[ubuntu-hardened] refpolicy

GDS Marshall gdsm at tgfslp.dalmany.co.uk
Tue Aug 12 16:40:00 BST 2008


Sorry it has taken so long to get back to you.

On Thu, August 7, 2008 1:45 pm, Chad Sellers wrote:
> On 8/5/08 6:30 PM, "GDS Marshall" <gdsm at tgfslp.dalmany.co.uk> wrote:
>
>> On Tue, August 5, 2008 4:59 am, Chad Sellers wrote:
>>> On 8/4/08 8:08 PM, GDS Marshall wrote:
> <snip>
>>> What does your /etc/selinux/config file look like?
>> SELINUX=enforcing
>> SELINUXTYPE=refpolicy-strict
>> SETLOCALDEFS=0
>>
> I'd suggest changing that to permissive until you get things working, but
> that's probably not your problem.
>
> <snip>
>>>>> What settings did you set in your refpolicy build.conf?
>>>> OUTPUT_POLICY = 18
>>>
>>> Why are you outputting version 18 policy?
>> It is what is compiled by default irrespective of what is in the build.conf
>>
> Not sure I understand your comment. Are you saying you are building a
> version 22 policy even though this is set to 18?
I found the problem. Irrespective of what value I put, it would always
produce a version 18 policy. At some stage I had made a kernel with
version 18, and forgot to recompile the kernel with version 22. Hence it
always went to version 18.

>
>>> That's a really old version of policy that will likely have problems on
>>> your system. You should probably leave this commented out (as I believe
>>> it is by default), or set it to the version Ubuntu is using (22 I believe).
>> checkpolicy -V
>> gives the output
>> 22 (compatibility range 22-15)
>>
> That means checkpolicy generates 22 if nothing is specified and is capable
> of generating policies between versions 15 and 22. That doesn't mean the
> policy build when you type make will be 22, as the Makefile uses the
> OUTPUT_POLICY setting to determine what to build.
>
> <snip>
>>> If you're going to build a custom policy for the box, you should consider
>>> going through the modules.conf and enable/disable the modules you need. At
>>> the very least it will speed up any semodule/semanage operations you may do
>>> considerably, as well as reduce the kernel memory you're using.
>> I was thinking of making a generic policy for Ubuntu as no one seems to be
>> working on one.
>>
> OK. Sounds like a great goal. Sorry for questioning your motives. I'm used to
It's okay, I understand where you are coming from.

> getting questions from people who think they can type make install and have
> a functioning enforcing system despite the fact that no one has done the
> work you're talking about doing.
>
> Regardless, none of this seems to be a problem. I assume when you ls -alZ /
> you see that / is default_t, but nothing else is? What happens when you
Not now, it is root_t.

/cdrom has default_t but nothing else.

> try to run:
> restorecon -v / ; ls -alZ /
> ?

Thank you,

Spencer
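A small diagnostic added here (not code from the thread or from refpolicy) that cross-checks the three places a policy version comes from in the exchange above: the kernel's maximum (policyvers under /selinux or /sys/fs/selinux), what checkpolicy -V reports, and OUTPUT_POLICY in build.conf. It assumes, as the Makefile is believed to do, that an empty OUTPUT_POLICY falls back to the kernel's version, and it runs on constructed values so it works offline.

```shell
#!/bin/sh
# Arguments: kernel max policy version, checkpolicy -V output line,
# OUTPUT_POLICY from build.conf (empty string if it is commented out).
# Return codes: 0 consistent, 1 checkpolicy cannot emit it,
#               2 kernel cannot load it, 3 loadable but older than the kernel.
check_policy_version() {
    kernel_vers="$1"
    checkpolicy_line="$2"   # e.g. "22 (compatibility range 22-15)"
    output_policy="$3"

    # Pull "22-15" out of "... (compatibility range 22-15)" and split it.
    range=${checkpolicy_line##*range }
    range=${range%)*}
    cp_max=${range%-*}
    cp_min=${range#*-}

    # Assumption: with OUTPUT_POLICY commented out the build uses the kernel's version.
    if [ -z "$output_policy" ]; then
        want="$kernel_vers"
    else
        want="$output_policy"
    fi

    if [ "$want" -gt "$cp_max" ] || [ "$want" -lt "$cp_min" ]; then
        echo "checkpolicy cannot emit version $want (supports $cp_min-$cp_max)"
        return 1
    fi
    if [ "$want" -gt "$kernel_vers" ]; then
        echo "kernel loads up to version $kernel_vers; a version $want policy will not load"
        return 2
    fi
    if [ "$want" -lt "$kernel_vers" ]; then
        echo "version $want loads, but the kernel supports $kernel_vers; consider rebuilding"
        return 3
    fi
    echo "version $want matches both the kernel and checkpolicy"
    return 0
}

# Live use would read: kernel_vers=$(cat /selinux/policyvers) and
# checkpolicy_line=$(checkpolicy -V). Here the thread's own situation is
# replayed with constructed input: a kernel built for 18, checkpolicy at 22,
# and OUTPUT_POLICY set to 18 and then 22.
for op in 18 22; do
    check_policy_version 18 "22 (compatibility range 22-15)" "$op" || :
done
```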
