gdsm at tgfslp.dalmany.co.uk
Tue Aug 12 16:40:00 BST 2008
Sorry it has taken so long to get back to you.
On Thu, August 7, 2008 1:45 pm, Chad Sellers wrote:
> On 8/5/08 6:30 PM, "GDS Marshall" <gdsm at tgfslp.dalmany.co.uk> wrote:
>> On Tue, August 5, 2008 4:59 am, Chad Sellers wrote:
>>> On 8/4/08 8:08 PM, GDS Marshall
>>> What does your
>>> /etc/selinux/config file look like?
> I'd suggest changing that to permissive until you get things working, but
> that's probably not your problem.
>>>>> What settings did you set in your refpolicy build.conf?
>>>> OUTPUT_POLICY = 18
>>> Why are you outputting version 18 policy?
>> It is what is compiled by default irrespective of what is in the
> Not sure I understand your comment. Are you saying you are building a
> version 22 policy even though this is set to 18?
I found the problem. Irrespective of what value I put, it would always
produce a version 18 policy. At some stage, I had made a kernel with
version 18, and forgot to recompile the kernel with version 22. Hence it
always went to version 18.
>>> That's a really old version of
>>> policy that will likely have problems on your system. You should
>>> leave this commented out (as I believe it is by default), or set it to
>>> version Ubuntu is using (22 I believe).
>> checkpolicy -V
>> gives the output
>> 22 (compatibility range 22-15)
> That means checkpolicy generates 22 if nothing is specified and is capable
> of generating policies between versions 15 and 22. That doesn't mean the
> policy build when you type make will be 22, as the Makefile uses the
> OUTPUT_POLICY setting to determine what to build.
>>> If you're going to build a custom policy for the box, you should
>>> going through the modules.conf and enable/disable the modules you need.
>>> the very least it will speed up any semodule/semanage operations you
>>> considerably, as well as reduce the kernel memory you're using.
>> I was thinking of making a generic policy for Ubuntu as no one seems to be
>> working on one.
> OK. Sounds like a great goal. Sorry for questioning your motives. I'm used to
> getting questions from people who think they can type make install and
> a functioning enforcing system despite the fact that no one has done the
> work you're talking about doing.
It's okay, I understand where you are coming from.
> Regardless, none of this seems to be a problem. I assume when you ls -alZ
> you see that / is default_t, but nothing else is? What happens when you
> to run:
> restorecon -v / ; ls -alZ /
Not now, it is root_t.
/cdrom has default_t but nothing else.
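A small check for the version mismatch discussed in this thread, added here as an example and not part of the original mail: it takes the OUTPUT_POLICY line from refpolicy's build.conf, the `checkpolicy -V` output and the kernel's maximum policy version (the policyvers file under the selinuxfs mount) and reports whether the built policy will be loadable. That the build falls back to checkpolicy's default when OUTPUT_POLICY is commented out follows Chad's explanation above; the function names, result strings and sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Inputs are passed as strings so it runs
# without checkpolicy installed; the sample values below are constructed.

# Parse "22 (compatibility range 22-15)" into "22 15" (max min).
checkpolicy_range() {
    # $1: output of `checkpolicy -V`
    echo "$1" | sed -n 's/^\([0-9]*\) (compatibility range \([0-9]*\)-\([0-9]*\))$/\2 \3/p'
}

# Value of OUTPUT_POLICY in build.conf text; when the line is commented out or
# absent, fall back to checkpolicy's default (first field of `checkpolicy -V`).
# Assumption: that fallback mirrors what the refpolicy Makefile does.
output_policy_version() {
    # $1: build.conf contents, $2: output of `checkpolicy -V`
    v=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*OUTPUT_POLICY[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' | tail -n 1)
    [ -n "$v" ] && echo "$v" || echo "$2" | cut -d' ' -f1
}

# Prints "ok", "unsupported-by-checkpolicy" or "newer-than-kernel".
# A policy older than the kernel maximum is fine: the kernel loads older versions.
check_policy_version() {
    # $1: build.conf contents, $2: `checkpolicy -V` output,
    # $3: kernel maximum (contents of /sys/fs/selinux/policyvers, or
    #     /selinux/policyvers on kernels of the thread's era)
    set -- "$(output_policy_version "$1" "$2")" "$(checkpolicy_range "$2")" "$3"
    [ -n "$2" ] || { echo unparseable-checkpolicy-output; return 1; }
    want=$1; max=${2%% *}; min=${2##* }; kern=$3
    if [ "$want" -gt "$max" ] || [ "$want" -lt "$min" ]; then
        echo unsupported-by-checkpolicy
    elif [ "$want" -gt "$kern" ]; then
        echo newer-than-kernel
    else
        echo ok
    fi
}

# Constructed sample matching the thread: OUTPUT_POLICY = 18, checkpolicy
# defaulting to 22, kernel built for version 18.
check_policy_version 'OUTPUT_POLICY = 18' '22 (compatibility range 22-15)' 18
```

On a live system pass `"$(checkpolicy -V)"` and `"$(cat /sys/fs/selinux/policyvers)"` together with the contents of build.conf; the thread's kernel rebuilt for version 22 with OUTPUT_POLICY left at 18 also reports `ok`, since the kernel accepts older policy.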