From: imsand@puzzle.ch
To: "Justin P. Mattock" <justinmattock@gmail.com>
Cc: imsand@puzzle.ch, selinux@tycho.nsa.gov
Subject: Re: Enable selinux in SLES 11
Date: Wed, 25 Aug 2010 09:53:31 +0200 (CEST)
Message-ID: <56831.193.5.216.100.1282722811.squirrel@mail.puzzle.ch>
In-Reply-To: <4C73DAB1.7080501@gmail.com>

> On 08/24/2010 07:09 AM, imsand@puzzle.ch wrote:
>>> On 08/24/2010 12:14 AM, imsand@puzzle.ch wrote:
>>>>> On 08/23/2010 06:23 AM, imsand@puzzle.ch wrote:
>>>>>> Hello Everybody
>>>>>>
>>>>>> For quite a while I've been trying to enable selinux in SLES11, but
>>>>>> sestatus always show DISABLED.
>>>>>>
>>>>>> The following steps I've already done:
>>>>>>      * installed all *selinux* packages from yast2
>>>>>>      * add the following boot parameters to the kernel:
>>>>>> security=selinux
>>>>>> selinux=1 enforcing=0
>>>>>>      * created /etc/selinux/config file with the that content:
>>>>>>        SELINUX=enforcing
>>>>>>        SELINUXTYPE=targeted
>>>>>>
>>>>>> What I've noticed is that /selinux doesn't exist. I can't create that
>>>>>> mountpoint manually because the selinuxfs filesystem doesn't exist.
>>>>>>
>>>>>> Does anybody know if that could be the reason? And if so, how do I get
>>>>>> selinux to work on SLES 11.
>>>>>> (As far as I know SLES 11 should be prepared to use selinux as a
>>>>>> technical preview.)
>>>>>>
>>>>>> Thanks in advance
>>>>>> Matthias
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> This message was distributed to subscribers of the selinux mailing
>>>>>> list.
>>>>>> If you no longer wish to subscribe, send mail to
>>>>>> majordomo@tycho.nsa.gov
>>>>>> with
>>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>>>
>>>>>
>>>>>
>>>>> Should be working (at least for opensuse 12). You need to mkdir /selinux
>>>>> then reboot (SELinux will mount its file-system there (but can't if the
>>>>> mount-point doesn't exist)).
>>>>>
>>>>> Justin P. Mattock
>>>>>
>>>>>
>>>>
>>>> OpenSuse12? Do you mean opensuse 11.2?
>>>> Any other suggestions?
>>>>
>>>>
>>>
>>>
>>> Yeah, openSUSE 11.2. Oops... As for any other advice, what Stephen had
>>> posted for you is probably the right info to go through. Just don't be
>>> afraid to ask questions.
>>>
>>> Justin P. Mattock
>>>
>> Unfortunately it doesn't work. I've done all the steps described here:
>> http://thetoms-random-thoughts.blogspot.com/2008/12/selinux-on-opensuse-111.html
>> but this doesn't seem to work for sles 11.
>> Anybody out there who was able to run selinux on sles 11?
>> I've got some other questions:
>>    * what happens if the policy is not found? What would sestatus report?
>>    * are there some good debug options for selinux? Logs? Any other hints?
>> (dmesg shows nothing related to selinux)
>>
>> best regards
>> Imsand
>>
>>

Thank you for your answer.
Now I'm one step further :)
SELinux will now be loaded during startup. YEAH!!!
But now it has a problem with the installed policy. I get this error:
-----
SELinux: Could not open policy file <=
/etc/selinux/refpolicy-standard/policy/policy.23: No such file or
directory
Unable to load SELinux Policy. Machine is in enforcing mode. halting now.
-----

It is looking for a version 23 policy, but the installed one is
/etc/selinux/refpolicy-standard/policy/policy.24.

Simply renaming policy.24 to policy.23 doesn't work.
----
SELinux: policydb version 24 does not match my version range 15-23
SELinux: Could not load policy file
/etc/selinux/refpolicy-standard/policy/policy.23: Invalid argument.
----

Based on this error I have some questions:
1) It seems that SELinux is looking for a binary policy. Are only
monolithic policies allowed? Or how can I use the newer modular policies?

2) Is there a possibility of converting version 24 policies to version 23?
Or do I have to search for a version 23 policy for sles 11?

3) How can I upgrade sles 11 so that it accepts version 24 policies? Which
parts or libraries are responsible for the version check?

4) The policies from tresys seem to have another format than the one from
http://download.opensuse.org/repositories/security:/SELinux/openSUSE_Factory
that I've installed. (It is not simply a binary file?!?)

Here is some more information based on your guidance:
> hmm.. well if they have the SELinux packages from sles then thats a good
> indication that theres support..
>
> some things need to be checked though:
>
> 1) if sles already has the SELinux packages then you already have
> libselinux.so, libsepol, etc... if not, then download the SELinux
> userspace package and install it(gives you all the tools and libraries
> needed to use SELinux)
Installed from the standard repository. This is okay!
>
> 2) is SELinux enabled in the kernel?(if not either build a vanilla and
> check "y" under security options for SELinux, or grab an already built
> rpm)
yes it is.
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set

> 2) sysvinit needs to have the init_load_policy() patch added to it in
> order for the policy to be loaded at boot. (if using upstart there's a
> patch as well, or a procedure to load_policy)
Seems to be.

> 3) grab the latest refpolicy from tresys and install it.
> (or use the rpm that sles has(if it has one)
>
Used this:
http://download.opensuse.org/repositories/security:/SELinux/openSUSE_Factory/noarch/selinux-policy-refpolicy-standard-2.20081210-13.1.noarch.rpm
This installs a /etc/selinux/config which points to refpolicy-standard,
which was created in /etc/selinux/refpolicy-standard/policy.24

> 4) once the policy is loading at boot then create your login info so
> SELinux starts in the right context.(semanage login -a -s staff_u name)
>
> 5) use audit2allow to add allow rules for the apps you want to use.
> (audit2allow -dM amodulenameforyourallowrules)
>
> 6) sit back with a beer (in enforcement mode) and enjoy SELinux!!
>
> remember there's plenty of people here to get you up and running...
>
> Justin P. Mattock
>

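The mismatch reported above (policydb version 24 in the file, kernel range 15-23) is decided by a version number embedded in the binary policy header, which is why renaming policy.24 to policy.23 changes nothing. The script below is an added example, not code from this thread or from the SELinux userspace: it reads that header the way libsepol and the kernel do (magic 0xf97cff8c, the string "SE Linux", the policydb version, a config word whose bit 0 means MLS) and compares the version with the kernel's range. The selinuxfs path /sys/fs/selinux/policyvers is an assumption for current kernels (on the 2010 system in the thread it would be /selinux/policyvers), and the sample headers are constructed inline.

```python
import struct

POLICYDB_MAGIC = 0xF97CFF8C      # SELINUX_MAGIC: first word of every binary policy
POLICYDB_STRING = b"SE Linux"    # kernel policy identifier (modules use "SE Linux Module")
POLICYDB_CONFIG_MLS = 1          # bit 0 of the config word

def parse_policy_header(data):
    """Return (policydb_version, is_mls) from the header of a binary kernel policy."""
    magic, slen = struct.unpack_from("<II", data, 0)
    if magic != POLICYDB_MAGIC:
        raise ValueError("not a binary SELinux policy: bad magic 0x%08x" % magic)
    ident = data[8:8 + slen]
    if ident != POLICYDB_STRING:
        raise ValueError("not a kernel policy: identifier %r" % ident)
    # header continues: version, config, sym_num, ocon_num (all little-endian u32)
    version, config = struct.unpack_from("<II", data, 8 + slen)
    return version, bool(config & POLICYDB_CONFIG_MLS)

def kernel_policy_range(policyvers_path="/sys/fs/selinux/policyvers", min_version=15):
    """(min, max) policydb version the running kernel accepts; None if selinuxfs is not mounted."""
    try:
        with open(policyvers_path) as f:
            return min_version, int(f.read().strip())
    except OSError:
        return None

def check_policy(data, kernel_range):
    """Mimic the kernel's version check; returns (loadable, message)."""
    version, mls = parse_policy_header(data)
    lo, hi = kernel_range
    if not lo <= version <= hi:
        return False, "policydb version %d does not match kernel range %d-%d" % (version, lo, hi)
    return True, "policydb version %d (mls=%s) is loadable" % (version, mls)

def check_policy_file(path, kernel_range):
    with open(path, "rb") as f:
        return check_policy(f.read(32), kernel_range)   # the header fits in 32 bytes

def make_sample_policy(version, mls=True):
    """Constructed header-only sample: magic, 'SE Linux', version, config, sym_num, ocon_num."""
    return (struct.pack("<II", POLICYDB_MAGIC, len(POLICYDB_STRING)) + POLICYDB_STRING
            + struct.pack("<IIII", version, POLICYDB_CONFIG_MLS if mls else 0, 0, 0))

if __name__ == "__main__":
    rng = kernel_policy_range() or (15, 23)   # fall back to the range from the boot error above
    for v in (24, 23):
        print(check_policy(make_sample_policy(v), rng))
```

To test a real file, call check_policy_file("/etc/selinux/<type>/policy/policy.<N>", kernel_policy_range()); a policy that fails this check has to be rebuilt for the lower version with the policy toolchain, not renamed.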

Thread overview: 13+ messages
2010-08-23 13:23 Enable selinux in SLES 11 imsand
2010-08-23 15:49 ` Stephen Smalley
2010-08-23 16:54 ` Justin P. Mattock
2010-08-24  7:14   ` imsand
2010-08-24 13:30     ` Justin P. Mattock
2010-08-24 14:09       ` imsand
2010-08-24 14:44         ` Justin P. Mattock
2010-08-25  7:53           ` imsand [this message]
2010-08-25 13:41             ` Justin P. Mattock
2010-08-25 19:03             ` Stephen Smalley
2010-08-24 14:48         ` Stephen Smalley
2010-08-26  7:37           ` Thomas
2010-08-26  7:32 ` Thomas