SELinux on Ubuntu Feisty with refpolicy - various teething problems
Hi All, I am trying to set up SELinux on Ubuntu Feisty. In order to get to the stage I have, I have had to jump through a number of hoops. So far I have:
1) dmesg shows a number of errors looking like this:
Code:
[ 1126.720000] inode_doinit_with_dentry: context_to_sid(kernel) returned 22 for dev=dm-0 ino=12587502
2) Logging in seems to take a long time via X/GDM which it didn't before. Now 5 minutes as opposed to about 15 seconds.
3) Logging in under tty[1-6] asks me for a security context (not on root) and no matter what I type, I still get an auth failure. Suspect I'm not understanding this stage...
4) The policy doesn't seem to be in permissive mode despite this output:
Code:
root@alethio:~# sestatus
Thanks, Alethio
1) The audit log / dmesg stuff that relates to rules maybe could be ironed out by running audit2allow.
2) I also noticed initial logins on FC6 taking way longer. Consecutive logins didn't take as long though.
3) I don't pretend to grok SELinux, but if IIRC an unprivileged user in the user context of his/her own account should have role "user_r". Post your error messages.
4) Bummer. If it's not in permissive mode, check if the kernel was compiled with "NSA SELinux Development support", you need that for permissive mode. If the kernel was compiled with "NSA SELinux boot parameter" you can also make running permissive mode a boot arg (enforcing=0) which comes in handy when testing (as opposed to disabling SELinux which will fsck up your system's labelling).
There's lotsa docs on SELinux and there's SELinux mailing lists you could search / join. However in the case of vast subjects like SELinux IMHO nothing beats a dead tree copy like Prentice Hall's SELinux by Example.
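Added example, not part of the thread or written by either poster: a shell check of the two kernel options and the enforcing= boot argument named in point 4 of the reply. The function names and the sample config and command line are constructed for illustration; the symbols CONFIG_SECURITY_SELINUX_DEVELOP and CONFIG_SECURITY_SELINUX_BOOTPARAM are the kernel config names behind the "NSA SELinux Development support" and "NSA SELinux boot parameter" menu entries.

```shell
#!/bin/sh
# Added example (not from the thread). Sample values below are constructed.

# kconfig_value FILE SYMBOL: print the symbol's value, or "n" if it is not set.
kconfig_value() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    echo "${v:-n}"
}

# cmdline_enforcing "CMDLINE": print the last enforcing= value, or "unset".
cmdline_enforcing() {
    r=unset
    for tok in $1; do
        case $tok in
            enforcing=*) r=${tok#enforcing=} ;;
        esac
    done
    echo "$r"
}

# permissive_report CONFIG_FILE "CMDLINE": one-line summary with a verdict.
# Without CONFIG_SECURITY_SELINUX_DEVELOP the kernel has no permissive mode,
# so enforcing=0 on the command line has no effect.
permissive_report() {
    dev=$(kconfig_value "$1" CONFIG_SECURITY_SELINUX_DEVELOP)
    boot=$(kconfig_value "$1" CONFIG_SECURITY_SELINUX_BOOTPARAM)
    enf=$(cmdline_enforcing "$2")
    if [ "$dev" != y ]; then
        verdict=enforcing-only
    elif [ "$enf" = 0 ]; then
        verdict=permissive-at-boot
    elif [ "$enf" = 1 ]; then
        verdict=enforcing-at-boot
    else
        verdict=permissive-available
    fi
    echo "develop=$dev bootparam=$boot enforcing=$enf verdict=$verdict"
}

# Constructed sample. On a real system pass /boot/config-$(uname -r)
# and "$(cat /proc/cmdline)" instead.
sample=$(mktemp)
printf '%s\n' 'CONFIG_SECURITY_SELINUX=y' 'CONFIG_SECURITY_SELINUX_BOOTPARAM=y' \
    '# CONFIG_SECURITY_SELINUX_DEVELOP is not set' > "$sample"
permissive_report "$sample" 'root=/dev/mapper/vg-root ro quiet enforcing=0'
rm -f "$sample"
```

A verdict of enforcing-only means the kernel has to be rebuilt with development support before any permissive setting can take effect.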