On Fri, Feb 20, 2009 at 9:51 PM, Dennis Wronka <linuxweb@xxxxxxx> wrote:
> If you don't have the system-auth file and you're still able to login then
> either your system is not really using PAM or login doesn't reference
> system-auth.
> But from what I remember system-auth is not installed by default and you have
> to write it yourself.
> The default login-PAM-config, from the shadow-package, does reference
> system-auth, so I think login should fail if your system really uses PAM.
>
> When did you compile PAM? It should be compiled before shadow, so that shadow
> can be compiled with PAM-support.
>
> Also, which getty are you using? You should install mingetty, or you'll run
> into lots of problems that are caused by agetty under SELinux.
>
> As said, check your coreutils, notably id and ls, if they reference the
> SELinux-libs. If not you'll need to compile them again.
>
> Plugging SELinux into LFS is a bit tricky. In order not to have to compile too
> much twice you got to compile stuff in the right place during the process.
>
> I have attached my stage2-script for your reference. This is the order I
> compile my system in.
> I've got a lot of optional stuff in there, so simply disregard anything you
> don't need.
>
> Also, just out of curiosity: You're doing LFS to learn about the internals or
> do you just want to get an LFS-system with SELinux?
> In the latter case maybe I could interest you in my project, which also the
> attached script is taken from, EasyLFS.
>
> Regards,
> Dennis
>
> On Saturday 21 February 2009 07:10:37 Justin Mattock wrote:
>> On Fri, Feb 20, 2009 at 7:20 AM, Dennis Wronka <linuxweb@xxxxxxx> wrote:
>> > Are the coreutils compiled with SELinux-support?
>> > I just gave it a quick check and found that the -Z option is available in
>> > both id and ls without coreutils having actually been built without
>> > SELinux-libraries actually available.
>> >
>> > Could you check this:
>> > ldd $(which ls)
>> >
>> > This should show up a reference to libselinux.so.1
>> > If this reference is missing then I'd suggest recompiling the coreutils.
>> >
>> > On Friday 20 February 2009 23:03:37 you wrote:
>> >> On Fri, Feb 20, 2009 at 6:14 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>> >> > On Thu, 2009-02-19 at 23:04 -0800, Justin Mattock wrote:
>> >> >> I've a strange issue.
>> >> >> with my experimental learning machine(LFS)
>> >> >> I'm able to load the policy etc.. but have no labels
>> >> >> on my files.(just a question mark);
>> >> >>
>> >> >> ls -lZ shows
>> >> >>
>> >> >> drwxr-xr-x   2 root root ?  4096 Feb 18 11:19 bin
>> >> >> drwxr-xr-x   3 root root ?  4096 Feb 19 22:36 boot
>> >> >> lrwxrwxrwx   1 root 999  ?    11 Feb  9 16:34 cdrom -> media/cdrom
>> >> >> drwxr-xr-x  17 root root ?  4120 Feb 19 22:42 dev
>> >> >> drwxr-xr-x  28 root root ?  4096 Feb 19 22:47 etc
>> >> >> drwxr-xr-x   4 root root ?  4096 Feb 19 22:36 home
>> >> >> drwxr-xr-x   4 root root ?  4096 Feb 18 11:19 include
>> >> >> drwxr-xr-x  10 root root ?  4096 Feb 19 18:52 lib
>> >> >> drwx------   2 root root ? 16384 Feb  9 16:34 lost+found
>> >> >> drwxr-xr-x   3 root root ?  4096 Feb 19 22:42 media
>> >> >> drwxr-xr-x   3 root root ?  4096 Feb 11 12:09 mnt
>> >> >> drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 opt
>> >> >> dr-xr-xr-x 113 root root ?     0 Feb 19 22:42 proc
>> >> >> drwxr-xr-x   5 root root ?  4096 Feb 18 11:24 root
>> >> >> drwxr-xr-x   2 root root ?  4096 Feb 19 21:11 sbin
>> >> >> drwxr-xr-x   7 root root ?     0 Feb 19 22:42 selinux
>> >> >> drwxr-xr-x   8 root root ?  4096 Feb 18 11:19 share
>> >> >> drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 srv
>> >> >> drwxr-xr-x  12 root root ?     0 Feb 19 22:42 sys
>> >> >> drwxrwxrwt   5 root root ?  4096 Feb 19 22:50 tmp
>> >> >> drwxr-xr-x   6 root root ?  4096 Feb 11 12:05 tools
>> >> >> drwxr-xr-x  14 root root ?  4096 Feb 14 10:09 usr
>> >> >> drwxr-xr-x  10 root root ?  4096 Feb 18 22:31 var
>> >> >> lrwxrwxrwx   1 root root ?    24 Feb 10 13:11 vmlinuz -> /boot/vmlinuz-2.6.29-rc4
>> >> >>
>> >> >> if I do a id -Z I get:
>> >> >> id: --context (-Z) works only on an SELinux-enabled kernel
>> >> >> (but it is enabled in the kernel)
>> >> >
>> >> > sestatus shows what?
>> >> >
>> >> > To be fully "enabled" as far as userspace is concerned, SELinux has to
>> >> > be:
>> >> > - enabled in your kernel build,
>> >> > - enabled at boot,
>> >> > - policy has to be loaded
>> >> >
>> >> > grep SELINUX .config
>> >> > cat /etc/selinux/config
>> >> > dmesg | grep SELinux
>> >> >
>> >> >> From looking back, I enabled as much as possible in any app/lib I
>> >> >> was compiling
>> >> >> that provided selinux support.(libc,xserver,hal,dbus, etc..);
>> >> >> But could be missing an important app/lib that might make the
>> >> >> security labels give the proper label. by chance if anybody had
>> >> >> experienced this and/or knows what might be going on,(would be really
>> >> >> appreciated).
>> >> >>
>> >> >> regards;
>> >> >
>> >> > --
>> >> > Stephen Smalley
>> >> > National Security Agency
>> >>
>> >> Thanks for the reply.
>> >> here's what /usr/sbin/sestatus -vv (says);
>> >>
>> >> SELinux status:                 enabled
>> >> SELinuxfs mount:                /selinux
>> >> Current mode:                   permissive
>> >> Mode from config file:          permissive
>> >> Policy version:                 22
>> >> Policy from config file:        refpolicy
>> >>
>> >> Process contexts:
>> >> Current context:                system_u:system_r:local_login_t
>> >> Init context:                   system_u:system_r:init_t
>> >>
>> >> File contexts:
>> >> Controlling term:               system_u:object_r:devpts_t
>> >> /etc/passwd                     system_u:object_r:etc_t
>> >> /bin/bash                       system_u:object_r:shell_exec_t
>> >> /bin/login                      system_u:object_r:login_exec_t
>> >> /bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
>> >> /sbin/agetty                    system_u:object_r:getty_exec_t
>> >> /sbin/init                      system_u:object_r:init_exec_t
>> >> /lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:lib_t
>> >> /lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t
>> >>
>> >> I think this is some aterm,xproto,etc.. library/app(that I forgot to
>> >> install) that's responsible for displaying the security label info in
>> >> the shell.(example) when I use
>> >> audit2allow -d, I generate the correct security allow rules.
>> >> when running make relabel in the policy source directory, reacts as it
>> >> should.
>> >>
>> >> As for setting any options in the kernel. no
>> >> left everything as I've had in the past.
>> >> as for enabling everything. yes
>> >> - enabled in your kernel build,
>> >> - enabled at boot,
>> >> - policy has to be loaded
>> >>
>> >> I'll try adding these rules into the policy regardless of a
>> >> broken proto/low level communications thing.
>> >> didn't mean to cause any heat.
>> >>
>> >> regards;
>>
>> After looking at the situation, and looking at the
>> (LFS)manual at first you setup shadow with a root
>> password(to get things going); then later once you're up
>> and running you move from using shadow to using pam.
>> well I've managed to do that.
>> but I'm not seeing a /etc/pam.d/system-auth file
>> generated by the installer(probably have to manually pick my
>> session,password, account modules);
>> (positive side)
>> under ps aux (I'll have to attach them(before/after) as soon as I get a
>> chance); I finally see: /bin/login --
>> So hopefully once I get /etc/pam.d cleaned up(hopefully) I
>> should be logged into my SELinux user and have the right context.
>> keep in mind "hopefully".
>> regards;

As promised here is the attached ps auxZ as it seems I do have pam up and running, but am still (unfortunately) seeing no security labels. must have a missing protocol somewhere.

regards;
--
Justin P. Mattock
Attachment:
beforeafterpsauxZ
Description: Binary data
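The checks the thread asks for (Stephen's kernel-config, /etc/selinux/config and dmesg checks, Dennis's `ldd $(which ls)` check, and a count of `?` contexts in `ls -lZ` output), gathered into one diagnostic script. This is an added example, not code from any of the posters nor from the LFS or EasyLFS projects. The function names, the use of /proc/config.gz as a stand-in for `grep SELINUX .config` in the kernel tree, and the sample output strings are this example's own assumptions; the parsing helpers take command output as a string so they can be exercised on constructed samples without a live SELinux box.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread). Gathers the checks Stephen
# Smalley and Dennis Wronka asked for: kernel build, /etc/selinux/config, dmesg,
# whether id and ls are linked against libselinux, and whether files carry a
# label at all. Function names are this example's own, not from any tool.

# selinux_linked LDD_OUTPUT: succeed if `ldd <binary>` output names libselinux.
# Dennis's point: coreutils built with no libselinux present still accept -Z,
# but can never read a label.
selinux_linked() {
    printf '%s\n' "$1" | grep -q 'libselinux\.so'
}

# count_unlabeled LS_OUTPUT: number of `ls -lZ` entries whose context column
# (field 5) is "?", i.e. no label could be read for that inode.
# The leading "total N" line has too few fields and is skipped.
count_unlabeled() {
    printf '%s\n' "$1" | awk 'NF >= 5 && $5 == "?" { n++ } END { print n + 0 }'
}

# sestatus_field SESTATUS_OUTPUT KEY: value of one "Key: value" line from
# sestatus output, e.g. "Current mode". Contexts themselves contain colons,
# so only the first colon on the line is treated as the separator.
sestatus_field() {
    printf '%s\n' "$1" | awk -v k="$2" '
        index($0, k ":") == 1 { s = $0; sub(/^[^:]*:[ \t]*/, "", s); print s; exit }'
}

# run_live_checks: the same checks against the running system (some need
# root). Only invoked with --run so the file can also be sourced for testing.
run_live_checks() {
    echo "== kernel build (CONFIG_SECURITY_SELINUX*)"
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep SELINUX
    else
        echo "/proc/config.gz not available; run 'grep SELINUX .config' in the kernel tree"
    fi
    echo "== /etc/selinux/config"
    [ -r /etc/selinux/config ] && grep -v '^#' /etc/selinux/config
    echo "== kernel messages"
    dmesg 2>/dev/null | grep -i selinux
    echo "== coreutils linked against libselinux?"
    for bin in id ls; do
        path=$(command -v "$bin") || continue
        if selinux_linked "$(ldd "$path" 2>/dev/null)"; then
            echo "$bin ($path): libselinux linked"
        else
            echo "$bin ($path): NOT linked; rebuild coreutils with libselinux installed first"
        fi
    done
    echo "== unlabeled entries in /: $(count_unlabeled "$(ls -lZ / 2>/dev/null)")"
    if command -v sestatus >/dev/null 2>&1; then
        st=$(sestatus -v 2>/dev/null)
        echo "== sestatus: mode=$(sestatus_field "$st" 'Current mode') context=$(sestatus_field "$st" 'Current context')"
    fi
}

if [ "${1:-}" = "--run" ]; then
    run_live_checks
else
    # Constructed sample (made up to resemble the thread's listing, not copied
    # from a real host): one unlabeled entry, one labeled entry.
    sample_ls='total 8
drwxr-xr-x 2 root root ? 4096 Feb 18 11:19 bin
drwxr-xr-x 28 root root system_u:object_r:etc_t 4096 Feb 19 22:47 etc'
    echo "sample: $(count_unlabeled "$sample_ls") unlabeled entry in constructed listing"
fi
```

Run it as `sh selinux-diag.sh --run` on the box being debugged; without `--run` it only exercises the parsers on the constructed sample. If `id` and `ls` turn out not to be linked against libselinux, `-Z` is still accepted but the label can never be read, which is consistent with both the `?` column and the "works only on an SELinux-enabled kernel" message in the thread.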