SELinux on Karmic?

> Hi,
>
> On Thu, Sep 03, 2009 at 11:15:00AM -0400, John Dong wrote:
>> SELinux only relies on GRUB for passing in selinux=1 /
>> apparmor.enabled=0, correct?
>>
>> This system is actually upgraded from a stock Jaunty install so it's
>> currently running GRUB1. I see selinux=1 passed into the kernel but  
>> the
>> userland doesn't seem to react; sestatus reports itself as disabled,
>> nothing is mounted at /selinux, etc, which would lead me to suspect
>> something in addition to grub2 being the culprit?
>
> Actually, in addition to the grub2 stuff, the kernel changed how it  
> does
> LSM selection.  I think it needs to be security=selinux instead of
> selinux=1, but I haven't tested it myself.
>
> -Kees

> Hi,
>
> On Thu, Sep 03, 2009 at 11:15:00AM -0400, John Dong wrote:
>> SELinux only relies on GRUB for passing in selinux=1 /
>> apparmor.enabled=0, correct?
>>
>> This system is actually upgraded from a stock Jaunty install so it's
>> currently running GRUB1. I see selinux=1 passed into the kernel but  
>> the
>> userland doesn't seem to react; sestatus reports itself as disabled,
>> nothing is mounted at /selinux, etc, which would lead me to suspect
>> something in addition to grub2 being the culprit?
>
> Actually, in addition to the grub2 stuff, the kernel changed how it  
> does
> LSM selection.  I think it needs to be security=selinux instead of
> selinux=1, but I haven't tested it myself.
>
> -Kees
>
> --
> Kees Cook
> Ubuntu Security Team
>
> --
> ubuntu-hardened mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened

> On Fri, Sep 4, 2009 at 12:52 PM, John Dong <[hidden email]> wrote:
>> Indeed security=selinux worked as expected!
>>
>> Our selinux-policy-ubuntu still doesn't properly support X/GDM
>> sessions right? After enabling selinux I noticed post-login I was in
>> some weird system_u context.
>
> The selinux-policy-ubuntu should support X/GDM (at least it did on
> Hardy). There appears to be two things conspiring to make your login
> incorrect (both stemming from your system not getting relabeled
> correctly). The /etc/init.d/selinux script does not recognize ext4 as
> a good fs for relabeling (which is the default for karmic). Someone
> already posted a fix for this in:
> https://bugs.launchpad.net/bugs/371075. The other is that setfiles now
> does some additional checking itself to see if the filesystem supports
> relabeling. Unfortunately this checking not work if selinux is
> disabled. In fact, in this case it silently will fail to relabel. You
> can remedy the situation by scheduling a relabel and rebooting:
>
> /etc/init.d/selinux relabel
> reboot
>
> This is of course non-ideal.
>
> I have opened 2 bugs related to your report:
>
> https://bugs.launchpad.net/ubuntu/+source/selinux/+bug/428007
> https://bugs.launchpad.net/ubuntu/+source/policycoreutils/+bug/428043
>
> Unfortunately even after fixing these something else is wrong >.< as I
> end up in xdm_t on a graphical login. I'll have to take a closer look
> at the policy to find out why the proper transitions are not
> happening.
>
> Thanks!
>
> Caleb
>
> --
> ubuntu-hardened mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened

> Hi Caleb,
>
> On Mon, Sep 14, 2009 at 02:53:31PM -0400, Caleb Case wrote:
>> I have opened 2 bugs related to your report:
>>
>> https://bugs.launchpad.net/ubuntu/+source/selinux/+bug/428007
>> https://bugs.launchpad.net/ubuntu/+source/policycoreutils/+bug/428043
>
> Thanks for the patches!  When you've got debdiffs that need to be uploaded,
> please subscribe ubuntu-security and set their status to "In Progress", and
> we'll see them more quickly.  I'm getting these built and uploaded now.

>
> Thanks!
>
> -Kees
>
> --
> Kees Cook
> Ubuntu Security Team
>
> --
> ubuntu-hardened mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
>

>
>
>
> On Sep 14, 2009, at 2:53 PM, Caleb Case wrote:
>
>> On Fri, Sep 4, 2009 at 12:52 PM, John Dong <[hidden email]> wrote:
>>> Indeed security=selinux worked as expected!
>>>
>>> Our selinux-policy-ubuntu still doesn't properly support X/GDM
>>> sessions right? After enabling selinux I noticed post-login I was in
>>> some weird system_u context.
>>
>> The selinux-policy-ubuntu should support X/GDM (at least it did on
>> Hardy). There appears to be two things conspiring to make your login
>> incorrect (both stemming from your system not getting relabeled
>> correctly). The /etc/init.d/selinux script does not recognize ext4 as
>> a good fs for relabeling (which is the default for karmic). Someone
>> already posted a fix for this in:
>> https://bugs.launchpad.net/bugs/371075. The other is that setfiles now
>> does some additional checking itself to see if the filesystem supports
>> relabeling. Unfortunately this checking not work if selinux is
>> disabled. In fact, in this case it silently will fail to relabel. You
>> can remedy the situation by scheduling a relabel and rebooting:
>>
>> /etc/init.d/selinux relabel
>> reboot
>>
>> This is of course non-ideal.
>>
>> I have opened 2 bugs related to your report:
>>
>> https://bugs.launchpad.net/ubuntu/+source/selinux/+bug/428007
>> https://bugs.launchpad.net/ubuntu/+source/policycoreutils/+bug/428043
>>
>> Unfortunately even after fixing these something else is wrong >.< as I
>> end up in xdm_t on a graphical login. I'll have to take a closer look
>> at the policy to find out why the proper transitions are not
>> happening.
>>
>> Thanks!
>>
>> Caleb
>>
>> --
>> ubuntu-hardened mailing list
>> [hidden email]
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
>
>
> --
> ubuntu-hardened mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
>

> On Mon, Sep 14, 2009 at 2:56 PM, John Dong <[hidden email]> wrote:
>> Thanks for your insight, Caleb!
>>
>> I've gotten to the point where I can reproduce ending up as xdm_t;  
>> I'm
>> glad to know that it's not just me going crazy :)
>
> Heh :o)
>
> Alright it appears that others have run into this before:
>
> http://marc.info/?l=selinux&m=125250111327104&w=2
>
> If I change the /etc/pam.d/gdm to:
>
> #%PAM-1.0
> auth    [success=ok ignore=ignore module_unknown=ignore default=bad]
> pam_sepermit.so close
> auth    requisite       pam_nologin.so
> auth    required        pam_env.so readenv=1
> auth    required        pam_env.so readenv=1 envfile=/etc/default/
> locale
> @include common-auth
> auth    optional        pam_gnome_keyring.so
> @include common-account
> session [success=ok ignore=ignore module_unknown=ignore default=bad]
> pam_selinux.so close
> session required        pam_limits.so
> @include common-session
> session [success=ok ignore=ignore module_unknown=ignore default=bad]
> pam_selinux.so open
> session optional        pam_gnome_keyring.so auto_start
> @include common-password
>
> My login is unconfined_t (as it should be). The same kinds of changes
> would need to also happen to /etc/pam.d/gdm-autologin.
>
> I've opened this bug for it: https://bugs.launchpad.net/bugs/430205