Nall Design Works http://www.nall.com/blog SELinux and Multilevel Security Sat, 19 Jun 2010 14:13:31 +0000 en hourly 1 http://wordpress.org/?v=3.0 VMWare Fusion port forwarding http://www.nall.com/blog/?p=106 http://www.nall.com/blog/?p=106#comments Mon, 14 Jun 2010 01:32:42 +0000 admin http://www.nall.com/blog/?p=106 I needed to forward port 2020 on my laptop to a VM for test

 sudo vi "/Library/Application Support/VMware Fusion/vmnet8/nat.conf"

Edit the [incomingtcp] stanza and add the port forward. 192.168.243.138 is the VM IP address.

[incomingtcp]
2020 = 192.168.243.138:2020

Restart VMware Fusion networking.

 sudo "/Library/Application Support/VMware Fusion/boot.sh" --restart
]]> http://www.nall.com/blog/?feed=rss2&p=106 0 MacBook Pro VMWare xorg.conf for Fedora 10 Enforcing http://www.nall.com/blog/?p=104 http://www.nall.com/blog/?p=104#comments Fri, 11 Jun 2010 15:42:59 +0000 admin http://www.nall.com/blog/?p=104

]]> http://www.nall.com/blog/?feed=rss2&p=104 0 Turning on MLS in Fedora 13 (v2) http://www.nall.com/blog/?p=96 http://www.nall.com/blog/?p=96#comments Thu, 10 Jun 2010 15:36:40 +0000 admin http://www.nall.com/blog/?p=96 Download Fedora 13 from http://fedoraproject.org/get-fedora
Boot and install a gnome desktop (I haven’t tested KDE).
Login and do the following:

 su -
 yum update
 yum install selinux-policy-mls policycoreutils-gui
 yum erase setroubleshoot-server
 sed -i -e "s/targeted/mls/" /etc/selinux/config
 touch /.autorelabel
 chkconfig mcstrans on
 reboot

Per Dan Walsh, setroubleshoot needs to be removed because sedispatch, a component of setroubleshoot-server runs at SystemHigh and can’t talk to the SystemLow system DBus, generating an endless stream of AVCs. After the reboot, login as root on a VT and

 semanage user -a -r SystemLow-SystemHigh -L SystemLow -R staff_r staff_u
 semanage login -a -s staff_u joe
 setsebool allow_execmem on
 newrole -r secadm_r
 rm -f /var/log/audit/audit.log
 reboot

Replace joe with your user name.

You can login as yourself through gdm at this point. The allow_execmem boolean allows firefox to work when run as staff_t.

]]> http://www.nall.com/blog/?feed=rss2&p=96 0 Turning on MLS in Fedora 13 http://www.nall.com/blog/?p=7 http://www.nall.com/blog/?p=7#comments Thu, 10 Jun 2010 03:13:22 +0000 admin http://www.nall.com/blog/?p=7 Download Fedora 13 from http://fedoraproject.org/get-fedora
Boot and install a gnome desktop (I haven’t tested KDE).
Login and do the following:

 su -
 yum update
 yum install selinux-policy-mls
 yum erase setroubleshoot-server
 sed -i -e "s/targeted/mls/" /etc/selinux/config
 touch /.autorelabel
 chkconfig mcstrans on
 reboot

sedispatch, a component of setroubleshoot-server generates an endless stream of AVCs (Bug 602502) that resemble

sedispatch avc


so I chose to remove it. After the reboot, login as root on a VT and

 semanage user -a -r SystemLow-SystemHigh -L SystemLow -R staff_r staff_u
 semanage login -a -s staff_u joe
 newrole -r secadm_r -l SystemHigh
 rm -f /var/log/audit/audit.log
 reboot

Replace joe with your user name.

You can login as yourself through gdm at this point. I tried to start firefox, but it died with a segmentation violation (Bug 602518).

Firefox dies

I’m pretty impressed that something so out of the mainstream works so well on a first try.

]]> http://www.nall.com/blog/?feed=rss2&p=7 0