[ubuntu-hardened] selinux on lucid

Kees Cook kees at ubuntu.com
Mon Apr 5 21:01:13 BST 2010


Hi Peter,

On Mon, Apr 05, 2010 at 12:40:12PM -0700, Peter Moody wrote:
>   1) There seems to be an issue with the refpolicy versions.  The
> policy selinux-ubuntu is based on an old version of the refpolicy
> (Version: 0.2.20090730).  It's also different from selinux-policy-src
> (Version: 2:0.2.20091117). selinux-policy-ubuntu is based on the newer
> refpolicy, but it seems to conflict with selinux:
> 
>   $ apt-cache show selinux-policy-default | grep Conflicts
>   Conflicts: cron (<< 3.0pl1-87.2sel), fcron (<< 2.9.3-3), logrotate
> (<< 3.7.1-1), procps (<< 1:3.1.15-1), selinux,
> selinux-policy-refpolicy-strict, selinux-policy-refpolicy-targeted,
> sysvinit (<< 2.86.ds1-1.se1)
> 
> This makes it difficult to create custom policies.

Hm, that's a packaging bug in selinux-policy-default, it needs to have
a versioned Conflict on "selinux", as we've done for some of the other
packages.

>   2) According to /proc, dev is mounted as /devtmpfs, which selinux
> doesn't know how to treat by default (it gets labeled as
> system_u:object_r:unlabeled_t). On #selinux, I found that by adding:
> 
>   fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);
> 
> to policy/modules/kernel/filesystem.te, rebuilding and reloading
> base.pp, /dev/ is suddenly recognized and is labeled
> system_u:object_r:device_t:s0. This is true in both
> selinux-policy-default (refpolicy version 2:0.2.20091117-1) and
> selinux-policy-ubuntu (refpolicy version 0.2.20090730)
> 
> Do I open bugs on ubuntu or with tresys?

Probably both, I'm not sure what the most correct solution for /dev
should be, but I can fix the selinux-policy-default version glitch.  :)

Thanks!

-Kees

-- 
Kees Cook
Ubuntu Security Team
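An added audit check for the devtmpfs labeling gap Peter describes above; this is example code written for this page, not anything from the thread or from the selinux-policy packages. It takes the text of /proc/mounts and of `ls -dZ /dev` as arguments (so it can run against live output or, as here, against constructed samples) and reports whether a devtmpfs-backed /dev still carries unlabeled_t, which is the symptom of the missing fs_use_trans rule.

```shell
#!/bin/sh
# Exit status of dev_label_status:
#   0  /dev is devtmpfs and carries a real type (e.g. device_t): policy handles it
#   1  /dev is devtmpfs but is unlabeled_t: the fs_use_trans devtmpfs rule is missing
#   2  /dev is not devtmpfs: this check does not apply
dev_label_status() {
  mounts="$1"   # contents of /proc/mounts
  lsz="$2"      # output of `ls -dZ /dev`
  # The last /dev entry in /proc/mounts is the one currently visible.
  fstype=$(printf '%s\n' "$mounts" | awk '$2 == "/dev" { t = $3 } END { print t }')
  [ "$fstype" = "devtmpfs" ] || return 2
  # Pick the user:role:type[:level] field out of the ls -Z line, then take the type.
  ctx=$(printf '%s\n' "$lsz" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+_u:[^:]+_r:[^:]+_t/) print $i }')
  ctx_type=$(printf '%s\n' "$ctx" | awk -F: '{ print $3 }')
  [ "$ctx_type" = "unlabeled_t" ] && return 1
  return 0
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_MOUNTS_DEVTMPFS='none /dev devtmpfs rw,relatime,mode=755 0 0
none /dev/pts devpts rw,nosuid,noexec,gid=5,mode=620 0 0'
SAMPLE_MOUNTS_TMPFS='none /dev tmpfs rw,relatime,mode=755 0 0'
SAMPLE_LS_UNLABELED='drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 /dev'
SAMPLE_LS_LABELED='drwxr-xr-x. root root system_u:object_r:device_t:s0 /dev'

# Live usage on a booted system (requires SELinux-aware ls):
#   dev_label_status "$(cat /proc/mounts)" "$(ls -dZ /dev)"; echo "status $?"
```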
