[ubuntu-hardened] selinux on lucid

Peter Moody ubuntu at hda3.com
Mon Apr 5 20:40:12 BST 2010

Hey folks,

I've been playing with selinux on lucid recently and I'm looking for
the right place to report two issues:

  1) There seems to be an issue with the refpolicy versions.  the
poilcy selinux-ubuntu is based on an old version of the refpolicy
(Version: 0.2.20090730).  It's also different from selinux-policy-src
(Version: 2:0.2.20091117). selinux-policy-ubuntu is based on the newer
refpolicy, but it seems to conflict with selinux:

  $ apt-cache show selinux-policy-default | grep Conflicts
  Conflicts: cron (<< 3.0pl1-87.2sel), fcron (<< 2.9.3-3), logrotate
(<< 3.7.1-1), procps (<< 1:3.1.15-1), selinux,
selinux-policy-refpolicy-strict, selinux-policy-refpolicy-targeted,
sysvinit (<< 2.86.ds1-1.se1)

This makes it difficult to create custom policies.

  2) according to /proc, dev is mounted as /devtmpfs, which selinux
doesn't know how to treat by default (it gets labeled as
system_u:object_r:unlabeled_t). on #selinux, I found that by adding:

  fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);

to policy/modules/kernel/filesystem.te, rebuilding and reloading
base.pp, /dev/ is suddenly recognized and is labeled
system_u:object_r:device_t:s0. This is true in both
selinux-policy-default (refpolicy version 2:0.2.20091117-1) and
selinux-policy-ubuntu (refpolicy version 0.2.20090730)

do I open bugs on ubuntu or with tresys?


More information about the ubuntu-hardened mailing list