[DSE-User] Upgrade difficulties

Mantaray mantaray_1 at cox.net
Mon Jan 11 21:15:08 UTC 2010


Mantaray wrote:
> Update:
> 
> I am beginning to wonder if this list has any active members, but in 
> case it does (and anyone is interested), I have made some progress with 
> my problem.
> 
> First, #2 and #3 (below) resulted from labeling differences in the new 
> policy.  I have resolved these difficulties and the new policy is 
> working fine.
> 
> Secondly, I have made some progress towards understanding #1.  My web 
> browser now accesses the internet more indirectly, using tcp_socket and 
> udp_socket permissions, so it is not constrained by node or netif 
> constraints.  It seems, however, that these constraints should still 
> have stopped whatever process was attempting to use the netif and node 
> permissions; and I am wondering why this is not the case.  If anyone is 
> knowledgeable enough to help me to understand this, and has the time, I 
> would still appreciate a reply.  So far the best public information I 
> have been able to find regarding object classes and permissions has come 
> from the book "SELinux by Example" (written by Frank Mayer, Karl 
> MacMillan, and David Caplan) and the SELinux Project Wiki 
> (http://selinuxproject.org/page/ObjectClassesPerms).  As stated on the 
> wiki: "The permission descriptions are only for providing a general idea 
> of the purposes of the permissions; a permission may mediate many 
> operations."  Since I am not a 'Linux-guru', it would be a major 
> undertaking for me if I needed to wade through the source of the policy 
> compiler and/or the Linux Kernel to get the information, and I would 
> like to understand how this works and why/how the constraints can be 
> bypassed.
> 
> -Ken-
> 
> 
> Mantaray wrote:
>> Hello,
>>
>> I have been using Debian since the Etch release, and I have been using 
>> a 2007 SELinux policy with some adaptations (I compile my own policy) 
>> from December 2007 to the present.  I am getting ready to use Debian 
>> 6, so I have a copy running on my test drive.  My policy is broken on 
>> Debian 6.
>>
>> Explanation of "broken":
>> 1)  I have node-based restrictions on internet access for two of my 
>> user accounts (I have defined my own users with their own role and 
>> type).  One of these is for an rdc connection to a company server 
>> (used on a "work" user account), which is restricted to one ip 
>> address; and another is for my young son, to keep him limited to his 
>> "pbs kids" site.  This has been accomplished by defining nodes, and 
>> using constraints relating to the node names and the user role.  These 
>> have consistently worked with every upgrade until now.  When I compile 
>> my policy with the current "testing" distribution, these restrictions 
>> no longer take effect, and the web browser can access any site from 
>> any account.
>>
>> 2)  When the restrictions no longer took effect, I decided to upgrade 
>> the policy, so I replaced the SELinux source with the source that is 
>> currently being used for "testing."  When I compile this source, with 
>> the same changes to the base module, all of the user directories are 
>> labeled "user_u ...", and when I attempt to log in, the following 
>> message appears: "Would you like to enter a security context?"  When I 
>> attempt to enter the appropriate context, I receive a message 
>> declaring that the context is invalid.  In an attempt to resolve this, 
>> I copied my original pam login file to pam.d, with no effect.  I am 
>> not sure what to look at next with regard to the login.
>>
>> 3)  My user names show up in the per-user context file when I compile 
>> the policy, however none of the labeling rules from the related .fc 
>> file (compiled as a loadable module after the base module) appear in 
>> this file.
>>
>> I have spent a great deal of time working on my policy, and I would 
>> really like to get it working on the new Debian.  If anyone has 
>> suggestions that may help me to troubleshoot the problems I am having, 
>> I would really appreciate it.
>>
>> -Ken-
>>
>>
>> _______________________________________________
>> Selinux-user mailing list
>> Selinux-user at lists.alioth.debian.org
>> http://lists.alioth.debian.org/mailman/listinfo/selinux-user
>>
> 

If anyone is interested:  The kernel permission checks have changed, and 
the solution is "to use secmark or to use the newer ingress/egress 
checks, but note that using either requires additional configuration 
(iptables for secmark, labeled networking for ingress/egress)." (Stephen 
Smalley, National Security Agency)

-Ken-
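Stephen Smalley's pointer to SECMARK can be turned into a concrete ruleset. The script below is an added example, not code from this thread or from any Debian policy package: it generates a small policy module and the iptables rules that label one permitted flow for one restricted domain. Every name in it is an assumption: the domain is called work_t, the permitted server is 203.0.113.10 tcp/3389 (a constructed RFC 5737 test address), the module is work_secmark, the contexts assume an MCS/MLS-enabled policy (clear MLS_SUFFIX otherwise), and the refpolicy build Makefile is assumed at /usr/share/selinux/devel/Makefile. The relevant difference from the node/netif approach in the thread is that, once any SECMARK rule is loaded, the packet send/recv check is applied to every packet a socket sends or receives, so a browser that only needs tcp_socket/udp_socket permissions still hits it.

```shell
#!/bin/sh
# Added example (not from the thread): replace node/netif constraints with a
# SECMARK ruleset. Assumed names (all constructed): domain "work_t", server
# 203.0.113.10 tcp/3389 (RFC 5737 test address), module "work_secmark".
# Contexts assume an MCS/MLS-enabled policy; set MLS_SUFFIX= for a plain one.
MODULE=work_secmark
MLS_SUFFIX=":s0"

# Policy module: one packet type for the permitted server. Packets that no
# SECMARK rule matches keep the kernel's unlabeled_t label, and this module
# grants the domain nothing on unlabeled_t, so every other destination fails
# the packet check, which runs on each packet regardless of how the socket
# was opened.
policy_te() {
    sed "s/@DOM@/$1/g; s/@MOD@/$MODULE/g" <<'EOF'
policy_module(@MOD@, 1.0)

gen_require(`
    type @DOM@;
')

type @DOM@_allowed_packet_t;
corenet_packet(@DOM@_allowed_packet_t)

# only packets labelled by the matching iptables rule may be sent or received
allow @DOM@ @DOM@_allowed_packet_t:packet { send recv };

# Deliberately absent: any rule giving @DOM@ send/recv on unlabeled_t
# (e.g. kernel_sendrecv_unlabeled_packets(@DOM@)). If the base policy already
# grants it to this domain, remove it there or the restriction is void.
EOF
}

# iptables rules: label the permitted flow on its first packet, copy the label
# into the conntrack entry, and restore it onto every later packet of the
# connection in both directions so replies carry the same type.
secmark_rules() {
    dom=$1; ip=$2; port=$3
    ctx="system_u:object_r:${dom}_allowed_packet_t${MLS_SUFFIX}"
    cat <<EOF
iptables -t mangle -A INPUT  -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -m state --state NEW -d ${ip} -p tcp --dport ${port} -j SECMARK --selctx ${ctx}
iptables -t mangle -A OUTPUT -m state --state NEW -j CONNSECMARK --save
EOF
}

# Build and load the module, then install the rules. Runs only when asked for
# and only as root. The Makefile path is the refpolicy "devel" layout and is an
# assumption to adjust for a local refpolicy checkout.
apply() {
    dom=$1; ip=$2; port=$3
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    policy_te "$dom" > "${MODULE}.te"
    make -f /usr/share/selinux/devel/Makefile "${MODULE}.pp"
    semodule -i "${MODULE}.pp"
    secmark_rules "$dom" "$ip" "$port" | sh -e
}

# Without arguments the script only prints what it would load, for review.
case "${1:-show}" in
    apply) apply work_t 203.0.113.10 3389 ;;
    *)     policy_te work_t; echo; secmark_rules work_t 203.0.113.10 3389 ;;
esac
```

Run it with no arguments to review the generated module and rules, and as root with `apply` to load them; the iptables rules are not persistent, so they need to be restored at boot by whatever mechanism the system already uses. Two caveats follow from how SECMARK works. First, loading any SECMARK rule switches on the packet check for every domain on the machine, so domains that should keep unrestricted networking must be allowed send/recv on unlabeled_t (refpolicy's kernel_sendrecv_unlabeled_packets interface), which most stock domains already have. Second, a blocked connection shows up in the audit log as an AVC denial with tclass=packet on the restricted domain, which is the record to look for when checking that the restriction is actually being enforced.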
