[ubuntu-hardened] refpolicy

gdsm at tgfslp.dalmany.co.uk
Tue Aug 5 01:08:40 BST 2008


Thank you for replying, I have answered inline

> On 8/4/08 4:59 PM, GDS Marshall wrote:
>
>>
>> Hello,
>>
>> I have been looking at using the refpolicy from tresys.com as Ubuntu
>> only has a policy for cups.  I am not sure if there is anyone on the list
>> who can help.
>>
>> Ubuntu hardy
>> linux 2.6.25.10 from www.kernel.org with SELinux enabled.
>>
>> At bootup, I get the following
>> Aug  3 22:19:07 hp-laptop kernel: [    8.035418] type=1400 audit(1217798318.515:3): avc:  denied  { search } for  pid=869 comm="hotplug" name="/" dev=hda1 ino=2 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:default_t tclass=dir
>>
> / should not be labeled default_t, it should be root_t. Did you relabel
> your filesystem after switching over to upstream refpolicy?
Yes, I did (twice: once with make relabel, the second time with a touch
/.autorelabel).

> What filesystem are you using?
ext3 with attr set

> What settings did you set in your refpolicy build.conf?
OUTPUT_POLICY = 18
TYPE = standard
NAME = refpolicy-strict
DISTRO = debian
UNK_PERMS = reject
DIRECT_INITRC = n
MONOLITHIC = n
MLS_SENS = 16
MLS_CATS = 256
MCS_CATS = 256
QUIET = n

> Did you first install the Ubuntu selinux package to make sure you got all
> the appropriate tools?
I installed selinux-basics, selinux, setools, selinux-utils, sepol-utils,
selinux-policy-refpolicy, selinux-policy-refpolicy-unconfined (and, for
autoloading, sysvinit). Have I missed any?

> How did you install refpolicy?
Downloaded the refpolicy
(http://oss.tresys.com/files/refpolicy/refpolicy-20080702.tar.bz2),
untarred it, and followed the INSTALL, i.e. make install-src, make conf, make
policy, make install, make load, make relabel. Then I rebooted and went
through the logs to see what needed fixing (audit2allow -i /var/log/syslog).

>
>> I know this is only hotplug, but I get quite a few with
>> name="/"
>> and
>> tcontext=system_u:object_r:default_t
>> obviously my / is labelled system_u:object_r:default_t as shown below
>>
>> ls -Za /
>>     system_u:object_r:default_t .
>>     system_u:object_r:default_t ..
>> <snip>
>>
>> Another example is syslog
>> Aug  3 22:38:30 hp-laptop kernel: [ 1201.056587] type=1400 audit(1217799510.147:457): avc:  denied  { search } for  pid=3821 comm="klogd" name="/" dev=hda1 ino=2 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:default_t tclass=dir
>> Aug  3 22:38:30 hp-laptop kernel: [ 1201.056672] type=1400 audit(1217799510.147:458): avc:  denied  { search } for  pid=3756 comm="syslogd" name="/" dev=hda1 ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:default_t tclass=dir
>>
>>
>> This means when I enforce, nothing is logged.
>>
> You're a long way from going into enforcing.
Yes, I know.

> You first need to get the policy installed properly, then you'll likely
> need to do a good bit of policy development (depending on how many and
> which modules you selected
I expected that, the refpolicy was just somewhere to start.

> to be installed in your modules.conf) before the system will run in
> enforcing.
modules.conf
corecommands = base
corenetwork = base
devices = base
domain = base
files = base
filesystem = base
kernel = base
mcs = base
mls = base
selinux = base
terminal = base
and then 248 modules (the default, I have not modified the modules.conf file)
>
>
>> I am presuming I do not have / labelled correctly.
>>
>> What should the correct label be please?
>>
>> If you need any other information, please ask.
>>
Many thanks,

Spencer
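The audit2allow run described in the message above turns every AVC denial into an allow rule, which is the wrong fix for the denials quoted here: their target is default_t on name="/" ino=2, i.e. the root directory has no label that the policy's file_contexts matched, and the reply says it should be root_t. The following script, added here as an example and not part of the post, of refpolicy or of the audit2allow tool, parses the AVC lines quoted in the thread (plus one constructed line with a var_log_t target, to show how real policy gaps are grouped), prints the allow rules audit2allow would have emitted, and separately flags objects labelled default_t as relabel candidates rather than policy candidates. The sample log text and the summarize/render_allow names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC lines quoted in the post, with syslog
# line wrapping undone, plus one made-up denial with a properly labelled target
# so the grouping of ordinary policy gaps is visible too.
SAMPLE_LOG = """\
Aug  3 22:19:07 hp-laptop kernel: [    8.035418] type=1400 audit(1217798318.515:3): avc:  denied  { search } for  pid=869 comm="hotplug" name="/" dev=hda1 ino=2 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:default_t tclass=dir
Aug  3 22:38:30 hp-laptop kernel: [ 1201.056587] type=1400 audit(1217799510.147:457): avc:  denied  { search } for  pid=3821 comm="klogd" name="/" dev=hda1 ino=2 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:default_t tclass=dir
Aug  3 22:38:30 hp-laptop kernel: [ 1201.056672] type=1400 audit(1217799510.147:458): avc:  denied  { search } for  pid=3756 comm="syslogd" name="/" dev=hda1 ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:default_t tclass=dir
Aug  3 22:40:00 hp-laptop kernel: [ 1300.000000] type=1400 audit(1217799600.000:460): avc:  denied  { append } for  pid=3756 comm="syslogd" name="syslog" dev=hda1 ino=1234 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_log_t tclass=file
"""

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The label that refpolicy assigns to files no file_contexts entry matches.
UNMATCHED_LABEL_TYPE = "default_t"


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = tuple(sorted(m.group("perms").split()))
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def summarize(log_text):
    """Group denials into (source type, target type, class) -> set of permissions,
    and collect objects whose label is default_t, which need a relabel, not a rule."""
    rules = defaultdict(set)
    mislabeled = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        stype = context_type(rec["scontext"])
        ttype = context_type(rec["tcontext"])
        rules[(stype, ttype, rec["tclass"])].update(rec["perms"])
        if ttype == UNMATCHED_LABEL_TYPE:
            mislabeled.add((rec.get("name"), rec.get("dev"), rec.get("ino")))
    return rules, mislabeled


def render_allow(rules):
    """Render the grouped denials as TE allow rules, one per (source, target, class)."""
    out = []
    for (stype, ttype, cls), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out


if __name__ == "__main__":
    rules, mislabeled = summarize(SAMPLE_LOG)
    print("# rules audit2allow would emit (only the var_log_t one is a real policy gap):")
    for rule in render_allow(rules):
        print(rule)
    print("# objects labelled default_t: fix the label (restorecon / relabel) instead:")
    for name, dev, ino in sorted(mislabeled):
        print(f"  name={name} dev={dev} ino={ino}")
```

Run against the real /var/log/syslog the split matters: a denial whose target is default_t is the filesystem telling you that the relabel did not reach that inode (here inode 2 of hda1, the root directory), so writing "allow hotplug_t default_t:dir search" would paper over a labelling failure and would never be needed on a correctly labelled system.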
