[ubuntu-hardened] refpolicy
Chad Sellers
csellers at tresys.com
Mon Aug 4 22:33:19 BST 2008
On 8/4/08 4:59 PM, "gdsm at tgfslp.dalmany.co.uk" <gdsm at tgfslp.dalmany.co.uk>
wrote:
>
> Hello,
>
> I have been looking at using the refpolicy from tresys.com as Ubuntu only
> has a policy for cups. I am not sure if there is anyone on the list who
> can help.
>
> Ubuntu hardy
> linux 2.6.25.10 from www.kernel.org with SELinux enabled.
>
> At bootup, I get the following
> Aug 3 22:19:07 hp-laptop kernel: [ 8.035418] type=1400
> audit(1217798318.515:3): avc: denied { search } for pid=869
> comm="hotplug" name="/" dev=hda1 ino=2 scontext=system_u:system_r:hotplug_t
> tcontext=system_u:object_r:default_t tclass=dir
>
/ should not be labeled default_t, it should be root_t. Did you relabel your
filesystem after switching over to upstream refpolicy? What filesystem are
you using? What settings did you set in your refpolicy build.conf? Did you
first install the Ubuntu selinux package to make sure you got all the
appropriate tools? How did you install refpolicy?

> I know this is only hotplug, but I get quite a few with
> name="/"
> and
> tcontext=system_u:object_r:default_t
> obviously my / is labelled system_u:object_r:default_t as shown below
>
> ls -Za /
> system_u:object_r:default_t .
> system_u:object_r:default_t ..
> <snip>
>
> Another example is syslog
> Aug 3 22:38:30 hp-laptop kernel: [ 1201.056587] type=1400
> audit(1217799510.147:457): avc: denied { search } for pid=3821
> comm="klogd" name="/" dev=hda1 ino=2 scontext=system_u:system_r:klogd_t
> tcontext=system_u:object_r:default_t tclass=dir
> Aug 3 22:38:30 hp-laptop kernel: [ 1201.056672] type=1400
> audit(1217799510.147:458): avc: denied { search } for pid=3756
> comm="syslogd" name="/" dev=hda1 ino=2
> scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:default_t
> tclass=dir
>
>
> This means when I enforce, nothing is logged.
>
You're a long way from going into enforcing. You first need to get the
policy installed properly, then you'll likely need to do a good bit of
policy development (depending on how many and which modules you selected to
be installed in your modules.conf) before the system will run in enforcing.

> I am presuming I do not have / labelled correctly.
>
> What should the correct label be please?
>
> If you need any other information, please ask.
>
> Many thanks,
>
> Spencer
>
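
An added example, not part of the original thread or of refpolicy: a short Python script that parses AVC denial records like the ones quoted above and groups them by target, reporting every domain that was denied on an object typed `default_t`, the label the reply says `/` should not carry. The first three sample lines are the quoted denials with the mail line-wrapping removed, the fourth is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Denials quoted in the thread, re-joined onto one line each (mail wrapping
# removed). The last record is constructed, to show a target that is labeled.
SAMPLE = """\
Aug 3 22:19:07 hp-laptop kernel: [ 8.035418] type=1400 audit(1217798318.515:3): avc: denied { search } for pid=869 comm="hotplug" name="/" dev=hda1 ino=2 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:default_t tclass=dir
Aug 3 22:38:30 hp-laptop kernel: [ 1201.056587] type=1400 audit(1217799510.147:457): avc: denied { search } for pid=3821 comm="klogd" name="/" dev=hda1 ino=2 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:default_t tclass=dir
Aug 3 22:38:30 hp-laptop kernel: [ 1201.056672] type=1400 audit(1217799510.147:458): avc: denied { search } for pid=3756 comm="syslogd" name="/" dev=hda1 ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:default_t tclass=dir
Aug 3 22:40:00 hp-laptop kernel: [ 1300.000000] type=1400 audit(1217799600.000:500): avc: denied { write } for pid=4000 comm="example" name="tmp" dev=hda1 ino=12 scontext=system_u:system_r:example_t tcontext=system_u:object_r:tmp_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    rec["stype"] = selinux_type(rec.get("scontext", ""))
    rec["ttype"] = selinux_type(rec.get("tcontext", ""))
    return rec


def mislabel_report(text, suspect_types=("default_t",)):
    """Map (dev, name, target type) -> sorted source domains denied on it."""
    hits = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["ttype"] in suspect_types:
            hits[(rec.get("dev"), rec.get("name"), rec["ttype"])].add(rec["stype"])
    return {key: sorted(domains) for key, domains in hits.items()}


if __name__ == "__main__":
    for (dev, name, ttype), domains in mislabel_report(SAMPLE).items():
        print(f"{dev} {name!r} is {ttype}: denied to {', '.join(domains)}")
```

Many unrelated domains all denied on the same `default_t` object points at one labeling problem rather than at missing allow rules for each domain.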