Re: Enable selinux in SLES 11

On 08/25/2010 12:53 AM, imsand@xxxxxxxxx wrote:
On 08/24/2010 07:09 AM, imsand@xxxxxxxxx wrote:
On 08/24/2010 12:14 AM, imsand@xxxxxxxxx wrote:
On 08/23/2010 06:23 AM, imsand@xxxxxxxxx wrote:
Hello Everybody

For quite a while I've been trying to enable selinux in SLES11, but
sestatus always shows DISABLED.

The following steps I've already done:
      * installed all *selinux* packages from yast2
      * added the following boot parameters to the kernel:
        security=selinux selinux=1 enforcing=0
      * created the /etc/selinux/config file with this content:
        SELINUX=enforcing
        SELINUXTYPE=targeted

What I've noticed is that /selinux doesn't exist. I can't create that
mountpoint manually because the selinuxfs filesystem doesn't exist.

Does anybody know if that could be the reason? And if so, how do I get
selinux to work on SLES 11?
(As far as I know SLES 11 should be prepared to use selinux as a
technical preview.)

Thanks in advance
Matthias



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.



should be working (at least for opensuse 12), you need to mkdir /selinux
then reboot (SELinux will mount its file-system there (but can't if the
mount-point doesn't exist)).

Justin P. Mattock



OpenSuse12? Do you mean opensuse 11.2?
Any other suggestions?




yeah open suse 11.2, oops... as for any other advice, what Stephan had
posted for you is probably the right info to go through.. just don't be
afraid to ask questions..

Justin P. Mattock

Unfortunately it doesn't work. I've done all steps described in here:
http://thetoms-random-thoughts.blogspot.com/2008/12/selinux-on-opensuse-111.html
but this doesn't seem to work for sles 11.
Anybody out there who was able to run selinux on sles 11?
I've got some other questions:
    * what happens if the policy is not found? what would sestatus report?
    * are there some good debug options for selinux? logs? any other hints?
      (dmesg shows nothing related to selinux)

best regards
Imsand



Thank you for your answer.
Now I'm one step further :)
SELinux will now be loaded during startup. YEAH!!!
But now it has a problem with the installed policy. I get this error:

hey alright!!!

-----
SELinux: Could not open policy file<=
/etc/selinux/refpolicy-standard/policy/policy.23: No such file or
directory
Unable to load SELinux Policy. Machine is in enforcing mode. halting now.

there's a policy version you can give to the policy in the policy (build.conf), and in the kernel you can disable this, then rebuild refpolicy to not use this (or set the kernel at 23/23 etc.. and set it in the policy).

-----

It is looking for a version 23 policy, but the installed one is
/etc/selinux/refpolicy-standard/policy/policy.24.

Simply renaming policy.24 to policy.23 doesn't work.
----
SELinux: policydb version 24 does not match my version range 15-23
SELinux: Could not load policy file
/etc/selinux/refpolicy-standard/policy/policy.23: Invalid argument.
----

Based on this error I have some questions:
1) It seems that SELinux is looking for a binary policy. Are there only
monolithic policies allowed? Or how can I use the newer modular policies?


either or.. binary is easier to deal with (I think)

2) Is there a possibility of converting version 24 policies to version 23?
Or do I have to search for a version 23 policy for sles 11?

if sles built the kernel with 23 then just rebuild the policy with 23
(depending on the policy, it's located at /usr/share/selinux/*)


3) How can I upgrade sles 11 so that it accepts version 24 policies? Which
parts or libraries are responsible for the version check?

4) The policies from tresys seem to have another format than the one from
http://download.opensuse.org/repositories/security:/SELinux/openSUSE_Factory
that I've installed. (It is not simply a binary file?!?)

Here is some more information based on your guidance:
hmm.. well if they have the SELinux packages from sles then that's a good
indication that there's support..

some things need to be checked though:

1) if sles already has the SELinux packages then you already have
libselinux.so, libsepol, etc... if not, then download the SELinux
userspace package and install it (gives you all the tools and libraries
needed to use SELinux)
installed by standard repository. This is okay!

main thing is making sure you build for the arch, i.e. opensuse x86_64 uses "multilib" x86_32 libs (-m32) and x86_64 (-m64) libs in /lib and /lib64, so getting that right you need to tweak a bit. if standard i686, everything just goes into /lib and /usr/lib


2) is SELinux enabled in the kernel? (if not, either build a vanilla and
check "y" under security options for SELinux, or grab an already built
rpm)
yes it is.
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set


CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
so they didn't set this to a policy version, but they built the policy with 23

2) sysvinit needs to have the init_load_policy() patch added to it in
order for the policy to be loaded at boot. (if using upstart there's a
patch as well, or a procedure to load_policy)
seems to be.


if it's loading early, then yeah they patched sysvinit

3) grab the latest refpolicy from tresys and install it.
(or use the rpm that sles has (if it has one))

used this:
http://download.opensuse.org/repositories/security:/SELinux/openSUSE_Factory/noarch/selinux-policy-refpolicy-standard-2.20081210-13.1.noarch.rpm
This installs a /etc/selinux/config which points to refpolicy-standard
which was created in /etc/selinux/refpolicy-standard/policy.24


there's a bug with opensuse where /etc/selinux/config had the wrong permissions (check and make sure: chmod 644 /etc/selinux/config; also add SETLOCALDEFS=0). here's the bug report for pam.d so you can have the right context:
https://bugzilla.novell.com/show_bug.cgi?id=582366
(simple fix)

also /etc/initscript messes things up, so set the boolean
init_upstart to on (/usr/sbin/setsebool -P init_upstart on,
or vim /etc/selinux/policytype/booleans*)


keep in mind these were things with opensuse, so things might be different with sles


cool, glad you're working on this!!

Justin P. Mattock

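The "policydb version 24 does not match my version range 15-23" error quoted in the thread comes from a version field inside the binary policy, which is why renaming policy.24 to policy.23 changes nothing. The script below is an added example, not code from the thread or from the SELinux project: it parses the fixed header of a kernel binary policy (magic, "SE Linux" id string, version) and applies the same range check the kernel does, reading the kernel's maximum from policyvers on selinuxfs; the sample header bytes and the 15-23 range are constructed from the numbers in the thread.

```python
import struct
from pathlib import Path
from typing import Optional, Tuple

POLICYDB_MAGIC = 0xF97CFF8C     # magic of a monolithic kernel policy (modules use a different one)
POLICYDB_STRING = b"SE Linux"   # id string that follows the magic and its length
POLICYDB_VERSION_MIN = 15       # lowest version the kernel in the thread accepts

def parse_policy_header(blob: bytes) -> dict:
    """Parse magic, id string and version from the start of a binary policy."""
    if len(blob) < 8:
        raise ValueError("too short to be a binary policy")
    magic, slen = struct.unpack_from("<II", blob, 0)
    if magic != POLICYDB_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}: not a kernel binary policy")
    if len(blob) < 8 + slen + 4:
        raise ValueError("truncated policy header")
    ident = blob[8:8 + slen]
    if ident != POLICYDB_STRING:
        raise ValueError(f"unexpected policy id string {ident!r}")
    (version,) = struct.unpack_from("<I", blob, 8 + slen)
    return {"version": version}

def kernel_max_policy_version() -> Optional[int]:
    """Highest policydb version the running kernel understands (None if selinuxfs is absent)."""
    for p in ("/sys/fs/selinux/policyvers", "/selinux/policyvers"):
        try:
            return int(Path(p).read_text().strip())
        except (OSError, ValueError):
            continue
    return None

def check_policy(blob: bytes, kernel_max: int) -> Tuple[bool, str]:
    """Same decision the kernel makes at load: version must lie in [min, kernel_max]."""
    v = parse_policy_header(blob)["version"]
    if POLICYDB_VERSION_MIN <= v <= kernel_max:
        return True, f"policydb version {v} is within kernel range {POLICYDB_VERSION_MIN}-{kernel_max}"
    return False, f"policydb version {v} does not match kernel range {POLICYDB_VERSION_MIN}-{kernel_max}"

def make_header(version: int) -> bytes:
    """Constructed sample: only the header bytes of a policy, enough for the check above."""
    return struct.pack("<II", POLICYDB_MAGIC, len(POLICYDB_STRING)) + POLICYDB_STRING + struct.pack("<I", version)

if __name__ == "__main__":
    import sys
    kmax = kernel_max_policy_version() or 23            # fall back to the thread's kernel
    blob = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else make_header(24)
    print(check_policy(blob, kmax)[1])
```

Run it with the path of an installed policy.N file to see whether the running kernel would accept it before rebooting into enforcing mode.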

