RE: SELinux Policy in OpenSUSE 11.2


On Fri, 2010-02-19 at 16:08 -0500, Alan Rouse wrote:
> Ok, in case this might be useful to someone else, here's my recipe for an OpenSuse 11.2 system booting to the desktop using SELinux in permissive mode.  (Next step for me is to fix a few pages of AVC denied messages...)
> 
> 1.  Default install of OpenSuse 11.2 (used Gnome desktop)
> 2.  Boot normally to desktop, open terminal, su -
> 3.  Do this:
> 
> zypper install selinux-tools selinux-policy libselinux* libsemanage* policycoreutils checkpolicy   setools-console make m4 gcc findutils-locate git
> 
> vi /boot/grub/menu.lst
>  -- and add to the Desktop kernel boot line: "security=selinux selinux=1 enforcing=0"
> 
> cd /etc/selinux
> cp -R refpolicy-standard targeted
> usermod -s /sbin/nologin nobody
> reboot <should boot to desktop>
> ===============
> Get policy src:
> ===============
> -- launch firefox, go to http://software.opensuse.org/search/
> -- search for selinux-policy, download src
> -- install src rpm
> cp /usr/src/packages/SOURCES/refpolicy-2.20081210.tar.bz2 /tmp
> cd /tmp
> bunzip2 refpolicy-2.20081210.tar.bz2
> tar xvf refpolicy-2.20081210.tar
> cd refpolicy
> vi build.conf   (set NAME = refpolicy-standard; set DISTRO = suse; set MONOLITHIC = n)
> make clean; make conf; make; make install; make load; make install-src
> cd /etc/selinux/refpolicy-standard/src/policy
> make clean; make conf; make; make install; make load
> cd /etc/selinux
> rsync -avz refpolicy-standard/ targeted

Why is it necessary to download and rebuild the source policy?  Did they
build it as a monolithic policy?

> reboot
> =============================
> End of getting policy source:
> =============================
> setsebool -P init_upstart=on
> setsebool -P xdm_sysadm_login=on
> setsebool -P xserver_object_manager=on

I think you only need the first boolean setting.
And we should likely introduce an ifdef for suse in refpolicy that
always disables that transition so that you don't have to artificially
turn on that boolean.

> fixfiles relabel
> -- put SETLOCALDEFS=0 in /etc/selinux/config
> reboot
> 
> And we're now in the desktop with a relabeled system and selinux in permissive mode.
> ================================================================================
> 
> Here's what "audit2allow -al" shows now...
> 
> #============= avahi_t ==============
> allow avahi_t tmpfs_t:dir search;
> allow avahi_t tmpfs_t:sock_file write;

It would be useful to see the raw audit message with what directory/file
is being accessed.  tmpfs_t indicates a tmpfs mount, which might mean
you have a mislabeled tmpfs mount (e.g. /dev is a tmpfs mount that
should be relabeled by rc.sysinit via restorecon -R /dev).


-- 
Stephen Smalley
National Security Agency
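Stephen asks for the raw audit records rather than the audit2allow summary, because the dev/name/path fields are what tell a mislabeled tmpfs mount apart from a genuinely missing rule. The script below is an added example, not code from this thread or from refpolicy: it parses constructed AVC records in audit.log format, groups them the way audit2allow does, keeps the accessed object per denial, and flags tmpfs_t targets as a labeling problem to check first. The sample records and the suspect_mislabel heuristic are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample AVC records in raw audit.log format (not real data from the thread).
SAMPLE_AVC = """\
type=AVC msg=audit(1266615012.123:45): avc:  denied  { search } for  pid=2301 comm="avahi-daemon" name="/" dev=tmpfs ino=1 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1266615012.125:46): avc:  denied  { write } for  pid=2301 comm="avahi-daemon" name="log" dev=tmpfs ino=4321 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file
type=AVC msg=audit(1266615013.001:47): avc:  denied  { read } for  pid=2410 comm="Xorg" path="/etc/X11/xorg.conf" dev=sda2 ino=99 scontext=system_u:system_r:xserver_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one 'denied' AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    # The type is the third component of a context (user:role:type:level).
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields

def summarize(log_text):
    """Group denials like audit2allow does, but keep (dev, name-or-path) per rule."""
    summary = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            key = (rec['stype'], rec['ttype'], rec['tclass'], perm)
            summary[key].append((rec.get('dev', '?'), rec.get('path') or rec.get('name', '?')))
    return dict(summary)

def suspect_mislabel(summary):
    """Heuristic (assumption): a tmpfs_t target usually means the mount was never
    relabeled (e.g. restorecon -R /dev), so check labeling before adding an allow rule."""
    return sorted({k for k in summary if k[1] == 'tmpfs_t'})

if __name__ == '__main__':
    s = summarize(SAMPLE_AVC)
    for (st, tt, cls, perm), targets in sorted(s.items()):
        print(f"allow {st} {tt}:{cls} {perm};  # {', '.join(f'{d}:{n}' for d, n in targets)}")
    for k in suspect_mislabel(s):
        print("check labeling of the tmpfs mount before adding a rule for:", k)
```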


--
This message was distributed to subscribers of the selinux mailing list.
