selinux on lucid

Hey folks,

I've been playing with selinux on lucid recently and I'm looking for
the right place to report two issues:

  1) There seems to be an issue with the refpolicy versions.  the
poilcy selinux-ubuntu is based on an old version of the refpolicy
(Version: 0.2.20090730).  It's also different from selinux-policy-src
(Version: 2:0.2.20091117). selinux-policy-ubuntu is based on the newer
refpolicy, but it seems to conflict with selinux:

  $ apt-cache show selinux-policy-default | grep Conflicts
  Conflicts: cron (<< 3.0pl1-87.2sel), fcron (<< 2.9.3-3), logrotate
(<< 3.7.1-1), procps (<< 1:3.1.15-1), selinux,
selinux-policy-refpolicy-strict, selinux-policy-refpolicy-targeted,
sysvinit (<< 2.86.ds1-1.se1)

This makes it difficult to create custom policies.

  2) according to /proc, dev is mounted as /devtmpfs, which selinux
doesn't know how to treat by default (it gets labeled as
system_u:object_r:unlabeled_t). on #selinux, I found that by adding:

  fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);

to policy/modules/kernel/filesystem.te, rebuilding and reloading
base.pp, /dev/ is suddenly recognized and is labeled
system_u:object_r:device_t:s0. This is true in both
selinux-policy-default (refpolicy version 2:0.2.20091117-1) and
selinux-policy-ubuntu (refpolicy version 0.2.20090730)

do I open bugs on ubuntu or with tresys?

Cheers,
/peter

--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened

Hi Peter,

On Mon, Apr 05, 2010 at 12:40:12PM -0700, Peter Moody wrote:
Hm, that's a packaging bug in selinux-policy-default, it needs to have
a versioned Conflict on "selinux", as we've done for some of the other
packages.

Probably both, I'm not sure what the most correct solution for /dev
should be, but I can fix the selinux-policy-default version glitch.  :)

Thanks!

-Kees

--
Kees Cook
Ubuntu Security Team

--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened

On Mon, Apr 5, 2010 at 1:01 PM, Kees Cook <[hidden email]> wrote:
https://bugs.launchpad.net/ubuntu/+source/selinux-policy-default/+bug/556697

So the suggestion from #selinux, to add the line:

  fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);

to kernel/filesystem.te and rebuilding/reinstalling base.pp works.
did you want me to file another bug on launchpad for this (I'm going
to separately try to get tresys to fix it in the refpolicy)

>
> Thanks!
>
> -Kees
>
> --
> Kees Cook
> Ubuntu Security Team
>

--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened

Hi Peter,

On Tue, Apr 06, 2010 at 10:58:32AM -0700, Peter Moody wrote:
> https://bugs.launchpad.net/ubuntu/+source/selinux-policy-default/+bug/556697

Cool; I uploaded a fix for this yesterday; hopefully it is sufficient.

Yeah, if you could open a bug, that'd be nice.  Sounds like both refpolicy
and refpolicy-ubuntu packages need to be adjusted for this.

Caleb, do you have any other changes to go into refpolicy-ubuntu for
the Lucid cycle?

-Kees

--
Kees Cook
Ubuntu Security Team

--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened

Peter Moody wrote:
> On Mon, Apr 5, 2010 at 1:01 PM, Kees Cook<[hidden email]>  wrote:
<snip>

Tresys is aware of the change needed for refpolicy (and the maintainer
is CC'd on this email).


--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened

On Tue, Apr 6, 2010 at 11:18 AM, Joshua Brindle <[hidden email]> wrote:
Ok cool, so I'll open another bug on launchpad but leave the tresys
bug report alone.

Cheers,
/peter

> --
> ubuntu-hardened mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
>

--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened