From: "Justin P. Mattock" <justinmattock@gmail.com>
To: imsand@puzzle.ch
Cc: Daniel J Walsh <dwalsh@redhat.com>,
Chad Sellers <csellers@tresys.com>,
selinux@tycho.nsa.gov
Subject: Re: Context settings after ssh login
Date: Tue, 26 Oct 2010 07:26:57 -0700
Message-ID: <4CC6E531.5030008@gmail.com>
In-Reply-To: <24565.193.5.216.100.1288081632.squirrel@mail.puzzle.ch>
On 10/26/2010 01:27 AM, imsand@puzzle.ch wrote:
>> On 10/25/2010 12:57 AM, Justin P. Mattock wrote:
>>> On 10/25/2010 12:09 AM, imsand@puzzle.ch wrote:
>>>> Hi Justin.
>>>>
>>>> First of all, thanks a lot for your efforts.
>>> you're welcome!!
>>>> Unfortunately I'm a little bit confused about what you've done exactly
>>>> to
>>>> make it run.
>>>> Can you please summarize it and make a little step by step guide for
>>>> me?
>>> I can try, but maybe later on another post(a bit late over here.)
>>>> Did selinux work out of the box (on sles11.1)? Didn't you have to
>>>> fix the bug in /lib/mkinitrd/scripts/boot-boot.sh and rebuild initrd?
>>> long story short, installed sles11.1, changed the repos to download
>>> git-core
>>> then changed repos to download the rest of the packages to build the
>>> latest Mainline kernel
>>> (make, make modules_install)
> On my installation I took the original kernel, shipped with sles11.1. I
> don't want to compile a new one unless it's strongly recommended. Why
> don't you use the original kernel and packages of sles11.1?
The only way I have access through internet is through the wireless..and
most distros don't have my wireless driver...(and of course nvidia module
as well for a proper looking screen)
so I use a copy of a good revision kernel to get online, pull, then build...
>>> then after that, installed all the SELinux packages, rebooted realized
>>> even though this system is
>>> using sysvinit the policy still won't load without an initrd (must be
>>> because my other systems have
>>> _nothing_ of the sort with initrd in them(*.h)or something, so ended
>>> up using mkinitrd_setup to make the image
>>> so the policy can load..
>>>
> Okay. I also had to rebuild initrd with the adjustments I already described.
cool... yeah you need the image, or else the policy will not load
>>> Then once loaded made sure the home directory was labelled correctly,
>>> as well as other
>>> areas that I've seen issues with, then just started the sshd..with the
>>> other machine with SELinux,
>>> and the iphone(touchterm ssh(free))..
>>>
>>>> which package have you build with --with-selinux and the --with-pam?
> I didn't rebuild any packages. Do I have to recompile some packages with
> these options? I just took the original versions, shipped with sles 11.1.
I think the sshd package is good, but I did notice I couldn't find
getsebool/setsebool to change a boolean
(either it's in /usr/share/man or somewhere else)
>>> this was on my cblfs system.. I just built this (all gnome etc..) and
>>> didn't realize that I had
>>> built this wrong until I looked at config.log of the package and
>>> noticed I messed up..
>>>
>>> after that things went good..(from over here sles11.1 sshd looks built
>>> fine, maybe this is config issues..,
>>> only issue I noticed is getsebool/setsebool are missing, so just do:
>>> mv /etc/initscript{,-old}
>>> to avoid problems during boot, or define the init_upstart boolean in
>>> boolean.conf.)
> I set the init_upstart boolean.
yeah but without setsebool you can't change that...(just rename
/etc/initscript and/or modify booleans.conf)
>>>> which policy did you use? http://oss.tresys.com/git/refpolicy.git?
>>>>
>>> yep... I follow track
> I can't compile the latest refpolicy version from git. make conf results
> in: doc/policy.xml:604: element module: validity error : Element module
> content does not follow the DTD, expecting (summary , desc? , required? ,
> (interface | template)* , (bool | tunable)*), got ()
> d
>
that's a first I've seen.. I get errors as well something about
/tmp/seusers etc..
I just delete and pull git until it works..(biggest pain in the a** are
these compile errors that don't need to happen)
> but the latest release from
> (http://oss.tresys.com/files/refpolicy/refpolicy-2.20100524.tar.bz2) is
> working..
>>>> kind regards
>>>> Matthias
>>>>
>>>>
>>>
cheers,
Justin P. Mattock