[ubuntu-hardened] refpolicy

GDS Marshall gdsm at tgfslp.dalmany.co.uk
Tue Aug 5 23:30:45 BST 2008


On Tue, August 5, 2008 4:59 am, Chad Sellers wrote:
> On 8/4/08 8:08 PM, GDS Marshall
> wrote:
>>
>> Thank you for replying, I have answered inline
>>
>>> On 8/4/08 4:59 PM, GDS Marshall
>>> wrote:
>>>
>>>>
>>>> Hello,
>>>>
>>>> I have been looking at using the refpolicy from tresys.com as Ubuntu
>>>> only
>>>> has a policy for cups.  I am not sure if there is anyone on the list
>>>> who
>>>> can help.
>>>>
>>>> Ubuntu hardy
>>>> linux 2.6.25.10 from www.kernel.org with SELinux enabled.
>>>>
>>>> At bootup, I get the following
>>>> Aug  3 22:19:07 hp-laptop kernel: [    8.035418] type=1400
>>>> audit(1217798318.515:
>>>> 3): avc:  denied  { search } for  pid=869 comm="hotplug" name="/"
>>>> dev=hda1
>>>> ino=2
>>>>  scontext=system_u:system_r:hotplug_t
>>>> tcontext=system_u:object_r:default_t
>>>> tclass=dir
>>>>
>>> / should not be labeled default_t, it should be root_t. Did you relabel
>>> your
>>> filesystem after switching over to upstream refpolicy?
>> Yes, I did, (twice, once with make relabel, the second with a touch
>> /.autorelabel)
>>
> Hmmm. Does the relabel complete successfully?
I get the following error (plus similar ones, but all for cups)
/sbin/setfiles /etc/selinux/refpolicy-strict/contexts/files/file_contexts /
filespec_add:  conflicting specifications for
/usr/lib/cups/backend/parallel and
/usr/lib/cups/backend-available/parallel, using system_u:object_r:bin_t.

Apart from that, it completes successfully.

> What does your
> /etc/selinux/config file look like?
SELINUX=enforcing
SELINUXTYPE=refpolicy-strict
SETLOCALDEFS=0

>
>>> What filesystem are
>>> you using?
>> ext3 with attr set
>>
>>> What settings did you set in your refpolicy build.conf?
>> OUTPUT_POLICY = 18
>
> Why are you outputting version 18 policy?
It is what is compiled by default irrespective of what is in the build.conf

> That's a really old version of
> policy that will likely have problems on your system. You should probably
> leave this commented out (as I believe it is by default), or set it to the
> version Ubuntu is using (22 I believe).
checkpolicy -V
gives the output
22 (compatibility range 22-15)

>
>> TYPE = standard
>> NAME = refpolicy-strict
>> DISTRO = debian
>> UNK_PERMS = reject
>> DIRECT_INITRC = n
>> MONOLITHIC = n
>> MLS_SENS = 16
>> MLS_CATS = 256
>> MCS_CATS = 256
>> QUIET = n
>>
>>> Did you
>>> first install the Ubuntu selinux package to make sure you got all the
>>> appropriate tools?
>> I installed, selinux-basics, selinux, setools,
>> selinux-utils,sepol-utils,
>> selinux-policy-refpolicy, selinux-policy-refpolicy-unconfined, (and for
>> autoloading, sysvinit.) have I missed any?
>>
> I don't think so.
>
>>> How did you install refpolicy?
>> Downloaded the refpolicy
>> (http://oss.tresys.com/files/refpolicy/refpolicy-20080702.tar.bz2),
>> untarred it, (followed the INSTALL, i.e. make install-src, make conf,
>> make
>> policy, make install, make load, make relabel)
>> rebooted and went through the logs to see what needed fixing
>> (audit2allow
>> -i /var/log/syslog)
>>
> Is / the only thing mislabeled, or does everything look wrong?
The first time all of /dev looked wrong, that seemed to fix itself.

>
>>>
>>>> I know this is only hotplug, but I get quite a few with
>>>> name="/"
>>>> and
>>>> tcontext=system_u:object_r:default_t
>>>> obviously my / is labelled system_u:object_r:default_t as shown below
>>>>
>>>> ls -Za /
>>>>     system_u:object_r:default_t .
>>>>     system_u:object_r:default_t ..
>>>> <snip>
>>>>
>>>> Another example is syslog
>>>> Aug  3 22:38:30 hp-laptop kernel: [ 1201.056587] type=1400
>>>> audit(1217799510.147:457): avc:  denied  { search } for  pid=3821
>>>> comm="klogd" name="/" dev=hda1 ino=2
>>>> scontext=system_u:system_r:klogd_t
>>>> tcontext=system_u:object_r:default_t tclass=dir
>>>> Aug  3 22:38:30 hp-laptop kernel: [ 1201.056672] type=1400
>>>> audit(1217799510.147:458): avc:  denied  { search } for  pid=3756
>>>> comm="syslogd" name="/" dev=hda1 ino=2
>>>> scontext=system_u:system_r:syslogd_t
>>>> tcontext=system_u:object_r:default_t
>>>> tclass=dir
>>>>
>>>>
>>>> This means when I enforce, nothing is logged.
>>>>
>>> You're a long way from going into enforcing.
>> Yes, I know.
>>
>>> You first need to get the
>>> policy installed properly, then you'll likely need to do a good bit of
>>> policy development (depending on how many and which modules you
>>> selected
>> I expected that, the refpolicy was just somewhere to start.
>>
> That's fine. I just wanted to make sure you knew what you were getting
> yourself into.
>
>>> to
>>> be installed in your modules.conf) before the system will run in
>>> enforcing.
>> modules.conf
>> corecommands = base
>> corenetwork = base
>> devices = base
>> domain = base
>> files = base
>> filesystem = base
>> kernel = base
>> mcs = base
>> mls = base
>> selinux = base
>> terminal = base
>> and then 248 modules (the default, I have not modified the modules.conf
>> file)
>
> If you're going to build a custom policy for the box, you should consider
> going through the modules.conf and enable/disable the modules you need. At
> the very least it will speed up any semodule/semanage operations you may
> do
> considerably, as well as reduce the kernel memory you're using.
I was thinking of making a generic policy for Ubuntu as no one seems to be
working on one.

>
> Hope that helps,
Thank you,

Spencer
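A small triage helper for the AVC denials quoted above, added here as an example and not part of the thread: it parses syslog-style `avc: denied` lines, counts them by source type, target type, object class and permission, and flags any directory denial on `name="/"` whose target type is not `root_t` (the mislabel pointed out in the reply). The sample lines are constructed from the thread's entries, written out unwrapped as syslog stores them.

```python
import re
from collections import Counter

# Kernel AVC denial as written to syslog: permissions in braces, then key=value fields.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')  # comm and name are quoted in the log
    return rec


def context_type(ctx):
    """Type component (user:role:type[:range]) of a security context."""
    return ctx.split(":")[2]


def root_mislabel_denials(lines, expected="root_t"):
    """(comm, actual type) for denials on the filesystem root whose label is not `expected`."""
    hits = []
    for rec in filter(None, map(parse_avc, lines)):
        if rec.get("name") == "/" and rec.get("tclass") == "dir":
            if context_type(rec["tcontext"]) != expected:
                hits.append((rec["comm"], context_type(rec["tcontext"])))
    return hits


def summarize(lines):
    """Count denials by (source type, target type, class, permissions)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        counts[(context_type(rec["scontext"]), context_type(rec["tcontext"]),
                rec["tclass"], " ".join(rec["perms"]))] += 1
    return counts


# Constructed sample input modelled on the thread's log excerpts (plus one non-AVC line).
SAMPLE = [
    'Aug  3 22:19:07 hp-laptop kernel: [    8.035418] type=1400 audit(1217798318.515:3): avc:  denied  { search } for  pid=869 comm="hotplug" name="/" dev=hda1 ino=2 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:default_t tclass=dir',
    'Aug  3 22:19:08 hp-laptop kernel: [    8.100000] Booting paravirtualized kernel on bare hardware',
    'Aug  3 22:38:30 hp-laptop kernel: [ 1201.056587] type=1400 audit(1217799510.147:457): avc:  denied  { search } for  pid=3821 comm="klogd" name="/" dev=hda1 ino=2 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:default_t tclass=dir',
    'Aug  3 22:38:30 hp-laptop kernel: [ 1201.056672] type=1400 audit(1217799510.147:458): avc:  denied  { search } for  pid=3756 comm="syslogd" name="/" dev=hda1 ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:default_t tclass=dir',
]

if __name__ == "__main__":
    for comm, typ in root_mislabel_denials(SAMPLE):
        print(f"{comm}: / is labeled {typ}, expected root_t (relabel needed)")
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

Run it against a real syslog with `root_mislabel_denials(open("/var/log/syslog"))`; an empty result after `make relabel` confirms the root directory label was fixed.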



