Mailinglist Archive: opensuse-bugs

[Bug 581505] New: SELinux tools
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Fri, 19 Feb 2010 22:12:26 +0000
  • Message-id: <bug-581505-21960@xxxxxxxxxxxxxxxxxxxxxxxx/>

Summary: SELinux tools
Please make the latest upstream policycoreutils available. It has fixes that
are necessary to getting SELinux working. During a "fixfiles relabel" the
inability for even root to traverse a FUSE mount that is owned by another user
was worked around by a change to setfiles in policycoreutils 2.0.71 to skip
inaccessible mounts.

Also please make available the version of findutils which is built with the
selinux patch. Also necessary for "fixfiles relabel" to work. The lack of
support for the -context predicate in find indicates that the findutils package
was not built with SELinux support. It appears that this support is still a
separate patch in the Fedora package rather than being part of upstream
findutils, so you would need to grab it from the Fedora .src.rpm or source

Reproducible: Always

Steps to Reproduce:
The following will allow you to get to a Gnome desktop with selinux enabled in
permissive mode -- and will demonstrate the above bugs along the way. Hopefully
helpful to you in providing support to the growing population of folks
interested in selinux!:
1. Default install of OpenSuse 11.2 (used Gnome desktop)
2. Boot normally to desktop, open terminal, su -
3. Do this:

zypper install selinux-tools selinux-policy libselinux* libsemanage* \
    policycoreutils checkpolicy setools-console make m4 gcc findutils-locate git

vi /boot/grub/menu.lst
-- and add to the Desktop kernel boot line: "security=selinux selinux=1

cd /etc/selinux
cp -R refpolicy-standard targeted (Note, this is a workaround for another
bug but I don't know enough about it yet to describe the solution).
usermod -s /sbin/nologin nobody
reboot <should boot to desktop>
Get policy src: This is necessary because the policy in the OpenSuse repository
is built with MONOLITHIC=y.
-- launch firefox, go to
-- search for selinux-policy, download src
-- install src rpm
cp /usr/src/packages/SOURCES/refpolicy-2.20081210.tar.bz2 /tmp
cd /tmp
bunzip2 refpolicy-2.20081210.tar.bz2
tar xvf refpolicy-2.20081210.tar
cd refpolicy
vi build.conf (set NAME = refpolicy-standard; set DISTRO = suse; set
make clean; make conf; make; make install; make load; make install-src
cd /etc/selinux/refpolicy-standard/src/policy
make clean; make conf; make; make install; make load
cd /etc/selinux
rsync -avz refpolicy-standard/ targeted
End of getting policy source:
setsebool -P init_upstart=on

fixfiles relabel (at this point you'll see the error messages)
-- put SETLOCALDEFS=0 in /etc/selinux/config
<you should find yourself at the Gnome desktop with selinux enabled>
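
Both blockers named in the report can be checked before running "fixfiles relabel". The script below is an added example, not part of the bug report; it assumes an rpm-based system and GNU find's "unknown predicate" error wording, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight for "fixfiles relabel" (not from the bug report).
MIN_PCU="2.0.71"   # per the report: setfiles skips inaccessible mounts from here

# version_ge A B: succeed when dotted numeric version A >= B.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# find_context_support [CMD]: print "no" when CMD (default: find) rejects
# -context as an unknown predicate, "yes" otherwise. Assumption: GNU find's
# "unknown predicate" wording for tests it was not built with.
find_context_support() {
    err=$("${1:-find}" / -maxdepth 0 -context '*' 2>&1 >/dev/null) || true
    case $err in
        *"unknown predicate"*) echo no ;;
        *) echo yes ;;
    esac
}

preflight() {
    rc=0
    ver=$(rpm -q --qf '%{VERSION}' policycoreutils 2>/dev/null) || ver=""
    if [ -n "$ver" ] && version_ge "$ver" "$MIN_PCU"; then
        echo "policycoreutils $ver: ok (>= $MIN_PCU)"
    else
        echo "policycoreutils ${ver:-not found}: need >= $MIN_PCU"; rc=1
    fi
    if [ "$(find_context_support)" = yes ]; then
        echo "find: -context is a known predicate"
    else
        echo "find: -context unknown, findutils lacks the SELinux patch"; rc=1
    fi
    return $rc
}

preflight || echo "not ready for fixfiles relabel"
```

A "yes" from the find check only means the predicate is compiled in; it says nothing about whether SELinux is enabled in the running kernel.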

