[ubuntu-hardened] refpolicy

Chad Sellers csellers at tresys.com
Tue Aug 5 04:59:20 BST 2008


On 8/4/08 8:08 PM, "gdsm at tgfslp.dalmany.co.uk" <gdsm at tgfslp.dalmany.co.uk>
wrote:
> 
> Thank you for replying, I have answered inline
> 
>> On 8/4/08 4:59 PM, GDS Marshall
>> wrote:
>> 
>>> 
>>> Hello,
>>> 
>>> I have been looking at using the refpolicy from tresys.com as Ubuntu
>>> only has a policy for cups.  I am not sure if there is anyone on the list
>>> who can help.
>>> 
>>> Ubuntu hardy
>>> linux 2.6.25.10 from www.kernel.org with SELinux enabled.
>>> 
>>> At bootup, I get the following
>>> Aug  3 22:19:07 hp-laptop kernel: [    8.035418] type=1400 audit(1217798318.515:3): avc:  denied  { search } for  pid=869 comm="hotplug" name="/" dev=hda1 ino=2
>>> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:default_t tclass=dir
>>> 
>> / should not be labeled default_t, it should be root_t. Did you relabel
>> your
>> filesystem after switching over to upstream refpolicy?
> Yes, I did (twice: once with make relabel, the second with a touch
> /.autorelabel)
> 
Hmmm. Does the relabel complete successfully? What does your
/etc/selinux/config file look like?

>> What filesystem are
>> you using?
> ext3 with attr set
> 
>> What settings did you set in your refpolicy build.conf?
> OUTPUT_POLICY = 18

Why are you outputting version 18 policy? That's a really old version of
policy that will likely have problems on your system. You should probably
leave this commented out (as I believe it is by default), or set it to the
version Ubuntu is using (22 I believe).

> TYPE = standard
> NAME = refpolicy-strict
> DISTRO = debian
> UNK_PERMS = reject
> DIRECT_INITRC = n
> MONOLITHIC = n
> MLS_SENS = 16
> MLS_CATS = 256
> MCS_CATS = 256
> QUIET = n
> 
>> Did you
>> first install the Ubuntu selinux package to make sure you got all the
>> appropriate tools?
> I installed selinux-basics, selinux, setools, selinux-utils, sepol-utils,
> selinux-policy-refpolicy, selinux-policy-refpolicy-unconfined (and for
> autoloading, sysvinit). Have I missed any?
> 
I don't think so.

>> How did you install refpolicy?
> Downloaded the refpolicy
> (http://oss.tresys.com/files/refpolicy/refpolicy-20080702.tar.bz2),
> untarred it (followed the INSTALL, i.e. make install-src, make conf, make
> policy, make install, make load, make relabel),
> rebooted and went through the logs to see what needed fixing (audit2allow
> -i /var/log/syslog)
> 
Is / the only thing mislabeled, or does everything look wrong?

>> 
>>> I know this is only hotplug, but I get quite a few with
>>> name="/"
>>> and
>>> tcontext=system_u:object_r:default_t
>>> obviously my / is labelled system_u:object_r:default_t as shown below
>>> 
>>> ls -Za /
>>>     system_u:object_r:default_t .
>>>     system_u:object_r:default_t ..
>>> <snip>
>>> 
>>> Another example is syslog
>>> Aug  3 22:38:30 hp-laptop kernel: [ 1201.056587] type=1400
>>> audit(1217799510.147:457): avc:  denied  { search } for  pid=3821
>>> comm="klogd" name="/" dev=hda1 ino=2 scontext=system_u:system_r:klogd_t
>>> tcontext=system_u:object_r:default_t tclass=dir
>>> Aug  3 22:38:30 hp-laptop kernel: [ 1201.056672] type=1400
>>> audit(1217799510.147:458): avc:  denied  { search } for  pid=3756
>>> comm="syslogd" name="/" dev=hda1 ino=2 scontext=system_u:system_r:syslogd_t
>>> tcontext=system_u:object_r:default_t tclass=dir
>>> 
>>> 
>>> This means when I enforce, nothing is logged.
>>> 
>> You're a long way from going into enforcing.
> Yes, I know.
> 
>> You first need to get the
>> policy installed properly, then you'll likely need to do a good bit of
>> policy development (depending on how many and which modules you selected
> I expected that, the refpolicy was just somewhere to start.
> 
That's fine. I just wanted to make sure you knew what you were getting
yourself into.

>> to
>> be installed in your modules.conf) before the system will run in
>> enforcing.
> modules.conf
> corecommands = base
> corenetwork = base
> devices = base
> domain = base
> files = base
> filesystem = base
> kernel = base
> mcs = base
> mls = base
> selinux = base
> terminal = base
> and then 248 modules (the default, I have not modified the modules.conf file)

If you're going to build a custom policy for the box, you should consider
going through the modules.conf and enabling/disabling the modules you need. At
the very least it will speed up any semodule/semanage operations you may do
considerably, as well as reduce the kernel memory you're using.

Hope that helps,
Chad

>> 
>> 
>>> I am presuming I do not have / labelled correctly.
>>> 
>>> What should the correct label be please?
>>> 
>>> If you need any other information, please ask.
>>> 
> Many thanks,
> 
> Spencer
> 
> 
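Every denial quoted in this thread has the same shape: a different source domain (hotplug_t, klogd_t, syslogd_t) is refused `search` on the same object, `name="/"` carrying `default_t`. That pattern is the signature of a mislabeled filesystem rather than a missing allow rule, and it is worth separating out before feeding anything to audit2allow, which would otherwise happily generate `allow ... default_t:dir search` rules that paper over the real fault. The script below is an added example, not code from the thread or from refpolicy. It parses AVC denial lines of the syslog format shown above, reports every denial whose target type matches the one you name, and counts how many distinct domains are hitting it. The sample lines are constructed from the excerpts in this thread; the fourth line (a `crond_t` denial on `etc_t`) is invented to show a denial that is not a labeling problem and therefore does not get reported when you ask about `default_t`.

```shell
#!/bin/sh
# Added example: triage AVC denials by target type so that mislabeling
# (e.g. "/" carrying default_t instead of root_t) stands out from ordinary
# missing-allow-rule denials before anything is handed to audit2allow.

# Constructed sample input. The first three lines are copied from the
# denials quoted in this thread; the fourth is a made-up denial against a
# correctly labelled file, included so the filter has something to ignore.
AVC_SAMPLE='Aug  3 22:19:07 hp-laptop kernel: [    8.035418] type=1400 audit(1217798318.515:3): avc:  denied  { search } for  pid=869 comm="hotplug" name="/" dev=hda1 ino=2 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:default_t tclass=dir
Aug  3 22:38:30 hp-laptop kernel: [ 1201.056587] type=1400 audit(1217799510.147:457): avc:  denied  { search } for  pid=3821 comm="klogd" name="/" dev=hda1 ino=2 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:default_t tclass=dir
Aug  3 22:38:30 hp-laptop kernel: [ 1201.056672] type=1400 audit(1217799510.147:458): avc:  denied  { search } for  pid=3756 comm="syslogd" name="/" dev=hda1 ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:default_t tclass=dir
Aug  3 22:40:01 hp-laptop kernel: [ 1292.000000] type=1400 audit(1217799601.000:460): avc:  denied  { read } for  pid=4001 comm="cron" name="crontab" dev=hda1 ino=12345 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:etc_t tclass=file'

# avc_by_target TYPE
# Read AVC lines on stdin and print one tab-separated record per denial
# whose target type (third field of tcontext) equals TYPE:
#   <object name> <source type> <permission> <comm>
avc_by_target() {
    awk -v want="$1" '
        /avc: +denied/ {
            name = ""; comm = ""; src = ""; tgt = ""; perm = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^name=/)     { name = $i; sub(/^name=/, "", name); gsub(/"/, "", name) }
                if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
                if ($i ~ /^scontext=/) { src = $i;  sub(/^scontext=/, "", src) }
                if ($i ~ /^tcontext=/) { tgt = $i;  sub(/^tcontext=/, "", tgt) }
                if ($i == "{")         { perm = $(i + 1) }   # permission sits inside "{ ... }"
            }
            # user:role:type[:level] -> the type is always the third field,
            # so this also works on MLS/MCS contexts that carry a level.
            split(src, s, ":"); split(tgt, t, ":")
            if (t[3] == want) printf "%s\t%s\t%s\t%s\n", name, s[3], perm, comm
        }'
}

# avc_domain_count TYPE
# Number of distinct source domains that were denied something on an
# object of type TYPE. Many unrelated domains failing on the same object
# is the tell-tale of mislabeling rather than a missing rule.
avc_domain_count() {
    avc_by_target "$1" | cut -f2 | sort -u | wc -l | tr -d ' '
}

# Stand-alone run: list the default_t denials and summarise them.
printf '%s\n' "$AVC_SAMPLE" | avc_by_target default_t
echo "distinct domains denied on default_t objects: $(printf '%s\n' "$AVC_SAMPLE" | avc_domain_count default_t)"
```

On a real box the input would come from `grep avc /var/log/syslog` (or `ausearch -m avc` where auditd is running) instead of the embedded sample. If the object names reported for `default_t` are `/` and other top-level paths, the fix is a relabel against the policy's own file contexts rather than new allow rules; only once `ls -dZ /` shows `root_t` do the remaining denials deserve audit2allow.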
