Is SELinux available for Ubuntu ?

Bruno Costacurta pubmb01 at skynet.be
Thu Feb 15 12:05:49 UTC 2007


On Wednesday 14 February 2007 10:27:04 Bruno Costacurta wrote:
> On Tuesday 13 February 2007 21:27:52 Joel Bryan Juliano wrote:
> > On 2/13/07, Bruno Costacurta <pubmb01 at skynet.be> wrote:
> > > On Tuesday 13 February 2007 04:23:25 Joel Bryan Juliano wrote:
> > > > On 2/13/07, Bruno <pubmb02 at skynet.be> wrote:
> > > > > On Monday 12 February 2007 18:13:17 Bruno Costacurta wrote:
> > > > > > On Monday 12 February 2007 16:20, Joel Bryan Juliano wrote:
> > > > > > > On 2/12/07, Bruno Costacurta <pubmb01 at skynet.be> wrote:
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > is SELinux available for Ubuntu ?
> > > > > > > > Are there some packages ? Which ?
> > > > > > > >
> > > > > > > > Apparently package 'selinux-policy-default' is broken...
> > > > > > >
> > > > > > > Yes, it's available in Ubuntu, but currently the targeted
> > > > > > > policy only works well on "permissive" mode. I think enforcing
> > > > > > > policy will work if there's a custom policy, specifically for
> > > > > > > Ubuntu.
> > > > > > >
> > > > > > > you would have to install the specific policy, since
> > > > > > > selinux-policy-default is a metapackage of selinux-basics and
> > > > > > > selinux-policy-targeted.
> > > > > > >
> > > > > > > Then relabel the system (i.e $ relabel /, or touch
> > > > > > > /.autorelabel and reboot)
> > > > > > >
> > > > > > > BTW, some say permissive mode does not do something on the
> > > > > > > system. I tried installing beagle with permissive mode, and it
> > > > > > > failed, since chage is disallowed to change user priorities.
> > > > > > >
> > > > > > > Another is try running X on a chroot environment, (LiveCD with
> > > > > > > > $ cd dev && MAKEDEV generic), and the themes don't apply.
> > > > > > >
> > > > > > > I think permissive mode does have effects.
> > > > > > >
> > > > > > > > .
> > > > > > > > sudo apt-get install selinux-policy-default
> > > > > > > > Reading package lists... Done
> > > > > > > > Building dependency tree
> > > > > > > > Reading state information... Done
> > > > > > > > The following NEW packages will be installed:
> > > > > > > > selinux-policy-default
> > > > > > > > ...etc...
> > > > > > > >  /usr/sbin/load_policy:  Can't load policy:  No such file or
> > > > > > > > directory make: *** [tmp/load] Error 2
> > > > > > > > .
> > > > > > > >
> > > > > > > > Many thanks for any clue.
> > > > > > > > Bye,
> > > > > > > > Bruno
> > > > > > > >
> > > > > > > > --
> > > > > > > > ubuntu-users mailing list
> > > > > > > > ubuntu-users at lists.ubuntu.com
> > > > > > > > Modify settings or unsubscribe at:
> > > > > > > > https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
> > > > > > >
> > > > > > > --
> > > > > > > Carpe Diem
> > > > > >
> > > > > > I installed package 'selinux-basics', make relabel and add
> > > > > > selinux=1 as a kernel parameter in the grub boot and reboot.
> > > > > > > However getenforce always returns disabled.
> > > > > > > How to enable SELinux in permissive mode ?
> > > > > >
> > > > > > Note : I have the feeling that SELinux is not started :  touch
> > > > > > /.autorelabel is not working as file strangely remains in place
> > > > > > after reboot.
> > > > > >
> > > > > > Thanks,
> > > > > > Bruno
> > > > >
> > > > > > It seems that SELinux is in fact started as shown in
> > > > > /var/log/messages : ...
> > > > > Kernel command line: root=UUID=29479c95-3dbf-490f-b943-be016b9db02a
> > > > > ro quiet splash selinux=1
> > > > > SELinux:  Initializing.
> > > > > SELinux:  Starting in permissive mode
> > > > > SELinux:  Registering netfilter hooks
> > > > > selinux_register_security:  Registering secondary module capability
> > > > > ...
> > > > > > but getenforce returns disabled which tends to show that SELinux
> > > > > > start doesn't complete.
> > > > >
> > > > >
> > > > > Bye,
> > > > > Bruno
> > > >
> > > > Make sure you have policycoreutils and checkpolicy installed,
> > > >
> > > > > I had a similar problem before with SELinux, I solved it by
> > > >
> > > > 1. --purging the entire selinux installation
> > > > 2. Install policycoreutils, selinux-refpolicy-targeted, and lastly
> > > > install selinux-policy-basic. Then relabel.
> > > >
> > > > I'm also trying to make a policy that would work on enforcing mode.
> > > > Currently, the selinux-policy-targeted can work with enforcing mode
> > > > > if some daemons are to be turned off (syslogd), and must boot the
> > > > kernel in read-write, I also set the fsck to autofix=yes.
> > > >
> > > > I hope this helps,
> > > > Joel
> > > >
> > > > > --
> > > > > ubuntu-users mailing list
> > > > > ubuntu-users at lists.ubuntu.com
> > > > > Modify settings or unsubscribe at:
> > > > > https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
> > > >
> > > > --
> > > > Carpe Diem
> > >
> > > Hi Joel,
> > >
> > > could you confirm or detail package 'selinux-refpolicy-targeted' please
> > > ? I cannot find it...
> > > Many thanks.
> > >
> > > Bye,
> > > Bruno
> >
> > I'm sorry, it's selinux-policy-refpolicy-targeted. :-)
>
> Sorry but cannot find this one either.
> I'm using Ubuntu Edgy 6.10 and have repos restricted / universe /
> multiverse .
>
> Bye,
> Bruno

Many thanks for your help and attention.
However I decided to switch to Fedora where SELinux seems to be better
implemented (regarding SELinux core, tools and policies). My main PC now runs
Fedora with SELinux policy targeted in enforcing mode.

Note: I do not want to start any flame here between Linux distros. Ubuntu is 
a great distro and I continue to use it on my laptop. I just give my personal 
experience and feeling about SELinux implementations.

Bye,
Bruno
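
Added example (not part of the original thread): a shell check for the situation described above, where the kernel log shows SELinux starting in permissive mode but getenforce still reports disabled. It separates what the kernel logged at boot from what userspace needs, namely a mounted selinuxfs and a compiled policy file for the configured SELINUXTYPE. The function name, the ROOT argument and the "kernel-only" / "userspace-ready" verdict wording are assumptions of this example; the paths are the standard /selinux (2007-era) and /sys/fs/selinux mount points and /etc/selinux/config.

```shell
#!/bin/sh
# Added example: separate "kernel initialised SELinux" from "userspace can use it".
# ROOT lets the checks run against a test tree instead of the live system.

selinux_diagnose() {    # usage: selinux_diagnose ROOT KERNEL_LOG_FILE
    root=$1 log=$2
    # 1. Did the kernel initialise the SELinux security module at boot?
    if grep -q 'SELinux:  *Initializing' "$log"; then
        echo "kernel: initialised"
    else
        echo "kernel: not-initialised"   # check selinux=1 and the kernel config
        return 0
    fi
    mode=$(sed -n 's/.*SELinux:  *Starting in \([a-z]*\) mode.*/\1/p' "$log" | tail -n 1)
    echo "boot-mode: ${mode:-unknown}"
    # 2. Is selinuxfs mounted? Its "enforce" node is what userspace tools read.
    fs=absent
    for d in "$root/selinux" "$root/sys/fs/selinux"; do
        if [ -e "$d/enforce" ]; then fs=mounted; fi
    done
    echo "selinuxfs: $fs"
    # 3. Is there a compiled policy for the configured SELINUXTYPE?
    ptype=$(sed -n 's/^SELINUXTYPE=//p' "$root/etc/selinux/config" 2>/dev/null | tail -n 1)
    policy=missing
    if [ -n "$ptype" ]; then
        for f in "$root/etc/selinux/$ptype/policy/policy."*; do
            if [ -f "$f" ]; then policy=present; fi
        done
    fi
    echo "policy(${ptype:-unset}): $policy"
    # 4. Verdict (heuristic of this example, not a tool's official output)
    if [ "$fs" = mounted ] && [ "$policy" = present ]; then
        echo "verdict: userspace-ready"
    else
        echo "verdict: kernel-only"
    fi
}

# Constructed sample: the boot lines quoted in the thread, checked against an
# empty root (no selinuxfs, no policy) -> verdict: kernel-only
demo=$(mktemp -d)
printf '%s\n' 'SELinux:  Initializing.' 'SELinux:  Starting in permissive mode' > "$demo/messages"
selinux_diagnose "$demo" "$demo/messages"
rm -rf "$demo"
```

On a live system, run it as `selinux_diagnose / /var/log/messages`; a missing policy file is consistent with the load_policy "No such file or directory" error quoted earlier in the thread.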



