[ubuntu-hardened] SELinux on Karmic?

Caleb Case calebcase at gmail.com
Mon Sep 14 19:53:31 BST 2009


On Fri, Sep 4, 2009 at 12:52 PM, John Dong <jdong at ubuntu.com> wrote:
> Indeed security=selinux worked as expected!
>
> Our selinux-policy-ubuntu still doesn't properly support X/GDM
> sessions right? After enabling selinux I noticed post-login I was in
> some weird system_u context.

The selinux-policy-ubuntu should support X/GDM (at least it did on
Hardy). There appear to be two things conspiring to make your login
incorrect (both stemming from your system not getting relabeled
correctly). The /etc/init.d/selinux script does not recognize ext4 as
a good fs for relabeling (which is the default for karmic). Someone
already posted a fix for this in:
https://bugs.launchpad.net/bugs/371075. The other is that setfiles now
does some additional checking itself to see if the filesystem supports
relabeling. Unfortunately this checking does not work if selinux is
disabled. In fact, in this case it silently will fail to relabel. You
can remedy the situation by scheduling a relabel and rebooting:

/etc/init.d/selinux relabel
reboot

This is of course non-ideal.

I have opened 2 bugs related to your report:

https://bugs.launchpad.net/ubuntu/+source/selinux/+bug/428007
https://bugs.launchpad.net/ubuntu/+source/policycoreutils/+bug/428043

Unfortunately even after fixing these something else is wrong >.< as I
end up in xdm_t on a graphical login. I'll have to take a closer look
at the policy to find out why the proper transitions are not
happening.

Thanks!

Caleb
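
An added example, not part of the original message or of policycoreutils: a shell check that reports which on-disk filesystems a relabel would silently skip. It assumes the check Caleb refers to is the `seclabel` mount-option test against /proc/mounts (the message does not name the mechanism); the mount tables and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample /proc/mounts content (not taken from the thread).
# With SELinux enabled the kernel adds "seclabel" to label-capable mounts.
MOUNTS_ENABLED='/dev/sda1 / ext4 rw,seclabel,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/sda2 /home ext4 rw,seclabel,relatime 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev 0 0'

# Same machine booted with SELinux disabled: no mount carries "seclabel".
MOUNTS_DISABLED='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# Print mount points whose option list contains "seclabel".
seclabel_mounts() {
    printf '%s\n' "$1" | awk '{
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) if (opt[i] == "seclabel") { print $2; break }
    }'
}

# Print block-device mounts that a seclabel-based check would skip.
skipped_disk_mounts() {
    printf '%s\n' "$1" | awk '$1 ~ /^\/dev\// {
        found = 0
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) if (opt[i] == "seclabel") found = 1
        if (!found) print $2 " (" $3 ")"
    }'
}

# Return 0 only if no on-disk filesystem would be skipped by the relabel.
relabel_would_cover_disk() {
    [ -z "$(skipped_disk_mounts "$1")" ]
}

report() {
    if relabel_would_cover_disk "$1"; then
        echo "ok: all disk filesystems advertise seclabel"
    else
        echo "WARNING: relabel would skip:"; skipped_disk_mounts "$1"
    fi
}

report "$MOUNTS_ENABLED"
report "$MOUNTS_DISABLED"
```

On a live system, pass "$(cat /proc/mounts)" to report before and after the relabel reboot.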


