> On 08/24/2010 07:09 AM, imsand@xxxxxxxxx wrote:
>>> On 08/24/2010 12:14 AM, imsand@xxxxxxxxx wrote:
>>>>> On 08/23/2010 06:23 AM, imsand@xxxxxxxxx wrote:
>>>>>> Hello Everybody
>>>>>>
>>>>>> For quite a while I've been trying to enable selinux in SLES11, but
>>>>>> sestatus always shows DISABLED.
>>>>>>
>>>>>> The following steps I've already done:
>>>>>> * installed all *selinux* packages from yast2
>>>>>> * added the following boot parameters to the kernel:
>>>>>>   security=selinux selinux=1 enforcing=0
>>>>>> * created the /etc/selinux/config file with this content:
>>>>>>   SELINUX=enforcing
>>>>>>   SELINUXTYPE=targeted
>>>>>>
>>>>>> What I've noticed is that /selinux doesn't exist. I can't create that
>>>>>> mountpoint manually because the selinuxfs filesystem doesn't exist.
>>>>>>
>>>>>> Does anybody know if that could be the reason? And if so, how do I
>>>>>> get selinux to work on SLES 11?
>>>>>> (As far as I know SLES 11 should be prepared to use selinux as a
>>>>>> technical preview.)
>>>>>>
>>>>>> Thanks in advance
>>>>>> Matthias
>>>>>>
>>>>>> --
>>>>>> This message was distributed to subscribers of the selinux mailing list.
>>>>>> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
>>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>>
>>>>> should be working (at least for opensuse 12), you need to mkdir /selinux
>>>>> then reboot (SELinux will mount its file-system there (but can't if the
>>>>> mount-point doesn't exist)).
>>>>>
>>>>> Justin P. Mattock
>>>>
>>>> OpenSuse12? Do you mean opensuse 11.2?
>>>> Any other suggestions?
>>>
>>> yeah open suse 11.2 Oops... as for any other advice, what Stephan had
>>> posted for you is probably the right info to go through.. just don't be
>>> afraid to ask questions..
>>>
>>> Justin P. Mattock
>>
>> Unfortunately it doesn't work. I've done all steps described in here:
>> http://thetoms-random-thoughts.blogspot.com/2008/12/selinux-on-opensuse-111.html
>> but this doesn't seem to work for sles 11.
>> Anybody out there who was able to run selinux on sles 11?
>> I've got some other questions:
>> * what happens if the policy is not found? what would sestatus report?
>> * are there some good debug options for selinux? logs? any other hints?
>>   (dmesg shows nothing related to selinux)
>>
>> best regards
>> Imsand
>>

Thank you for your answer. Now I'm one step further :) SELinux will now be
loaded during startup. YEAH!!!

But now it has a problem with the installed policy. I get this error:
-----
SELinux: Could not open policy file <= /etc/selinux/refpolicy-standard/policy/policy.23: No such file or directory
Unable to load SELinux Policy. Machine is in enforcing mode. halting now.
-----
It is looking for a version 23 policy, but the installed one is
/etc/selinux/refpolicy-standard/policy/policy.24.
Simply renaming policy.24 to policy.23 doesn't work:
----
SELinux: policydb version 24 does not match my version range 15-23
SELinux: Could not load policy file /etc/selinux/refpolicy-standard/policy/policy.23: Invalid argument.
----

Based on this error I have some questions:
1) It seems that SELinux is looking for a binary policy. Are only monolithic
   policies allowed? Or how can I use the newer modular policies?
2) Is there a possibility of converting version 24 policies to version 23? Or
   do I have to search for a version 23 policy for sles 11?
3) How can I upgrade sles 11 so that it accepts version 24 policies? Which
   parts or libraries are responsible for the version check?
4) The policies from tresys seem to have a different format than the one from
   http://download.opensuse.org/repositories/security:/SELinux/openSUSE_Factory
   that I've installed. (It is not simply a binary file?!?)

Here is some more information based on your guidance:

> hmm.. well if they have the SELinux packages from sles then that's a good
> indication that there's support..
>
> some things need to be checked though:
>
> 1) if sles already has the SELinux packages then you already have
> libselinux.so, libsepol, etc... if not, then download the SELinux
> userspace package and install it (gives you all the tools and libraries
> needed to use SELinux)

installed from the standard repository. This is okay!

> 2) is SELinux enabled in the kernel? (if not either build a vanilla and
> check "y" under security options for SELinux, or grab an already built
> rpm)

yes it is.
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set

> 2) sysvinit needs to have the init_load_policy() patch added to it in
> order for the policy to be loaded at boot. (if using upstart there's a
> patch as well, or a procedure to load_policy)

seems to be.

> 3) grab the latest refpolicy from tresys and install it.
> (or use the rpm that sles has (if it has one))

used this:
http://download.opensuse.org/repositories/security:/SELinux/openSUSE_Factory/noarch/selinux-policy-refpolicy-standard-2.20081210-13.1.noarch.rpm
This installs a /etc/selinux/config which points to refpolicy-standard,
which was created in /etc/selinux/refpolicy-standard/policy.24

> 4) once the policy is loading at boot then create your login info so
> SELinux starts in the right context. (semanage login -a -s staff_u name)
>
> 5) use audit2allow to add allow rules for the apps you want to use.
> (audit2allow -dM amodulenameforyourallowrules)
>
> 6) sit back with a beer (in enforcement mode) and enjoy SELinux!!
>
> remember there's plenty of people here to get you up and running...
>
> Justin P. Mattock
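The "policydb version 24 does not match my version range 15-23" error in the thread is decided by a version field inside the binary policy's header, not by the N in the policy.N filename, which is why renaming policy.24 to policy.23 only changes which error you get. The following diagnostic is an added example, not code from the thread or from the SELinux project: it parses that header using the layout from the kernel's security/selinux/ss/policydb.c and libsepol (magic, string length, "SE Linux", then version/config/sym_num/ocon_num as little-endian u32), reads the kernel's accepted maximum from selinuxfs (/sys/fs/selinux or the older /selinux mount point), and explains whether a given file would load. The make_header helper builds constructed sample bytes for demonstration only; the path names and the 15 lower bound (POLICYDB_VERSION_BASE in the kernel sources) are assumptions stated here.

```python
import re
import struct
from pathlib import Path
from typing import Optional

# Constants from the SELinux policydb on-disk format (kernel
# security/selinux/ss/policydb.c and libsepol's policydb.c).
POLICYDB_MAGIC = 0xF97CFF8C        # monolithic kernel binary policy (policy.N)
POLICYDB_MOD_MAGIC = 0xF97CFF8D    # a loose policy module (.mod)
MODULE_PACKAGE_MAGIC = 0xF97CFF8F  # a .pp package as written by semodule_package
KERNEL_POLICY_STRING = b"SE Linux"
POLICYDB_VERSION_MIN = 15          # oldest policydb version the kernel accepts (assumed constant)


def policy_header(data: bytes) -> dict:
    """Parse the fixed header of a kernel binary policy.

    Layout (little-endian u32 unless noted):
      magic | len | target string (len bytes) | version | config | sym_num | ocon_num
    Raises ValueError for anything that is not a kernel policy, so a caller can
    tell a stale version apart from the wrong kind of file altogether.
    """
    if len(data) < 8:
        raise ValueError("too short to be a policy file")
    magic, slen = struct.unpack_from("<II", data, 0)
    if magic == MODULE_PACKAGE_MAGIC:
        raise ValueError("this is a .pp module package; it is installed with semodule, not as policy.N")
    if magic == POLICYDB_MOD_MAGIC:
        raise ValueError("this is a loose policy module, not a kernel policy")
    if magic != POLICYDB_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}: not a binary policy "
                         "(source policy must be compiled with checkpolicy/semodule first)")
    target = data[8:8 + slen]
    if target != KERNEL_POLICY_STRING:
        raise ValueError(f"unexpected target string {target!r}")
    if len(data) < 8 + slen + 16:
        raise ValueError("truncated header")
    version, config, sym_num, ocon_num = struct.unpack_from("<IIII", data, 8 + slen)
    return {"version": version, "config": config, "sym_num": sym_num, "ocon_num": ocon_num}


def kernel_policyvers(roots=("/sys/fs/selinux", "/selinux")) -> Optional[int]:
    """Highest policydb version the running kernel accepts, read from selinuxfs.

    This is the upper end of the 'my version range' the kernel prints.
    Returns None when selinuxfs is not mounted at any candidate root.
    """
    for root in roots:
        p = Path(root) / "policyvers"
        if p.is_file():
            return int(p.read_text().strip())
    return None


def diagnose(filename: str, data: bytes, kernel_max: int) -> str:
    """Explain whether the kernel would load this blob as its policy."""
    m = re.search(r"policy\.(\d+)$", filename)
    claimed = int(m.group(1)) if m else None
    try:
        hdr = policy_header(data)
    except ValueError as e:
        return f"{filename}: not loadable: {e}"
    v = hdr["version"]
    # The header wins over the filename: a renamed policy.24 still carries 24.
    note = f" (file is named policy.{claimed} but its header says {v})" if claimed not in (None, v) else ""
    if POLICYDB_VERSION_MIN <= v <= kernel_max:
        return f"{filename}: version {v} is within the kernel's range {POLICYDB_VERSION_MIN}-{kernel_max}{note}"
    return (f"{filename}: version {v} is outside the kernel's range {POLICYDB_VERSION_MIN}-{kernel_max}; "
            f"rebuild the policy for version {kernel_max} (checkpolicy -c {kernel_max}, or "
            f"policy-version = {kernel_max} in /etc/selinux/semanage.conf) or run a newer kernel{note}")


def make_header(version: int, magic: int = POLICYDB_MAGIC,
                target: bytes = KERNEL_POLICY_STRING) -> bytes:
    """Constructed sample header for demonstration; this is not a real policy."""
    return struct.pack("<II", magic, len(target)) + target + struct.pack("<IIII", version, 0, 0, 0)


if __name__ == "__main__":
    kmax = kernel_policyvers() or 23  # 23 is the upper bound quoted in the thread's error
    samples = [
        ("policy.24", make_header(24)),
        ("policy.23", make_header(24)),  # policy.24 renamed: header still says 24
        ("policy.23", make_header(23)),
        ("refpolicy.pp", make_header(24, magic=MODULE_PACKAGE_MAGIC)),
        ("policy.conf", b"attribute domain;\n"),  # text source, not compiled
    ]
    for name, blob in samples:
        print(diagnose(name, blob, kmax))
```

Run it against a real file with `diagnose("policy.24", Path("/etc/selinux/refpolicy-standard/policy/policy.24").read_bytes(), kernel_policyvers())` once selinuxfs is mounted. Two caveats the check cannot see: the accepted maximum is compiled into the running kernel (the unset CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX in the config above means the kernel's own built-in maximum applies rather than a lower cap), and a version chosen at build time with checkpolicy -c or semanage.conf's policy-version silently drops policy features that the newer format carries, so review the policy after downgrading rather than assuming it is equivalent.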