[ubuntu-hardened] selinux on lucid

Kees Cook kees at ubuntu.com
Mon Apr 5 21:01:13 BST 2010

Hi Peter,

On Mon, Apr 05, 2010 at 12:40:12PM -0700, Peter Moody wrote:
>   1) There seems to be an issue with the refpolicy versions.  the
> poilcy selinux-ubuntu is based on an old version of the refpolicy
> (Version: 0.2.20090730).  It's also different from selinux-policy-src
> (Version: 2:0.2.20091117). selinux-policy-ubuntu is based on the newer
> refpolicy, but it seems to conflict with selinux:
>   $ apt-cache show selinux-policy-default | grep Conflicts
>   Conflicts: cron (<< 3.0pl1-87.2sel), fcron (<< 2.9.3-3), logrotate
> (<< 3.7.1-1), procps (<< 1:3.1.15-1), selinux,
> selinux-policy-refpolicy-strict, selinux-policy-refpolicy-targeted,
> sysvinit (<< 2.86.ds1-1.se1)
> This makes it difficult to create custom policies.

Hm, that's a packaging bug in selinux-policy-default, it needs to have
a versioned Conflict on "selinux", as we've done for some of the other

>   2) according to /proc, dev is mounted as /devtmpfs, which selinux
> doesn't know how to treat by default (it gets labeled as
> system_u:object_r:unlabeled_t). on #selinux, I found that by adding:
>   fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);
> to policy/modules/kernel/filesystem.te, rebuilding and reloading
> base.pp, /dev/ is suddenly recognized and is labeled
> system_u:object_r:device_t:s0. This is true in both
> selinux-policy-default (refpolicy version 2:0.2.20091117-1) and
> selinux-policy-ubuntu (refpolicy version 0.2.20090730)
> do I open bugs on ubuntu or with tresys?

Probably both, I'm not sure what the most correct solution for /dev
should be, but I can fix the selinux-policy-default version glitch.  :)



Kees Cook
Ubuntu Security Team

More information about the ubuntu-hardened mailing list