RE: SELinux Policy in OpenSUSE 11.2

Stephen wrote:
> What does this file contain?  It shouldn't exist at all with modular/managed policy; 
> it was the legacy way of providing distribution-shipped custom boolean definitions 
> with monolithic policy. Delete it or put SETLOCALDEFS=0 in your /etc/selinux/config to ignore it.

Excellent!!!   I put SETLOCALDEFS=0 in /etc/selinux/config and now I'm able to boot into the desktop with selinux enabled, in permissive mode.  (BTW, setsebool does create / update the /etc/selinux/refpolicy-standard/modules/active/booleans.local file.)

Outstanding issues:
1) Several pages of AVC messages: getty_t, sysadm_dbusd_t, system_dbusd_t, various others.

2) Error messages during the "fixfiles relabel" (running as root, in permissive mode):

linux-f8dr:/etc/selinux # fixfiles relabel

    Files in the /tmp directory may be labeled incorrectly, this command 
    can remove all files in /tmp.  If you choose to remove files from /tmp, 
    a reboot will be required after completion.
    
    Do you wish to clean out the /tmp directory [N]? n
/sbin/setfiles:  unable to stat file /home/alan/.gvfs: Permission denied
/sbin/setfiles:  error while labeling /home:  Permission denied
find: unknown predicate `-context'
find: unknown predicate `-context'


-----Original Message-----
From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx] 
Sent: Friday, February 19, 2010 12:46 PM
To: Alan Rouse
Cc: 'selinux@xxxxxxxxxxxxx'
Subject: RE: SELinux Policy in OpenSUSE 11.2

On Fri, 2010-02-19 at 10:29 -0500, Alan Rouse wrote:
> > ls -lR /etc/selinux/$SELINUXTYPE
> > strace load_policy
> 
> =======================================================================
> . /etc/selinux/config
> ls -lR /etc/selinux/$SELINUXTYPE
> =======================================================================
> /etc/selinux/refpolicy-standard:
> total 28
> -rw-r--r--. 1 root root 2029 Oct 19 17:09 booleans

What does this file contain?  It shouldn't exist at all with modular/managed policy; it was the legacy way of providing distribution-shipped custom boolean definitions with monolithic policy.
Delete it or put SETLOCALDEFS=0 in your /etc/selinux/config to ignore it.

> /etc/selinux/refpolicy-standard/modules/active:
> total 3936
> -rw-r--r--. 1 root root   20377 Feb 18 16:36 base.pp
> -rw-------. 1 root root      32 Feb 18 16:36 commit_num
> -rw-------. 1 root root  139886 Feb 18 16:36 file_contexts
> -rw-r--r--. 1 root root    2663 Feb 18 16:36 file_contexts.homedirs
> -rw-------. 1 root root  142369 Feb 18 16:36 file_contexts.template
> -rw-------. 1 root root    2483 Feb 18 16:36 homedir_template
> drwx------. 2 root root   12288 Feb 18 16:36 modules
> -rw-------. 1 root root       0 Feb 18 16:36 netfilter_contexts
> -rw-r--r--. 1 root root 3687284 Feb 18 16:36 policy.kern
> -rw-------. 1 root root      47 Feb 18 16:36 seusers.final
> -rw-------. 1 root root     143 Feb 18 16:36 users_extra

Instead you should have a booleans.local file in this subdirectory if you have run setsebool -P on any boolean.  Try running setsebool -P
init_upstart=1 again for me and check whether a booleans.local file was created under modules/active, please?  If not, strace the setsebool command for me.  That might be large, so make it an attachment.

--
Stephen Smalley
National Security Agency
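The check Stephen describes above, as an added example that is not part of the thread and not the SELinux project's own tooling: it reads SELINUXTYPE and SETLOCALDEFS from a config file, flags a legacy booleans file next to the policy store (which is loaded unless SETLOCALDEFS=0), and lists what setsebool -P has persisted in modules/active/booleans.local. The root-directory argument and the make_sample_tree helper (which rebuilds the layout from the ls -lR output with placeholder contents) are assumptions so the script runs offline against a constructed tree instead of the live /etc/selinux; the one-boolean-per-line name=value format of booleans.local is also an assumption.

```bash
#!/bin/sh
# Added example for this page, not code from the thread or from SELinux.

# Audit where boolean definitions live under an SELinux root directory.
# Prints key=value lines; returns 1 if a legacy booleans file would be
# honoured (SETLOCALDEFS not set to 0), 2 if there is no config file.
selinux_boolean_audit() {
    root="${1:-/etc/selinux}"          # root argument is an assumption
    config="$root/config"
    [ -r "$config" ] || { echo "error=no config at $config"; return 2; }

    # Pull the two settings out with sed instead of sourcing the file,
    # so nothing else that happens to be in it gets executed.
    selinuxtype=$(sed -n 's/^SELINUXTYPE=//p' "$config" | tail -n 1)
    setlocaldefs=$(sed -n 's/^SETLOCALDEFS=//p' "$config" | tail -n 1)
    echo "selinuxtype=${selinuxtype:-unset}"
    echo "setlocaldefs=${setlocaldefs:-unset}"

    legacy="$root/$selinuxtype/booleans"
    local_file="$root/$selinuxtype/modules/active/booleans.local"
    status=0

    # Legacy monolithic-policy file: should not exist with managed policy.
    if [ -f "$legacy" ]; then
        echo "legacy_booleans=present"
        if [ "$setlocaldefs" != "0" ]; then
            echo "verdict=legacy booleans file will be loaded; delete it or set SETLOCALDEFS=0"
            status=1
        else
            echo "verdict=legacy booleans file ignored (SETLOCALDEFS=0)"
        fi
    else
        echo "legacy_booleans=absent"
    fi

    # Managed-policy store: booleans.local only appears after setsebool -P.
    # Assumed format: one "name=value" per line, value 0 or 1.
    if [ -f "$local_file" ]; then
        echo "booleans_local=present"
        sed -n 's/^\([A-Za-z0-9_]*\)[[:space:]]*=[[:space:]]*\([01]\).*/local_boolean=\1:\2/p' "$local_file"
    else
        echo "booleans_local=absent (nothing persisted with setsebool -P)"
    fi
    return $status
}

# Constructed sample tree mirroring the ls -lR output in the thread:
# a legacy booleans file present, no booleans.local, SETLOCALDEFS unset.
# File contents are placeholders, not the real ones from the page.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/refpolicy-standard/modules/active"
    printf 'SELINUX=permissive\nSELINUXTYPE=refpolicy-standard\n' > "$dir/config"
    printf 'init_upstart=1\n' > "$dir/refpolicy-standard/booleans"
    echo "$dir"
}

# Demo against the constructed tree (run against the live system with
# "selinux_boolean_audit /etc/selinux" after sourcing this file).
demo_dir=$(make_sample_tree)
selinux_boolean_audit "$demo_dir" || echo "exit_status=$?"
rm -rf "$demo_dir"
```

On the thread's layout the audit reports the legacy file as present and loaded and exits 1; after adding SETLOCALDEFS=0 to the config and persisting a boolean with setsebool -P, it reports the file as ignored and lists the booleans.local entries.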



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.