I had been trying various things in this image. So, just to be sure I have a repeatable state, I've rebuilt my system from scratch as follows:

1. standard OpenSuse 11.2 install (using Gnome); boot; start terminal; su -
2. install packages: selinux-tools selinux-policy libselinux* libsemanage* policycoreutils checkpolicy make m4 gcc findutils-locate git
3. add "3 security=selinux selinux=1 enforcing=0" to the grub boot line (boot to runlevel 3 with selinux in permissive mode) and reboot.
4. git clone http://oss.tresys.com/git/refpolicy.git
5. change build.conf: "DIST = suse" and "MONOLITHIC = n"
6. make clean; make conf; make; make install-src;
7. change /etc/refpolicy to point to the just-built policy version, and reboot
8. restorecon -R /; reboot

sestatus -v gives:

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        refpolicy

Process contexts:
Current context:                system_u:system_r:sysadm_t
Init context:                   system_u:system_r:init_t
/sbin/mingetty                  system_u:system_r:sysadm_t

File contexts:
Controlling term:               system_u:object_r:tty_device_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/bash                       system_u:object_r:shell_exec_t
/bin/login                      system_u:object_r:login_exec_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/mingetty                  system_u:object_r:getty_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t

pstree -Z gives:

init(`system_u:system_r:init_t')
|-acpid(`system_u:system_r:sysadm_t')
|-auditd(`system_u:system_r:sysadm_t')
| |-audispd(`system_u:system_r:sysadm_t')
| | `-{audispd}(`system_u:system_r:sysadm_t')
| `-{auditd}(`system_u:system_r:sysadm_t')
|-cron(`system_u:system_r:sysadm_t')
|-cupsd(`system_u:system_r:sysadm_t')
|-dbus-daemon(`system_u:system_r:sysadm_dbusd_t')
| `-{dbus-daemon}(`system_u:system_r:sysadm_dbusd_t')
|-dhcpcd(`system_u:system_r:dhcpc_t')
|-login(`system_u:system_r:sysadm_t')
| `-bash(`system_u:system_r:sysadm_t')
|   `-pstree(`system_u:system_r:sysadm_t')
|-master(`system_u:system_r:sysadm_t')
| |-pickup(`system_u:system_r:sysadm_t')
| `-qmgr(`system_u:system_r:sysadm_t')
|-mingetty(`system_u:system_r:sysadm_t')
|-mingetty(`system_u:system_r:sysadm_t')
|-mingetty(`system_u:system_r:sysadm_t')
|-mingetty(`system_u:system_r:sysadm_t')
|-mingetty(`system_u:system_r:sysadm_t')
|-nscd(`system_u:system_r:sysadm_t')
|-rpcbind(`system_u:system_r:sysadm_t')
|-rsyslogd(`system_u:system_r:sysadm_t')
| |-{rsyslogd}(`system_u:system_r:sysadm_t')
| |-{rsyslogd}(`system_u:system_r:sysadm_t')
| |-{rsyslogd}(`system_u:system_r:sysadm_t')
| `-{rsyslogd}(`system_u:system_r:sysadm_t')
|-startpar(`system_u:system_r:sysadm_t')
|-udevd(`system_u:system_r:sysadm_t')
| |-udevd(`system_u:system_r:sysadm_t')
| `-udevd(`system_u:system_r:sysadm_t')
`-vmtoolsd(`system_u:system_r:sysadm_t')

Now, I tried setsebool -P init_upstart=1. It gives an error message:

----------------
Libsemanage.get_home_dirs: nobody homedir /var/lib/nobody or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than 1000 or its log in shell is /sbin/nologin.
----------------

So I did "usermod -s /sbin/nologin nobody" and repeated the setsebool (no error message returned, and "getsebool init_upstart" reports that it was on). But after reboot it is off again...
-----Original Message-----
From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
Sent: Tuesday, February 16, 2010 2:39 PM
To: Alan Rouse
Cc: 'selinux@xxxxxxxxxxxxx'
Subject: RE: SELinux Policy in OpenSUSE 11.2

On Tue, 2010-02-16 at 14:19 -0500, Alan Rouse wrote:
> "sestatus -v" reports the following:
>
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 24
> Policy from config file:        refpolicy
>
> Process contexts:
> Current context:                system_u:system_r:sysadm_t
> Init context:                   system_u:system_r:init_t
> /sbin/mingetty                  system_u:system_r:sysadm_t

Ok, so init is in the right security context, but getty is not.

refpolicy has a rule that says if init runs a shell, transition to sysadm_t - that is for single-user mode. But that gets disabled if using upstart since upstart runs everything via a shell.

Try:
setsebool -P init_upstart=1
reboot

pstree -Z output might also be interesting.

--
Stephen Smalley
National Security Agency
1. Default install of OpenSuse 11.2 (used Gnome desktop)
2. Boot normally to desktop, open terminal, su -
3. Do this:
   zypper install selinux-tools selinux-policy libselinux* libsemanage* policycoreutils checkpolicy make m4 gcc findutils-locate git
   vi /boot/grub/menu.lst -- and add to the Desktop kernel boot line: "3 security=selinux selinux=1 enforcing=0"
4. Reboot and log in as root
5. Do this:
   git clone http://oss.tresys.com/git/refpolicy.git
   cd refpolicy
   edit build.conf; set "DIST = suse" and "MONOLITHIC = n"
   make clean; make conf; make; make install-src
   vi /etc/selinux/conf -- set =refpolicy
   reboot
6. restorecon -R /; reboot
7. setsebool -P init_upstart=1; reboot
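The symptom Stephen points at above (init running services through a shell, so daemons land in sysadm_t instead of their own domains) can be checked mechanically from pstree -Z output. The script below is an added example, not code from this thread; the sample pstree output and the table of expected refpolicy domains are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `pstree -Z` output, modelled on the thread: several daemons
# sit in sysadm_t because init started them through a shell.
sample_pstree() {
cat <<'EOF'
init(`system_u:system_r:init_t')
|-auditd(`system_u:system_r:sysadm_t')
| `-{auditd}(`system_u:system_r:sysadm_t')
|-cron(`system_u:system_r:sysadm_t')
|-dbus-daemon(`system_u:system_r:sysadm_dbusd_t')
|-dhcpcd(`system_u:system_r:dhcpc_t')
|-login(`system_u:system_r:sysadm_t')
| `-bash(`system_u:system_r:sysadm_t')
|-mingetty(`system_u:system_r:sysadm_t')
|-sshd(`system_u:system_r:sysadm_t')
EOF
}

# Turn pstree -Z lines into "name type" pairs; thread entries like {auditd} are dropped.
parse_pstree() {
    sed -n 's/^[| `-]*\([^(]*\)(`[^:]*:[^:]*:\([^'"'"']*\)'"'"').*/\1 \2/p' | grep -v '^{'
}

# Refpolicy domain each daemon is expected to run in (assumed table covering the
# services named in the thread; extend it for other hosts).
expected_domain() {
    case "$1" in
        auditd)           echo auditd_t ;;
        cron)             echo crond_t ;;
        cupsd)            echo cupsd_t ;;
        dhcpcd)           echo dhcpc_t ;;
        rsyslogd)         echo syslogd_t ;;
        sshd)             echo sshd_t ;;
        udevd)            echo udev_t ;;
        mingetty|agetty)  echo getty_t ;;
        *)                echo "" ;;
    esac
}

# Read pstree -Z output on stdin; print "name actual expected" for each daemon that
# is not in its expected domain.  Empty output means init is transitioning correctly.
domain_mismatches() {
    parse_pstree | while read -r name dom; do
        want=$(expected_domain "$name")
        if [ -n "$want" ] && [ "$want" != "$dom" ]; then
            echo "$name $dom $want"
        fi
    done
}

# Live use on the box under test:  pstree -Z | domain_mismatches
sample_pstree | domain_mismatches
```

Run it once before and once after toggling init_upstart and rebooting; the mismatch list shrinking to nothing is the sign that the boolean actually took effect.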