Thanks for your explanation Stephen.
I am not sure if the following problem is general for SELinux or specific for refpolicy:
Now I am trying to compile the current refpolicy. After compilation and restart ubuntu doesn't boot.
I used "apt-get source refpolicy" to get the policy source. Then I did "make policy", "make load", "make restorelabels", and restarted the machine.
=8<=========================================
I am not sure if the following problem is general for SELinux or specific for refpolicy:
Now I am trying to compile the current refpolicy. After compilation and restart ubuntu doesn't boot.
I used "apt-get source refpolicy" to get the policy source. Then I did "make policy", "make load", "make restorelabels", and restarted the machine.
=8<=========================================
Starting up ...
Loading, please wait...
[ 14.623245] sd 0:0:0:0: [sda] Assuming drive cache: write through
[ 14.623882] sd 0:0:0:0: [sda] Assuming drive cache: write through
kinit: name_to_dev_t(/dev/disk/by-uuid/2896d9f5-f576-4f35-8abd-277710a63def) = s
da5(8,5)
kinit: trying to resume from /dev/disk/by-uuid/2896d9f5-f576-4f35-8abd-277710a63
def
kinit: No resume image, doing normal boot...
exec: 7: /etc/init.d/rcS: Permission denied
init: rcS main process (2326) terminated with status 2
init: rc-default main process (2328) terminated with status 1
=8<=========================================
I used ubuntu live CD and found nothing in /var/log/message. (there is no single entry since last boot) And if I disable SELinux by turning off the kernel option, it can boot.
Is there any clue how to solve this problem?
Hong
Loading, please wait...
[ 14.623245] sd 0:0:0:0: [sda] Assuming drive cache: write through
[ 14.623882] sd 0:0:0:0: [sda] Assuming drive cache: write through
kinit: name_to_dev_t(/dev/disk/by-uuid/2896d9f5-f576-4f35-8abd-277710a63def) = s
da5(8,5)
kinit: trying to resume from /dev/disk/by-uuid/2896d9f5-f576-4f35-8abd-277710a63
def
kinit: No resume image, doing normal boot...
exec: 7: /etc/init.d/rcS: Permission denied
init: rcS main process (2326) terminated with status 2
init: rc-default main process (2328) terminated with status 1
=8<=========================================
I used ubuntu live CD and found nothing in /var/log/message. (there is no single entry since last boot) And if I disable SELinux by turning off the kernel option, it can boot.
Is there any clue how to solve this problem?
Hong
On Fri, Aug 29, 2008 at 9:06 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
As I understand it, they only shipped a minimal policy and a cupsd
On Thu, 2008-08-28 at 15:44 -0400, Hong wrote:
> I am trying to use SELinux in Ubuntu 8.04. Looks like refpolicy is
> the only supported policy in the repository.
> I downloaded policy.22 (refpolicy). The size of the binary policy is
> about 360K(accurate size is 360296), much smaller than targeted policy
> in Fedora8. (about 3.5M).
>
> Then I use dispol tool in checkpolicy to display the policy, seems
> there are no many useful domains in the policy. There is no htttpd
> domain, no ftpd domain...
policy module as a starting point, to match the original configuration
of AppArmor. I'm not sure what progress has been made since then. You
can of course try building and using the upstream refpolicy with a more
complete configuration.
I'd guess that insmod_t is an unconfined domain in that policy (typical
> And the access vector really confuses me. For example, I think the
> domain insmod_t should be entered through insmod, rmmod, ...
> But from the policy, domain insmod_t has the entrypoint privilege
> over a lot of types: hplip_etc_t, lpd_tmp_t, proc_afs_t,
> pam_tmp_t, ... (there are more than 300 of them).
>
> Did I do anything wrong? And if I am getting the correct binary
> policy, why the entrypoint privilege is configure this way?
for a targeted-style policy), and thus is unrestricted.
--
Stephen Smalley
National Security Agency
