[DSE-User] Upgrade difficulties
Mantaray
mantaray_1 at cox.net
Thu Dec 31 23:41:27 UTC 2009
Update:
I am beginning to wonder if this list has any active members, but in
case it does (and anyone is interested), I have made some progress with
my problem.
First, #2 and #3 (below) resulted from labeling differences in the new
policy. I have resolved these difficulties and the new policy is
working fine.
Secondly, I have made some progress towards understanding #1. My web
browser now accesses the internet more indirectly, using tcp_socket and
udp_socket permissions, so it is not constrained by node or netif
constraints. It seems, however, that these constraints should still
have stopped whatever process was attempting to use the netif and node
permissions; and I am wondering why this is not the case. If anyone is
knowledgeable enough to help me to understand this, and has the time, I
would still appreciate a reply. So far the best public information I
have been able to find regarding object classes and permissions has come
from the book "SELinux by Example" (written by Frank Mayer, Karl
MacMillan, and David Caplan) and the SELinux Project Wiki
(http://selinuxproject.org/page/ObjectClassesPerms). As stated on the
wiki: "The permission descriptions are only for providing a general idea
of the purposes of the permissions; a permission may mediate many
operations." Since I am not a 'Linux-guru', it would be a major
undertaking for me if I needed to wade through the source of the policy
compiler and/or the Linux Kernel to get the information, and I would
like to understand how this works and why/how the constraints can be
bypassed.
-Ken-
Mantaray wrote:
> Hello,
>
> I have been using Debian since the Etch release, and I have been using
> a 2007 SELinux policy with some adaptations (I compile my own policy)
> from December 2007 to the present. I am getting ready to use Debian
> 6, so I have a copy running on my test drive. My policy is broken on
> Debian 6.
>
> Explanation of "broken":
> 1) I have node-based restrictions on internet access for two of my
> user accounts (I have defined my own users with their own role and
> type). One of these is for an rdc connection to a company server
> (used on a "work" user account), which is restricted to one ip
> address; and another is for my young son, to keep him limited to his
> "pbs kids" site. This has been accomplished by defining nodes, and
> using constraints relating to the node names and the user role. These
> have consistently worked with every upgrade until now. When I compile
> my policy with the current "testing" distribution, these restrictions
> no longer take effect, and the web browser can access any site from
> any account.
>
> 2) When the restrictions no longer took effect, I decided to upgrade
> the policy, so I replaced the SELinux source with the source that is
> currently being used for "testing." When I compile this source, with
> the same changes to the base module, all of the user directories are
> labeled "user_u ...", and when I attempt to log in, the following
> message appears: "Would you like to enter a security context?" When I
> attempt to enter the appropriate context, I receive a message
> declaring that the context is invalid. In an attempt to resolve this,
> I copied my original pam login file to pam.d, with no effect. I am
> not sure what to look at next with regard to the login.
>
> 3) My users' names show up in the per-user context file when I compile
> the policy, however none of the labeling rules from the related .fc
> file (compiled as a loadable module after the base module) appear in
> this file.
>
> I have spent a great deal of time working on my policy, and I would
> really like to get it working on the new Debian. If anyone has
> suggestions that may help me to troubleshoot the problems I am having,
> I would really appreciate it.
>
> -Ken-
>
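An added example, not Ken's policy, of the role-plus-node restriction the post describes, written in SELinux policy source syntax; kid_r, kid_t, pbskids_node_t, the 192.0.2.10 address and the node_type attribute are assumptions.

```selinux
# Added example, not from the post: a node-based restriction of the kind
# Ken describes, in SELinux policy source syntax. All names (kid_r, kid_t,
# pbskids_node_t, the address, the node_type attribute) are assumptions.

# Label the single permitted address with its own node type.
type pbskids_node_t;
nodecon 192.0.2.10 255.255.255.255 system_u:object_r:pbskids_node_t:s0

# Allow rules grant node access broadly (node_type is assumed to be the
# attribute carried by every node type, as in the reference policy) ...
allow kid_t node_type:node { tcp_send tcp_recv udp_send udp_recv };

# ... and the constraint narrows it: a process in role kid_r is permitted
# these node operations only against pbskids_node_t; every other role
# (r1 != kid_r) is left unaffected by this constraint.
constrain node { tcp_send tcp_recv udp_send udp_recv }
    ( r1 != kid_r or t2 == pbskids_node_t );
```

A constrain statement is consulted only for the class/permission pairs it names, so an access check of class tcp_socket or udp_socket (for example tcp_socket connect) is never filtered by a node-class constraint. Whatever tcp_socket and udp_socket allow rules the browser's type carries therefore remain in force regardless of this constraint.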