Mailing List Archive: Gentoo: Hardened

Re: SELinux updates

Index | Next | Previous | View Threaded

pebenito at gentoo

Sep 5, 2004, 7:16 AM

Post #1 of 3 (534 views)
Permalink

Re: SELinux updates

I have unmasked hardened-sources-2.4.27-r2,
hardened-dev-sources-2.6.7-r8, and selinux-base-policy-20040702 for the
SELinux headers update. Since my last email was a long time ago, I
copied the relevant portion at the bottom. The 20040702 policy is the
same as 20040629, except with the headers update, so if you are up to
date on policy, it should be a trivial policy update. The headers are
in the flask directory of the policy.

On Sun, 2004-06-27 at 12:07, Chris PeBenito wrote:
> * The 2.6.8 kernel will have some new SELinux classes for security
> enhanced X. The problem is that these will collide with our PaX
> support. This means that the kernel and the policy will have to be
> updated at the same time, as the kernel will not load a policy whose
> headers don't match its own. When 2.6.8 comes out, I will put out a
> policy with the new headers, and also bump all kernels that have the
> PaX SELinux hooks. Fortunately the PaX SELinux headers have been
> accepted upstream, so this won't happen again. 2.6.8 will also bring
> policy version 18, since fine-grained netlink socket support has been
> added.

If you don't reboot (with the updated kernel if relevant), you will get
this error:

security: the value of class pax changed
security: the definition of an existing class changed

The policy load will fail.

--
Chris PeBenito
<pebenito [at] gentoo>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243

Attachments:

signature.asc (0.18 KB)

pebenito at gentoo

Sep 6, 2004, 8:53 AM

Post #2 of 3 (502 views)
Permalink

Re: SELinux updates [In reply to]

Oops, the order matters on this. You shouldn't reboot till the end:

1. merge new kernel sources (hardened-(dev-)sources users)
2. compile and install new kernel (hardened-(dev-)sources users)
3. merge selinux-base-policy-20040702 and etc-update
4. cd /etc/security/selinux/src/policy && make clean install
5. reboot

On Sun, 2004-09-05 at 10:16, Chris PeBenito wrote:
> I have unmasked hardened-sources-2.4.27-r2,
> hardened-dev-sources-2.6.7-r8, and selinux-base-policy-20040702 for the
> SELinux headers update. Since my last email was a long time ago, I
> copied the relevant portion at the bottom. The 20040702 policy is the
> same as 20040629, except with the headers update, so if you are up to
> date on policy, it should be a trivial policy update. The headers are
> in the flask directory of the policy.
>
> On Sun, 2004-06-27 at 12:07, Chris PeBenito wrote:
> > * The 2.6.8 kernel will have some new SELinux classes for security
> > enhanced X. The problem is that these will collide with our PaX
> > support. This means that the kernel and the policy will have to be
> > updated at the same time, as the kernel will not load a policy whose
> > headers don't match its own. When 2.6.8 comes out, I will put out a
> > policy with the new headers, and also bump all kernels that have the
> > PaX SELinux hooks. Fortunately the PaX SELinux headers have been
> > accepted upstream, so this won't happen again. 2.6.8 will also bring
> > policy version 18, since fine-grained netlink socket support has been
> > added.
>
> If you don't reboot (with the updated kernel if relevant), you will get
> this error:
>
> security: the value of class pax changed
> security: the definition of an existing class changed
>
> The policy load will fail.
--
Chris PeBenito
<pebenito [at] gentoo>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243

Attachments:

signature.asc (0.18 KB)

richard.simpson at wgint

Sep 9, 2004, 7:41 PM

Post #3 of 3 (507 views)
Permalink

RE: SELinux updates [In reply to]

eeeek!!

I have had strange problems since merging the selinux-base-policy-20040702
update which seemed to be coming from labeling problems. And the
file_contexts size was now only 157 bytes!

This change seems to be the culprit in the 0702 Makefile:

@$(EINFO) "Building file_contexts"
@m4 $(FCFILES) > $@.tmp
@grep -v "^/root" $@.tmp > $@.root
-@/usr/sbin/genhomedircon $@.root > $@
+@/usr/sbin/genhomedircon . $@.root > $@

When I undo this change, the contexts compile correctly and everything gets
labeled as expected.

Richard.

--
gentoo-hardened [at] gentoo mailing list

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads