[ubuntu-hardened] Experience of installing SELinux with default policy, and reference policy (from trunk)

Ashish Shukla आशीष शुक्ल wahjava.ml at gmail.com
Fri Dec 14 15:16:38 GMT 2007


Hi list,

Two or three days back I converted my existing Gobuntu Gutsy 7.10 (AMD64)
installation to SELinux, using the instructions at [1] and [2]. The
logs and any configuration files related to this installation are
available as a bzip2-ed tarball from the following URL:

http://wahjava.googlepages.com/gobuntu-selinux-13122007-14122007.ta.bz2

In the following there are references to attached files, but I've not
attached them, to avoid increasing the size of this message; instead I
tarred, bzip2-ed and uploaded them at the above URL.

Initially I set up my box with reference policy trunk. I compiled the
policy with the following options passed to 'make':

MONOLITHIC=n DISTRO=debian TYPE=standard

Following is the listing of active SELinux modules:

----8<----8<----
apache.pp      avahi.pp       consolekit.pp      cups.pp      cvs.pp
dbus.pp        ddclient.pp    ddcprobe.pp        ethereal.pp  gnome.pp
gpg.pp         gpm.pp         hal.pp             inetd.pp     inn.pp
java.pp        kudzu.pp       logwatch.pp        lpd.pp       netlabel.pp
netutils.pp    nscd.pp        ntp.pp             postfix.pp   ppp.pp
prelink.pp     procmail.pp    publicfile.pp      quota.pp     radvd.pp
raid.pp        readahead.pp   remotelogin.pp     rpc.pp       rsync.pp
screen.pp      setrans.pp     setroubleshoot.pp  ssh.pp       sysstat.pp
tcpd.pp        telnet.pp      tzdata.pp          udev.pp      uptime.pp
usbmodules.pp  usernetctl.pp  xserver.pp
---->8---->8----

The attached file "modules.conf" contains "policy/modules.conf".

After relabelling my entire filesystem, I rebooted in single-user mode
with the 'selinux=1 enforcing=0' arguments passed to the kernel, and I got
a couple of SELinux denials. I'm attaching the SELinux denials I
received under the name 'denials-20071213.txt.bz2'.

In an attempt to solve those denials, I noticed that a couple of them
are related to '/dev' not being labelled properly, so I simply reordered
the 'selinux-basics' script in '/etc/init.d/rcS' from 'S36selinux-basics'
to 'S01selinux-basics', rebooted after this, and found that the number of
denials was reduced from 82 to 51. These SELinux denials are attached
under the name 'denials-200712140.txt.bz2'.

And finally I switched to 'selinux-policy-default', relabelled my
entire filesystem, and restored the 'selinux-basics' script order in
'/etc/init.d/rcS' to S36selinux-basics.

While installing 'selinux-policy-default', during post-installation I
got an error that it's not able to find '/usr/sbin/setfiles', so I
created a symlink from '/sbin/setfiles' to '/usr/sbin/setfiles'. This
time I received around 189 SELinux denials, listed in the attached file
'denials-200712141.txt.bz2'.

These denial files are generated using the following command:

# dmesg | fgrep denied | bzip2 > $filename.txt

Since I've only a single box, which I also use for my daily
computing needs, I reinstalled 'upstart', commented out the SELinux lines
in the PAM configuration files, and am back in non-SELinux mode. I'll try
SELinux again in a few days when I have time.

References:

[1] - http://www.cse.psu.edu/~lstclair/Howtos/selinux_on_ubuntu.html
[2] - http://wiki.debian.org/SELinux/Setup

Thanks
-- 
Ashish Shukla आशीष शुक्ल                      http://wahjava.wordpress.com/
·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
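An added example, not part of the original message, for triaging denial dumps of the kind produced by the 'dmesg | fgrep denied' command above: it parses AVC lines, groups them by source type, target type, class and permission the way audit2allow does, and counts denials on /dev nodes that still carry the generic device_t label (the symptom of the /dev relabelling problem described above). The sample log lines are constructed, not taken from the author's tarball.

```python
import re
from collections import Counter

# Constructed sample of 'dmesg | fgrep denied' output (not the author's log).
SAMPLE_DMESG = """\
audit(1197560198.123:15): avc:  denied  { read } for  pid=1422 comm="hald" name="sda" dev=tmpfs ino=5930 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
audit(1197560198.124:16): avc:  denied  { getattr } for  pid=1422 comm="hald" path="/dev/sda" dev=tmpfs ino=5930 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
audit(1197560201.002:17): avc:  denied  { read write } for  pid=1501 comm="cupsd" name="lp0" dev=tmpfs ino=6001 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1197560205.310:18): avc:  denied  { search } for  pid=1610 comm="ntpd" name="etc" dev=sda1 ino=2 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
"""

# Permissions sit inside the braces; key=value fields follow "for".
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(':')[2]

def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec

def summarize(text):
    """Aggregate denials per (source type, target type, class, permission) and
    count denials on device nodes whose target is still the generic device_t."""
    by_rule = Counter()
    dev_unlabelled = 0
    total = 0
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        total += 1
        src, tgt = context_type(rec['scontext']), context_type(rec['tcontext'])
        for perm in rec['perms']:
            by_rule[(src, tgt, rec['tclass'], perm)] += 1
        # Device nodes normally get specific types (e.g. fixed_disk_device_t);
        # a generic device_t target usually means /dev was never relabelled.
        if rec['tclass'] in ('blk_file', 'chr_file') and tgt == 'device_t':
            dev_unlabelled += 1
    return {'total': total, 'by_rule': by_rule, 'dev_unlabelled': dev_unlabelled}

if __name__ == '__main__':
    report = summarize(SAMPLE_DMESG)
    print(f"{report['total']} denials, {report['dev_unlabelled']} on unlabelled /dev nodes")
    for (src, tgt, cls, perm), n in report['by_rule'].most_common():
        print(f"{n:4d}  {src} -> {tgt} ({cls}: {perm})")
```

To run it against a real dump, decompress the file first and pass its text to summarize(); a high dev_unlabelled count before any policy changes points at labelling order rather than at policy gaps.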
