* Can I change default policy from targeted to minimum
From: Divya Vyas @ 2015-09-11 11:55 UTC
To: selinux

Hi,

I have mls and targeted policy installed on my system. I want to have a
minimum policy with all users unconfined and nothing restricted.

I took a minimum policy from the selinux-policy-minimum noarch rpm, kept it in
the /etc/selinux folder and edited SELINUXTYPE=minimum. Is this enough to load a
new policy?

load_policy
SELinux: Could not open policy file <= /etc/selinux/minimum/policy/policy.28: No such file or directory
load_policy: Can't load policy: No such file or directory

Getting this error while the policy.28 exists in the path.

Please guide me to have a minimum unrestricted policy.

* Re: Can I change default policy from targeted to minimum
From: Dominick Grift @ 2015-09-11 13:41 UTC
To: Divya Vyas; +Cc: selinux

On Fri, Sep 11, 2015 at 05:25:39PM +0530, Divya Vyas wrote:
> Hi,
>
> I have mls and targeted policy installed on my system. I want to have a
> minimum policy with all users unconfined and nothing restricted.
>
> I took a minimum policy from the selinux-policy-minimum noarch rpm, kept it in
> the /etc/selinux folder and edited SELINUXTYPE=minimum. Is this enough to load a
> new policy?
>
> load_policy
> SELinux: Could not open policy file <= /etc/selinux/minimum/policy/policy.28: No such file or directory
> load_policy: Can't load policy: No such file or directory
>
> Getting this error while the policy.28 exists in the path.
>
> Please guide me to have a minimum unrestricted policy.

Looks like you're using Fedora. The "minimum" policy model is specific to
Fedora. You might be able to get support on the Fedora selinux maillist:
https://admin.fedoraproject.org/mailman/listinfo/selinux

With that said, you could try (if things break then you get to keep the
pieces):

sudo setenforce 0 && sudo semodule -B && sudo load_policy

> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.

-- 
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
Dominick Grift

* Re: Can I change default policy from targeted to minimum
From: Divya Vyas @ 2015-09-11 15:45 UTC
To: selinux

Hi Dominick,

No, it's not Fedora. It is basically a Yocto-based kernel and root filesystem.

Is it possible to have a minimum policy to allow everything and try out
limiting something?

* Re: Can I change default policy from targeted to minimum
From: Dominick Grift @ 2015-09-11 15:53 UTC
To: Divya Vyas; +Cc: selinux

On Fri, Sep 11, 2015 at 09:15:56PM +0530, Divya Vyas wrote:
> Hi Dominick,
>
> No, it's not Fedora. It is basically a Yocto-based kernel and root filesystem.
>
> Is it possible to have a minimum policy to allow everything and try out
> limiting something?

Sure, you could write one yourself (configurable policy is what SELinux
is all about, amongst other things). There's also this:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/security/SELinux.txt?id=e22619a29fcdb513b7bc020e84225bb3b5914259

But it has a bug that only recently got fixed.

No matter what you choose, it is going to be a little hard if you aren't
confident with SELinux.

For the real adventurous there's my base policy, which needs tweaking to
get it to work:

https://github.com/doverride/cilpolicy

* Re: Can I change default policy from targeted to minimum
From: Divya Vyas @ 2015-09-11 16:43 UTC
To: Divya Vyas, selinux

Hi Dominick,

I have a question: what is the role of policy.29/28/27? If I understand
correctly, it is a binary policy called while the kernel is booting. Is it a
symbolic link with policy.kern?

Thanks,
Divya

* Re: Can I change default policy from targeted to minimum
From: Dominick Grift @ 2015-09-11 16:51 UTC
To: Divya Vyas; +Cc: selinux

On Fri, Sep 11, 2015 at 10:13:34PM +0530, Divya Vyas wrote:
> Hi Dominick,
>
> I have a question: what is the role of policy.29/28/27? If I understand
> correctly, it is a binary policy called while the kernel is booting. Is it a
> symbolic link with policy.kern?

The /etc/selinux/SELINUXTYPE/policy/policy.X file is supposed to be the actual
policy database. I am not sure why in your case this is a symlink to
policy.kern.

See: http://selinuxproject.org/page/NB_PolicyType

* Re: Can I change default policy from targeted to minimum
From: Stephen Smalley @ 2015-09-11 17:11 UTC
To: Divya Vyas, selinux

On 09/11/2015 12:43 PM, Divya Vyas wrote:
> Hi Dominick,
>
> I have a question: what is the role of policy.29/28/27? If I understand
> correctly, it is a binary policy called while the kernel is booting. Is it a
> symbolic link with policy.kern?

The suffix indicates the policy format version; the version number is
also contained within the file header but having it as a file name
suffix is convenient for supporting multiple versions on the same system
(e.g. for booting different kernels) and for allowing userspace to
select the right file without having to parse it. It isn't normally
just a symlink.

In Android, we dispensed with the policy version suffix and just called
it "sepolicy" because we could ensure that the kernel and userspace were
aligned and that the policy file would always be compatible with the
kernel. We also had to move it out of /etc and into / so that it could
be loaded before the /system partition was mounted, since /etc in
Android is just a symlink to /system/etc and is not available immediately.

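Added example (not part of the thread and not libselinux code): a Python sketch of the point in the message above, reading the version from the binary policy header and comparing it with the file name suffix. It also reports a policy.N symlink whose target is absent, one condition in which a listed name still fails to open with "No such file or directory". The downward search from the kernel's maximum version is an assumption modelled on the "<=" in the load_policy error earlier in the thread; `check_policy_dir`, `min_version`, `make_header` and the sample files are hypothetical and constructed.

```python
import os
import struct
import tempfile

POLICYDB_MAGIC = 0xF97CFF8C       # magic of a kernel binary policy, little-endian u32
POLICYDB_STRING = b"SE Linux"     # identification string that follows the magic


def read_policy_version(path):
    """Return the format version stored in a kernel binary policy header."""
    with open(path, "rb") as f:   # open() follows symlinks
        head = f.read(8)
        if len(head) < 8:
            raise ValueError("truncated header")
        magic, strlen = struct.unpack("<II", head)
        if magic != POLICYDB_MAGIC:
            raise ValueError("bad magic 0x%08x" % magic)
        if strlen != len(POLICYDB_STRING) or f.read(strlen) != POLICYDB_STRING:
            raise ValueError("bad policy string")
        raw = f.read(4)
        if len(raw) < 4:
            raise ValueError("truncated header")
        return struct.unpack("<I", raw)[0]


def check_policy_dir(policy_dir, max_version, min_version=15):
    """Report on the first policy.N entry found, searching downward.

    max_version is what the running kernel supports (readable from
    /sys/fs/selinux/policyvers); min_version is a hypothetical lower bound.
    """
    for v in range(max_version, min_version - 1, -1):
        path = os.path.join(policy_dir, "policy.%d" % v)
        if not os.path.lexists(path):
            continue
        if os.path.islink(path) and not os.path.exists(path):
            # The name is listed by ls, yet open() fails with ENOENT.
            return (v, "dangling-symlink", os.readlink(path))
        try:
            header = read_policy_version(path)
        except ValueError as exc:
            return (v, "bad-header", str(exc))
        return (v, "ok" if header == v else "suffix-mismatch", header)
    return (None, "missing", None)


def make_header(version):
    """Constructed header only (zeroed config and counts); not a loadable policy."""
    return (struct.pack("<II", POLICYDB_MAGIC, len(POLICYDB_STRING))
            + POLICYDB_STRING + struct.pack("<IIII", version, 0, 0, 0))


def demo():
    """Run the checks on constructed files in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        os.symlink("policy.kern", os.path.join(d, "policy.28"))  # target absent
        results["dangling"] = check_policy_dir(d, 28)
        with open(os.path.join(d, "policy.kern"), "wb") as f:
            f.write(make_header(28))
        results["resolved"] = check_policy_dir(d, 28)
        with open(os.path.join(d, "policy.29"), "wb") as f:
            f.write(make_header(28))   # suffix says 29, header says 28
        results["mismatch"] = check_policy_dir(d, 29)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```
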
* how to run setsebool -P in chroot?
From: Bond Masuda @ 2015-09-18 23:30 UTC
To: selinux

Hello,

I'm trying to run setsebool in a chroot environment like:

chroot /mnt/test /usr/sbin/setsebool -P antivirus_can_scan_system 1

But I get:

setsebool: SELinux is disabled.

I'm guessing this is because the environment is not running. Is there a way
around this? I need to be able to set some of the booleans this way.

Thanks
Bond

* Re: how to run setsebool -P in chroot?
From: Paul Moore @ 2015-09-20 21:13 UTC
To: Bond Masuda; +Cc: selinux

On Fri, Sep 18, 2015 at 7:30 PM, Bond Masuda <bond.masuda@jlbond.com> wrote:
> Hello,
>
> I'm trying to run setsebool in a chroot environment like:
>
> chroot /mnt/test /usr/sbin/setsebool -P antivirus_can_scan_system 1
>
> But I get:
>
> setsebool: SELinux is disabled.
>
> I'm guessing this is because the environment is not running. Is there a way
> around this? I need to be able to set some of the booleans this way.

You are likely seeing the SELinux disabled message because you don't
have /sys/fs/selinux mounted in your chroot.

-- 
paul moore
www.paul-moore.com

* Re: how to run setsebool -P in chroot?
From: Stephen Smalley @ 2015-09-21 20:12 UTC
To: Bond Masuda, selinux

On 09/18/2015 07:30 PM, Bond Masuda wrote:
> Hello,
>
> I'm trying to run setsebool in a chroot environment like:
>
> chroot /mnt/test /usr/sbin/setsebool -P antivirus_can_scan_system 1
>
> But I get:
>
> setsebool: SELinux is disabled.
>
> I'm guessing this is because the environment is not running. Is there a
> way around this? I need to be able to set some of the booleans this way.

I would try using semanage boolean -N instead of setsebool -P.