[ubuntu-hardened] selinux on lucid
Peter Moody
ubuntu at hda3.com
Mon Apr 5 20:40:12 BST 2010
Hey folks,
I've been playing with selinux on lucid recently and I'm looking for
the right place to report two issues:
1) There seems to be an issue with the refpolicy versions. The
policy selinux-ubuntu is based on an old version of the refpolicy
(Version: 0.2.20090730). It's also different from selinux-policy-src
(Version: 2:0.2.20091117). selinux-policy-ubuntu is based on the newer
refpolicy, but it seems to conflict with selinux:

    $ apt-cache show selinux-policy-default | grep Conflicts
    Conflicts: cron (<< 3.0pl1-87.2sel), fcron (<< 2.9.3-3), logrotate (<< 3.7.1-1), procps (<< 1:3.1.15-1), selinux, selinux-policy-refpolicy-strict, selinux-policy-refpolicy-targeted, sysvinit (<< 2.86.ds1-1.se1)

This makes it difficult to create custom policies.
2) According to /proc, dev is mounted as /devtmpfs, which selinux
doesn't know how to treat by default (it gets labeled as
system_u:object_r:unlabeled_t). On #selinux, I found that by adding:

    fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);

to policy/modules/kernel/filesystem.te, rebuilding and reloading
base.pp, /dev/ is suddenly recognized and is labeled
system_u:object_r:device_t:s0. This is true in both
selinux-policy-default (refpolicy version 2:0.2.20091117-1) and
selinux-policy-ubuntu (refpolicy version 0.2.20090730)
Do I open bugs on Ubuntu or with Tresys?
Cheers,
/peter
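
Added example, not part of the original message and not code from Ubuntu or the refpolicy project: a shell check that lists mounted filesystem types for which a policy source contains no fs_use_* or genfscon statement, which is the gap the message describes for devtmpfs. The mount table and policy excerpt are constructed samples, and the function names are hypothetical.

```shell
# Added example: find mounted fs types with no labeling statement in policy.

# Constructed sample in /proc/mounts format (not captured from a real host).
sample_mounts() {
cat <<'EOF'
rootfs / rootfs rw 0 0
none /proc proc rw,nosuid,nodev,noexec,relatime 0 0
none /dev devtmpfs rw,relatime,mode=755 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
none /dev/shm tmpfs rw,nosuid,nodev,relatime 0 0
EOF
}

# Constructed policy excerpt in refpolicy syntax (not the shipped file).
# The commented-out devtmpfs rule must not count as a labeling statement.
sample_policy() {
cat <<'EOF'
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
# fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);
genfscon proc / gen_context(system_u:object_r:proc_t,s0)
genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
EOF
}

# unlabeled_fstypes MOUNTS POLICY
# Prints, once each, every fs type in MOUNTS (field 3) that POLICY never
# names in an fs_use_xattr/fs_use_trans/fs_use_task or genfscon statement.
unlabeled_fstypes() {
    awk '
        FILENAME == ARGV[1] {
            if ($1 ~ /^fs_use_(xattr|trans|task)$/ || $1 == "genfscon") known[$2] = 1
            next
        }
        NF >= 3 && !($3 in known) && !seen[$3]++ { print $3 }
    ' "$2" "$1"
}

# Run the check before and after appending the line quoted in the message.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_mounts > "$tmp/mounts"
    sample_policy > "$tmp/policy.te"
    echo "before: $(unlabeled_fstypes "$tmp/mounts" "$tmp/policy.te")"
    echo 'fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);' >> "$tmp/policy.te"
    echo "after:  $(unlabeled_fstypes "$tmp/mounts" "$tmp/policy.te")"
    rm -rf "$tmp"
}
demo
```

Against a real tree, pass /proc/mounts and all policy .te sources concatenated into one file, since a type missing from one file may be declared in another.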