Re: SELinux Policy in OpenSUSE 11.2


 



On 02/19/2010 07:58 AM, Alan Rouse wrote:
First let me say that I appreciate all the help on this list very much!!!!!

Justin wrote:

While running the one that they provide I noticed the system is running as
system_u:system_r:system_t (or whatever it is) I'm sure you can use this, but for me I
like to either run in staff_r, sysadm_r or user_r(roles).

Makes sense...   I think you're saying this is not the underlying problem for the gdm / desktop / boot issues, right?   If so I'd like to get to a clean selinux boot before addressing this type of thing.

I couldn't find the source from suse (although I'm sure it's there), so I just grabbed a
copy from tresys...while building the source from tresys I sometimes will hit a syntax
error (this time I did) with checkpolicy and/or checkmodule


with checkpolicy/checkmodule this syntax error is random, i.e. I hit this sometimes, and then sometimes never appears (building
those with an older version of flex seems to fix this,
finding the issue is possible with probably doing a bisect,
if the git repository goes back that far).

I'm now able to build policy from the source obtained from the OpenSuse 11.2 repository. Do I need a different version of checkpolicy or checkmodule?  Or can I skip this?

then after being able to build and install the policy then I focused in on the
booleans, I set (although am not sure if they fixed the errors with avahi) were these:

allow_polyinstantiation=on

I don't need polyinstantiation right now so I'll skip that unless you think it's pertinent to my main problem.


no pam_namespace is always something I like to turn on, but as Stephen pointed out if you have multiple people using the system.

init_upstart=on (although I think they use sysvinit (not sure))

Yes, OpenSuse 11.2 seems to be using sysvinit

so the upstart boolean probably does nothing.


xdm_sysadm_login=on (this is for sysadm_r role (if I wanted the main context as name:sysadm_r:sysadm_t))
xserver_object_manager=on (although I don't see the SELinux extension in Xorg.0.log)

I've been unable to make persistent changes to policy, booleans etc.  Hopefully Stephen will spot the problem causing that, based on the info I sent out a few minutes ago.

keep in mind I don't think these booleans fixed the errors I think after I had
relabeled then the errors were fixed(but could be wrong).

I could boot cleanly to a desktop before relabeling (with everything as file_t).  Once I relabeled with fixfiles, runlevel 5 would fail and I'd be dropped back to a console at runlevel 3.


yeah I noticed this as well, i.e. after doing fixfiles relabel the system really crashed and burned.

then once I was able to get a clean boot(even with the "targeted" dbus
issue)

If I can get to that point I think I'll be in business.

Thanks
Alan


o.k. suse just finished installing, I'll go and redo what I did
to get things cleaner.
(changing out systems is easy).

Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
