http://bugzilla.novell.com/show_bug.cgi?id=581505
http://bugzilla.novell.com/show_bug.cgi?id=581505#c0

           Summary: SELinux tools
    Classification: openSUSE
           Product: openSUSE 11.2
           Version: Final
          Platform: All
        OS/Version: openSUSE 11.2
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Other
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: alan@rouses.net
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; NET CLR 2.0.50727; InfoPath.1; .NET CLR 1.1.4322; MS-RTC LM 8; .NET CLR 3.5.30729; .NET CLR 3.0.30618)

Please make the latest upstream policycoreutils available. It has fixes that are necessary to getting SELinux working. During a "fixfiles relabel" the inability for even root to traverse a FUSE mount that is owned by another user was worked around by a change to setfiles in policycoreutils 2.0.71 to skip inaccessible mounts.

Also please make available the version of findutils which is built with the selinux patch. Also necessary for "fixfiles relabel" to work. The lack of support for the -context predicate in find indicates that the findutils package was not built with SELinux support. It appears that this support is still a separate patch in the Fedora package rather than being part of upstream findutils, so you would need to grab it from the Fedora .src.rpm or source repository.

Reproducible: Always

Steps to Reproduce:

The following will allow you to get to a Gnome desktop with selinux enabled in permissive mode -- and will demonstrate the above bugs along the way. Hopefully helpful to you in providing support to the growing population of folks interested in selinux!:

1. Default install of OpenSuse 11.2 (used Gnome desktop)
2. Boot normally to desktop, open terminal, su -
3. Do this:

   zypper install selinux-tools selinux-policy libselinux* libsemanage* policycoreutils checkpolicy setools-console make m4 gcc findutils-locate git
   vi /boot/grub/menu.lst
      -- and add to the Desktop kernel boot line: "security=selinux selinux=1 enforcing=0"
   cd /etc/selinux
   cp -R refpolicy-standard targeted
      (Note, this is a workaround for another bug but I don't know enough about it yet to describe the solution).
   usermod -s /sbin/nologin nobody
   reboot
   <should boot to desktop>

=============================================================================
Get policy src: This is necessary because the policy in the OpenSuse repository is built with MONOLITHIC=y.
=============================================================================

   -- launch firefox, go to http://software.opensuse.org/search/
   -- search for selinux-policy, download src
   -- install src rpm
   cp /usr/src/packages/SOURCES/refpolicy-2.20081210.tar.bz2 /tmp
   cd /tmp
   bunzip2 refpolicy-2.20081210.tar.bz2
   tar xvf refpolicy-2.20081210.tar
   cd refpolicy
   vi build.conf (set NAME = refpolicy-standard; set DISTRO = suse; set MONOLITHIC = n)
   make clean; make conf; make; make install; make load; make install-src
   cd /etc/selinux/refpolicy-standard/src/policy
   make clean; make conf; make; make install; make load
   cd /etc/selinux
   rsync -avz refpolicy-standard/ targeted
   reboot

=============================
End of getting policy source:
=============================

   setsebool -P init_upstart=on
   fixfiles relabel (at this point you'll see the error messages)
   -- put SETLOCALDEFS=0 in /etc/selinux/config
   reboot
   <you should find yourself at the Gnome desktop with selinux enabled>
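
Added example, not part of the original report: a read-only preflight script that checks the conditions the report names before "fixfiles relabel" is attempted (boot parameters, policycoreutils at or above 2.0.71, a find that accepts -context, MONOLITHIC and SETLOCALDEFS settings). The function names and the --check switch are assumptions made for this example, as is querying the package version with rpm -q.

```sh
#!/bin/sh
# Added example: preflight for the SELinux setup described in the report.
# Helpers take their input as arguments; only preflight() reads system state.

# version_ge A B: succeed if dotted numeric version A >= B.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = x[i] + 0; q = y[i] + 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# cmdline_ok "<kernel cmdline>": all three boot parameters from the report are present.
cmdline_ok() {
    for want in security=selinux selinux=1 enforcing=0; do
        case " $1 " in *" $want "*) ;; *) return 1 ;; esac
    done
    return 0
}

# conf_value FILE KEY: print the value of "KEY = value" or "KEY=value".
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" 2>/dev/null | tail -n 1
}

# find_has_context [FIND]: the report's indicator for a findutils built without the
# SELinux patch. A patched find also rejects -context while SELinux is disabled,
# so run this after the boot-parameter check passes.
find_has_context() {
    "${1:-find}" /dev/null -maxdepth 0 -context '*' >/dev/null 2>&1
}

preflight() {
    cmdline_ok "$(cat /proc/cmdline 2>/dev/null)" || echo "boot line lacks security=selinux selinux=1 enforcing=0"
    pcu=$(rpm -q --qf '%{VERSION}' policycoreutils 2>/dev/null) || pcu=0
    version_ge "$pcu" 2.0.71 || echo "policycoreutils $pcu is older than 2.0.71 (setfiles will not skip inaccessible mounts)"
    find_has_context || echo "find rejects -context (findutils without SELinux patch, or SELinux disabled)"
    [ "$(conf_value /etc/selinux/refpolicy-standard/src/policy/build.conf MONOLITHIC)" = n ] || echo "policy source is not set to MONOLITHIC = n"
    [ "$(conf_value /etc/selinux/config SETLOCALDEFS)" = 0 ] || echo "SETLOCALDEFS=0 missing from /etc/selinux/config"
}

# Usage: sh preflight.sh --check   (no output means every check passed)
case "${1:-}" in --check) preflight ;; esac
```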