From: justinmattock@gmail.com (Justin P. Mattock)
Date: Wed, 20 Oct 2010 22:15:49 -0700
Subject: [refpolicy] load_policy() with upstart on mint 9 fluxbox
In-Reply-To: <20101021024431.GA25516@hallyn.com>
References: <4CBE21ED.4050706@gmail.com> <20101020015409.GA19663@hallyn.com> <4CBF66AE.5040805@gmail.com> <20101021024431.GA25516@hallyn.com>
Message-ID: <4CBFCC85.60404@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/20/2010 07:44 PM, Serge E. Hallyn wrote:
> Quoting Justin P. Mattock (justinmattock at gmail.com):
>> o.k. finally connected the dots that I needed to create an initrd.img
>> in order for this to load (I'm a total newbie!!)
>>
>> Anyways the policy loads everything went in and am now in full
>> enforcement mode.. only real issue is with lxde
>> same bug here:
>> https://bugzilla.redhat.com/show_bug.cgi?id=552885
>>
>> seems lxde is in /usr/sbin reason probably for the wrong filelabel..
>
> Cool, so does following the steps outlined in that bug make it
> work for you?
>

What I normally have is /boot/System.map-* and vmlinuz-* to load the
kernel.. Seems sysvinit knows how to take things there and load_policy()
for upstart, whatever it's doing (like what you said), needs to go
through initrd.

Yesterday I thought that's what I had done with:

    fakeroot make-kpkg --initrd --append-to-version=-custom kernel_image kernel_headers

but missed one last step:

    mkinitramfs -k -o initrd.img-2.6.36-rc8-custom-00022-g2b666ca

then after doing this everything loaded as is..

Note: guess this is what's being called to do all of this:

    /usr/share/initramfs-tools/scripts/init-bottom/_load_selinux_policy

As for the file labels in /var/run, seems most of the files in there are
labeled with initrc_t (keep in mind I chose debian as the distro in
build.conf, so maybe this is why)..

As for lxde, before using chcon I was getting a login context of

    name:staff_r:netutils_t:s0

then after relabeling those files:
(chcon to this context like the bug report had shown)

    system_u:object_r:xdm_exec_t:s0 /usr/sbin/lxdm
    system_u:object_r:xdm_exec_t:s0 /usr/sbin/lxdm-binary
    system_u:object_r:xdm_var_run_t:s0 lxdm.pid

I login with the proper context that I chose:

    name:staff_r:staff_t:s0

Right now I think everything is running o.k. on this operating system..
(nice, small, and functional.. with a touch of SELinux on top...)

Justin P. Mattock