Gentoo Forums
Is selinux usable?
Gentoo Forums Forum Index > Off the Wall
mr-simon
Guru


Joined: 22 Nov 2002
Posts: 326
Location: Leamington Spa, Warks, UK

PostPosted: Fri May 02, 2003 6:26 pm    Post subject: Is selinux usable?

I'm building a new firewall and gateway box (what better way to spend a bank holiday weekend?) and decided to have a go at selinux. So far, I've been trying to follow the HOWTO at http://www.lurking-grue.org/selinux/gettingstarted.html - it's seemingly written for debian, and I'm having a bit of trouble following it... If someone's written a "getting-started-with-selinux for gentoo" that I can't find, it's probably best to just skip the rest of this post, and just post a link... ;)

Here's what I've done so far:
Built a gentoo-system from scratch with 'selinux' in my USE variables, and using selinux-sources (with freeswan-2.00 manually applied)
Switched on all the non-experimental selinux options in the kernel
Booted my system with my selinux-enabled kernel
Emerged coreutils (it's masked!) because there seems to be patches for the basic tools ('ls' etc.) that aren't in the ebuilds that usually install them.

So far so good... I can now run 'ls --context /proc' and see output of sorts.

Here come the questions...
First up, when I run 'id' as root (I haven't added any users yet) as the HOWTO suggests, I see "context=kernel", not "context=root:user_r:user_t" as the HOWTO suggests. Is this 'normal' for gentoo, or have I missed something?
Second, when I'm logged on as root, I've tried running "newrole -r user_t" I got 'segmentation fault' the first time (oops) and 'couldn't get default type' all subsequent times.
Third, so far whenever I ls --context /somewhere, all files are listed as "unlabeled" - is this normal for this stage during the install?

Sorry... This is all newbie stuff. It looks like an incompatibility with the Gentoo way of doing things, and the HOWTO I'm reading... Does anyone have any tips, sources of more gentoo-centric documentation, etc... That would help me get started with this?

Edit: Okay, helps if I post accurate info. Here's what actually happens when I do 'newrole' - If I say "newrole -r sysadm_r" or "newrole -r user_r" - newrole segfaults. If I do what I typed above (which is wrong) I get the second error I listed above. I'm actually beginning to think I've missed a step in the installation.
also: sorry for the duplicate posts a moment ago. I'm pulling my hair out trying to navigate this board in lynx!!
_________________
"Pokey, are you drunk on love?"
"Yes. Also whiskey. But mostly love... and whiskey."
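A quick triage for the three symptoms in the post above ('id' ending in context=kernel, 'ls --context' listing everything as "unlabeled", newrole finding no default type). This is an added example, not code from the thread or from Gentoo's SELinux project. It assumes the output format of the SELinux-patched coreutils (context printed as one column, 'id' appending " context=..."), that the kernel exposes the calling process's context at /proc/self/attr/current, and a selinuxfs mount point of /selinux (2003) or /sys/fs/selinux (current kernels); none of those paths are given in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Checks for the three symptoms in the
# post above: 'id' ending in context=kernel, 'ls --context' listing everything
# as "unlabeled", and newrole failing with no default type. Together they mean
# the kernel has SELinux enabled but no policy loaded and an unlabeled
# filesystem. Nothing here changes system state.
#
# Assumptions (not stated in the thread):
#   - SELinux-patched coreutils print the context as one column and 'id'
#     appends " context=<ctx>" to its usual output;
#   - the kernel exposes the calling process's context at
#     /proc/self/attr/current, and selinuxfs is mounted at /selinux (2003)
#     or /sys/fs/selinux (current kernels).

# Print one field (user, role or type) of a "user:role:type[:range]" context.
# Returns 1 and prints nothing for a bare initial SID such as "kernel" or
# "unlabeled", which has no fields to split.
context_field() {
    ctx=$1
    want=$2
    case $ctx in
        *:*:*) ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=:
    set -- $ctx
    IFS=$old_ifs
    case $want in
        user) printf '%s\n' "$1" ;;
        role) printf '%s\n' "$2" ;;
        type) printf '%s\n' "$3" ;;
        *)    return 2 ;;
    esac
}

# Extract the context from one line of 'id' output, e.g.
# "uid=0(root) gid=0(root) groups=0(root) context=root:sysadm_r:sysadm_t".
context_from_id() {
    case $1 in
        *context=*) printf '%s\n' "${1##*context=}" ;;
        *) return 1 ;;
    esac
}

# Say what a context string tells you: "initial-sid" means the kernel fell
# back to a built-in SID because no policy assigned anything, "labeled" means
# a real policy context, "unknown" otherwise.
context_state() {
    case $1 in
        kernel|unlabeled|system_u:object_r:unlabeled_t*) echo initial-sid ;;
        *:*:*) echo labeled ;;
        *) echo unknown ;;
    esac
}

# Count lines of 'ls --context' output (read from stdin) whose context column
# is the literal "unlabeled". Every whitespace-separated field is checked, so
# a file literally named "unlabeled" would also count; good enough for triage.
count_unlabeled() {
    n=0
    while read -r line; do
        set -- $line
        for f in "$@"; do
            if [ "$f" = unlabeled ]; then
                n=$((n + 1))
                break
            fi
        done
    done
    echo "$n"
}

# Live report for the machine this runs on; only invoked with --check so the
# functions above can be sourced and exercised offline.
report_live_system() {
    for fs in /selinux /sys/fs/selinux; do
        if [ -r "$fs/enforce" ]; then
            echo "selinuxfs at $fs, enforce=$(cat "$fs/enforce")"
        fi
    done
    cur=$(cat /proc/self/attr/current 2>/dev/null | tr -d '\0')
    if [ -z "$cur" ]; then
        echo "no process context available (SELinux not active in this kernel?)"
        return 0
    fi
    echo "current context: $cur ($(context_state "$cur"))"
    if [ "$(context_state "$cur")" = initial-sid ]; then
        echo "no policy has assigned this process a context: load a policy first"
    fi
    echo "unlabeled entries under /etc: $(ls --context /etc 2>/dev/null | count_unlabeled)"
}

if [ "${1:-}" = --check ]; then
    report_live_system
fi
```

Run it as `sh selinux-triage.sh --check` on the box in question. All three symptoms in the post are what a kernel with SELinux compiled in but no policy loaded looks like: processes get the initial SID "kernel", files nobody has labeled get "unlabeled", and newrole has no policy to consult for a default type. The step that is missing is loading a policy and relabeling the filesystem before expecting labeled output (the policy source Makefile of that era had `load` and `relabel` targets; current systems use `setfiles` or `restorecon`); the script only tells you which side of that line you are on.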
pjp
Administrator


Joined: 16 Apr 2002
Posts: 16142
Location: Colorado

PostPosted: Fri May 02, 2003 8:00 pm    Post subject:

Moved from Networking & Security.
_________________
lolgov. 'cause where we're going, you don't have civil liberties.

In Loving Memory
1787 - 2008
mr-simon
Guru


Joined: 22 Nov 2002
Posts: 326
Location: Leamington Spa, Warks, UK

PostPosted: Fri May 02, 2003 8:50 pm    Post subject:

pjp wrote:
Moved from Networking & Security.


Any reason? It seems there's a gentoo ebuild for 'selinux-sources', and a USE variable for 'selinux'??

What *doesn't* this have to do with security? Or Gentoo?
_________________
"Pokey, are you drunk on love?"
"Yes. Also whiskey. But mostly love... and whiskey."
lousyd
Apprentice


Joined: 15 Mar 2003
Posts: 166
Location: Des Moines

PostPosted: Wed May 14, 2003 6:31 pm    Post subject: Moving from Networking & Security to Off the Wall

There appears to be no reason for this post to have been moved here. 'pjp' was temporarily confused, perhaps?
Red Nalie
Guru


Joined: 24 Mar 2003
Posts: 484
Location: Den Helder - The Netherlands - Europe - Earth - Milky Way - Universe

PostPosted: Wed May 14, 2003 9:33 pm    Post subject: Re: Moving from Networking & Security to Off the Wall

lousyd wrote:
There appears to be no reason for this post to have been moved here. 'pjp' was temporarily confused, perhaps?


Or as we Dutch say:

"een beetje in-de-war" (a bit confused) :lol:
_________________
Many people call me Linux-freak, I just see me as a freak who uses Linux :)

i'm a little n00bie short and stout, here is my nickname here is my SHOUT!!!1 when i get all flamed up hear me SHOUT!!1 ban me forever, kick me out
puggy
Bodhisattva


Joined: 28 Feb 2003
Posts: 1992
Location: Oxford, UK

PostPosted: Wed May 14, 2003 10:56 pm    Post subject: Re: Moving from Networking & Security to Off the Wall

lousyd wrote:
There appears to be no reason for this post to have been moved here. 'pjp' was temporarily confused, perhaps?


Maybe because it's not actually a support request...?

Puggy
_________________
Where there's open source , there's a way.
mr-simon
Guru


Joined: 22 Nov 2002
Posts: 326
Location: Leamington Spa, Warks, UK

PostPosted: Wed May 14, 2003 11:21 pm    Post subject:

Hmm... Grey area. I was asking for "support", with regards to someone pointing me in the right direction of some answers to my problems...

Anyway, I gave up in the end. The whole system seemed messed up. I guess *someone* must have got it working, or selinux-sources wouldn't be unmasked. It all seemed pretty mangled to me, but none of the documentation I could find was very good, so... I dunno. *shrug*
_________________
"Pokey, are you drunk on love?"
"Yes. Also whiskey. But mostly love... and whiskey."
puggy
Bodhisattva


Joined: 28 Feb 2003
Posts: 1992
Location: Oxford, UK

PostPosted: Wed May 14, 2003 11:27 pm    Post subject:

mr-simon wrote:
Hmm... Grey area. I was asking for "support", with regards to someone pointing me in the right direction of some answers to my problems...

Anyway, I gave up in the end. The whole system seemed messed up. I guess *someone* must have got it working, or selinux-sources wouldn't be unmasked. It all seemed pretty mangled to me, but none of the documentation I could find was very good, so... I dunno. *shrug*


selinux screwed me over as well. I'm not letting it near my computer again. :-D
_________________
Where there's open source , there's a way.
atac
Apprentice


Joined: 04 Jan 2003
Posts: 234
Location: haninge, swe

PostPosted: Wed Jun 25, 2003 5:03 am    Post subject:

http://www.gentoo.org/proj/en/hardened/selinux-quickstart.xml
_________________
1 + 1 + 1 = 11
idl
Retired Dev


Joined: 24 Dec 2002
Posts: 1728
Location: Nottingham, UK

PostPosted: Wed Jun 25, 2003 1:37 pm    Post subject:

I'm going to take the plunge :? I can't decide if I should start from scratch and create separate /usr /var /tmp partitions or just convert my current installation.
_________________
a.k.a port001
Found a bug? Please report it: Gentoo Bugzilla
puggy
Bodhisattva


Joined: 28 Feb 2003
Posts: 1992
Location: Oxford, UK

PostPosted: Wed Jun 25, 2003 1:39 pm    Post subject:

port001 wrote:
I'm going to take the plunge :? I can't decide if I should start from scratch and create separate /usr /var /tmp partitions or just convert my current installation.


I'd go for separate partitions as selinux screwed my system; it would be better if you could recover if it goes horribly wrong, I suppose. :-)

Puggy
_________________
Where there's open source , there's a way.
idl
Retired Dev


Joined: 24 Dec 2002
Posts: 1728
Location: Nottingham, UK

PostPosted: Wed Jun 25, 2003 1:43 pm    Post subject:

puggy wrote:
port001 wrote:
I'm going to take the plunge :? I can't decide if I should start from scratch and create separate /usr /var /tmp partitions or just convert my current installation.


I'd go for separate partitions as selinux screwed my system; it would be better if you could recover if it goes horribly wrong, I suppose. :-)

Puggy


There is that, but from past experiences I always run out of room on one partition and have loads left on another one. I won't have the option of mounting /tmp noexec and the such like, but at least I won't run out of space. I only recently installed Gentoo on my server, so there's not much to lose.

I'll let you know how it goes
_________________
a.k.a port001
Found a bug? Please report it: Gentoo Bugzilla
puggy
Bodhisattva


Joined: 28 Feb 2003
Posts: 1992
Location: Oxford, UK

PostPosted: Wed Jun 25, 2003 1:47 pm    Post subject:

port001 wrote:
puggy wrote:
port001 wrote:
I'm going to take the plunge :? I can't decide if I should start from scratch and create separate /usr /var /tmp partitions or just convert my current installation.


I'd go for separate partitions as selinux screwed my system; it would be better if you could recover if it goes horribly wrong, I suppose. :-)

Puggy


There is that, but from past experiences I always run out of room on one partition and have loads left on another one. I won't have the option of mounting /tmp noexec and the such like, but at least I won't run out of space. I only recently installed Gentoo on my server, so there's not much to lose.

I'll let you know how it goes


Cool. Thinking about it, selinux only screwed me because I installed it to experiment and then tried to remove it. It took a while to track down a few config and script files it was still trying to use after selinux itself was disabled and removed (properly). Maybe I shouldn't be bashing it so much. It didn't screw me that badly. :-D
_________________
Where there's open source , there's a way.
idl
Retired Dev


Joined: 24 Dec 2002
Posts: 1728
Location: Nottingham, UK

PostPosted: Wed Jun 25, 2003 11:05 pm    Post subject:

Well, it's up and running. I'm getting lots of violations on boot; one of them was devfs, which was talked about in the guide, but I have no idea how to fix the others - time to read :)

Once everything is up and running, I may rewrite the guide as it's a little incorrect in places.
_________________
a.k.a port001
Found a bug? Please report it: Gentoo Bugzilla