Mailing List Archive: Gentoo: Hardened

Setting filesystem labels for SELinux fails



tom.petri at googlemail

Mar 17, 2012, 2:28 PM

Post #1 of 8 (916 views)
Setting filesystem labels for SELinux fails

Hello,

After compiling the policy modules and re-compiling my core packages
(Gentoo 32bit) I wanted to relabel the filesystem (via rlpkg -a -r)
but I get these error messages:

> Relabeling filesystem types: btrfs ext2 ext3 ext4 jfs xfs
> /usr/sbin/setfiles set context /->system_u:object_r:root_t failed:'Operation not supported'
> /usr/sbin/setfiles set context /boot->system_u:object_r:boot_t failed:'Operation not supported'
> /usr/sbin/setfiles set context /home->system_u:object_r:home_root_t failed:'Operation not supported'
> /usr/sbin/setfiles set context /srv->system_u:object_r:var_t failed:'Operation not supported'
> /usr/sbin/setfiles set context /tmp->system_u:object_r:tmp_t failed:'Operation not supported'
> /usr/sbin/setfiles set context /usr->system_u:object_r:usr_t failed:'Operation not supported'
> /usr/sbin/setfiles set context /var->system_u:object_r:var_t failed:'Operation not supported'
> Scanning for shared libraries with text relocations...
> 0 libraries with text relocations, 0 not relabeled.
> Scanning for PIE binaries with text relocations...
> 0 binaries with text relocations detected.

Partitions are /boot, /home, /srv, /tmp, /usr and /var, stored on
/dev/md1-7, which are formatted using ext4.

How can I fix this?

Regards


swift at gentoo

Mar 18, 2012, 1:55 AM

Post #2 of 8 (894 views)
Re: Setting filesystem labels for SELinux fails

On Sat, Mar 17, 2012 at 10:28:59PM +0100, Tom Petri wrote:
> After compiling the policy modules and re-compiling my core packages
> (Gentoo 32bit) I wanted to relabel the filesystem (via rlpkg -a -r)
> but I get these error messages:
>
> > Relabeling filesystem types: btrfs ext2 ext3 ext4 jfs xfs /usr/sbin/setfiles set context /->system_u:object_r:root_t failed:'Operation not supported'
> > /usr/sbin/setfiles set context /boot->system_u:object_r:boot_t failed:'Operation not supported'
> > /usr/sbin/setfiles set context /home->system_u:object_r:home_root_t failed:'Operation not supported'
> > /usr/sbin/setfiles set context /srv->system_u:object_r:var_t failed:'Operation not supported'
> > /usr/sbin/setfiles set context /tmp->system_u:object_r:tmp_t failed:'Operation not supported' /usr/sbin/setfiles set context /usr->system_u:object_r:usr_t failed:'Operation not supported'
> > /usr/sbin/setfiles set context /var->system_u:object_r:var_t failed:'Operation not supported'
> > Scanning for shared libraries with text relocations...
> > 0 libraries with text relocations, 0 not relabeled. Scanning for PIE binaries with text relocations...
> > 0 binaries with text relocations detected.
>
> partitions are /boot, /home, /srv, /tmp, /usr and /var - stored on
> /dev/md1-7, which are formatted using ext4.

Do you have built-in support for extended attributes in the kernel (for
these file systems)?

Wkr,
Sven Vermeulen


tom.petri at googlemail

Mar 18, 2012, 2:36 AM

Post #3 of 8 (891 views)
Re: Setting filesystem labels for SELinux fails

Yes, extended attributes along with security labels are activated.

# attr -s test -V test /var && attr -r test /var
Attribute "test" set to a 4 byte value for /var: test

I should probably tell how I proceeded during the installation:
1. created the filesystems (as usual)
2. got a hardened stage3 tarball and portage
3. portage sync, re-emerge portage, created a hardened-sources kernel,
booted up.
4. emerge policies (checkpolicy, policycoreutils, selinux-base-policy [-selinux])
5. emerge -uDN world
6. reboot and tried rlpkg -a -r

Cheers

On Sun, Mar 18, 2012 at 9:55 AM, Sven Vermeulen <swift [at] gentoo> wrote:
> On Sat, Mar 17, 2012 at 10:28:59PM +0100, Tom Petri wrote:
>> After compiling the policy modules and re-compiling my core packages
>> (Gentoo 32bit) I wanted to relabel the filesystem (via rlpkg -a -r)
>> but I get these error messages:
>>
>> > Relabeling filesystem types: btrfs ext2 ext3 ext4 jfs xfs /usr/sbin/setfiles set context /->system_u:object_r:root_t failed:'Operation not supported'
>> > /usr/sbin/setfiles set context /boot->system_u:object_r:boot_t failed:'Operation not supported'
>> > /usr/sbin/setfiles set context /home->system_u:object_r:home_root_t failed:'Operation not supported'
>> > /usr/sbin/setfiles set context /srv->system_u:object_r:var_t failed:'Operation not supported'
>> > /usr/sbin/setfiles set context /tmp->system_u:object_r:tmp_t failed:'Operation not supported' /usr/sbin/setfiles set context /usr->system_u:object_r:usr_t failed:'Operation not supported'
>> > /usr/sbin/setfiles set context /var->system_u:object_r:var_t failed:'Operation not supported'
>> > Scanning for shared libraries with text relocations...
>> > 0 libraries with text relocations, 0 not relabeled. Scanning for PIE binaries with text relocations...
>> > 0 binaries with text relocations detected.
>>
>> partitions are /boot, /home, /srv, /tmp, /usr and /var - stored on
>> /dev/md1-7, which are formatted using ext4.
>
> Do you have build in support for extended attributes in the kernel (for
> these file systems)?
>
> Wkr,
>        Sven Vermeulen
>
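The `attr -s test` check in the post above writes a `user.*` attribute, which only exercises the generic xattr half of the kernel configuration; setfiles writes `security.selinux`, which on ext2/3/4 and jfs additionally needs the per-filesystem security-label option, and udev's tmpfs on /dev needs tmpfs xattr support. The following script is an added example (not code from the thread or from Gentoo) that checks a kernel `.config` for those options for a list of filesystem types. The option names are the 3.x-era ones and are an assumption to verify against your own kernel tree; the sample `.config` it runs against is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check a kernel .config for the options
# that SELinux file labelling depends on. Option names are 3.x-era names
# (assumption; confirm them in your own tree with `make menuconfig`).

# Print the CONFIG_ symbols a filesystem type needs for security labels
# (empty for types this example does not know about).
fs_required_options() {
    case "$1" in
        ext2)  echo "CONFIG_EXT2_FS_XATTR CONFIG_EXT2_FS_SECURITY" ;;
        ext3)  echo "CONFIG_EXT3_FS_XATTR CONFIG_EXT3_FS_SECURITY" ;;
        ext4)  echo "CONFIG_EXT4_FS_XATTR CONFIG_EXT4_FS_SECURITY" ;;
        jfs)   echo "CONFIG_JFS_FS CONFIG_JFS_SECURITY" ;;
        tmpfs) echo "CONFIG_TMPFS CONFIG_TMPFS_XATTR" ;;
        *)     echo "" ;;
    esac
}

# Core SELinux options plus the per-filesystem ones, one per line, deduplicated.
required_options() {
    {
        echo CONFIG_SECURITY
        echo CONFIG_SECURITY_SELINUX
        for fs in "$@"; do
            for opt in $(fs_required_options "$fs"); do
                echo "$opt"
            done
        done
    } | sort -u
}

# Usage: missing_options <.config> <fstype>...
# Prints every required option that is not "=y" in the file; returns 1 if
# anything is missing, 0 if the config is complete for those types.
missing_options() {
    _config="$1"; shift
    _rc=0
    for opt in $(required_options "$@"); do
        if ! grep -q "^${opt}=y\$" "$_config"; then
            echo "$opt"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed sample .config (not a real file from the thread): xattrs are on
# for ext4 but the security namespace is not, and tmpfs has no xattrs at all.
# This is exactly the state in which `attr -s` succeeds and setfiles fails.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_EXT4_FS_XATTR=y
# CONFIG_EXT4_FS_SECURITY is not set
CONFIG_TMPFS=y
# CONFIG_TMPFS_XATTR is not set
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
echo "Options missing from the sample config for ext4 and tmpfs:"
missing_options "$cfg" ext4 tmpfs || echo "-> setfiles would fail with 'Operation not supported'"
rm -f "$cfg"
# On a real box: missing_options /usr/src/linux/.config ext4 tmpfs
# (or check the running kernel via zcat /proc/config.gz when CONFIG_IKCONFIG_PROC is on).
```

Point the last line at the `.config` of the kernel you actually boot: a config that is complete in /usr/src/linux but was changed after the last build explains the same "Operation not supported" error just as well as a missing option.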


swift at gentoo

Mar 18, 2012, 3:36 AM

Post #4 of 8 (885 views)
Re: Setting filesystem labels for SELinux fails

On Sun, Mar 18, 2012 at 10:36:53AM +0100, Tom Petri wrote:
> Yes, extended attributes along with security labels are activated.
>
> # attr -s test -V test /var && attr -r test /var
> Attribute "test" set to a 4 byte value for /var: test
>
> I should probably tell how I proceeded during the installation:
> 1. created the filesystems (as usual)
> 2. got a hardened stage3 tarball and portage
> 3. portage sync, re-emerge portage, created a hardened-sources kernel,
> booted up.
> 4. emerge policys (checkpolicy, policycoreutils, selinux-base-policy [-selinux])
> 5. emerge -uDN world
> 6. reboot and tried rlpkg -a -r

Did the setfiles commands (mentioned in the installation instructions before
the "rlpkg -a -r") succeed, or did they give the same error?

Wkr,
Sven Vermeulen


tom.petri at googlemail

Mar 18, 2012, 4:27 AM

Post #5 of 8 (908 views)
Re: Setting filesystem labels for SELinux fails

On Sun, Mar 18, 2012 at 11:36 AM, Sven Vermeulen <swift [at] gentoo> wrote:
> On Sun, Mar 18, 2012 at 10:36:53AM +0100, Tom Petri wrote:
>> Yes, extended attributes along with security labels are activated.
>>
>> # attr -s test -V test /var && attr -r test /var
>> Attribute "test" set to a 4 byte value for /var: test
>>
>> I should probably tell how I proceeded during the installation:
>> 1. created the filesystems (as usual)
>> 2. got a hardened stage3 tarball and portage
>> 3. portage sync, re-emerge portage, created a hardened-sources kernel,
>> booted up.
>> 4. emerge policys (checkpolicy, policycoreutils, selinux-base-policy [-selinux])
>> 5. emerge -uDN world
>> 6. reboot and tried rlpkg -a -r
>
> Did the setfiles commands (mentioned in the installation instructions before
> the "rlpkg -a -r") succeed, or did they give the same error?
>
> Wkr,
>        Sven Vermeulen
>
>
>
Yes, I got the same errors then:
# setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/dev
setfiles set context /mnt/gentoo/dev->system_u:object_r:device_t failed:'Operation not supported'
# setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/lib
setfiles set context /mnt/gentoo/lib->system_u:object_r:lib_t failed:'Operation not supported'


tom.petri at googlemail

Mar 20, 2012, 12:32 PM

Post #6 of 8 (893 views)
Re: Setting filesystem labels for SELinux fails

On Sun, Mar 18, 2012 at 12:27 PM, Tom Petri <tom.petri [at] googlemail> wrote:
> On Sun, Mar 18, 2012 at 11:36 AM, Sven Vermeulen <swift [at] gentoo> wrote:
>> On Sun, Mar 18, 2012 at 10:36:53AM +0100, Tom Petri wrote:
>>> Yes, extended attributes along with security labels are activated.
>>>
>>> # attr -s test -V test /var && attr -r test /var
>>> Attribute "test" set to a 4 byte value for /var: test
>>>
>>> I should probably tell how I proceeded during the installation:
>>> 1. created the filesystems (as usual)
>>> 2. got a hardened stage3 tarball and portage
>>> 3. portage sync, re-emerge portage, created a hardened-sources kernel,
>>> booted up.
>>> 4. emerge policys (checkpolicy, policycoreutils, selinux-base-policy [-selinux])
>>> 5. emerge -uDN world
>>> 6. reboot and tried rlpkg -a -r
>>
>> Did the setfiles commands (mentioned in the installation instructions before
>> the "rlpkg -a -r") succeed, or did they give the same error?
>>
>> Wkr,
>>        Sven Vermeulen
>>
>>
>>
> Yes, I got the same errors then:
> # setfiles -r /mnt/gentoo
> /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/dev
> setfiles set context /mnt/gentoo/dev->system_u:object_r:device_t
> failed:'Operation not supported'
> # setfiles -r /mnt/gentoo
> /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/lib
> setfiles set context /mnt/gentoo/lib->system_u:object_r:lib_t
> failed:'Operation not supported'
I just did a fresh gentoo install (configuration) and proceeded with
the instructions from the gentoo hardened documentation.
After compiling (re-emerging) world the system doesn't come up. I'm able
to ping it but udev seems to have problems, as /dev/console and the
ttys aren't found:

/etc/init.d/sshd[1205]: ERROR: sshd failed to start
/etc/init.d/urandom[1219]: ERROR: urandom failed to start
init: open(/dev/console): No such file or directory
agetty[1233]: /dev/tty2: not a character device
agetty[1232]: /dev/tty1: not a character device

My mdadm RAID is recognized properly, in case it matters.

I did everything the instructions say, however I'm always getting new
errors. Is there a viable solution to this? Thanks in advance!


tom.petri at googlemail

Mar 21, 2012, 8:40 AM

Post #7 of 8 (872 views)
Re: Setting filesystem labels for SELinux fails

On Tue, Mar 20, 2012 at 8:32 PM, Tom Petri <tom.petri [at] googlemail> wrote:
> On Sun, Mar 18, 2012 at 12:27 PM, Tom Petri <tom.petri [at] googlemail> wrote:
>> On Sun, Mar 18, 2012 at 11:36 AM, Sven Vermeulen <swift [at] gentoo> wrote:
>>> On Sun, Mar 18, 2012 at 10:36:53AM +0100, Tom Petri wrote:
>>>> Yes, extended attributes along with security labels are activated.
>>>>
>>>> # attr -s test -V test /var && attr -r test /var
>>>> Attribute "test" set to a 4 byte value for /var: test
>>>>
>>>> I should probably tell how I proceeded during the installation:
>>>> 1. created the filesystems (as usual)
>>>> 2. got a hardened stage3 tarball and portage
>>>> 3. portage sync, re-emerge portage, created a hardened-sources kernel,
>>>> booted up.
>>>> 4. emerge policys (checkpolicy, policycoreutils, selinux-base-policy [-selinux])
>>>> 5. emerge -uDN world
>>>> 6. reboot and tried rlpkg -a -r
>>>
>>> Did the setfiles commands (mentioned in the installation instructions before
>>> the "rlpkg -a -r") succeed, or did they give the same error?
>>>
>>> Wkr,
>>>        Sven Vermeulen
>>>
>>>
>>>
>> Yes, I got the same errors then:
>> # setfiles -r /mnt/gentoo
>> /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/dev
>> setfiles set context /mnt/gentoo/dev->system_u:object_r:device_t
>> failed:'Operation not supported'
>> # setfiles -r /mnt/gentoo
>> /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/lib
>> setfiles set context /mnt/gentoo/lib->system_u:object_r:lib_t
>> failed:'Operation not supported'
> I just did a fresh gentoo install (configuration) and proceeded with
> the instructions from the gentoo hardened documentation.
> After compiling re-emerging world the system doesn't get up. I'm able
> to ping it but udev seems to have problems as /dev/console and the
> tty's aren't found:
>
> /etc/init.d/sshd[1205]: ERROR: sshd failed to start
> /etc/init.d/urandom[1219]: ERROR: urandom failed to start
> init: open(/dev/console): No such file or directory
> agetty[1233]: /dev/tty2: not a character device
> agetty[1232]: /dev/tty1: not a character device
>
> My mdadm RAID is recognized properly, in case it matters.
>
> I did everything the instructions say, however I'm always getting new
> errors. Is there a viable solution to this? Thanks in advance!
The udev entry from the hardened documentation seems to be the problem:
udev /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 0 0

The system boots without this entry, however `sestatus` says "disabled".


swift at gentoo

Mar 22, 2012, 8:49 AM

Post #8 of 8 (983 views)
Re: Setting filesystem labels for SELinux fails

On Wed, Mar 21, 2012 at 04:40:32PM +0100, Tom Petri wrote:
> > I just did a fresh gentoo install (configuration) and proceeded with
> > the instructions from the gentoo hardened documentation.
> > After compiling re-emerging world the system doesn't get up. I'm able
> > to ping it but udev seems to have problems as /dev/console and the
> > tty's aren't found:
> >
> > /etc/init.d/sshd[1205]: ERROR: sshd failed to start
> > /etc/init.d/urandom[1219]: ERROR: urandom failed to start
> > init: open(/dev/console): No such file or directory
> > agetty[1233]: /dev/tty2: not a character device
> > agetty[1232]: /dev/tty1: not a character device
> >
> > My mdadm RAID is recognized properly, in case it matters.

You aren't by any chance using an initramfs, are you?

> The udev from the hardened documentation seems to be the problem (udev
> /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755
> 0 0).
>
> The systems boots without this entry, however `sestatus` says "disabled".

Is SELinux indeed disabled, or does it only "look" like so?

An easy way to test is when you run in strict policy (or mcs/mls without
unconfined domains) and you're in the sysadm_t domain. Then try reading
/etc/shadow:

hpl ~ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video) context=staff_u:sysadm_r:sysadm_t

hpl ~ # cat /etc/shadow
cat: /etc/shadow: Permission denied

Wkr,
Sven Vermeulen
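The question above, whether SELinux is really disabled or only looks that way, can be answered from what the kernel exposes rather than from `sestatus` alone. The script below is an added example (not code from the thread or from Gentoo): it reads the enforce flag from selinuxfs, extracts the domain from `id` output the way Sven's check does, and reports whether /etc/shadow is readable. It assumes selinuxfs is mounted at /sys/fs/selinux, falling back to the older /selinux; the mount point is a parameter so the functions can also be run against a constructed directory.

```shell
#!/bin/sh
# Added example, not from the thread: tell "SELinux is disabled" apart from
# "SELinux is on, but the policy is not what you think". selinuxfs path is an
# assumption (/sys/fs/selinux on newer kernels, /selinux on older installs).

# Print disabled / permissive / enforcing for the selinuxfs mounted at $1.
# Returns 1 when disabled: no enforce file means a kernel without SELinux,
# a boot with selinux=0, or simply no selinuxfs mounted at that path.
selinux_state() {
    if [ ! -f "$1/enforce" ]; then
        echo disabled
        return 1
    fi
    case "$(cat "$1/enforce")" in
        1) echo enforcing ;;
        *) echo permissive ;;
    esac
}

# Print the type (domain) part of a "user:role:type[:range]" context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Pull the context= field out of id(1) output (which a mailer may wrap).
id_context() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^context=//p'
}

# In strict policy the administrator works in sysadm_t, and even that
# domain is denied read access to /etc/shadow (the check shown above).
is_sysadm_domain() {
    [ "$(context_type "$1")" = "sysadm_t" ]
}

# Verdict for the running system, one fact per line, so that an odd
# combination (enforcing, yet /etc/shadow readable) stands out.
# The /etc/shadow line is only meaningful when run as root, since DAC
# alone already denies it to other users.
report() {
    fs=/sys/fs/selinux
    [ -d "$fs" ] || fs=/selinux
    echo "selinuxfs $fs: $(selinux_state "$fs" || true)"
    if grep -q ' selinuxfs ' /proc/mounts 2>/dev/null; then
        echo "selinuxfs is mounted"
    else
        echo "selinuxfs not in /proc/mounts"
    fi
    ctx=$(id_context "$(id 2>/dev/null)")
    [ -n "$ctx" ] && echo "current context: $ctx (domain $(context_type "$ctx"))"
    if cat /etc/shadow >/dev/null 2>&1; then
        echo "/etc/shadow readable: this domain is not confined by the policy"
    else
        echo "/etc/shadow not readable: consistent with a confined domain"
    fi
}

report
```

If `sestatus` says disabled but the enforce file exists and reads 1, the userland tools are looking in the wrong place (for example a selinuxfs mounted at a path libselinux does not expect); if the enforce file is absent while the kernel was built with SELinux, check the boot parameters and whether the init scripts mount selinuxfs at all.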
