On Tue, Feb 07, 2012 at 03:08:25PM -0500, Stephen Smalley wrote:
> On Tue, 2012-02-07 at 12:02 -0800, C.J. Adams-Collier wrote:
> > ~/selinux/semodule_-l_20120207T110759.log:
> > apache 2.3.0
> > dbus 1.15.0
> > devicekit 1.1.0
> > dmidecode 1.4.0
> > exim 1.5.0
> > ftp 1.13.0
> > git 1.0
> > gpg 2.4.0
> > lda 1.9.0
> > lvm 1.13.0
> > netutils 1.11.0
> > openvpn 1.10.0
> > ptchown 1.1.0
> > pythonsupport 0.0.1
> > remotelogin 1.7.0
> > rpc 1.13.0
> > rpcbind 1.5.0
> > rsync 1.11.0
> > ssh 2.2.0
> > sudo 1.8.0
> > tcpd 1.4.0
> > telnet 1.10.0
> > tzdata 1.4.0
> > unconfined 3.3.0
>
> So no xserver module, unless it happens to be part of your base module.
> seinfo -txserver_t

cjac@foxtrot:~$ sudo which seinfo
cjac@foxtrot:~$ apt-file search seinfo | grep bin | wc -l
0

Any idea where I can get the xserver module? Russell?

>
> > ~/selinux/sestatus_-v_20120207T110759.log:
> > SELinux status: enabled
> > SELinuxfs mount: /selinux
> > Current mode: permissive
> > Mode from config file: permissive
> > Policy version: 26
> > Policy from config file: default
> >
> > Process contexts:
> > Current context: unconfined_u:system_r:insmod_t:SystemLow-SystemHigh
> > Init context: system_u:system_r:kernel_t:SystemLow
> > /usr/sbin/sshd system_u:system_r:kernel_t:SystemLow
> >
> > File contexts:
> > Controlling term: unconfined_u:object_r:tty_device_t:SystemLow
> > /etc/passwd unconfined_u:object_r:user_home_t:SystemLow
> > /etc/shadow unconfined_u:object_r:user_home_t:SystemLow
> > /bin/bash unconfined_u:object_r:user_home_t:SystemLow
> > /bin/login unconfined_u:object_r:user_home_t:SystemLow
> > /bin/sh unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow
> > /sbin/agetty unconfined_u:object_r:user_home_t:SystemLow
> > /sbin/init unconfined_u:object_r:user_home_t:SystemLow
> > /usr/sbin/sshd system_u:object_r:sshd_exec_t:SystemLow
> > /lib/ld-linux.so.2 unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow
>
> So everything except for /usr/sbin/sshd has the wrong file context, and
> all of your processes are still running in the kernel's domain.
>
> I think you need a new policy, and then you need to relabel your
> filesystems.

Sounds reasonable. Do I get policy from my distribution, or should I generate one myself?

cjac@foxtrot:~$ dpkg -l | grep selinux-policy
ii  selinux-policy-default  2:2.20110726-3  Strict and Targeted variants of the SELinux policy
ii  selinux-policy-dev      2:2.20110726-3  Headers from the SELinux reference policy for building modules
ii  selinux-policy-doc      2:2.20110726-3  Documentation for the SELinux reference policy
cjac@foxtrot:~$ apt-cache search selinux-policy
selinux-policy-default - Strict and Targeted variants of the SELinux policy
selinux-policy-dev - Headers from the SELinux reference policy for building modules
selinux-policy-doc - Documentation for the SELinux reference policy
selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
selinux-policy-src - Source of the SELinux reference policy for customization

If I'm going to generate one myself, I need to understand them a bit better. I would like anything I generate to be usable by the rest of the Debian world. There seem to be some examples I can review in the selinux-policy-doc and selinux-policy-mls packages.

Regarding re-labeling, every time I boot without the selinux arguments to my kernel and then boot with them, the filesystem seems to get re-labeled. Is there a better way to do this?

Thanks for helping me cope with my ignorance.

C.J.
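As an added example, not part of this thread: a small Python checker that parses `sestatus -v` output and flags the two symptoms Stephen points out, processes still in kernel_t and system files labeled user_home_t. The sample input is constructed from the output quoted above, and the set of path prefixes treated as "system" is an assumption.

```python
# Flag the two symptoms from the thread in `sestatus -v` output: processes still
# in the kernel's domain (kernel_t) and system files carrying user_home_t.
import re

# Constructed from the sestatus -v output quoted in the thread (not a real capture).
SAMPLE = """\
Process contexts:
Current context:                unconfined_u:system_r:insmod_t:SystemLow-SystemHigh
Init context:                   system_u:system_r:kernel_t:SystemLow
/usr/sbin/sshd                  system_u:system_r:kernel_t:SystemLow

File contexts:
Controlling term:               unconfined_u:object_r:tty_device_t:SystemLow
/etc/passwd                     unconfined_u:object_r:user_home_t:SystemLow
/bin/sh                         unconfined_u:object_r:user_home_t:SystemLow -> unconfined_u:object_r:user_home_t:SystemLow
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:SystemLow
"""

# Assumption: files under these prefixes should never be labeled user_home_t.
SYSTEM_PREFIXES = ("/etc/", "/bin/", "/sbin/", "/usr/", "/lib/")
# A label (may contain one inner space), 2+ spaces of padding, then the first context.
ENTRY = re.compile(r"^(\S.*?)\s{2,}(\S+)")

def parse(text):
    """Return {"process": [(name, type)], "file": [(name, type)]}.
    For symlink entries ('a -> b') only the link's own context is kept."""
    out = {"process": [], "file": []}
    section = None
    for line in text.splitlines():
        if line.endswith("contexts:"):            # "Process contexts:" / "File contexts:"
            section = line.split()[0].lower()
            continue
        m = ENTRY.match(line)
        if section and m:
            name, ctx = m.groups()
            out[section].append((name.rstrip(":"), ctx.split(":")[2]))
    return out

def findings(text):
    """List the problems Stephen describes: kernel_t processes, mislabeled system files."""
    parsed = parse(text)
    issues = []
    for name, typ in parsed["process"]:
        if typ == "kernel_t":
            issues.append(f"process {name} runs in kernel_t (no domain transition)")
    for name, typ in parsed["file"]:
        if name.startswith(SYSTEM_PREFIXES) and typ == "user_home_t":
            issues.append(f"{name} labeled user_home_t (filesystem not relabeled)")
    return issues
```

Running `findings` on the real `sestatus -v` output after a relabel and policy reload should return an empty list.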