From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 23 Feb 2010 14:39:16 -0500
Subject: [refpolicy] Reference policy and OpenSuse 11.2
In-Reply-To: <5A5E55DF96F73844AF7DFB0F48721F0F52E41FF963@EUSAACMS0703.eamcs.ericsson.se>
References: <5A5E55DF96F73844AF7DFB0F48721F0F52E41FF963@EUSAACMS0703.eamcs.ericsson.se>
Message-ID: <1266953956.9127.53.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2010-02-23 at 09:49 -0500, Alan Rouse wrote:
> I'm trying to get selinux working under opensuse 11.2. I think I'm at
> the point where I'm running into labeling issues with the latest
> refpolicy. Attached is the audit.log generated from a clean boot of
> opensuse (with selinux enabled and in permissive mode). It appears to
> me that some things are not being labeled correctly, resulting in AVC
> "denied" messages (including lots of cases where getty is denied...)
> Any assistance would be greatly appreciated!

Most of it looks like processes running in the wrong context. Looks like
packagekit, devicekit, policykit, and rtkit are getting started out of
dbus, but not getting to the right domain (not all of them have policies
either). Most of these fixes are probably in the avalanche of Fedora
patches that are in the queue. But there are still others that still
require more investigation. It looks like mount is being run from dbus,
which needs some explanation.

The getty denials are most disconcerting. It looks like it's doing the
equivalent of something like 'ps -A'. I don't know why it would be doing
that, I don't see that behavior on my systems. Does SuSE patch mingetty?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
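An added example, not part of the original message or of refpolicy: a triage script that groups AVC denials by source domain and command name, which surfaces both patterns described above (programs still running in the dbus domain, and a getty touching other processes' /proc entries). The log lines are constructed, and the /proc heuristic (a target context whose role is not `object_r`) is an assumption of this sketch.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records, not taken from the audit.log attached to the thread.
SAMPLE_LOG = """\
type=AVC msg=audit(1266936000.101:11): avc:  denied  { read } for  pid=1501 comm="mount" name="mtab" dev=sda2 ino=4211 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1266936000.101:11): arch=c000003e syscall=2 success=yes exit=3 comm="mount"
type=AVC msg=audit(1266936001.210:14): avc:  denied  { write } for  pid=1522 comm="packagekitd" name="rpm" dev=sda2 ino=9002 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1266936001.215:15): avc:  denied  { read } for  pid=1522 comm="packagekitd" name="Packages" dev=sda2 ino=9003 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1266936002.300:20): avc:  denied  { search } for  pid=1700 comm="mingetty" name="1" dev=proc ino=1021 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1266936002.301:21): avc:  denied  { search } for  pid=1700 comm="mingetty" name="912" dev=proc ino=3377 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=dir
type=AVC msg=audit(1266936002.302:22): avc:  denied  { read } for  pid=1700 comm="mingetty" name="stat" dev=proc ino=3401 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:udev_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')

def parse_avc(log):
    """Yield one dict per AVC denial; other record types are skipped."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()
            rec["sdomain"] = rec["scon"].split(":")[2]       # user:role:type[:mls]
            rec["trole"], rec["ttype"] = rec["tcon"].split(":")[1:3]
            yield rec

def comms_by_domain(records):
    """Map source domain -> Counter of command names denied while in it."""
    out = defaultdict(Counter)
    for rec in records:
        out[rec["sdomain"]][rec["comm"]] += 1
    return out

def proc_scans(records, domain="getty_t"):
    """Other domains whose /proc/<pid> entries `domain` was denied access to.
    Heuristic (assumption): /proc/<pid> inodes carry the task's own context,
    so the target role is a process role rather than object_r."""
    return sorted({r["ttype"] for r in records
                   if r["sdomain"] == domain and r["trole"] != "object_r"
                   and r["tclass"] in ("dir", "file", "lnk_file")
                   and r["ttype"] != domain})

if __name__ == "__main__":
    recs = list(parse_avc(SAMPLE_LOG))
    for dom, comms in comms_by_domain(recs).items():
        print(dom, dict(comms))
    print("getty_t probed /proc entries of:", proc_scans(recs))
```

Any command other than the bus daemon itself listed under `system_dbusd_t` is a candidate for a missing domain transition or a missing policy module.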