usr/lib/libcrypto.so.0.9.8

For more info, see http://etbe.coker.com.au/2007/10/07/executable-stack-and-shared-objects/
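The libcrypto finding above generalises: any shared object whose PT_GNU_STACK header asks for an executable stack, and any object that has no PT_GNU_STACK header at all (the kernel then falls back to an executable stack), will hit the same SELinux execstack denial. The script below is an added example, not code from the reporter or from openSUSE. It parses the output of "execstack -q" (one line per file: a flag character, a space, the path; "X" executable, "-" non-executable, "?" no PT_GNU_STACK) and, for hosts without prelink installed, the GNU_STACK line of "readelf -lW". The sample outputs are constructed; only /usr/lib/libcrypto.so.0.9.8 is a path taken from the report.

```shell
#!/bin/sh
# Added example: list shared objects that will trigger an SELinux execstack
# denial, from "execstack -q" or "readelf -lW" output.

# Constructed sample of "execstack -q /usr/lib/*.so*" output. Only the
# libcrypto path comes from the bug report; the other entries are made up.
SAMPLE_EXECSTACK='- /usr/lib/libc.so.6
X /usr/lib/libcrypto.so.0.9.8
- /usr/lib/libssl.so.0.9.8
? /usr/lib/libold-asm.so.1
- /usr/lib/libz.so.1'

# Constructed "readelf -lW" program-header excerpts (32-bit column layout).
SAMPLE_READELF_EXEC='Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x00000000 0x00000000 0x1a2b3c 0x1a2b3c R E 0x1000
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4'
SAMPLE_READELF_NOEXEC='Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x00000000 0x00000000 0x1a2b3c 0x1a2b3c R E 0x1000
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4'

# stdin: "execstack -q" output. stdout: paths that need an executable stack.
# "?" is reported too: with no PT_GNU_STACK the kernel assumes an executable
# stack, so SELinux treats the object exactly like an "X" one.
execstack_offenders() {
    while IFS= read -r line; do
        flag=${line%% *}   # text before the first space
        path=${line#* }    # text after the first space (spaces in path kept)
        case "$flag" in
            X|'?') printf '%s\n' "$path" ;;
        esac
    done
}

# stdin: "readelf -lW FILE" output. stdout: "exec", "noexec" or "missing".
# With -W every program header is on one line and the flags are column 7.
gnu_stack_state() {
    state=missing
    while IFS= read -r line; do
        case "$line" in
            *GNU_STACK*)
                set -- $line
                flags=$7
                case "$flags" in
                    *E*) state=exec ;;
                    *)   state=noexec ;;
                esac
                ;;
        esac
    done
    printf '%s\n' "$state"
}
```

Typical use is "execstack -q /lib/*.so* /usr/lib/*.so* | execstack_offenders" to get the list of libraries to deal with, or "readelf -lW /usr/lib/libcrypto.so.0.9.8 | gnu_stack_state" for a single file. Two caveats on the "execstack -c" fix from the comment: it rewrites the flag in the installed ELF file, so "rpm -V" will report the file as modified and the next package update silently reverts it; and if the library genuinely runs code on the stack (nested-function trampolines, hand-written assembly that expects it) clearing the flag turns a denial into a crash. The durable fix is in the build: assembly sources need a ".note.GNU-stack" section, or the link needs -Wl,-z,noexecstack, so that the shipped object carries a non-executable PT_GNU_STACK. Flipping the policy boolean allow_execstack on (where the policy provides it) avoids the denial for every domain at once and is correspondingly weaker.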
--- Comment from Thomas Biege

--- Comment from Thomas Biege

--- Comment #24 from Pavol Rusnak
--- Comment #25 from Alan Rouse

--- Comment #26 from Pavol Rusnak
> By the way, are you interested in a working selinux policy for OpenSUSE? I'm currently able to boot to runlevel 5 and log in with selinux in enforcing mode. Obviously there's more to do, but I'm making progress...

Wow, good to hear! I'm not interested in the process of creating a SELinux policy, but I think Thomas is (included in CC).
--- Comment #27 from Thomas Biege
> I just wanted to make you aware of the fact that the version of these packages in the factory were not fixed as of the time I added that comment. Those tools would be useful to me, and I'm sure others also.
>
> By the way, are you interested in a working selinux policy for OpenSUSE? I'm currently able to boot to runlevel 5 and log in with selinux in enforcing mode. Obviously there's more to do, but I'm making progress...

A working policy for openSUSE... that would be great! We can put it in security:SELinux at OBS. Alan, are you familiar with the openSUSE build service, or did you already share it via a version control system like gitorious.org?
--- Comment #28 from Alan Rouse

--- Comment #29 from Pavol Rusnak