Message-ID: <4CC53E5F.8060708@gmail.com>
Date: Mon, 25 Oct 2010 01:22:55 -0700
From: "Justin P. Mattock"
To: imsand@puzzle.ch
CC: Daniel J Walsh, Chad Sellers, selinux@tycho.nsa.gov
Subject: Re: Context settings after ssh login
In-Reply-To: <4CC53877.7040106@gmail.com>
List-Id: selinux@tycho.nsa.gov

On 10/25/2010 12:57 AM, Justin P. Mattock wrote:
> On 10/25/2010 12:09 AM, imsand@puzzle.ch wrote:
>> Hi Justin.
>>
>> First of all, thanks a lot for your efforts.
>
> you're welcome!!
>> Unfortunately I'm a little bit confused about what you've done exactly to
>> make it run.
>> Can you please summarize it and make a little step by step guide for me?
>
> I can try, but maybe later on another post (a bit late over here.)
>> Did selinux work out of the box (on sles11.1)? Didn't you have to
>> fix the bug in /lib/mkinitrd/scripts/boot-boot.sh and rebuild initrd?
>
> long story short, installed sles11.1, changed the repos to download
> git-core
> then changed repos to download the rest of the packages to build the
> latest Mainline kernel
> (make, make modules_install)
> then after that, installed all the SELinux packages, rebooted, realized
> even though this system is
> using sysvinit the policy still won't load without an initrd (must be
> because my other systems have
> _nothing_ of the sort with initrd in them (*.h) or something, so ended
> up using mkinitrd_setup to make the image
> so the policy can load..
>
> Then once loaded made sure the home directory was labelled correctly,
> as well as other
> areas that I've seen issues with, then just started the sshd.. with the
> other machine with SELinux,
> and the iphone (touchterm ssh (free))..
>
>> which package have you built with --with-selinux and the --with-pam?
> this was on my cblfs system.. I just built this (all gnome etc..) and
> didn't realize that I had
> built this wrong until I looked at config.log of the package and
> noticed I messed up..
>
> after that things went good.. (from over here sles11.1 sshd looks built
> fine, maybe this is config issues..,
> only issue I noticed is getsebool/setsebool are missing, so just do:
> mv /etc/initscript{,-old}
> to avoid problems during boot, or define the init_upstart boolean in
> boolean.conf.)
>
>> which policy did you use? http://oss.tresys.com/git/refpolicy.git?
>>
>
> yep... I follow track
>
>> kind regards
>> Matthias
>>
>>
>
> Justin P. Mattock
>

FWIW here's the system info with SELinux and sles11.1:
http://fpaste.org/hdTI/

Justin P. Mattock