Package: selinux-basics
Version: 0.3.5+nmu1

In the spirit of the debian-installer installation reports, here is my experience in trying again to install selinux. Please clone and reassign as appropriate, then close this bug.
I started with a fresh Debian installation. cvs is not installed this time, so the problems mentioned before were not an obstacle.

Following the instructions at <http://wiki.debian.org/SELinux/Setup>:

[ok] Make sure you are using an SELinux capable kernel and filesystem.
[ok] Get the targeted policy and a basic set of SELinux packages by running apt-get install selinux-basics selinux-policy-default.
[ok] Run selinux-activate to configure GRUB and PAM and to create /.autorelabel
[ok] Reboot, it will take a while to label the filesystems on boot and then it will automatically reboot a second time when that is complete.
[fail] startx.
[ ] Run check-selinux-installation to check that everything has been set up correctly and to catch common SELinux problems. (Note: old-style-ptys aren't serious.)

Details:

[ok] Make sure you are using an SELinux capable kernel and filesystem.

The filesystem is ext4 with xattrs and so on turned on. The kernel was built with 'make deb-pkg' from the latest torvalds tree, plus an unrelated patch to fix the build with dash as sh.

| $ grep SELINUX /boot/config-2.6.33-rc2-00251-gd19a0b8
| CONFIG_SECURITY_SELINUX=y
| CONFIG_SECURITY_SELINUX_BOOTPARAM=y
| CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
| # CONFIG_SECURITY_SELINUX_DISABLE is not set
| CONFIG_SECURITY_SELINUX_DEVELOP=y
| # CONFIG_SECURITY_SELINUX_AVC_STATS is not set
| CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
| # CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
| CONFIG_DEFAULT_SECURITY_SELINUX=y

[ok] Get the targeted policy and a basic set of SELinux packages by running apt-get install selinux-basics selinux-policy-default.
| # tac /var/log/aptitude | sed '1,/^===/ d' | sed -n '1,/^===/ p' | tac
| ===============================================================================
| [INSTALL, DEPENDENCIES] bwidget
| [INSTALL, DEPENDENCIES] checkpolicy
| [INSTALL, DEPENDENCIES] libglade2-0
| [INSTALL, DEPENDENCIES] libqpol1
| [INSTALL, DEPENDENCIES] libsemanage-common
| [INSTALL, DEPENDENCIES] libsemanage1
| [INSTALL, DEPENDENCIES] libsetools-tcl
| [INSTALL, DEPENDENCIES] libustr-1.0-1
| [INSTALL, DEPENDENCIES] libxss1
| [INSTALL, DEPENDENCIES] policycoreutils
| [INSTALL, DEPENDENCIES] python-selinux
| [INSTALL, DEPENDENCIES] python-semanage
| [INSTALL, DEPENDENCIES] python-sepolgen
| [INSTALL, DEPENDENCIES] selinux-utils
| [INSTALL, DEPENDENCIES] tcl8.5
| [INSTALL] selinux-basics
| [INSTALL] selinux-policy-default
| [INSTALL] sepol-utils
| [INSTALL] setools
| [INSTALL] tk8.5

Configuring the policy package succeeds:

| Setting up selinux-policy-default (2:0.2.20091117-1) ...
| Notice: Trying to link (but not load) a default policy.
| This process may fail -- you should check the results, and
| you need to switch to this policy yourself anyway.
|
| Locating modules
| Calculating dependencies between modules
| Ordering modules based on dependencies
| Selecting modules based on installed packages
| Loaded modules dbus netutils ssh xserver consoletype devicekit rsync dhcp pythonsup
| port usbmodules gpg ptchown wm vbetool tzdata consolekit ftp sudo
| changed policy type to default as the "refpolicy" names are obsolete
| Setting up sepol-utils (2.0.40-2) ...
| Setting up setools (3.3.6.ds-6) ...

[ok] Run selinux-activate to configure GRUB and PAM and to create /.autorelabel

Uneventful, no unexpected messages.

[ok but strange messages] Reboot, it will take a while to label the filesystems on boot and then it will automatically reboot a second time when that is complete.

Rebooted manually with kexec with boot parameter selinux=1. Took a very long time to label everything. Eventually it rebooted.
At this point, there were several messages indicating the policy might not be quite right.

udev was not allowed to probe for drivers:

| [ 7.173437] Linux agpgart interface v0.103
| [ 7.911845] type=1400 audit(1262401648.667:3): avc: denied { associate } for pid=692 comm="modprobe" name="event0" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem

(so udev is not allowed to look for a driver for event0)

| [ 8.890951] yenta_cardbus 0000:00:03.0: Socket status: 30000069
| [ 8.904746] type=1400 audit(1262401649.656:4): avc: denied { module_request } for pid=670 comm="modprobe" kmod="pcmcia" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system
| [ 8.921346] yenta_cardbus 0000:00:03.1: CardBus bridge found [1028:00b0]

(nor for pcmcia)

| [ 10.515415] ath: Regpair used: 0x60
| [ 10.526237] type=1400 audit(1262401651.276:5): avc: denied { module_request } for pid=878 comm="cryptomgr_probe" kmod="ecb" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
| [ 10.569318] phy0: Selected rate control algorithm 'minstrel'

(I can't pretend to understand this one.)

| [ 11.568845] Adding 1461872k swap on /dev/sda5. Priority:-1 extents:1 across:1461872k
| [ 11.586875] type=1400 audit(1262401652.336:6): avc: denied { setsched } for pid=942 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process
| [ 11.927007] type=1400 audit(1262401652.676:7): avc: denied { write } for pid=959 comm="mount" name="mtab" dev=sda1 ino=140 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
| [ 11.928320] type=1400 audit(1262401652.676:8): avc: denied { append } for pid=959 comm="mount" name="mtab" dev=sda1 ino=140 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
| [ 12.197685] loop: module loaded

mount

| [ 13.847257] IBM TrackPoint firmware: 0x0b, buttons: 2/3
| [ 13.859377] type=1400 audit(1262401654.606:9): avc: denied { append } for pid=889 comm="ifup" name="ifstate" dev=sda1 ino=22 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
| [ 13.900213] type=1400 audit(1262401654.646:10): avc: denied { unlink } for pid=889 comm="ifup" name="ifstate" dev=sda1 ino=22 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

ifup

| [ 14.107196] input: TPPS/2 IBM TrackPoint as /devices/platform/i8042/serio1/serio2/input/input5
| [ 14.390685] type=1400 audit(1262401655.146:11): avc: denied { create } for pid=1147 comm="wpa_supplicant" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_socket
| [ 14.391169] type=1400 audit(1262401655.146:12): avc: denied { setopt } for pid=1147 comm="wpa_supplicant" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_socket
| [ 14.391592] type=1400 audit(1262401655.146:13): avc: denied { bind } for pid=1147 comm="wpa_supplicant" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_socket
| [ 14.392010] type=1400 audit(1262401655.146:14): avc: denied { getattr } for pid=1147 comm="wpa_supplicant" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_socket
| [ 14.392551] type=1400 audit(1262401655.146:15): avc: denied { write } for pid=1147 comm="wpa_supplicant" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_socket
| [ 14.393080] type=1400 audit(1262401655.146:16): avc: denied { read } for pid=1147 comm="wpa_supplicant" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_socket
| [ 14.425658] type=1400 audit(1262401655.176:17): avc: denied { nlmsg_write } for pid=1147 comm="wpa_supplicant" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_route_socket
| [ 14.442245] type=1400 audit(1262401655.196:18): avc: denied { create } for pid=1147 comm="wpa_supplicant" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=packet_socket
| [ 14.442840] type=1400 audit(1262401655.196:19): avc: denied { module_request } for pid=1147 comm="wpa_supplicant" kmod="net-pf-17" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system
| [ 14.527365] type=1400 audit(1262401655.276:20): avc: denied { ioctl } for pid=1147 comm="wpa_supplicant" path="socket:[5039]" dev=sockfs ino=5039 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=packet_socket
| [ 18.670608] wlan0: direct probe to AP 00:16:b6:c7:42:de (try 1)

wpa_supplicant

| restorecond: Unable to watch (/etc/samba/secrets.tdb) No such file or directory
| restorecond: Unable to watch (/var/run/network/ifstate) No such file or directory
| restorecond: Unable to watch (/root/.ssh/*) No such file or directory

Perhaps these messages should be suppressed.

| 21:07:40 progeny smartd[1670]: Device: /dev/sda, type changed from 'scsi' to 'sat'
| 21:07:40 progeny kernel: [ 19.691683] audit_printk_skb: 69 callbacks suppressed
| 21:07:40 progeny kernel: [ 19.691746] type=1400 audit(1262401660.446:44): avc: denied { module_request } for pid=1180 comm="wpa_supplicant" kmod="aes" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system
| 21:07:40 progeny wpa_supplicant[1180]: CTRL-EVENT-CONNECTED - Connection to 00:16:b6:c7:42:de completed (auth) [id=0 id_str=]

??, wpa_supplicant

| 21:07:41 progeny smartd[1670]: Device: /dev/sda [SAT], 3 Currently unreadable (pending) sectors
| 21:07:43 progeny kernel: [ 22.785175] type=1400 audit(1262401663.536:45): avc: denied { module_request } for pid=1888 comm="sshd" kmod="net-pf-10" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system
| 21:07:44 progeny kernel: [ 23.869420] type=1400 audit(1262401664.616:46): avc: denied { read write } for pid=1989 comm="udevadm" path="socket:[6017]" dev=sockfs ino=6017 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=unix_dgram_socket

So I rebooted with kexec. Most of the old messages were gone, but I got some new ones:

| 21:16:29 progeny login[2082]: pam_selinux(login:session): pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 success 1
| 21:17:01 progeny kernel: [ 65.343049] type=1400 audit(1262402221.114:45): avc: denied { open } for pid=2956 comm="cron" name="shadow" dev=sda1 ino=7070 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file

[fail] startx.

Trying to start X to start a browser and see what to do next was not a good idea.

The default session (one xterm) opened fine, but the mouse was stuck in the middle of the screen and keyboard input not accepted. Ctrl+Alt+F1 does not work. SysRq+R works but is not enough to make Alt+F1 work. Ctrl+Alt+Bksp does not work. Ctrl+Alt+Del does not work. So SysRq + S,U,B it is.

| 21:17:11 progeny kernel: [ 76.061606] type=1401 audit(1262402231.834:46): security_compute_sid: invalid context unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_exec_t:s0 tclass=process
| 21:17:12 progeny kernel: [ 76.497027] type=1400 audit(1262402232.264:47): avc: denied { associate } for pid=2978 comm="Xorg" name="vcs7" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
| 21:17:13 progeny kernel: [ 77.778369] type=1401 audit(1262402233.544:48): security_compute_sid: invalid context unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=process
| 21:17:13 progeny kernel: [ 77.784967] type=1401 audit(1262402233.554:49): security_compute_sid: invalid context unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=process
| 21:17:13 progeny kernel: [ 78.203347] SELinux: Context unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 would be invalid if enforcing
| 21:17:14 progeny kernel: [ 78.394525] SELinux: Context unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 would be invalid if enforcing
| 21:17:14 progeny kernel: [ 79.024231] SELinux: Context unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 would be invalid if enforcing
| 21:17:14 progeny kernel: [ 79.199072] type=1400 audit(1262402234.964:50): avc: denied { execute_no_trans } for pid=3005 comm="dbus-daemon" path="/usr/lib/dbus-1.0/dbus-daemon-launch-helper" dev=sda1 ino=4740 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
| 21:17:15 progeny kernel: [ 79.324740] type=1400 audit(1262402235.094:51): avc: denied { read } for pid=3006 comm="console-kit-dae" name="console" dev=sda1 ino=32817 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_console_t:s0 tclass=dir
| 21:17:15 progeny kernel: [ 79.324937] type=1400 audit(1262402235.094:52): avc: denied { open } for pid=3006 comm="console-kit-dae" name="console" dev=sda1 ino=32817 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_console_t:s0 tclass=dir
| 21:17:15 progeny ck-launch-session: error connecting to ConsoleKit
| 21:17:15 progeny kernel: [ 79.407802] SELinux: Context unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 would be invalid if enforcing
| 21:17:15 progeny kernel: [ 79.498406] SELinux: Context unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 would be invalid if enforcing
| 21:17:15 progeny kernel: [ 79.556539] SELinux: Context unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 would be invalid if enforcing
| 21:17:15 progeny kernel: [ 79.824010] SELinux: Context unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 would be invalid if enforcing
| 21:17:15 progeny kernel: [ 79.978884] SELinux: Context unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 would be invalid if enforcing
| 21:25:05 progeny kernel: [ 549.582776] type=1400 audit(1262402705.356:53): avc: denied { read } for pid=1183 comm="wpa_supplicant" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=packet_socket
| 21:25:05 progeny kernel: [ 549.583454] type=1400 audit(1262402705.356:54): avc: denied { write } for pid=1183 comm="wpa_supplicant" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_socket
| 21:25:05 progeny kernel: [ 549.583908] type=1400 audit(1262402705.356:55): avc: denied { read } for pid=1183 comm="wpa_supplicant" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_socket
| 21:25:05 progeny kernel: [ 549.584303] type=1400 audit(1262402705.356:56): avc: denied { write } for pid=1183 comm="wpa_supplicant" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=packet_socket
| 21:25:36 progeny kernel: [ 580.544181] SysRq : Emergency Sync
| 21:25:36 progeny kernel: [ 580.544376] Emergency Sync complete
| 21:25:39 progeny kernel: [ 583.848437] SysRq : Emergency Remount R/O
| 21:26:21 progeny kernel: [ 0.000000] Linux version 2.6.33-rc2-00251-gd19a0b8 (j...@progeny) (gcc version 4.4.2 (Debian 4.4.2-8) ) #2 PREEMPT Fri Jan 1 19:47:34 UTC 2010

I'll try check-selinux-installation next. Any ideas would be welcome.

Jonathan

| $ dpkg -l selinux-utils policycoreutils selinux-basics selinux-policy-default
| Desired=Unknown/Install/Remove/Purge/Hold
| | Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
| |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
| ||/ Name            Version         Description
| +++-===============-===============-==============================================
| ii  policycoreutils 2.0.77-1        SELinux core policy utilities
| ii  selinux-basics  0.3.5+nmu1      SELinux basic support
| ii  selinux-policy- 2:0.2.20091117- Strict and Targeted variants of the SELinux po
| ii  selinux-utils   2.0.89-4        SELinux utility programs
| $
| $ uname -a
| Linux progeny 2.6.33-rc2-00251-gd19a0b8 #2 PREEMPT Fri Jan 1 19:47:34 UTC 2010 i686 GNU/Linux
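The type=1400 AVC denials and type=1401 invalid-context records quoted throughout this report share one format. As an added example that is not part of the bug report or of the selinux-basics package, the Python script below parses a few constructed lines modelled on those records and groups the denied permissions by source domain, target type and object class, which is the first triage step before deciding whether a denial means a missing allow rule or (as with wpa_supplicant running in udev_t) a missing domain transition or label. All sample lines and function names are constructed here.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the kernel audit lines quoted in the report.
SAMPLE_LOG = """\
[ 8.904746] type=1400 audit(1262401649.656:4): avc: denied { module_request } for pid=670 comm="modprobe" kmod="pcmcia" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system
[ 11.927007] type=1400 audit(1262401652.676:7): avc: denied { write } for pid=959 comm="mount" name="mtab" dev=sda1 ino=140 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
[ 11.928320] type=1400 audit(1262401652.676:8): avc: denied { append } for pid=959 comm="mount" name="mtab" dev=sda1 ino=140 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
[ 14.390685] type=1400 audit(1262401655.146:11): avc: denied { create } for pid=1147 comm="wpa_supplicant" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_socket
[ 76.061606] type=1401 audit(1262402231.834:46): security_compute_sid: invalid context unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_exec_t:s0 tclass=process
"""

# type=1400: which permissions were denied between which security contexts.
AVC_RE = re.compile(
    r'type=1400 .*?avc: +denied +\{ (?P<perms>[^}]*)\} .*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
# type=1401: the kernel computed a context that the loaded policy does not consider
# valid (typically the role is not authorised for the type), so the transition fails.
INVALID_RE = re.compile(r'type=1401 .*?invalid context (?P<ctx>\S+) for scontext=')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] context string."""
    return ctx.split(':')[2]


def summarize(log_text):
    """Group denials as (source type, target type, class) -> set of permissions,
    record which programs (comm) triggered each group, and collect invalid contexts."""
    denials, comms, invalid = defaultdict(set), defaultdict(set), set()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (context_type(m['scontext']), context_type(m['tcontext']), m['tclass'])
            denials[key].update(m['perms'].split())
            comms[key].add(m['comm'])
            continue
        m = INVALID_RE.search(line)
        if m:
            invalid.add(m['ctx'])
    return denials, comms, invalid


def report(log_text):
    """Render one line per denial group plus one per invalid context."""
    denials, comms, invalid = summarize(log_text)
    lines = [f"{s} -> {t}:{c} denied {{ {' '.join(sorted(p))} }} (comm: {', '.join(sorted(comms[(s, t, c)]))})"
             for (s, t, c), p in sorted(denials.items())]
    return lines + [f"invalid context: {ctx}" for ctx in sorted(invalid)]


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_LOG)))
```

Grouping by source type rather than by program is what exposes the labelling problem in this report: every wpa_supplicant denial is attributed to udev_t, so adding allow rules for udev_t would widen udev's domain instead of fixing the missing transition.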