SELinux on Ubuntu Feisty with refpolicy

alethio · 05-19-2007, 03:09 PM

Hi All,

I am trying to set up SELinux on Ubuntu Feisty. In order to get to the stage I have I have had to jump through a number of hoops. So far I have:

Rebuild kernel to start SELinux by default
Removed Upstart, added System V Init from freshmeat /w patch to ensure policy is loaded on boot.
Added the appropriate lines to /etc/pam.d/ files (login, ssh).
Added myself to the users file [root already there].
Am using selinux-refpolicy-targeted (Debian Package Name) as advised because this is under thorough development by the FC team.
Labelled file system etc...

I am however having a number of problems, which in no particular order are:
1) dmesg shows a number of errors looking like this:

Code:

[ 1126.720000] inode_doinit_with_dentry:  context_to_sid(kernel) returned 22 for dev=dm-0 ino=12587502

which are noticable on boot.
2) Logging in seems to take a long time via X/GDM which it didn't before. Now 5 minutes as opposed to about 15 seconds.
3) Logging in under tty[1-6] asks me for a security context (not on root) and no matter what I type, I still get an auth failure. Suspect I'm not understanding this stage...
4) The policy doesn't seem to be in permissive mode despite this output:[CODE]

Code:

root@alethio:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        .

If anyone could point me in the right direction I'd be grateful - I understand SELinux isn't supported on Ubuntu but I'm still determined to get it working,

Thanks,

Alethio

unSpawn · 05-20-2007, 04:17 AM

1) The audit log / dmesg stuff that relates to rules maybe could be ironed out by running audit2allow.
2) I also noticed initial logins on FC6 taking way longer. Consecutive logins didn't take as long though.
3) I don't pretend to grok SELinux, but if IIRC an unprivileged user in the user context of his/her own account should have role "user_r". Post your error messages.
4) Bummer. If it's not in permissive mode, check if the kernel was compiled with "NSA SELinux Development support", you need that for permissive mode. If the kernel was compiled with "NSA SELinux boot parameter" you can also make running permissive mode a boot arg (enforcing=0) which comes in handy when testing (as opposed to disabling SELinux which will fsck up your systems labelling).

There's lotsa docs on SELinux and there's SELinux mailinglists you could search / join. However in the case of vast subjects like SELinux IMHO nothing beats a dead tree copy like Prentice Hall's SELinux by Example.