SELinux

I am running v 11.1 x86. I am using this thread to install SELinux: SELinux - openSUSE. I get to the part where it says “file /etc/selinux/config should have the following content:”. I open the file in nano, and there is no text whatsoever. So far as I know, I have done everything correctly up to that point, but I am at a loss as to what to do.

I put the text in /etc/selinux/config that is supposed to be there, but that seems to make no difference.

Any ideas?

> Any ideas?

are you saying that after you put the content in config (exactly as in
the instructions), and rebooted to the GUI (I only assume that you are
running KDE or Gnome) as a normal user…and, THEN logged into a
terminal as root and ran setstatus…then what came back to the
terminal was not as expected (from the instructions on the cited page
you gave)…is that what you mean by “that seems to make no difference.”

if that is true, then why not go ahead and copy paste exactly the
output of setstatus back to this thread…


brassy

>“are you saying that after you put the content in config (exactly as in
>the instructions), and rebooted to the GUI (I only assume that you are
>running KDE or Gnome) as a normal user…and, THEN logged into a
>terminal as root and ran setstatus…”

Yes, I did all of that in the correct order as per the instructions.

The odd thing here is what setstatus returns: “bash: setstatus: command not found”

> The odd thing here is what setstatus returns: “bash: setstatus: command
> not found”

the instructions say:

“reboot the machine, login as root and run setstatus command, the
output should be:”

so you rebooted the machine and it automatically booted to KDE or
Gnome (which?) right??

then you opened a terminal, typed ‘setstatus’, pressed enter and it
said “command not found” right?

if so you only missed becoming root prior to issuing the command, so
do this:


su -

don’t miss the one space following the u, and then the dash -

it will then ask for your root password, type it in (you will not see
what you type) press enter, and your command prompt will (depending on
WHICH version of openSUSE you are using) turn red (meaning CAREFUL)
and add this symbol #…NOW you are logged into the terminal as root,
do this:


setstatus

what is the output now? how does it compare to that in the instructions?

if it remains ‘command not found’, do this:


which setstatus


brassy

>so you rebooted the machine and it automatically booted to KDE or
>Gnome (which?) right??

Yes, logged into GNOME.

And I have been doing the ‘su -’ when typing ‘setstatus.’

‘setstatus’ remains unfound. ‘which setstatus’ returns: ‘which: no setstatus in (/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/X11R6/bin:/usr/games:/opt/kde3/bin:/usr/lib/jvm/jre/bin:/usr/lib/mit/bin:/usr/lib/mit/sbin)’

I was curious, so I followed the howto and got to the end.
Setstatus:
linux-pc3:~ # setstatus
-bash: setstatus: command not found

linux-pc3:~ # which setstatus
which: no setstatus in (/sbin:/usr/sbin:/usr/local/sbin:/opt/kde3/sbin:/root/bin:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/X11R6/bin:/usr/games:/opt/kde3/bin:/usr/lib/jvm/jre/bin:/usr/lib/mit/bin:/usr/lib/mit/sbin)
linux-pc3:~ #

running KDE 3.5

So yes, there is something missing.

I really don’t know enough about it, but I am guessing that there must be something wrong with the packages that the howto calls for…

Why do you think so? The only thing that happened to me was a “vendor change” for two packages (since it is from the build service).

I rather observed a permission problem. In the terminal the OS complained that a permission was wrongly set (if I recall 7500) and was substituted.

A permission problem could be for me a candidate.
The package source itself installed fine and did not miss any dependencies…

But I am like you…just curious to try…but really quite clueless.

The only reason I would guess that a package was off would be because I didn’t get any text at all when the howto told me to open /etc/selinux/config. In fact, when I opened it in nano, nano said that it was a new file when the howto said there would be text there.

That in combination with my problem of setstatus not being a recognized command makes me wonder if there is a problem with a package.

PURE speculation as I have almost NO idea how openSUSE does this sort of thing, ‘under the hood’ as it were.

I guess the worst thing that would happen is not being able to config SELinux. Not really that big of a problem as I was just messing with it…:slight_smile:

This seems to be a typo in the howto. Try:
sestatus and NOT setstatus

This gives me:
linux-pc3:~ # sestatus
SELinux status: disabled
linux-pc3:~ # which sestatus
/usr/sbin/sestatus

Ok, at least I know that it is still disabled. I guess yours is too.
Now we can find out why…

AHA! Yes, ‘sestatus’ gave me the same thing.

lol!lol!lol! Sorry but I simply LOVED the Aha thing…

rofl…thanks lol!

I looked at the whole log messages but see no hint of the start or failure of SELinux. Does anybody know if SELinux is compatible with the PAE kernel?
If yes, where can I see (log files) when SELinux should be loaded?

`/bin/mount /root/proc`
What am I telling in boot-sh exactly?
I am “moving a device node”. But what does this actually mean in this context?
Thanks for sharing your knowledge.

and actually at the end I do
cd /root
umount /proc

So why do I first mount and then umount /root/proc???

idk if this helps at all, but through the power of Google I found an interesting tidbit from the changelog of the 2.6.29.5 kernel (http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.29.5):

" SELinux: BUG in SELinux compat_net code

This patch is not applicable to Linus's tree as the code in question has
been removed for 2.6.30.  I'm sending in case any of the stable
maintainers would like to push to their branches (which I think anything
pre 2.6.30 would like to do).

Ubuntu users were experiencing a kernel panic when they enabled SELinux
due to an old bug in our handling of the compatibility mode network
controls, introduced Jan 1 2008 effad8df44261031a882e1a895415f7186a5098e
Most distros have not used the compat_net code since the new code was
introduced and so noone has hit this problem before.  Ubuntu is the only
distro I know that enabled that legacy cruft by default.  But, I was ask
to look at it and found that the above patch changed a call to
avc_has_perm from if(send_perm) to if(!send_perm) in
selinux_ip_postroute_iptables_compat().  The result is that users who
turn on SELinux and have compat_net set can (and often will) BUG() in
avc_has_perm_noaudit since they are requesting 0 permissions."

I’m using kernel 2.6.27, so this patch wouldn’t affect (or would it?) openSUSE 11.1 (what I’m using).

Noop. As it says: “Ubuntu is the only
distro I know that enabled that legacy cruft by default.”

I do not think this is the issue. Maybe the config step (when we just paste what should be the content) is the problem. Maybe config “should” be already ok and no copy and paste should be necessary?

In all cases, given the low participation I would think that openSUSE users have no big interest in security, or if they have, like us, only little preparation. I have tried now for 6 months to make the howto for encrypted root work for my notebook (with /boot on a USB key). Not possible, not even a bit. And the participation in the thread was nil. 30000 very (in)active members…I would say. :wink:

SELinux is quite a difficult subsystem to configure, even on distros where it’s native, like Fedora and RHEL. It’s useful for increasing security for servers, but it does little for desktop users. Desktop users would spend their time better making sure their packages are up-to-date, particularly for Mozilla products, and acroread. And of course, not much can be done in software about PEBKAC.

You are correct, it IS difficult to configure. Guess what, that is why I am here. Surprised? I would rather write IMHO when you make such statements. And then, I am a desktop user. So if we want our desktop users to acquire the skills to get their server one day (in safety) maybe we do better not to think in this “classy” way, right? It’s all about knowledge and the will to share, IMHO. Am I wrong?

I guess you do speak here about yourself?

I’m only pointing out that most of the users here are desktop users which is why there is little interest in SELinux or Apparmor for that matter. People here are more likely to ask questions about getting wireless or sound or media playing working.

If you want to learn to configure a server with SELinux, there are forums for that. Since SELinux is a feature of the kernel, it doesn’t matter what distro you are using. So look further afield for the information you need, there is even a SELinux mailing list I’m sure. And of course nothing is stopping you from experimenting with your own machine.

Sorry, but if you are frustrated that you don’t know how to find the information you need, no need to be rude, don’t take it out on me. :stuck_out_tongue:

You will need to enable SELinux in kernel & recompile it since SUSE kernels, IIRC, have SELinux disabled
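A practical way to settle the two open questions in this thread, why sestatus still reports disabled after /etc/selinux/config was filled in, and whether the kernel really has to be rebuilt, is to check each place SELinux can be switched off before changing anything. The script below is an added example and is not code from the openSUSE howto or from anyone in this thread. It assumes the standard libselinux config format (a `SELINUX=enforcing|permissive|disabled` line), that the running kernel's build config is readable as /boot/config-$(uname -r) as it normally is on openSUSE, and that a `selinux=0` boot parameter is honoured (which needs CONFIG_SECURITY_SELINUX_BOOTPARAM). The function names are mine, and the sample files are constructed for the demo, not quoted from the howto.

```shell
#!/bin/sh
# Added example, not from the openSUSE howto or this thread. Every file
# path is passed as an argument so the checks can be run against the
# constructed sample files at the bottom as well as a real system.

# 1. /etc/selinux/config: print the SELINUX= value, or "missing" when the
#    file is absent, empty (as the original poster found it) or has no
#    such line. Without that line nothing that reads the file at boot,
#    libselinux or the howto's own script, has a mode to apply.
selinux_config_mode() {
    config="$1"
    if [ ! -s "$config" ]; then
        echo "missing"
        return 0
    fi
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$config" | tail -n 1)
    if [ -z "$mode" ]; then
        echo "missing"
    else
        echo "$mode"
    fi
}

# 2. Kernel build config: "y" only if SELinux is compiled in. A kernel
#    without CONFIG_SECURITY_SELINUX cannot be enabled by any userspace
#    setting, so this is the one case where a rebuild is really needed.
kernel_has_selinux() {
    if grep -q '^CONFIG_SECURITY_SELINUX=y' "$1" 2>/dev/null; then
        echo "y"
    else
        echo "n"
    fi
}

# 3. Kernel command line: security= picks the LSM, so security=apparmor
#    (the SUSE default) sidelines SELinux even if it is compiled in, and
#    selinux=0 disables it explicitly. The last occurrence of each wins.
cmdline_selinux_enabled() {
    sel="1"
    sec=""
    for word in $1; do
        case "$word" in
            selinux=*)  sel="${word#selinux=}" ;;
            security=*) sec="${word#security=}" ;;
        esac
    done
    if [ "$sel" = "0" ]; then
        echo "n"
    elif [ -n "$sec" ] && [ "$sec" != "selinux" ]; then
        echo "n"
    else
        echo "y"
    fi
}

# 4. The howto's "setstatus" is a typo; the real tool is sestatus from
#    policycoreutils. Report which name is actually in PATH.
find_status_tool() {
    for name in sestatus setstatus; do
        if command -v "$name" >/dev/null 2>&1; then
            echo "$name"
            return 0
        fi
    done
    echo "none"
}

# Combine the checks in the order they can block SELinux, so the verdict
# names the first thing to fix rather than the last symptom.
selinux_verdict() {
    mode=$(selinux_config_mode "$1")
    kern=$(kernel_has_selinux "$2")
    cmd=$(cmdline_selinux_enabled "$3")
    if [ "$kern" = "n" ]; then
        echo "kernel-lacks-selinux"
    elif [ "$cmd" = "n" ]; then
        echo "disabled-on-cmdline"
    elif [ "$mode" = "missing" ]; then
        echo "config-missing"
    elif [ "$mode" = "disabled" ]; then
        echo "config-disabled"
    else
        echo "expect-$mode"
    fi
}

# Constructed sample inputs (not captured from a real machine): an empty
# config like the one reported above, a filled-in one, and kernel configs
# with and without SELinux compiled in.
demo=$(mktemp -d)
: > "$demo/config.empty"
printf 'SELINUX=permissive\nSELINUXTYPE=minimum\n' > "$demo/config.filled"
printf 'CONFIG_SECURITY=y\nCONFIG_SECURITY_SELINUX=y\n' > "$demo/kconfig.with"
printf 'CONFIG_SECURITY=y\nCONFIG_SECURITY_APPARMOR=y\n' > "$demo/kconfig.without"

echo "status tool in PATH:            $(find_status_tool)"
echo "empty config, SELinux kernel:   $(selinux_verdict "$demo/config.empty" "$demo/kconfig.with" 'root=/dev/sda2 quiet')"
echo "filled config, SELinux kernel:  $(selinux_verdict "$demo/config.filled" "$demo/kconfig.with" 'root=/dev/sda2 quiet')"
echo "filled config, AppArmor kernel: $(selinux_verdict "$demo/config.filled" "$demo/kconfig.without" 'root=/dev/sda2 quiet')"
echo "filled config, security=apparmor: $(selinux_verdict "$demo/config.filled" "$demo/kconfig.with" 'root=/dev/sda2 security=apparmor')"
rm -rf "$demo"
```

On a real box the call is `selinux_verdict /etc/selinux/config /boot/config-$(uname -r) "$(cat /proc/cmdline)"`. Only a `kernel-lacks-selinux` verdict calls for the kernel rebuild mentioned in the last post; `disabled-on-cmdline` means the bootloader entry needs `security=selinux` (and no `selinux=0`), and `config-missing` is exactly the empty-file situation the original poster described.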