Re: SELinux Policy in OpenSUSE 11.2

["Justin P. mattock" <justinmattock@gmail.com>]

On 02/19/2010 06:35 AM, Stephen Smalley wrote:
> On Thu, 2010-02-18 at 15:17 -0800, Justin P. mattock wrote:
>> then after being able to build and install the policy  then I focused in
>> on the booleans, I set(although am not sure if they fixed the errors
>> with avahi)where these:
>>
>> allow_polyinstantiation=on
>> init_upstart=on(although I think they use sysvinit(notsure))
>
> I was suggesting trying to set the init_upstart boolean because it
> disables the transition from init_t to sysadm_t on executing a shell and
> it appeared that for some reason that was causing system services to be
> left in sysadm_t.
>
> Question:  Are your boolean settings persisting across reboot?
>

yep.. i.g. vim policy/booleans.conf(make chnges), then make policy
with the binary policy on my other machine I used setsebool -P

>> then once I was able to get a clean boot(even with the "targeted" dbus
>> issue)
>> I focused in on the login context:
>> name:user_r:user_t
>>
>> this can be done in:
>> /etc/pam.d/{login,gdm,xdm}
>>
>> adding:
>> session required pam_selinux.so close
>> session required pam_selinux.so open
>> (suse has nothing of this in there files,
>> or atleast I didn't see them)
>
> So someone needs to file bugs against those packages asking to have the
> pam_selinux.so entries added.  Should be harmless if SELinux is
> disabled; they will just exit with success.
>

yeah I was surprised to not see them there.

>> so after adding all allow rules from dmesg/messages(audit2allow)
>> I then added all allow rules from /var/log/audit/audit.log
>> (there probably is a tool, but haven't figured what it is yet)
>
> Well, we ought to look at the actual denials to see if they truly should
> be allowed or if they instead indicate problems with your processes
> running in the wrong context or your files being mislabeled.
>

seemed like it was o.k., to me(but could be wrong).

there was I think three avc's that where defined as neverallow
in the policy.

an avc from hal which executed execmem to lower the gpu power level.
mount mounting the hard drive(if remember correctly).
and then a capability avc's

in the past running ubuntu I remember those three,if I can remember the 
next policy update had fixed those or later down the line.

BTW: just to let you know I took that image and reformatted it
and put on my system so I can start looking into a kernel bug
if you need me to reinstall let me know(should only take a few mins to 
get back where I was(now that I have a handle on whats happening)).

Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.