[ubuntu-hardened] selinux on lucid

Peter Moody ubuntu at hda3.com
Tue Apr 6 18:58:32 BST 2010


On Mon, Apr 5, 2010 at 1:01 PM, Kees Cook <kees at ubuntu.com> wrote:
> Hi Peter,
>
> On Mon, Apr 05, 2010 at 12:40:12PM -0700, Peter Moody wrote:
>>   1) There seems to be an issue with the refpolicy versions.  The
>> policy selinux-ubuntu is based on an old version of the refpolicy
>> (Version: 0.2.20090730).  It's also different from selinux-policy-src
>> (Version: 2:0.2.20091117). selinux-policy-ubuntu is based on the newer
>> refpolicy, but it seems to conflict with selinux:
>>
>>   $ apt-cache show selinux-policy-default | grep Conflicts
>>   Conflicts: cron (<< 3.0pl1-87.2sel), fcron (<< 2.9.3-3), logrotate
>> (<< 3.7.1-1), procps (<< 1:3.1.15-1), selinux,
>> selinux-policy-refpolicy-strict, selinux-policy-refpolicy-targeted,
>> sysvinit (<< 2.86.ds1-1.se1)
>>
>> This makes it difficult to create custom policies.
>
> Hm, that's a packaging bug in selinux-policy-default, it needs to have
> a versioned Conflict on "selinux", as we've done for some of the other
> packages.

https://bugs.launchpad.net/ubuntu/+source/selinux-policy-default/+bug/556697

>
>>   2) according to /proc, dev is mounted as /devtmpfs, which selinux
>> doesn't know how to treat by default (it gets labeled as
>> system_u:object_r:unlabeled_t). on #selinux, I found that by adding:
>>
>>   fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);
>>
>> to policy/modules/kernel/filesystem.te, rebuilding and reloading
>> base.pp, /dev/ is suddenly recognized and is labeled
>> system_u:object_r:device_t:s0. This is true in both
>> selinux-policy-default (refpolicy version 2:0.2.20091117-1) and
>> selinux-policy-ubuntu (refpolicy version 0.2.20090730)
>>
>> do I open bugs on ubuntu or with tresys?
>
> Probably both, I'm not sure what the most correct solution for /dev
> should be, but I can fix the selinux-policy-default version glitch.  :)

So the suggestion from #selinux, to add the line:

  fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);

to kernel/filesystem.te and rebuilding/reinstalling base.pp works.
Did you want me to file another bug on launchpad for this? (I'm going
to separately try to get tresys to fix it in the refpolicy.)

>
> Thanks!
>
> -Kees
>
> --
> Kees Cook
> Ubuntu Security Team
>
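As an added illustration (not code from this thread or from the refpolicy project), here is a small Python check for the situation above: it compares the filesystem types listed in a /proc/self/mounts-style table against the fs_use_*/genfscon statements in a filesystem.te fragment and flags any mounted filesystem the policy does not label, which is exactly what leaves devtmpfs at unlabeled_t. Both inputs are constructed samples; the real Lucid filesystem.te and mount table will differ.

```python
import re

# Constructed excerpt in the style of refpolicy's kernel/filesystem.te (not the real file).
# Note that it has no rule for devtmpfs, matching the problem described in the thread.
POLICY_TE = """
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
genfscon proc / gen_context(system_u:object_r:proc_t,s0)
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
"""

# Constructed /proc/self/mounts lines for a system that mounts /dev as devtmpfs.
MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,relatime,size=1000000k,nr_inodes=250000,mode=755 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,relatime 0 0
"""

# The four statement kinds refpolicy uses to assign labels to a filesystem type.
FS_RULE = re.compile(r"^\s*(fs_use_xattr|fs_use_task|fs_use_trans|genfscon)\s+(\S+)")

def labeled_fs_types(policy_text):
    """Return {fstype: statement_kind} for every filesystem type the policy labels."""
    rules = {}
    for line in policy_text.splitlines():
        m = FS_RULE.match(line)
        if m:
            rules.setdefault(m.group(2), m.group(1))
    return rules

def mounted_fs_types(mounts_text):
    """Return [(mountpoint, fstype)] parsed from /proc/self/mounts-style text."""
    out = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            out.append((fields[1], fields[2]))
    return out

def unlabeled_mounts(policy_text, mounts_text):
    """Mounts whose fstype has no labeling statement; SELinux gives these unlabeled_t."""
    rules = labeled_fs_types(policy_text)
    return [(mp, fs) for mp, fs in mounted_fs_types(mounts_text) if fs not in rules]

if __name__ == "__main__":
    for mp, fs in unlabeled_mounts(POLICY_TE, MOUNTS):
        print(f"{mp} ({fs}): no fs_use_*/genfscon rule, will be labeled unlabeled_t")
```

On a live system the same check can read the real /proc/self/mounts and the policy's filesystem.te; appending the fs_use_trans line from the thread makes the devtmpfs finding disappear.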


