On Wed, 2012-02-08 at 08:24 -0500, Stephen Smalley wrote:
> On Tue, 2012-02-07 at 13:05 -0800, C.J. Adams-Collier wrote:
> > cjac@foxtrot:~$ sudo which seinfo
> > cjac@foxtrot:~$ apt-file search seinfo | grep bin | wc -l
> > 0
>
> seinfo is part of the setools package.

$ apt-cache search -n setools
erlang-parsetools - Erlang/OTP parsing tools

Hmm. Would it be safe to build seinfo from source and use it along with
the distro-installed tools? If so, what's the git repo I should clone
from?

> > Sounds reasonable. Do I get policy from my distribution, or should I
> > generate one myself?
>
> Normally from your distribution, assuming the selinux packages for
> Debian are still being maintained.

I believe they are. I exchanged email with Russell about it not long
ago. But then, gtkglarea is still officially maintained and I made the
first update in nearly a year 36 hours ago. Perhaps the package needs 1
or more co-maintainers to improve coverage.

> IIRC, the Debian selinux policy package tries to minimize the set of
> installed policy modules based on the set of installed packages, but
> that isn't an exact mapping and might be leaving you without a complete
> policy. Whereas Fedora installs all policy modules unconditionally.

If the overhead is not too great, perhaps this can be duplicated in
Debian. I do hate paying for things I don't use, though. Especially
when the cost is substantial. The same is probably true of many other
Debian users.

> If the .pp files are on your filesystem and just not installed into the
> policy store, you can manually add them by running semodule -i on them.
> Try listing the files installed from your policy packages and see if
> xserver.pp is among them.

$ locate xserver.pp
/usr/share/selinux/default/xserver.pp

I'll run semodule -i after this morning's reboot. I installed mutt
yesterday, so I'll work from the console until you folks sign off for
the evening.

> > cjac@foxtrot:~$ dpkg -l | grep selinux-policy
> > ii selinux-policy-default 2:2.20110726-3 Strict and Targeted variants of the SELinux policy
> > ii selinux-policy-dev 2:2.20110726-3 Headers from the SELinux reference policy for building modules
> > ii selinux-policy-doc 2:2.20110726-3 Documentation for the SELinux reference policy
> >
> > cjac@foxtrot:~$ apt-cache search selinux-policy
> > selinux-policy-default - Strict and Targeted variants of the SELinux policy
> > selinux-policy-dev - Headers from the SELinux reference policy for building modules
> > selinux-policy-doc - Documentation for the SELinux reference policy
> > selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
> > selinux-policy-src - Source of the SELinux reference policy for customization
> >
> > If I'm going to generate one myself, I need to understand them a bit
> > better. I would like anything I generate to be useable by the rest of
> > the Debian world. There seem to be some examples I ran review in the
> > selinux-policy-doc and selinux-policy-mls packages.
> >
> > Regarding re-labeling, every time I boot without the selinux arguments
> > to my kernel and then boot with them, the filesystem seems to get
> > re-labeled. Is there a better way to do this?
>
> On Fedora, you could touch /.autorelabel or pass "autorelabel" on the
> kernel command line to force a relabel at boot. You can also run
> fixfiles relabel as a command after booting. No need to disable SELinux
> and then re-enable it.

Great. I do have a copy of fixfiles.