From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 23 Feb 2010 14:39:16 -0500
Subject: [refpolicy] Reference policy and OpenSuse 11.2
In-Reply-To: <5A5E55DF96F73844AF7DFB0F48721F0F52E41FF963@EUSAACMS0703.eamcs.ericsson.se>
References: <5A5E55DF96F73844AF7DFB0F48721F0F52E41FF963@EUSAACMS0703.eamcs.ericsson.se>
Message-ID: <1266953956.9127.53.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2010-02-23 at 09:49 -0500, Alan Rouse wrote:
> I'm trying to get selinux working under opensuse 11.2.  I think I'm at
> the point where I'm running into labeling issues with the latest
> refpolicy.  Attached is the audit.log generated from a clean boot of
> opensuse (with selinux enabled and in permissive mode).  It appears to
> me that some things are not being labeled correctly, resulting in AVC
> "denied" messages (including lots of cases where getty is denied...)
> Any assistance would be greatly appreciated!

Most of it looks like processes running in the wrong context.  Looks
like packagekit, devicekit, policykit, and rtkit are getting started out
of dbus, but not getting to the right domain (not all of them have
policies either).  Most of these fixes are probably in the avalanche of
Fedora patches that are in the queue.

But there are still others that still require more investigation.  It
looks like mount is being run from dbus, which needs some explanation.  

The getty denials are most disconcerting.  It looks like its doing the
equivalent of something 'ps -A'.  I don't know why it would be doing
that, I don't see that behavior on my systems.  Does SuSE patch
mingetty?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150