Re: [qubes-users] Re: Has anyone tried to activate SELINUX in Fedora 25?
On Thursday, September 28, 2017 at 5:59:09 PM UTC+2, steve.coleman wrote:
> On 09/26/2017 05:35 AM, pels wrote:
> > On Sunday, September 24, 2017 at 6:19:15 PM UTC+2, cooloutac wrote:
> >> On Sunday, September 24, 2017 at 12:17:33 PM UTC-4, cooloutac wrote:
> >>> On Sunday, September 24, 2017 at 12:16:34 PM UTC-4, cooloutac wrote:
> >>>> On Thursday, September 21, 2017 at 4:40:42 AM UTC-4, pels wrote:
> >>>>> On Wednesday, September 20, 2017 at 2:54:31 PM UTC+2, cooloutac wrote:
> >>>>>> On Wednesday, September 20, 2017 at 4:41:58 AM UTC-4, pels wrote:
> >>>>>>> I'd like to activate SELINUX (enforcing) in VMs (f25 and f25-minimal),
> >>>>>>> but it fails:
> >>>>>>>
> >>>>>>> [1.510532] audit: type=1404 audit(1505894636.317:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
> >>>>>>> [1.601491] audit: type=1403 audit(1505894636.408:3): policy loaded auid=4294967295 ses=4294967295
> >>>>>>> [1.605815] systemd[1]: Successfully loaded SELinux policy in 95.611ms.
> >>>>>>> [1.617897] systemd[1]: Failed to mount tmpfs at /run: Permission denied
> >>>>>>> [.[0;1;31m!!.[0m] Failed to mount API filesystems, freezing.
> >>>>>>> [1.621206] systemd[1]: Freezing execution.
> >>>>>>>
> >>>>>>> I had it enabled in Fedora 24 but after upgrading it failed.
> >>>>>>> I created a new template (f25 and f25-minimal) with the same effect.
> >>>>>>>
> >>>>>>> I have tried to reset SELinux to its initial state:
> >>>>>>> yum remove selinux-policy
> >>>>>>> rm -rf /etc/selinux
> >>>>>>> yum install selinux-policy-targeted
> >>>>>>> fixfiles -f -F relabel
> >>>>>>> reboot
> >>>>>>>
> >>>>>>> Any ideas?
> >>>>>>>
> >>>>>>> Thank you very much
> >>>>>>>
> >>>>>>> Best Regards
> >>>>>>
> >>>>>> Is this a VM? If so, do we really care if systemd is running in it?
> >>>>>> You sure that's SELinux? What does sestatus say?
> >>>>>>
> >>>>>> When googling this error it seems people have the same issue when running
> >>>>>> docker. And you have to set seccomp to unconfined.
> >>>>>
> >>>>> Thank you cooloutac
> >>>>>
> >>>>> - Is this a VM?
> >>>>> It happens in templates and VMs.
> >>>>>
> >>>>> - Is this a VM, if so do we really care if systemd is running in it?
> >>>>> The problem is that when I enable SELINUX, VMs/templates don't "boot" or
> >>>>> fail to start.
> >>>>> If I disable SELINUX, the templates/VMs start without problems and
> >>>>> systemd is activated.
> >>>>>
> >>>>> - You sure that's SELinux?
> >>>>> Yes, I'm pretty sure; it's exactly the same config that I had in
> >>>>> Fedora 24.
> >>>>> In dom0:
> >>>>> qvm-prefs -s fedora-25 kernelopts "nopat security=selinux selinux=1"
> >>>>> and in VMs/templates:
> >>>>> /etc/selinux/config
> >>>>>
> >>>>> SELINUX=enforcing
> >>>>> SELINUXTYPE=targeted
> >>>>>
> >>>>> Default SELinux config.
> >>>>>
> >>>>> - What does sestatus say?
> >>>>> I can't execute anything in templates/VMs.
> >>>>> In dom0:
> >>>>> qvm-run fedora-25 --nogui --pass-io -u root "sestatus"
> >>>>> Error(fedora-25): Domain 'fedora-25':qreexec not connected
> >>>>>
> >>>>> - When googling this error it seems people have the same issue when running
> >>>>> docker. And you have to set seccomp to unconfined.
> >>>>>
> >>>>> Yes, I've read it, but I don't know how to disable seccomp and the
> >>>>> consequences...
> >>>>>
> >>>>>
> >>>>> Could you make me
[qubes-users] Re: Has anyone tried to activate SELINUX in Fedora 25?
On Sunday, September 24, 2017 at 6:19:15 PM UTC+2, cooloutac wrote:
> On Sunday, September 24, 2017 at 12:17:33 PM UTC-4, cooloutac wrote:
> > On Sunday, September 24, 2017 at 12:16:34 PM UTC-4, cooloutac wrote:
> > > On Thursday, September 21, 2017 at 4:40:42 AM UTC-4, pels wrote:
> > > > On Wednesday, September 20, 2017 at 2:54:31 PM UTC+2, cooloutac wrote:
> > > > > On Wednesday, September 20, 2017 at 4:41:58 AM UTC-4, pels wrote:
> > > > > > I'd like to activate SELINUX (enforcing) in VMs (f25 and
> > > > > > f25-minimal), but it fails:
> > > > > >
> > > > > > [1.510532] audit: type=1404 audit(1505894636.317:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
> > > > > > [1.601491] audit: type=1403 audit(1505894636.408:3): policy loaded auid=4294967295 ses=4294967295
> > > > > > [1.605815] systemd[1]: Successfully loaded SELinux policy in 95.611ms.
> > > > > > [1.617897] systemd[1]: Failed to mount tmpfs at /run: Permission denied
> > > > > > [.[0;1;31m!!.[0m] Failed to mount API filesystems, freezing.
> > > > > > [1.621206] systemd[1]: Freezing execution.
> > > > > >
> > > > > > I had it enabled in Fedora 24 but after upgrading it failed.
> > > > > > I created a new template (f25 and f25-minimal) with the same effect.
> > > > > >
> > > > > > I have tried to reset SELinux to its initial state:
> > > > > > yum remove selinux-policy
> > > > > > rm -rf /etc/selinux
> > > > > > yum install selinux-policy-targeted
> > > > > > fixfiles -f -F relabel
> > > > > > reboot
> > > > > >
> > > > > > Any ideas?
> > > > > >
> > > > > > Thank you very much
> > > > > >
> > > > > > Best Regards
> > > > >
> > > > > Is this a VM? If so, do we really care if systemd is running in it?
> > > > > You sure that's SELinux? What does sestatus say?
> > > > >
> > > > > When googling this error it seems people have the same issue when running
> > > > > docker. And you have to set seccomp to unconfined.
> > > >
> > > > Thank you cooloutac
> > > >
> > > > - Is this a VM?
> > > > It happens in templates and VMs.
> > > >
> > > > - Is this a VM, if so do we really care if systemd is running in it?
> > > > The problem is that when I enable SELINUX, VMs/templates don't "boot" or
> > > > fail to start.
> > > > If I disable SELINUX, the templates/VMs start without problems and
> > > > systemd is activated.
> > > >
> > > > - You sure that's SELinux?
> > > > Yes, I'm pretty sure; it's exactly the same config that I had in
> > > > Fedora 24.
> > > > In dom0:
> > > > qvm-prefs -s fedora-25 kernelopts "nopat security=selinux selinux=1"
> > > > and in VMs/templates:
> > > > /etc/selinux/config
> > > >
> > > > SELINUX=enforcing
> > > > SELINUXTYPE=targeted
> > > >
> > > > Default SELinux config.
> > > >
> > > > - What does sestatus say?
> > > > I can't execute anything in templates/VMs.
> > > > In dom0:
> > > > qvm-run fedora-25 --nogui --pass-io -u root "sestatus"
> > > > Error(fedora-25): Domain 'fedora-25':qreexec not connected
> > > >
> > > > - When googling this error it seems people have the same issue when running
> > > > docker. And you have to set seccomp to unconfined.
> > > >
> > > > Yes, I've read it, but I don't know how to disable seccomp and the
> > > > consequences...
> > > >
> > > >
> > > > Could you make me a big favour and try to activate SELINUX?
> > > >
> > > > Thank you very much
> > > >
> > > > Best regards
> > >
> > > Probably only useful in the template VM. But still not sure how
> > > beneficial it would be was my point though. It's probably not compatible
> > > with Qubes, sounds like it breaks qrexec, maybe not worth the headache
> > > man.
> >
> > If they're exploiting Xen already I don't think it really matters at that
> > point. But I'm far from an expert.
>
> I'm sorry for spam, but wanted to add an alternative option is to use multiple
> template VMs for installing different untrusted software. Of course this requires
> more resources, but Qubes in general requires more resources and specific
> capable hardware for best compatibility.

Thank you cooloutac. Probably not a big deal, I'm not going to spend a lot of time, but I'd like to know why it works in Fedora 24 and not in Fedora 25. If I find the solution I'll post it. Probably I can't find the solution, because my knowledge is limited. Thank you again.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/cf88ea14-d0bd-4d74-88bd-4ef60c05200b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Has anyone tried to activate SELINUX in Fedora 25?
On Thursday, September 21, 2017 at 3:48:45 PM UTC+2, jkitt wrote:
> On Wednesday, 20 September 2017 09:41:58 UTC+1, pels wrote:
> > [1.617897] systemd[1]: Failed to mount tmpfs at /run: Permission denied
> > [.[0;1;31m!!.[0m] Failed to mount API filesystems, freezing.
> > [1.621206] systemd[1]: Freezing execution.
>
> Looks like a tmpfs cannot be mounted at boot. In actual fact, these default
> policies are never in a "ready to deploy" state. You have to run the policy
> in permissive mode - throughout the normal boot process, and typical use of
> the confined binaries. Once you have built a log of fired rules, then you have
> to go back and tweak the policy. There are, shockingly, no good tools to
> parse SELinux audit logs outwith a couple of hard-to-get tools - distributed
> in the Red Hat repos. I think there is a Gentoo overlay that you can reverse
> engineer, or maybe you can find a working tool. But once you have ironed out
> all the policy violations, and you can boot without firing anything of
> concern, then you are ready for enforcing mode.
>
> Here are some good primers on the subject. The first video, in particular,
> shows how to effectively parse audit logs - with the aforementioned Red Hat
> tool:
>
> https://www.youtube.com/watch?v=MxjenQ31b70
>
> https://www.youtube.com/watch?v=q_y30qZ_plQ

Thank you jkitt for the videos, I'm going to investigate.
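Added example (not from the thread or from any of the posters): a small Python aggregator for the AVC denials collected during the permissive-mode run jkitt describes, grouping them by source type, target type, object class and permission so that policy tweaks can be targeted. The audit lines are constructed for illustration; the thread never shows the denials behind the /run mount failure, so the `unlabeled_t` target in the sample is an assumption used to show how a labeling problem (fixed by relabeling) is told apart from a missing allow rule.

```python
import re
from collections import Counter

# Constructed sample audit lines (not from the thread): the shape of what
# `ausearch -m avc` returns after a permissive-mode boot. The first three
# are denials; the last is an unrelated SYSCALL record the parser must skip.
SAMPLE_LOG = """\
type=AVC msg=audit(1505894636.500:4): avc:  denied  { mounton } for  pid=1 comm="systemd" path="/run" dev="xvda3" ino=42 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1505894636.501:5): avc:  denied  { mount } for  pid=1 comm="systemd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1505894636.600:6): avc:  denied  { mounton } for  pid=1 comm="systemd" path="/run" dev="xvda3" ino=42 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1505894636.600:6): arch=c000003e syscall=165 success=yes exit=0
"""

# Fields of an AVC record in the order the kernel emits them.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avc(line):
    """Return the parsed fields of one AVC line, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(sorted(rec["perms"].split()))
    rec["permissive"] = rec["permissive"] == "1"
    return rec

def type_of(context):
    """Pull the type field (third component) out of user:role:type:level."""
    return context.split(":")[2]

def summarize(log_text):
    """Count denials by (source type, target type, class, permissions)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], rec["perms"])
        counts[key] += 1
    return counts

def relabel_candidates(counts):
    """Denials whose target is unlabeled_t point at a labeling problem
    (fix by relabeling the filesystem), not at a missing allow rule."""
    return [key for key in counts if key[1] == "unlabeled_t"]
```

Feed it the output of `ausearch -m avc` from the template's audit log; the remaining keys (those not in `relabel_candidates`) are the ones to review against the policy before switching back to enforcing.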
[qubes-users] Re: Has anyone tried to activate SELINUX in Fedora 25?
On Wednesday, September 20, 2017 at 2:54:31 PM UTC+2, cooloutac wrote:
> On Wednesday, September 20, 2017 at 4:41:58 AM UTC-4, pels wrote:
> > I'd like to activate SELINUX (enforcing) in VMs (f25 and f25-minimal), but
> > it fails:
> >
> > [1.510532] audit: type=1404 audit(1505894636.317:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
> > [1.601491] audit: type=1403 audit(1505894636.408:3): policy loaded auid=4294967295 ses=4294967295
> > [1.605815] systemd[1]: Successfully loaded SELinux policy in 95.611ms.
> > [1.617897] systemd[1]: Failed to mount tmpfs at /run: Permission denied
> > [.[0;1;31m!!.[0m] Failed to mount API filesystems, freezing.
> > [1.621206] systemd[1]: Freezing execution.
> >
> > I had it enabled in Fedora 24 but after upgrading it failed.
> > I created a new template (f25 and f25-minimal) with the same effect.
> >
> > I have tried to reset SELinux to its initial state:
> > yum remove selinux-policy
> > rm -rf /etc/selinux
> > yum install selinux-policy-targeted
> > fixfiles -f -F relabel
> > reboot
> >
> > Any ideas?
> >
> > Thank you very much
> >
> > Best Regards
>
> Is this a VM? If so, do we really care if systemd is running in it? You
> sure that's SELinux? What does sestatus say?
>
> When googling this error it seems people have the same issue when running docker.
> And you have to set seccomp to unconfined.

Thank you cooloutac

- Is this a VM?
It happens in templates and VMs.

- Is this a VM, if so do we really care if systemd is running in it?
The problem is that when I enable SELINUX, VMs/templates don't "boot" or fail to start.
If I disable SELINUX, the templates/VMs start without problems and systemd is activated.

- You sure that's SELinux?
Yes, I'm pretty sure; it's exactly the same config that I had in Fedora 24.
In dom0:
qvm-prefs -s fedora-25 kernelopts "nopat security=selinux selinux=1"
and in VMs/templates:
/etc/selinux/config

SELINUX=enforcing
SELINUXTYPE=targeted

Default SELinux config.

- What does sestatus say?
I can't execute anything in templates/VMs.
In dom0:
qvm-run fedora-25 --nogui --pass-io -u root "sestatus"
Error(fedora-25): Domain 'fedora-25':qreexec not connected

- When googling this error it seems people have the same issue when running docker. And you have to set seccomp to unconfined.
Yes, I've read it, but I don't know how to disable seccomp and the consequences...

Could you make me a big favour and try to activate SELINUX?

Thank you very much

Best regards
[qubes-users] Has anyone tried to activate SELINUX in Fedora 25?
I'd like to activate SELINUX (enforcing) in VMs (f25 and f25-minimal), but it fails:

[1.510532] audit: type=1404 audit(1505894636.317:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
[1.601491] audit: type=1403 audit(1505894636.408:3): policy loaded auid=4294967295 ses=4294967295
[1.605815] systemd[1]: Successfully loaded SELinux policy in 95.611ms.
[1.617897] systemd[1]: Failed to mount tmpfs at /run: Permission denied
[.[0;1;31m!!.[0m] Failed to mount API filesystems, freezing.
[1.621206] systemd[1]: Freezing execution.

I had it enabled in Fedora 24 but after upgrading it failed.
I created a new template (f25 and f25-minimal) with the same effect.

I have tried to reset SELinux to its initial state:
yum remove selinux-policy
rm -rf /etc/selinux
yum install selinux-policy-targeted
fixfiles -f -F relabel
reboot

Any ideas?

Thank you very much

Best Regards