archlinuxhardened / selinux

PKGBUILDs to build SELinux enabled packages for Arch Linux

you do not have write permission to create packages in #4

Closed Smooey closed 7 years ago

Smooey commented 7 years ago

Not sure what's going on this time, but before it all worked great. This time after cloning the repository as regular user with "sudo git clone https://github.com/archlinuxhardened/selinux" then cd selinux, then ran ./recv_gpg_keys.sh, it worked. But doing: ./build_and_install_all.sh gives error aborting "You don't have write permissions to create packages in /selinux/libsepol. Aborting..." message.

fishilico commented 7 years ago

Hello, I did not understand why you used sudo with your git clone command. Is the regular user you are using able to create files in the cloned repository?

Smooey commented 7 years ago

Cloning as regular user didn't work, so I sudo'd to clone it... but then didn't sudo for running your two scripts. And I CTRL+D twice to get out of root user and logged in as regular user and couldn't find the location of the cloned "selinux" directory again.. So I tried recloning as regular user, it didn't work, then sudo'd to do it, and then didn't sudo to run the two scripts while in selinux cloned repository. When I did all this before the other day it all worked and finished as I got a blinking cursor at prompt.

xavloose commented 7 years ago

in arch you can't even build packages as root. Honestly you shouldn't even be using sudo that often. Where is your working directory? what are the permissions on your directory?

Smooey commented 7 years ago

Yeah I know about not being able to use root to build packages and not sudo'ing often, I was doing all of this while still in terminal only after installing base and base-devel and so forth. I didn't even install a DE or nothing yet, cause in wiki it don't mention to install selinux AFTER a DE and programs have been installed. So I just do selinux after unmount'ing partitions after the base / base-devel has been done, and all that. And I have no idea where the working directory is at after it's cloned, cause I can't just search for it easily, and I'm not sure what the permissions are either... Lol. I just git clone it, and when it's done cloning, cd selinux, and run the two scripts. But it didn't let me "git clone" it as regular user, so I had to sudo to do it... then ran the first script for keys as regular user, and tried installing etc with the second script as regular and got that message.. The other day when I did this as regular user it all worked fine.

xavloose commented 7 years ago

Hmmm. I wouldn't recommend doing selinux then. fishilico can correct me if I am wrong but as far as I know and from my experience the archlinuxhardened project isn't ready by any means. It lacks an selinux policy which makes it virtually useless. I believe the project is intended to allow people a place to start to help contribute to the project. Honestly I suggest you start here... https://wiki.archlinux.org/index.php/security In my personal experience I really liked implementing grsecurity + pax. virtually a drop and go system that adds a huge level of security to the system (https://wiki.archlinux.org/index.php/grsecurity). You'll also be able to find significantly more support in the community. Not to undermine your work, fishilico and others. I would love to play with selinux one day but I personally don't have the time to help.

Smooey commented 7 years ago

Thanks for reply and your suggestion... I was thinking of using grsecurity the other day, but didn't take the leap yet. I'm assuming it's basically easy to install like other kernels.. "pacman -S linux-grsecurity" .. run "mkinitcpio -p linux-grsecurity" and grub edits etc?

Weird, I just did fresh installation again and did "git clone" as regular user and it worked, and ran the two scripts too after cloning was done and those worked, no errors.. LOL It's still running / building / installing...

Oh, I thought/assumed this selinux has a policy in it while it installs and builds it... hmm. I guess I'll start over then and go the route you suggested then.. grsecurity + pax.

Smooey commented 7 years ago

Well, this might make difference, times before and this time when it worked fine was using Grub for bootloader.. but last time when it didn't install /work right, I was using syslinux for bootloader.. Of course at the time I didn't configure it for selinux because it wasn't installed yet... But that's only difference really from why it worked this time and previous past times.. is when I used Grub as bootloader. I did also install (to get familiar with it both ways) MBR route and GPT routes.. but doubt that is reason for issue this last time.

Edit: oh wait, it was running /installing /building fine, then it gave error "Failure while downloading http://www.and.org/ustr/1.0.4/ustr-1.0.4.tar.bz2 ... Aborting..." .. and I'm at terminal/command prompt blinking cursor... Ah well, I'll start over and try grsecurity and pax then... I gave it a shot, lmao

fishilico commented 7 years ago

@xavloose Even though there is no really official policy for Arch Linux yet (only a refpolicy fork with some patches which are slowly getting merged into upstream, like https://github.com/TresysTechnology/refpolicy/commit/85d678bd2f8c6f7ed60671a9b4bf747a7fa12633), the SELinux tools all work fine now, and I am actively maintaining them. So users can write their own SELinux policies for their systems running Arch Linux and this should work.

@Smooey Your first error message, "You don't have write permissions to create packages in /selinux/libsepol. Aborting...", suggests you are cloning selinux into the root directory of your system (/). By doing so with sudo, a regular user does not have the rights to create files: you need to change the owner of the cloned files using chown. Moreover if you are not able to use this repository, the AUR packages should build fine (if you use an AUR helper, it will take care of cloning correctly the AUR git repositories).
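
Added example (not part of the original thread, and not one of the repository's scripts): a pre-flight check for the situation described above, where a tree cloned with sudo is owned by root and the regular build user cannot create package files in it. The function names are hypothetical.

```shell
#!/bin/sh
# Added example; not one of the archlinuxhardened/selinux scripts.
# Function names are hypothetical.

# unbuildable_paths DIR [UID]
# Print each directory under DIR (skipping .git) that UID does not own or
# that lacks the owner write bit. makepkg has to create files in every
# package directory, so any hit means the build will abort.
unbuildable_paths() {
    _dir=$1
    _uid=${2:-$(id -u)}
    find "$_dir" -name .git -prune -o \
        -type d \( ! -user "$_uid" -o ! -perm -0200 \) -print
}

# check_build_tree DIR [UID]
# Return 0 if UID can build in DIR, 1 if some directory belongs to another
# user or is not writable by its owner, 2 if UID is root (makepkg refuses
# to run as root).
check_build_tree() {
    _dir=$1
    _uid=${2:-$(id -u)}
    if [ "$_uid" -eq 0 ]; then
        echo "uid 0: build as a regular user, makepkg refuses root" >&2
        return 2
    fi
    _bad=$(unbuildable_paths "$_dir" "$_uid")
    if [ -n "$_bad" ]; then
        echo "uid $_uid cannot create packages in:" >&2
        printf '%s\n' "$_bad" >&2
        echo "fix the owner (chown -R) or clone again as that user" >&2
        return 1
    fi
    return 0
}
```

Calling `check_build_tree` on the clone before `./build_and_install_all.sh` turns the "write permissions" abort into a list of the directories that need their owner changed.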

Smooey commented 7 years ago

Thanks for reply fishilico, like I said in last reply I had started on clean slate/fresh installation and attempted the install of selinux again by cloning your repo, and it was going well until trying to download that package and it aborted... Not sure why that happened, but I cleared the installation and started over and installed linux-grsec kernel lol. I haven't done a DE in it yet nor do anything else with it... Kind of experimenting around now...

Is there a "fix" for these types of issues? "Failure while downloading http://www.and.org/ustr/1.0.4/ustr-1.0.4.tar.bz2 ... Aborting..." Or just keep re-trying to install and build all until it completes.. I'd hate to have a half borked system/half installed selinux system...

fishilico commented 7 years ago

http://www.and.org/ , the upstream for ustr package (https://www.archlinux.org/packages/community/x86_64/ustr/) seems to be down right now. If the site does not come back in a few days, I will backport some patches I have sent upstream in order to drop this dependency (https://github.com/SELinuxProject/selinux/commit/a228bb3736c5957d41ad9e01eb1283fc6883a6e5, https://github.com/SELinuxProject/selinux/commit/57a3b1b4b0a50a1d14f825d2933339063ced4fec, https://github.com/SELinuxProject/selinux/commit/300b8ad4235688171f2a91e7aeb14d0ee3561c13 and https://github.com/SELinuxProject/selinux/commit/920ee9ee18024c7714f1121e91854f38fa1eef73).

xavloose commented 7 years ago

Fedora has a copy of the pkg tarball. I was able to download and build the package successfully. Same checksums and everything http://pkgs.fedoraproject.org/repo/pkgs/ustr/ustr-1.0.4.tar.bz2/93147d9f0c9765d4cd0f04f7e44bdfce/ustr-1.0.4.tar.bz2

Smooey commented 7 years ago

Oh okay, but how can you restart the install, build/all downloading from the package that failed and only onward through installation to finish it, after being dropped from the installation process to terminal /command prompt though? I did rerun the install_build_all script before when it failed though and it seemed to work but not sure if that's good practice lol.

xavloose commented 7 years ago

It's a helpful script but personally I like to go through building each individual package manually and in order because when you get to systemd you will have to go through it by hand because you build systemd twice. It's really not that bad to do by hand because systemd takes the longest. Just make sure you have MAKEOPTS'"-j<2*your number of processors>" and it will go significantly faster

I personally have makepkg configured in a special way that doesn't play nicely with the script. Also when you finish I would tone down that -j flag for regular use. don't forget you can chain a long series of commands together. ie "cd libsepol && makepkg -sci --force && cd ../libselinux ..." the force flag will force it to rebuild the package if it has already been built

Also if you are on a grsecurity kernel you'll run into problems so it's best to switch to a non grsec kernel. It is almost always because of a package check or test and I believe you can have them ignore those but I wouldn't recommend doing that. Expensive tests are usually disabled by default anyway soooo it isn't that bad

Smooey commented 7 years ago

When I attempted it manually before in the beginning, I had yaourt installed and did the packages through yaourt until I got to systemd bit, then was stuck because I never tried/learned about the making packages and building them. Lol. (Guilty I know...) I'll have to learn that stuff, I'm learning all this actually as I'm going... I love arch of course because I can choose what I want and build it from ground up, just sometimes the wiki sucks because there's so much info there that it's confusing and or missing bits here and there (not updated) or doesn't say when to stop doing something and go back to do other things (when in certain pages). So I google, search forum, and so forth finding information about things. All trial and error, and learning at same time. ;) I'm not one to have to be hand-held through things for most part, but sometimes there's just things I do need help with...

I did get linux-grsec up and running though, and made it so it's booting as default kernel... But I did mine as LVM on LUKS and had hook for resume, and had the resume line in grub.cfg and it gave error after entering passphrase to unlock the LVM/encryption about resume not supported. I didn't notice that it didn't support resume until afterwards and seen it on wiki.. Lol. I removed that bit in grub.cfg and the hook "resume" from mkinitcpio and reran it and it stopped giving error at boot.

I'm wondering if it even likes having a swap partition (which I do usually create), or just forget it.. I have 8GB ram, Intel Core 2 Quad processor, 1tb hdd in the Dell Optiplex755.. I was debating on installing all the packages from base and base-devel except vanilla linux kernel and have linux-grsec as the only kernel.. but not sure if that will be wise..

fishilico commented 7 years ago

I have updated ustr-selinux package to use Fedora tarball (https://github.com/archlinuxhardened/selinux/commit/990b3432866baf7128fa471c928e3fff6795bdb8), thanks @xavloose!

The script build_and_install_all.sh is designed to build and install SELinux packages which are not installed or which are installed with a version which is different from the git repository (it is designed to be idempotent). It also takes care of the circular build dependency between systemd and util-linux source packages and of restoring /etc/sudoers when sudo-selinux replaces sudo. I use this script with a Vagrant virtual machine (available in _vagrant directory) so it should work on a basic system.

As for using a grsec kernel, actually I am running a self-compiled grsec+SELinux kernel on my systems, which I build by enabling SELinux-related options in linux-grsec package (cf. https://github.com/fishilico/shared/blob/master/archlinux-seckernel/arch-linux-grsec-selinux for the precise implementation). Anyway I agree that if you are running a grsec kernel it is likely that you'll run into problems with programs such as clang and gcc address sanitizers or other programs which expect the kernel to allow things that grsecurity forbids.

xavloose commented 7 years ago

Grsecurity doesn't cause any problems like 99% of the time. In fact the vast majority of the issues I have experienced are proprietary, i.e. nvidia drivers so I could do some cuda stuff for school. I have a custom config for that purpose along with disabling stuff my systems don't need anymore. I do keep the vanilla kernel around for a couple special cases for packages that have an odd test or there is a proprietary thing I can't get around.

@fishilico Do you have any good places to start if I wanted to start working on some selinux policy stuff? (Preferably outside of just going through gentoo's and fedora's policies) I am going to have some free time starting up and my development skills are significantly better than the last time I was working on this stuff.

fishilico commented 7 years ago

@xavloose If you have never used SELinux, a good place would be to install a policy in permissive mode and read Gentoo's wiki (it is really well written) and other resources. When I started working on SELinux I wrote down a list of useful websites on https://fishilico.github.io/generic-config/sysadmin/selinux.html#some-notes-about-my-selinux-installation . To contribute to the policy, the best way would be to make the "Reference Policy" (https://github.com/TresysTechnology/refpolicy , used by Gentoo, Debian and RHEL) compatible with Arch Linux. In order to do this you can install it (in permissive mode) and start collecting and analyzing logs in /var/log/audit/audit.log.
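
Added example (not part of the original thread): a first pass over the audit log of a permissive-mode system, grouping kernel AVC denials by source type, target type, object class and permissions so the most frequent policy gaps come first. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and log lines are constructed.

# sample_audit_log: constructed records in the audit.log AVC format.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1490000000.101:201): avc:  denied  { read } for  pid=311 comm="systemd-logind" name="utmp" dev="tmpfs" ino=9001 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1490000000.101:201): arch=c000003e syscall=2 success=yes exit=3 comm="systemd-logind" exe="/usr/lib/systemd/systemd-logind"
type=AVC msg=audit(1490000001.202:202): avc:  denied  { read } for  pid=311 comm="systemd-logind" name="utmp" dev="tmpfs" ino=9001 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1490000002.303:203): avc:  denied  { write } for  pid=311 comm="systemd-logind" name="bus" dev="tmpfs" ino=9002 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1490000003.404:204): avc:  denied  { read write } for  pid=412 comm="pacman" name="local" dev="sda2" ino=1234 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
EOF
}

# avc_summary [FILE]
# Read audit records from FILE (or stdin) and print one line per distinct
# denial: "<count> <source type> <target type> <class> <perm,perm,...>",
# most frequent first.
avc_summary() {
    awk '
    # Extract the type from "scontext=user:role:type[:level]".
    function ctx_type(field,   parts) {
        sub(/^[st]context=/, "", field)
        split(field, parts, ":")
        return parts[3]
    }
    $1 == "type=AVC" && /denied/ {
        src = tgt = cls = perms = ""
        # Permissions sit between the first pair of braces.
        lb = index($0, "{"); rb = index($0, "}")
        if (lb && rb > lb) {
            perms = substr($0, lb + 1, rb - lb - 1)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) src = ctx_type($i)
            else if ($i ~ /^tcontext=/) tgt = ctx_type($i)
            else if ($i ~ /^tclass=/) cls = substr($i, 8)
        }
        # Skip records that are missing any part of the tuple.
        if (src != "" && tgt != "" && cls != "")
            count[src " " tgt " " cls " " perms]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' "${1:--}" | sort -k1,1nr -k2
}
```

On a live system the input is `/var/log/audit/audit.log`, which is normally readable only by root; `ausearch -m avc` shows the same records with their full context.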

xavloose commented 7 years ago

Thanks! I'll play around a little bit with vagrant machine and see what I can do... Also maybe archlinux should be changed to terrywang/archlinux... It took me awhile to figure that out. Or add something to the readme pertaining to downloading it or making that change. It took me longer to figure that out than I'll admit

fishilico commented 7 years ago

I use archlinux and not terrywang/archlinux on purpose: a few weeks ago this image was broken on vagrant-libvirt (I am not using VirtualBox) and I started using packer-arch (https://github.com/elasticdog/packer-arch). I documented the install steps in comments in the Vagrantfile (https://github.com/archlinuxhardened/selinux/blob/6fb2b44c1b3fb55388d38a04e07a466e1f3a18bd/_vagrant/Vagrantfile#L12-L22) but I agree this should also be written in the readme. Thanks!

xavloose commented 7 years ago

I personally am not a fan of virtualbox. It's also a pain for me since I have my kernel config forcing module signing. That isn't something I typically do but I am playing with some new things. Thanks for the link! Does Virtualbox even work with grsec? I remember last time I couldn't even get it to work with a custom kernel

Smooey commented 7 years ago

This is off-topic a bit, but which DE's do you guys prefer to use and like best? Cause I tried Gnome, Mate, and Cinnamon so far.. I like having a dock or plank, but the plank seems kind of buggy and the settings/config one to go with it. But dock seems more stable, but kinda big and bulky etc. I was debating on KDE this time around but like Budgie though too... I had tried Budgie-Remix distro before, but had flickering going on and diagonal page tearing while scrolling in pages (must been mutter). Just sucks, cause I didn't see a tutorial on how to make Budgie the same way as Budgie-Remix styling, icons, etc.. Just plain vanilla Budgie desktop for arch. I still haven't installed a DE yet, still debating.. lol

xavloose commented 7 years ago

I won't use anything that doesn't support wayland as its default protocol anymore because I despise Xorg. I loved xfce but it had some nuisances. My current configuration is gnome with several extensions. I love the workspaces to dock tweak which is kinda like plank on steroids. There is also Dash to dock. If I am going to be doing heavy workloads and want something more lightweight I use my sway environment which is an i3 compatible wm that supports wayland. Gnome just has a bunch of extra features and doesn't scare people who ask to use my pc. I also use adapta-gtk-theme with paper-icons because I love the look of android's material design and switched all the fonts to ttf-hack. I also have fallen in love with atom for text editing

xavloose commented 7 years ago

I can't get libvirt to work with vagrant. I followed the wiki and tried several things. I'll try to get it working tomorrow but I can't promise anything. I may try using docker instead

Smooey commented 7 years ago

@xavloose Yeah, I was just thinking over past few hours to just go with Gnome again... It's nicer, easier to tweak, still have a dock with extensions, can theme it easier and just works. Thanks for helping me decide which I'll go with.

I've even been thinking about just going with a straight up normal install of Arch with Gnome, rather than doing LVM on LUKs, SELinux, and GRSEC kernel... I just rather keep it simple, boot the damn thing and do what I need to do, especially since it's my main tower that's been a testing ground for past month... Constantly reformatting drive, or dban'ing it, reinstalling constantly, trying new stuff. I can't keep doing all my "work" on another tower with Windows 7 Home Premium beside me here. I need to get something up and running to just start using the main desktop pc again. Lol.

I had tweaked mine previously to be like Korora Cinnamon, which I liked.. Arc theme, numix circle icons or whatever.. and bunch of gnome extensions. But now might go with theme and icons you mentioned in your previous comment. That theme and icons look nice! :D The only file manager I like is basically Nemo or whatever, cause I can right click, and create new document, or move /copy files, etc.. Nautilus don't seem friendly for that, unless tweaking things. I just want something that basically covers this stuff out of box.. lmao

Edit: well wait, I've decided to put windows 7 home premium back on main tower 1TB hard drive, and will use another smaller spare drive for the other tower to do arch and linux testing on... Cause I need something reliable for now on main tower to get stuff down and not have to hunt down fixes, and so forth all the time. I've used too much time already (like a month or more) doing arch installs, and trying other distros..

fishilico commented 7 years ago

@xavloose On my system, vagrant-libvirt was not compiled with the right ruby version (it used the system-provided ruby program instead of the one embedded into vagrant), which caused issues which are described on https://wiki.archlinux.org/index.php/Vagrant#vagrant-libvirt . I "fixed" these issues by installing AUR vagrant-libvirt package, running an ugly sed command, sudo sed 's/libruby\.so\.2\.4/libruby.so.2.2/' -i /opt/vagrant/embedded/gems/extensions/x86_64-linux/2.2.0/ruby-libvirt-0.7.0/_libvirt.so, and finally running vagrant plugin install vagrant-libvirt. There has to exist a simple workaround, but I have not yet taken time to investigate this bug so far.

I am using libvirt mainly because VirtualBox drivers are not compatible with some security features of grsecurity (like PAX_USERCOPY). But the answer of "Does Virtualbox even work with grsec?" is yes, if you build with GRKERNSEC_CONFIG_VIRT_HOST and GRKERNSEC_CONFIG_VIRT_VIRTUALBOX configs (https://github.com/linux-scraping/linux-grsecurity/blob/8ee54f5356c9478d4abaa20189e691b11437216d/security/Kconfig#L163).

For the DE, I have been using XFCE for many years, with lightdm, and even though it used X11 and sometimes behaves in weird ways, it works for my need.

xavloose commented 7 years ago

@fishilico Your method worked unlike the one described in the ArchWiki... Maybe you should bring something up on its discussion page so other users can enjoy it. I am sure somebody will derive a simple workaround if there is one...

I actually tried that maybe a year or two ago and I couldn't seem to get it to work. I probably could now but it isn't something I personally care to experiment with. I've switched to containers for that kind of stuff but this is a project not meant for a container.

Thanks so much! I am glad I don't have to resort to docker because personally I am not a fan of it. The current Dockerfile is missing gpg on the debian side. Now I can use vagrant so that probably made my whole next week

xavloose commented 7 years ago

@fishilico I just wanted you to know I have a workspace setup to hopefully contribute something to archlinux hardened. I created a repository workspace for myself and forked a couple repositories( https://github.com/xavloose/arch-selinux-workspace <- This will be my workspace -- currently empty) I don't know how long it will be before it has something useful but I thought I would let you know in case you wanted to follow what I was working on. This will mostly be a weekend project and I plan to try to do a couple hours as many sats and suns as I can.

fishilico commented 7 years ago

> @fishilico Your method worked unlike the one described in the ArchWiki... Maybe you should bring something up on its discussion page so other users can enjoy it. I am sure somebody will derive a simple workaround if there is one...

I investigated more deeply about what is going on in vagrant-libvirt and why my ugly "sudo sed" command is needed. I found that the ruby native extension (from ruby-libvirt) adds -L/usr/lib before -L/opt/vagrant/embedded/lib when CONFIGURE_ARGS contains with-libvirt-lib=/usr/lib. I reported these findings in a comment on https://aur.archlinux.org/packages/vagrant-libvirt/ and started trying to build a compatible libvirt.so directly into /opt/vagrant/embedded, which led me to a packaging issue (https://bugs.archlinux.org/task/52851). If you have some experience about compiling & linking issues, you might want to take a look too.

> The current Dockerfile is missing gpg on the debian side

Indeed. I fixed a while ago this issue on another project I have (https://github.com/fishilico/shared/commit/e1223fc4d4c6e715e4b9bb26efcaf843a634c31a) but forgot the Dockerfile here. This is now fixed (commit fd119dd0dda4dbc4047fd6b8fde63222f0a03a2f).

> I just wanted you to know I have a workspace setup to hopefully contribute something to archlinux hardened.

All right. I do not know what a "workspace" means here. Anyway I am currently working alone so your help will be appreciated :) In the last months I have focused my work on the packaging, on providing an easy way to have an SELinux environment for newcomers who fear to break their system with the packages (thus the Vagrant config file) and on improving the reliability of the tools (I unleashed AFL fuzzer and gcc Address Sanitizer on policy compilers and found a lot of bugs). Right now I feel like the only thing which is missing on Arch Linux is a good base policy, for people who do not want to write their own. The Reference Policy (https://github.com/TresysTechnology/refpolicy) seems to have become more active lately, but its systemd support is still missing some key pieces. By the way, I have not looked much on other policies such as DefenSec's DSSP (https://github.com/DefenSec) but they may be better for a systemd-only system.

Smooey commented 7 years ago

I dunno why but I feel like I "cheated" on my "girlfriend"-Arch Linux, or just gave up on my "relationship" with my "girlfriend"-Arch Linux... by going to Windows 7 on the main tower... Like I took easy route out of it, instead of sticking by her side through thick and thin.. I just feel like I betrayed her and I should "get back with her" again and apologize until I have a sore throat lmao.

But it is easy on Windows 7, but I think it's too easy and I feel guilty about taking easy route. Of course if I don't use it, I lose it... Meaning, if I don't keep using Arch Linux daily and learning it, I'll lose it /knowledge and have to relearn all over again down road if I want to use it again. I love the idea of having SELinux there, but learning that is a whole other beast in itself, and for me, I'm still learning Arch Linux itself..

When I had tried/used Fedora or Korora before I hadn't really used the SELinux nor fiddled with it, I just assumed it was installed, there and working and didn't bother with it. I just assumed it was added security built-in and it wasn't something to mess with unless I really had to. Guess really the only thing that bugs the hell out of me and I never tried getting it working is the fact the USB is "Read Only". Most other distros the USB works fine in it, I can move, copy, and save files to it and vice versa.

Guess I hate the fact of having to post in the forums, hence not bother trying to get it working. But if I keep throwing in towel, I'll never learn. I really hope you guys can get the SELinux functioning and working good though, like Fedora/Korora has it implemented.. would be awesome to have for Arch. I just don't think it's something I should be tinkering with now, especially considering I can't even get the USB to work properly for my needs. I need to take baby steps lol. I've been rushing and diving into more complex things over past few weeks and it's asking for trouble LOL.

Edit: Fuck it, I'll dban the main tower drive again and do arch linux on it... I probably will just avoid sYslinux, and LVM on LUKS though this time around.. no point really to make things too security cautious for what I do on here anyway.

Siosm commented 7 years ago

Please stay on topics in issues. Locking