[ubuntu-hardened] Experience of installing SELinux with default policy, and reference policy (from trunk)
Ashish Shukla आशीष शुक्ल
wahjava.ml at gmail.com
Fri Dec 14 15:16:38 GMT 2007
Two-three days back I converted my existing Gobuntu Gutsy 7.10 (AMD64)
installation to SELinux, using the instructions at  and . The
logs, and any configuration files related to this installation is
available in bzip2-ed tarball from following URL:
In following there're references to attached files, but I've not
attached them due to increase in size of this message, instead I
tarred, bzip2ed and uploaded them at above URL.
Initially I setup my box with reference policy trunk. I compiled
policy with following options passed to 'make':
MONOLITHIC=n DISTRO=debian TYPE=standard
Following are the listing of active selinux modules:
apache.pp avahi.pp consolekit.pp cups.pp cvs.pp
dbus.pp ddclient.pp ddcprobe.pp ethereal.pp gnome.pp
gpg.pp gpm.pp hal.pp inetd.pp inn.pp
java.pp kudzu.pp logwatch.pp lpd.pp netlabel.pp
netutils.pp nscd.pp ntp.pp postfix.pp ppp.pp
prelink.pp procmail.pp publicfile.pp quota.pp radvd.pp
raid.pp readahead.pp remotelogin.pp rpc.pp rsync.pp
screen.pp setrans.pp setroubleshoot.pp ssh.pp sysstat.pp
tcpd.pp telnet.pp tzdata.pp udev.pp uptime.pp
usbmodules.pp usernetctl.pp xserver.pp
The attached file "modules.conf" contains "policy/modules.conf"
After relabelling my entire filesystem, I rebooted in single-user mode
with 'selinux=1 enforcing=0' arguments passed to kernel, and I got
couple of SELinux denials. I'm attaching the selinux denials I
received with name 'denials-20071213.txt.bz2'.
In an attempt to solve those denials, I noticed that couple of them
are related to '/dev' not being labelled properly, so I simply reordered
'selinux-basics' script in '/etc/init.d/rcS' from 'S36selinux-basics'
to 'S01selinux-basics', and after this rebooted, and found that no. of
denials were reduced from 82 to 51. These selinux denials are attached
with name 'denials-200712140.txt.bz2'.
And finally I switched to 'selinux-policy-default' and relabelled my
entire filesystem, restore 'selinux-basics' script order in
'/etc/init.d/rcS' to S36selinux-basics.
While installing 'selinux-policy-default' , during post-installation I
got this error, that its not able to find '/usr/sbin/setfiles', so I
created a symlink from '/sbin/setfiles' to '/usr/sbin/setfiles'. This
time I received around 189 SELinux denials listed in the attached file
These denial files are generated using following command:
# dmesg |fgrep denied |bzip2 >$filename.txt
Since I've only single box, and which I also use for my daily
computing needs, I reinstalled 'upstart' and commented selinux lines in
PAM configuration files, and back in non-selinux mode. I'll try
SELinux again in few days when I've time.
 - http://www.cse.psu.edu/~lstclair/Howtos/selinux_on_ubuntu.html
 - http://wiki.debian.org/SELinux/Setup
Ashish Shukla आशीष शुक्ल http://wahjava.wordpress.com/
·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
More information about the ubuntu-hardened