[DSE-User] Upgrade difficulties
Mantaray
mantaray_1 at cox.net
Mon Jan 11 21:15:08 UTC 2010
Mantaray wrote:
> Update:
>
> I am beginning to wonder if this list has any active members, but in
> case it does (and anyone is interested), I have made some progress with
> my problem.
>
> First, #2 and #3 (below) resulted from labeling differences in the new
> policy. I have resolved these difficulties and the new policy is
> working fine.
>
> Secondly, I have made some progress towards understanding #1. My web
> browser now accesses the internet more indirectly, using tcp_socket and
> udp_socket permissions, so it is not constrained by node or netif
> constraints. It seems, however, that these constraints should still
> have stopped whatever process was attempting to use the netif and node
> permissions; and I am wondering why this is not the case. If anyone is
> knowledgeable enough to help me to understand this, and has the time, I
> would still appreciate a reply. So far the best public information I
> have been able to find regarding object classes and permissions has come
> from the book "SELinux by Example" (written by Frank Mayer, Karl
> MacMillan, and David Caplan) and the SELinux Project Wiki
> (http://selinuxproject.org/page/ObjectClassesPerms). As stated on the
> wiki: "The permission descriptions are only for providing a general idea
> of the purposes of the permissions; a permission may mediate many
> operations." Since I am not a 'Linux-guru', it would be a major
> undertaking for me if I needed to wade through the source of the policy
> compiler and/or the Linux Kernel to get the information, and I would
> like to understand how this works and why/how the constraints can be
> bypassed.
>
> -Ken-
>
>
> Mantaray wrote:
>> Hello,
>>
>> I have been using Debian since the Etch release, and I have been using
>> a 2007 SELinux policy with some adaptations (I compile my own policy)
>> from December 2007 to the present. I am getting ready to use Debian
>> 6, so I have a copy running on my test drive. My policy is broken on
>> Debian 6.
>>
>> Explanation of "broken":
>> 1) I have node-based restrictions on internet access for two of my
>> user accounts (I have defined my own users with their own role and
>> type). One of these is for an rdc connection to a company server
>> (used on a "work" user account), which is restricted to one ip
>> address; and another is for my young son, to keep him limited to his
>> "pbs kids" site. This has been accomplished by defining nodes, and
>> using constraints relating to the node names and the user role. These
>> have consistently worked with every upgrade until now. When I compile
>> my policy with the current "testing" distribution, these restrictions
>> no longer take effect, and the web browser can access any site from
>> any account.
>>
>> 2) When the restrictions no longer took effect, I decided to upgrade
>> the policy, so I replaced the SELinux source with the source that is
>> currently being used for "testing." When I compile this source, with
>> the same changes to the base module, all of the user directories are
>> labeled "user_u ...", and when I attempt to log in, the following
>> message appears: "Would you like to enter a security context?" When I
>> attempt to enter the appropriate context, I receive a message
>> declaring that the context is invalid. In an attempt to resolve this,
>> I copied my original pam login file to pam.d, with no effect. I am
>> not sure what to look at next with regard to the login.
>>
>> 3) My user names show up in the per-user context file when I compile
>> the policy, however none of the labeling rules from the related .fc
>> file (compiled as a loadable module after the base module) appear in
>> this file.
>>
>> I have spent a great deal of time working on my policy, and I would
>> really like to get it working on the new Debian. If anyone has
>> suggestions that may help me to troubleshoot the problems I am having,
>> I would really appreciate it.
>>
>> -Ken-
>>
>>
>> _______________________________________________
>> Selinux-user mailing list
>> Selinux-user at lists.alioth.debian.org
>> http://lists.alioth.debian.org/mailman/listinfo/selinux-user
>>
>
>
If anyone is interested: The kernel permission checks have changed, and
the solution is "to use secmark or to use the newer ingress/egress
checks, but note that using either requires additional configuration
(iptables for secmark, labeled networking for ingress/egress)." (Stephen
Smalley, National Security Agency)
-Ken-
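As an added illustration, not taken from Ken's messages or from the Debian policy, here is how the single-server restriction from item 1 can be expressed with secmark packet labels instead of node constraints: a refpolicy-style module plus the matching iptables SECMARK rules. The domain name work_t, the packet type work_packet_t, the address 192.0.2.10 and the port 3389 are assumptions.

```conf
## work_net.te  (refpolicy-style module; names and addresses are constructed)
policy_module(work_net, 1.0)

gen_require(`
    type work_t;    # the per-user domain for the "work" account (assumed name)
')

# One packet type for traffic to the permitted company server.
type work_packet_t;
corenet_packet(work_packet_t)

# work_t may only send and receive packets carrying this label.  Do not give
# it kernel_sendrecv_unlabeled_packets() or corenet_all_recvfrom_unlabeled();
# anything SECMARK leaves unlabeled is then denied with an AVC on the
# "packet" class rather than on "node" or "netif".
allow work_t work_packet_t:packet { send recv };

## work_net.iptables  (mangle table; apply as root after loading the module)
# Label only the allowed destination; every other packet stays unlabeled.
iptables -t mangle -A OUTPUT -d 192.0.2.10 -p tcp --dport 3389 \
    -m state --state NEW -j SECMARK --selctx system_u:object_r:work_packet_t:s0

# Remember the label on the connection so replies and later segments of the
# same connection carry the same label in both directions.
iptables -t mangle -A OUTPUT -m state --state NEW -j CONNSECMARK --save
iptables -t mangle -A INPUT  -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
```

Once any SECMARK rule is loaded, packet-class checks apply to every domain on the host, so domains that were never granted unlabeled-packet access may start logging packet denials as well; review them with `ausearch -m AVC` in permissive mode before relying on the rules in enforcing mode.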