From: alan.rouse@ericsson.com (Alan Rouse)
Date: Tue, 23 Feb 2010 09:49:17 -0500
Subject: [refpolicy] Reference policy and OpenSuse 11.2
Message-ID: <5A5E55DF96F73844AF7DFB0F48721F0F52E41FF963@EUSAACMS0703.eamcs.ericsson.se>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I'm trying to get selinux working under opensuse 11.2.  I think I'm at the point where I'm running into labeling issues with the latest refpolicy.  Attached is the audit.log generated from a clean boot of opensuse (with selinux enabled and in permissive mode).  It appears to me that some things are not being labeled correctly, resulting in AVC "denied" messages (including lots of cases where getty is denied...)  Any assistance would be greatly appreciated!

Following are the steps I've taken to build and configure the system. (Note, there are a few workarounds identified below for opensuse issues that are being reported to the opensuse bugzilla site)

1.  Default install of OpenSuse 11.2 (used Gnome desktop)
2.  Boot normally to desktop, open terminal, su -
3.  Install packages for selinux:

zypper install selinux-tools selinux-policy libselinux* libsemanage* policycoreutils checkpolicy make m4 gcc git

4. Enable selinux in grub menu:

vi /boot/grub/menu.lst 
 -- and add to the Desktop kernel boot line: "security=selinux selinux=1 enforcing=0"

5.  reboot to runlevel 3; log in as root and get the latest refpolicy:

cd /root
git clone http://oss.tresys.com/git/refpolicy.git
cd refpolicy
vi build.conf; set "DIST = suse" and "MONOLITHIC = n"
make conf; make install-src
vi /etc/selinux/config
 -- set DISTRO =refpolicy
 -- put SETLOCALDEFS = 0 

#### to avoid an error message with "make load" ####
usermod -s /sbin/nologin nobody  

cd /etc/selinux/refpolicy/src/policy
make; make install; make load

#### workaround for bug in opensuse ####
vi /etc/init.d/boot 
-- place "restorecon -R /dev" ahead of first mount
reboot to runlevel 3

6.  Reboot to runlevel 3, Log in as root and relabel the system

setsebool -P init_upstart=1
#### to work around a current bug in opensuse ####
ln -s /etc/selinux/refpolicy /etc/selinux/targeted 
fixfiles relabel
reboot
-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit.zip
Type: application/x-zip-compressed
Size: 10149 bytes
Desc: audit.zip
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100223/a48d83a3/attachment.bin