From: alan.rouse@ericsson.com (Alan Rouse)
Date: Tue, 23 Feb 2010 09:49:17 -0500
Subject: [refpolicy] Reference policy and OpenSuse 11.2
Message-ID: <5A5E55DF96F73844AF7DFB0F48721F0F52E41FF963@EUSAACMS0703.eamcs.ericsson.se>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I'm trying to get selinux working under opensuse 11.2. I think I'm at the point where I'm running into labeling issues with the latest refpolicy.

Attached is the audit.log generated from a clean boot of opensuse (with selinux enabled and in permissive mode). It appears to me that some things are not being labeled correctly, resulting in AVC "denied" messages (including lots of cases where getty is denied...)

Any assistance would be greatly appreciated!

Following are the steps I've taken to build and configure the system. (Note, there are a few workarounds identified below for opensuse issues that are being reported to the opensuse bugzilla site)

1. Default install of OpenSuse 11.2 (used Gnome desktop)

2. Boot normally to desktop, open terminal, su -

3. Install packages for selinux:
    zypper install selinux-tools selinux-policy libselinux* libsemanage* policycoreutils checkpolicy make m4 gcc git

4. Enable selinux in grub menu:
    vi /boot/grub/menu.lst
        -- and add to the Desktop kernel boot line: "security=selinux selinux=1 enforcing=0"

5. reboot to runlevel 3; log in as root and get the latest refpolicy:
    cd /root
    git clone http://oss.tresys.com/git/refpolicy.git
    cd refpolicy
    vi build.conf; set "DIST = suse" and "MONOLITHIC = n"
    make conf; make install-src
    vi /etc/selinux/config
        -- set DISTRO =refpolicy
        -- put SETLOCALDEFS = 0
    #### to avoid an error message with "make load" ####
    usermod -s /sbin/nologin nobody
    cd /etc/selinux/refpolicy/src/policy
    make; make install; make load
    #### workaround for bug in opensuse ####
    vi /etc/init.d/boot
        -- place "restorecon -R /dev" ahead of first mount
    reboot to runlevel 3

6. Reboot to runlevel 3, Log in as root and relabel the system
    setsebool -P init_upstart=1
    #### to work around a current bug in opensuse ####
    ln -s /etc/selinux/refpolicy /etc/selinux/targeted
    fixfiles relabel
    reboot

-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit.zip
Type: application/x-zip-compressed
Size: 10149 bytes
Desc: audit.zip
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100223/a48d83a3/attachment.bin
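
One way to triage the kind of AVC "denied" records described in the message above, as an added example that is not part of the original post and is not refpolicy code: it groups denials by source type, target type and class, and lists the groups whose target still carries a generic type. The function names, the sample lines (constructed, not taken from audit.zip) and the choice of generic types are assumptions made for this example.

```python
import re

# Constructed sample in audit.log AVC format; these lines are NOT from audit.zip.
SAMPLE_LOG = '''\
type=AVC msg=audit(1266936557.101:12): avc:  denied  { read write } for  pid=2101 comm="mingetty" name="tty1" dev=tmpfs ino=3001 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1266936557.101:12): arch=c000003e syscall=2 success=yes exit=3 comm="mingetty"
type=AVC msg=audit(1266936557.240:13): avc:  denied  { ioctl } for  pid=2101 comm="mingetty" path="/dev/tty1" dev=tmpfs ino=3001 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1266936558.010:14): avc:  denied  { search } for  pid=2200 comm="cron" name="spool" dev=sda2 ino=4410 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1266936559.500:15): avc:  denied  { append } for  pid=2300 comm="sshd" name="messages" dev=sda2 ino=5120 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

# Assumption: a denial whose target carries one of these generic refpolicy types
# usually points at a missing or stale label rather than a missing allow rule.
GENERIC_TYPES = {"unlabeled_t", "file_t", "default_t", "device_t"}

def sel_type(context):
    """Return the type field of a user:role:type[:mls] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    summary = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL and other non-denial records are skipped
        key = (sel_type(m["scon"]), sel_type(m["tcon"]), m["tclass"])
        entry = summary.setdefault(key, {"count": 0, "perms": set()})
        entry["count"] += 1
        entry["perms"].update(m["perms"].split())
    return summary

def labeling_suspects(summary):
    """Groups whose target type is generic, most frequent first."""
    hits = [k for k in summary if k[1] in GENERIC_TYPES]
    return sorted(hits, key=lambda k: -summary[k]["count"])

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for key in labeling_suspects(s):
        print(key, s[key]["count"], sorted(s[key]["perms"]))
```

Groups reported against device_t on a tmpfs /dev are the ones the "restorecon -R /dev" workaround in step 5 is meant to clear; groups against file_t or unlabeled_t suggest the relabel in step 6 did not reach those files.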