[DSE-User] SELinux on Wheezy
Arno Schuring
aelschuring at hotmail.com
Tue Feb 7 23:34:13 UTC 2012
Hi all,
(posting to this list feels a bit like screaming into the void, but
let's hope there's at least a faint echo somewhere :)
Over the past few weeks I have been trying to get SELinux in a workable
state for me. That endeavour started out as wanting to try selinux on
Squeeze, but after determining that making it work would be nontrivial,
I decided to focus on the policy in testing instead.
Now that I have a more-or-less working machine*, I think it's time to
share my modifications. Primarily as a guide to others, but also to
discuss the modifications and where they belong (e.g. program error,
local policy, Debian policy or upstream).
I did have to modify more than just the policy, but so far my
modifications have dealt mostly with init scripts. Most of these have
been submitted in the bts as wishlist items, not sure if selinux
warrants a higher severity level.
I intend to send one message per module. Even though most modules don't
change more than a few lines and I changed about 15 modules, sending
multiple messages makes them easier to locate in the archive.
Finally, some random observations:
- newer kernels want security=selinux, not selinux=1
- sudo is now selinux-aware (as of 1.8.3p2 iirc)
- the initscripts touch .ramfs on every tmpfs mount. I've allowed it
locally but I'm not convinced this is necessary
- /usr/sbin/service could be made selinux-aware, and automatically use
run_init if required. I have it patched locally, but unsure of its
general applicability because run_init errors out if selinux is
disabled, and my solution of grepping sestatus' output is ugly
Regards,
Arno
* more-or-less: dspam, exim and dovecot still run in permissive mode.
Dspam policy lifted from Fedora 16, exim can probably be confined as
soon as the exim->dspam domain transition is solved; dovecot has
proven elusive so far.
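The service(8) wrapper idea from the last observation above, as an added shell example that is not the author's local patch: it asks selinuxenabled(8) (from the libselinux utilities) instead of grepping sestatus output, falls back to probing /sys/fs/selinux/enforce, and only prepends run_init when SELinux is active and run_init is actually installed, so the wrapper degrades to plain service on a box with SELinux disabled. The function names and the yes/no decision helper are assumptions of this example, not part of Debian's service script.

```shell
#!/bin/sh
# Added example (not the author's patch): a service(8) wrapper that prepends
# run_init only when SELinux is active and run_init is installed.
# Assumes the libselinux utilities selinuxenabled(8) and run_init(8);
# /sys/fs/selinux/enforce is used as a fallback probe when selinuxenabled
# is missing.

# Exit 0 when SELinux is enabled, without parsing sestatus output.
selinux_active() {
    if command -v selinuxenabled >/dev/null 2>&1; then
        selinuxenabled
    else
        [ -r /sys/fs/selinux/enforce ]
    fi
}

# Pure decision helper (hypothetical name): $1 = yes/no SELinux active,
# $2 = yes/no run_init present. Prints "run_init" or nothing, so the
# logic can be checked without touching the real system.
choose_prefix() {
    if [ "$1" = yes ] && [ "$2" = yes ]; then
        printf '%s' run_init
    else
        printf ''
    fi
}

# Probe the running system and print the prefix that should be used.
service_prefix() {
    sel=no
    ri=no
    selinux_active && sel=yes
    command -v run_init >/dev/null 2>&1 && ri=yes
    choose_prefix "$sel" "$ri"
}

# Run an init script through service(8), via run_init when appropriate.
# Usage: sel_service <name> <action>
sel_service() {
    prefix=$(service_prefix)
    if [ -n "$prefix" ]; then
        exec "$prefix" /usr/sbin/service "$@"
    else
        exec /usr/sbin/service "$@"
    fi
}
```

Calling `sel_service exim4 restart` from an enforcing shell then gets the init script its proper domain transition through run_init, while the same call on a non-SELinux host runs /usr/sbin/service directly instead of failing in run_init.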