SELinux issues

Greetings!

As I’m currently attempting to set up SELinux, I have just encountered some problems.

  • When I’m running SELinux in permissive mode, everything runs just fine.

  • When I switch to enforcing mode, some services immediately go haywire.

    • syslog shows some issues (but nevertheless starts up)
    • restorecond fails to start
    • Network has problems starting up -> no DNS connections possible, although everything else works
    • libvirtd fails to start
    • sshd fails to start
    • Some systemd plugins (journal recovery, udev-restorecon) fail to run
    • ALSA won’t be properly set up
    • atd fails to start

The network issues in particular make it impossible to establish any network connection, but when I switch to Permissive, restart the network and then return to Enforcing, network behavior returns to normal. Furthermore, when attempting to reboot or invoke a system halt, that is denied as well when on Enforcing.
Unfortunately, audit.log doesn’t give any clues as to what could have gone wrong in the first place, and when I attempt to generate a policy from whatever I got, I cannot install it afterwards; every time I try to do so, semodule first takes ages to complete and then aborts with the following error message: libsemanage.dbase_llist_query: could not query record value (No such file or directory)
I have already relabeled the file systems upon first initialization of SElinux and also recently did a restorecon on all partitions - but unfortunately the problem persists.
Right now, I’m about to attempt to relabel the entire file system once again from scratch in order to find out whether that helps - but if not, I’m currently out of options…

Does anyone have any experience with setting up SELinux? And no, disabling it is not an option…

I’m running openSUSE 12.3 in conjunction with kernel 3.9.4-1.g51bf0ff-xen (64-bit).
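Added example, not from this thread and not an openSUSE tool: a small POSIX shell script that groups AVC denial records (the format written to /var/log/audit/audit.log) by source domain, target type, object class and permission, so that a pattern like “every failing service hits unlabeled_t files” stands out. The audit lines embedded below are constructed samples that mimic the symptoms described above (sshd, DNS lookups, atd), not real log output from the poster’s machine. Targets of type unlabeled_t point at files a relabel missed; if enforcing mode produces no AVC records at all, the policy’s dontaudit rules may be hiding them (`semodule -DB` rebuilds the policy with those rules disabled, `semodule -B` restores them).

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials from audit.log-style records.
# Not part of the thread; the audit lines below are constructed samples.

# Constructed sample audit records (same layout as /var/log/audit/audit.log).
SAMPLE_AUDIT='type=AVC msg=audit(1370800001.100:101): avc:  denied  { read } for  pid=1201 comm="sshd" name="sshd_config" dev="sda2" ino=4101 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1370800001.200:102): avc:  denied  { read } for  pid=1201 comm="sshd" name="ssh_host_rsa_key" dev="sda2" ino=4102 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1370800001.200:102): arch=c000003e syscall=2 success=no exit=-13 comm="sshd" exe="/usr/sbin/sshd"
type=AVC msg=audit(1370800002.300:103): avc:  denied  { name_connect } for  pid=1330 comm="nscd" dest=53 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1370800003.400:104): avc:  denied  { write } for  pid=1402 comm="atd" name="atd.pid" dev="sda2" ino=5200 scontext=system_u:system_r:atd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file'

# summarize_avc: read audit records on stdin, keep only AVC denials and print
# "count source_type target_type class perms", most frequent group first.
summarize_avc() {
    grep 'type=AVC' | grep 'denied' |
    awk '{
        perms = ""; s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            # permissions sit between "{" and "}" (e.g. { read write })
            if ($i == "{") {
                j = i + 1
                while (j <= NF && $j != "}") {
                    perms = perms (perms == "" ? "" : ",") $j
                    j++
                }
            }
            # third colon-separated field of a context is the type
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        n[s " " t " " c " " perms]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# unlabeled_count: number of denials whose target is unlabeled_t, i.e.
# files or objects that never received a label (a relabel did not reach them).
unlabeled_count() {
    grep 'type=AVC' | grep 'denied' | grep -c 'tcontext=[^ ]*:unlabeled_t:' || true
}

# Demo over the constructed sample. On a real system, replace the printf with:
#   cat /var/log/audit/audit.log | summarize_avc
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
printf 'denials against unlabeled_t targets: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT" | unlabeled_count)"
```

The first summary line for the sample reads `2 sshd_t unlabeled_t file read`, which is the shape of evidence a relabel problem leaves behind; a denial against a properly labeled target (like the nscd_t to dns_port_t line) instead points at a policy gap rather than at labeling.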

And have you read this article by chance?

https://en.opensuse.org/SDB:SELinux

I have not tried to set up SELinux, but the instructions seem straightforward enough.

Thank You,

If distro hopping is an option, SELinux “just works” in Fedora and is enabled by default. You probably won’t have any problems there. If you do, the Red Hat devs are constantly updating the default policy; only advanced users should ever need to touch it. I’ve been running with SELinux for half a year and have never had to think about it. (A consequence of that is that I know nothing about it, unfortunately.)

I get the impression that nobody really cares for SELinux on openSUSE, and you’re going to be kind of on your own here. openSUSE used to support AppArmor instead, but it seems even that has fallen by the wayside.

On 06/09/2013 07:36 PM, Golbats Everywhere wrote:
> AppArmor instead, but it seems even that has fallen by the
> wayside.

it still works, afaict…


dd

On 2013-06-09 19:36, Golbats Everywhere wrote:

> I get the impression that nobody really cares for SELinux on openSUSE,
> and you’re going to be kind of on your own here.

True.

There is a package, but the configuration is totally up to the sysadmin.

> openSUSE used to
> support AppArmor instead, but it seems even that has fallen by the
> wayside.

No, not exactly. The AA yast module needs some care, but AA is indeed
supported, and their people answer the bugzillas within the week, when
other “supported” modules never get an answer.

AA was originated by Novell as a project. However, for some unexplained
reason, the developer team was fired years ago. The project is hosted by
Ubuntu now, and you can see people there with openSUSE and Novell addresses.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

On Sun, 09 Jun 2013 18:48:06 +0000, Carlos E. R. wrote:

> AA was originated by Novell as a project.

No, AppArmor was an acquisition - Immunix, IIRC.

And no, I’ve no idea why they let the development team go. That was a
bad decision, IMHO.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 2013-06-10 05:24, Jim Henderson wrote:
> On Sun, 09 Jun 2013 18:48:06 +0000, Carlos E. R. wrote:
>
>> AA was originated by Novell as a project.
>
> No, AppArmor was an acquisition - Immunix, IIRC.

Ah.
Anyway, they put a lot of effort and publicity on it at the time.
Surely it was named “Novell Apparmor” for a reason.

> And no, I’ve no idea why they let the development team go. That was a
> bad decision, IMHO.

Yes, I have not seen the history told anywhere. For a year or two after
they went away the Novell site remained with the obsolete AA info, which
led nowhere as they were hosted by Ubuntu, not Novell.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

On Mon, 10 Jun 2013 13:53:06 +0000, Carlos E. R. wrote:

> Anyway, they put a lot of effort and publicity on it at the time. Surely
> it was named “Novell Apparmor” for a reason.

Well, yes, it was an acquired product, and an acquired product
generally is going to be rebranded at some point.

Jim


Jim Henderson
openSUSE Forums Administrator

On 2013-06-10 18:05, Jim Henderson wrote:
> On Mon, 10 Jun 2013 13:53:06 +0000, Carlos E. R. wrote:
>
>> Anyway, they put a lot of effort and publicity on it at the time. Surely
>> it was named “Novell Apparmor” for a reason.
>
> Well, yes, it was an acquired product, and an acquired product
> generally is going to be rebranded at some point.

Yes, I know, but I mean that they pushed it hard, announced it
everywhere, asked betatesters to try it… a lot of effort, which makes
it very strange that they would suddenly abandon it later.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

On Mon, 10 Jun 2013 16:53:10 +0000, Carlos E. R. wrote:

> On 2013-06-10 18:05, Jim Henderson wrote:
>> On Mon, 10 Jun 2013 13:53:06 +0000, Carlos E. R. wrote:
>>
>>> Anyway, they put a lot of effort and publicity on it at the time.
>>> Surely it was named “Novell Apparmor” for a reason.
>>
>> Well, yes, it was an acquired product, and an acquired product
>> generally is going to be rebranded at some point.
>
> Yes, I know, but I mean that they pushed it hard, announced it
> everywhere, asked betatesters to try it… a lot of effort, which makes
> it very strange that they would suddenly abandon it later.

I don’t disagree. :slight_smile:

Jim


Jim Henderson
openSUSE Forums Administrator

On 2013-06-10 19:26, Jim Henderson wrote:
> On Mon, 10 Jun 2013 16:53:10 +0000, Carlos E. R. wrote:
>> On 2013-06-10 18:05, Jim Henderson wrote:
>>> On Mon, 10 Jun 2013 13:53:06 +0000, Carlos E. R. wrote:
>>>
>>>> Anyway, they put a lot of effort and publicity on it at the time.
>>>> Surely it was named “Novell Apparmor” for a reason.
>>>
>>> Well, yes, it was an acquired product, and an acquired product
>>> generally is going to be rebranded at some point.
>>
>> Yes, I know, but I mean that they pushed it hard, announced it
>> everywhere, asked betatesters to try it… a lot of effort, which makes
>> it very strange that they would suddenly abandon it later.
>
> I don’t disagree. :slight_smile:

:slight_smile:


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

I did. I also abided by it, but that gave me some probs, though.
For some reason the SELinux PAM module won’t be correctly installed, either. Whenever I boot up my machine and invoke selinux-ready, it tells me that some kernel parameters are missing (I have definitely provided them, though) and that the PAM module isn’t installed.

I don’t know why it is losing things, but something definitely is amiss here.