I'm trying to get selinux working under opensuse 11.2. I think I'm at the point where I'm running into labeling issues with the latest refpolicy. Attached is the audit.log generated from a clean boot of opensuse (with selinux enabled and in permissive mode). It appears to me that some things are not being labeled correctly, resulting in AVC "denied" messages (including lots of cases where getty is denied...) Any assistance would be greatly appreciated!
Following are the steps I've taken to build and configure the system. (Note, there are a few workarounds identified below for opensuse issues that are being reported to the opensuse bugzilla site)
1. Default install of OpenSuse 11.2 (used Gnome desktop)
2. Boot normally to desktop, open terminal, su -
3. Install packages for selinux:
zypper install selinux-tools selinux-policy libselinux* libsemanage* policycoreutils checkpolicy make m4 gcc git
4. Enable selinux in grub menu:
vi /boot/grub/menu.lst
-- and add to the Desktop kernel boot line: "security=selinux selinux=1 enforcing=0"
5. reboot to runlevel 3; log in as root and get the latest refpolicy:
cd /root
git clone http://oss.tresys.com/git/refpolicy.git
cd refpolicy
vi build.conf; set "DIST = suse" and "MONOLITHIC = n"
make conf; make install-src
vi /etc/selinux/config
-- set DISTRO =refpolicy
-- put SETLOCALDEFS = 0
#### to avoid an error message with "make load" ####
usermod -s /sbin/nologin nobody
cd /etc/selinux/refpolicy/src/policy
make; make install; make load
#### workaround for bug in opensuse ####
vi /etc/init.d/boot
-- place "restorecon -R /dev" ahead of first mount
reboot to runlevel 3
6. Reboot to runlevel 3, Log in as root and relabel the system
setsebool -P init_upstart=1
#### to work around a current bug in opensuse ####
ln -s /etc/selinux/refpolicy /etc/selinux/targeted
fixfiles relabel
reboot
-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit.zip
Type: application/x-zip-compressed
Size: 10149 bytes
Desc: audit.zip
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100223/a48d83a3/attachment.bin
On Tue, 2010-02-23 at 09:49 -0500, Alan Rouse wrote:
> I'm trying to get selinux working under opensuse 11.2. I think I'm at
> the point where I'm running into labeling issues with the latest
> refpolicy. Attached is the audit.log generated from a clean boot of
> opensuse (with selinux enabled and in permissive mode). It appears to
> me that some things are not being labeled correctly, resulting in AVC
> "denied" messages (including lots of cases where getty is denied...)
> Any assistance would be greatly appreciated!
Most of it looks like processes running in the wrong context. Looks
like packagekit, devicekit, policykit, and rtkit are getting started out
of dbus, but not getting to the right domain (not all of them have
policies either). Most of these fixes are probably in the avalanche of
Fedora patches that are in the queue.
But there are still others that still require more investigation. It
looks like mount is being run from dbus, which needs some explanation.
The getty denials are most disconcerting. It looks like its doing the
equivalent of something 'ps -A'. I don't know why it would be doing
that, I don't see that behavior on my systems. Does SuSE patch
mingetty?
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
Christopher PeBenito wrote:
> But there are still others that still require more investigation. It looks like mount is being run from dbus,
> which needs some explanation.
>
> The getty denials are most disconcerting. It looks like its doing the equivalent of something 'ps -A'. I
> don't know why it would be doing that, I don't see that behavior on my systems. Does SuSE patch mingetty?
The avc messages related to getty and mount seem to be (mostly) related to the fact that OpenSuse does parallel execution of init scripts during startup. Disabling that feature in /etc/sysconfig/boot eliminates the mount denied message and most of the getty messages. Once booted up, mingetty is running in system_u:system_r:getty_t.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
I wrote:
> The avc messages related to getty and mount seem to be (mostly)
> related to the fact that OpenSuse does parallel execution of
> init scripts during startup. Disabling that feature in
> /etc/sysconfig/boot eliminates the mount denied message and
> most of the getty messages.
Unfortunately that result doesn't seem to be repeatable. Sorry.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
_______________________________________________
refpolicy mailing list
refpolicy at oss.tresys.com
http://oss.tresys.com/mailman/listinfo/refpolicy