Tycho,
I am having an issue with SELinux. We have servers currently deployed with Red Hat Enterprise Linux on them and they required enhanced access controls. I have already recommended that we use SELinux to increase the security of our access controls for users and files. I am attempting to work through a book on SELinux in order to make recommendations about how it can be leveraged on these systems. The book exercises lead me to an example where I am running "chcat -l -- +Salaries myuser".
RHEL 6.7 is unable to create the security context. I am in mls mode. I grabbed a source version of the most recent build of SELinux so that I could build libsepol and semanage from source and see if that made a difference. I found that Red Hat had a bug report where semanage is faulty within their distribution and that a patch had been issued and everything, but it looks like the patch is for Fedora. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1048524
The latest version of SELinux requires a compiler in excess of what ships with RHEL 6.7. I upgraded to the 6.1 version of gcc and installed all the dependencies and crossed my fingers and ran make. Unfortunately libsepol cannot compile because: """ util.c:127: error: 'low_bit' may be used uninitialized in this function """ I can't get any of it to compile even when I set the LIBDIR to lib64 and run make with --disable-multilib.
Forgive me, I'm a beginner, I've never written a driver or kernel module, and I don't know what that means. The Red Hat guide for SELinux provides a gist for MLS. I can work through that and will. I am concerned that there will be no way to get this running given the OS and the documentation and a clean source build.
In order to get a more current version of SELinux and gcc I will have to go to RHEL 7. RHEL 7 features grub2 and I still have to figure out how to audit that at boot time, and additionally there is a use-after-free vulnerability that has me worried about access control credentials getting snooped. I can't let that happen, and Red Hat says the vulnerability does not affect RHEL 6.7. That, I believe, is a separate issue.
There are a lot of appliances affected by this, I will need help writing configuration scripts to get them all into MLS mode and enforcing.
Please forgive me if this isn't the proper forum for this.
My system is unable to create the MLS context when I run the chcat -l command using the Red Hat-supplied packages: """ libsepol.mls_from_string: invalid MLS context s0-s0:Salaries (No such file or directory) """
The contents of my /etc/selinux/mls/setrans.conf are as follows:

# Uncomment the following to disable translation library
# disable=1
#
# Objects can be labeled with one of 16 levels and be categorized with 0-1023
# categories defined by the admin.
# Objects can be in more than one category at a time.
# Users can modify this table to translate the MLS labels for different purpose.
#
# Assumptions: using below MLS labels.
# SystemLow
# SystemHigh
# Unclassified
# Secret with compartments A and B.
#
# SystemLow and SystemHigh
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh
s0:c102=Contracts
s0:c103=Salaries
s0-s0:c1.c127=FinanceData
# Unclassified level
s1=Unclassified
# Secret level with compartments
s2=Secret
s2:c0=A
s2:c1=B
# ranges for Unclassified
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
s1-s15:c0.c1023=Unclassified-SystemHigh
# ranges for Secret with compartments
s0-s2=SystemLow-Secret
s0-s2:c0=SystemLow-Secret:A
s0-s2:c1=SystemLow-Secret:B
s0-s2:c0,c1=SystemLow-Secret:AB
s1-s2:c0=Unclassified-Secret:A
s1-s2:c1=Unclassified-Secret:B
s1-s2:c0,c1=Unclassified-Secret:AB
s2-s2:c0=Secret-Secret:A
s2-s2:c1=Secret-Secret:B
s2-s2:c0,c1=Secret-Secret:AB
s2-s15:c0.c1023=Secret-SystemHigh
s2:c0-s2:c0,c1=Secret:A-Secret:AB
s2:c0-s15:c0.c1023=Secret:A-SystemHigh
s2:c1-s2:c0,c1=Secret:B-Secret:AB
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
Sincerely,
Jesse Bacon
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
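Added example, not part of Jesse's message and not Red Hat's own tooling: a configuration script of the kind the message asks for, written to the switch-over procedure documented in the RHEL 6 Security-Enhanced Linux guide (install selinux-policy-mls, set SELINUXTYPE=mls, boot permissive with a full relabel, then switch to enforcing). The config path /etc/selinux/config, the table path /etc/selinux/mls/setrans.conf, the service name "mcstrans", the two-phase layout and the environment overrides are this example's assumptions. The syntax check only recognises the simple "raw-label=translation" lines that appear in the posted setrans.conf; it does not diagnose the chcat failure, it just catches lines mcstransd would not be able to read in that form.

```sh
#!/bin/sh
# Added example: move a RHEL 6 host to the MLS policy in two phases, following
# the RHEL 6 SELinux guide. Paths, service name and phase split are assumptions
# of this example, not taken from the original post or from Red Hat's scripts.
set -e

SELINUX_CONFIG="${SELINUX_CONFIG:-/etc/selinux/config}"          # assumed path
SETRANS_CONF="${SETRANS_CONF:-/etc/selinux/mls/setrans.conf}"    # assumed path

# set_selinux_kv FILE KEY VALUE: rewrite "KEY=..." in FILE, or append it if
# absent, leaving the commented explanation lines in the file untouched.
set_selinux_kv() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^${key}=" "$file"; then
        sed -i "s/^${key}=.*/${key}=${value}/" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_selinux_kv FILE KEY: print the effective (last) value of KEY.
get_selinux_kv() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# setrans_syntax_check FILE: print the number of lines that are neither
# comment/blank nor "disable=0|1" nor of the simple raw-label=translation form
# (raw label: sN[:cN[.cN|,cN ...]][-sN[:cN ...]]). A non-zero count flags
# lines outside that form for manual review before mcstransd is restarted.
setrans_syntax_check() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" \
      | grep -v -E '^(disable=[01]|s[0-9]+(:c[0-9]+([.,]c[0-9]+)*)?(-s[0-9]+(:c[0-9]+([.,]c[0-9]+)*)?)?=[^=]+)$' \
      | wc -l | tr -d ' '
}

# Phase 1 (run as root, then reboot): install the MLS policy, select it, stay
# permissive so the first boot only logs denials, and force a full relabel.
mls_phase1() {
    yum -y install selinux-policy-mls
    set_selinux_kv "$SELINUX_CONFIG" SELINUXTYPE mls
    set_selinux_kv "$SELINUX_CONFIG" SELINUX permissive
    touch /.autorelabel
    echo "Reboot now. After the relabel, review 'ausearch -m avc' before phase2."
}

# Phase 2 (after a clean permissive boot): check the translation table, switch
# to enforcing, and restart mcstransd so setrans.conf edits take effect.
mls_phase2() {
    bad=$(setrans_syntax_check "$SETRANS_CONF")
    if [ "$bad" != "0" ]; then
        echo "$SETRANS_CONF: $bad unrecognised line(s); fix before enforcing" >&2
        exit 1
    fi
    set_selinux_kv "$SELINUX_CONFIG" SELINUX enforcing
    setenforce 1
    service mcstrans restart
    sestatus
}

case "${1:-}" in
    phase1) mls_phase1 ;;
    phase2) mls_phase2 ;;
    check)  setrans_syntax_check "$SETRANS_CONF" ;;
esac
```

Run "phase1" as root, reboot, inspect the audit log for denials, then run "phase2". Keeping the first boot permissive means a mislabelled file or login mapping only logs a denial instead of blocking the login, and the relabel on that boot is what applies the mls type's file contexts. The "check" subcommand can be run on its own against a setrans.conf before it is installed.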