[ubuntu-hardened] refpolicy

Chad Sellers csellers at tresys.com
Thu Aug 7 13:45:47 BST 2008


On 8/5/08 6:30 PM, "GDS Marshall" <gdsm at tgfslp.dalmany.co.uk> wrote:

> On Tue, August 5, 2008 4:59 am, Chad Sellers wrote:
>> On 8/4/08 8:08 PM, GDS Marshall
>> wrote:
<snip> 
>> What does your
>> /etc/selinux/config file look like?
> SELINUX=enforcing
> SELINUXTYPE=refpolicy-strict
> SETLOCALDEFS=0
> 
I'd suggest changing that to permissive until you get things working, but
that's probably not your problem.

<snip> 
>>>> What settings did you set in your refpolicy build.conf?
>>> OUTPUT_POLICY = 18
>> 
>> Why are you outputting version 18 policy?
> It is what is compiled by default irrespective of what is in the build.conf
> 
Not sure I understand your comment. Are you saying you are building a
version 22 policy even though this is set to 18?

>> That's a really old version of
>> policy that will likely have problems on your system. You should probably
>> leave this commented out (as I believe it is by default), or set it to the
>> version Ubuntu is using (22 I believe).
> checkpolicy -V
> gives the output
> 22 (compatibility range 22-15)
> 
That means checkpolicy generates 22 if nothing is specified and is capable
of generating policies between versions 15 and 22. That doesn't mean the
policy built when you type make will be 22, as the Makefile uses the
OUTPUT_POLICY setting to determine what to build.

<snip> 
>> If you're going to build a custom policy for the box, you should consider
>> going through the modules.conf and enable/disable the modules you need. At
>> the very least it will speed up any semodule/semanage operations you may
>> do
>> considerably, as well as reduce the kernel memory you're using.
> I was thinking of making a generic policy for Ubuntu as no one seems to be
> working on one.
> 
OK. Sounds like a great goal. Sorry for questioning your motives. I'm used to
getting questions from people who think they can type make install and have
a functioning enforcing system despite the fact that no one has done the
work you're talking about doing.

Regardless, none of this seems to be a problem. I assume when you ls -alZ /
you see that / is default_t, but nothing else is? What happens when you try
to run:
restorecon -v / ; ls -alZ /
?

Chad
>> 
>> Hope that helps,
> Thank you,
> 
> Spencer
> 
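The version question above (OUTPUT_POLICY in build.conf versus the range `checkpolicy -V` reports, versus what the kernel runs) can be checked mechanically. The script below is an added example, not code from the thread or from refpolicy: it assumes the "N (compatibility range MAX-MIN)" output format of `checkpolicy -V` shown in the thread and reads the kernel's version from /sys/fs/selinux/policyvers when none is passed; the sample inputs are constructed to match the thread.

```shell
#!/bin/sh
# Added example (not from the thread): work out which policy version a
# refpolicy `make` will emit, from build.conf's OUTPUT_POLICY and the
# range `checkpolicy -V` reports, and compare it with the running kernel.
# Assumes the "N (compatibility range MAX-MIN)" format of `checkpolicy -V`.

# Print the OUTPUT_POLICY value from build.conf text on stdin.
# Prints nothing if the line is missing or commented out, which is the
# case in which make falls back to checkpolicy's own default.
output_policy_setting() {
    sed -n 's/^[[:space:]]*OUTPUT_POLICY[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Turn "22 (compatibility range 22-15)" into "22 22 15" (default max min).
parse_checkpolicy_version() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\)[^0-9]*\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# Kernel's policy version: the argument if given, else the selinuxfs file.
kernel_policy_version() {
    if [ -n "$1" ]; then printf '%s\n' "$1"
    elif [ -r /sys/fs/selinux/policyvers ]; then cat /sys/fs/selinux/policyvers
    fi
}

# policy_verdict BUILD_CONF_TEXT CHECKPOLICY_V_TEXT [KERNEL_VERSION]
# exit 0: buildable; 1: outside checkpolicy's range; 2: newer than the
# kernel (will not load); 3: could not parse the checkpolicy -V text.
policy_verdict() {
    pv_setting=$(printf '%s\n' "$1" | output_policy_setting)
    pv_range=$(parse_checkpolicy_version "$2")
    pv_kernel=$(kernel_policy_version "$3")
    if [ -z "$pv_range" ]; then
        echo "cannot parse checkpolicy -V output: $2"
        return 3
    fi
    pv_default=${pv_range%% *}
    pv_rest=${pv_range#* }
    pv_max=${pv_rest%% *}
    pv_min=${pv_rest#* }
    # make uses OUTPUT_POLICY if set; otherwise checkpolicy's own default
    if [ -n "$pv_setting" ]; then pv_version=$pv_setting; else pv_version=$pv_default; fi
    if [ "$pv_version" -lt "$pv_min" ] || [ "$pv_version" -gt "$pv_max" ]; then
        echo "OUTPUT_POLICY=$pv_version is outside checkpolicy's range $pv_min-$pv_max"
        return 1
    fi
    if [ -n "$pv_kernel" ] && [ "$pv_version" -gt "$pv_kernel" ]; then
        echo "policy version $pv_version is newer than the kernel's $pv_kernel; it will not load"
        return 2
    fi
    if [ -n "$pv_kernel" ] && [ "$pv_version" -lt "$pv_kernel" ]; then
        echo "policy version $pv_version builds but is older than the kernel's $pv_kernel; expect missing features"
    else
        echo "policy version $pv_version builds and matches the kernel"
    fi
    return 0
}

# Constructed inputs mirroring the thread: OUTPUT_POLICY = 18 against a
# checkpolicy reporting 22 (range 22-15) on a version-22 kernel, then the
# same with the setting commented out as build.conf ships by default.
policy_verdict 'OUTPUT_POLICY = 18' '22 (compatibility range 22-15)' 22
policy_verdict '# OUTPUT_POLICY = 18' '22 (compatibility range 22-15)' 22
```

Run it on a real box as `policy_verdict "$(cat build.conf)" "$(checkpolicy -V)"` to let it pick the kernel version up from selinuxfs; an explicit third argument overrides that for checking a policy meant for another machine.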



