[DSE-User] SELinux on Wheezy
Russell Coker
russell at coker.com.au
Wed Feb 8 01:17:37 UTC 2012
On Wed, 8 Feb 2012, Arno Schuring <aelschuring at hotmail.com> wrote:
> Over the past few weeks I have been trying to get SELinux in a workable
> state for me. That endeavour started out as wanting to try selinux on
> Squeeze, but after determining that making it work would be nontrivial,
> I decided to focus on the policy in testing instead.
If you used Postfix instead of Exim then things would have been a lot easier.
> I did have to modify more than just the policy, but so far my
> modifications have dealt mostly with init scripts. Most of these have
> been submitted in the bts as wishlist items, not sure if selinux
> warrants a higher severity level.
Great!
> I intend to send one message per module. Even though most modules don't
> change more than a few lines and I changed about 15 modules, sending
> multiple messages makes them easier to locate in the archive.
>
>
> Finally, some random observations:
> - newer kernels want security=selinux, not selinux=1
http://etbe.coker.com.au/2012/01/25/se-linux-status-2012-01/
I mentioned that in my latest SE Linux status report.
> - sudo is now selinux-aware (as of 1.8.3p2 iirc)
> - the initscripts touch .ramfs on every tmpfs mount. I've allowed it
> locally but I'm not convinced this is necessary
For "targeted" systems that will be fine. I plan to get a Play Machine
running Unstable in the near future and will resolve such issues then.
> - /usr/sbin/service could be made selinux-aware, and automatically use
> run_init if required. I have it patched locally, but unsure of its
> general applicability because run_init errors out if selinux is
> disabled, and my solution of grepping sestatus' output is ugly
run_init isn't (or at least shouldn't be) needed on targeted systems so a
patch probably isn't a good idea. If you run in strict mode then you just
need to know to use run_init.
> * more-or-less: dspam, exim and dovecot still run in permissive mode.
> Dspam policy lifted from Fedora 16, exim can probably be confined as
> soon as the exim->dspam domain transition is solved; dovecot has
> proven elusive so far.
We need to get domain transitions when Exim runs child processes. One way to
do this is probably to have Exim not just call itself for a child, but to call
a process named exim-whatever which is usually a symlink to the main exim
program but which can be diverted to an executable which triggers a SE Linux
domain transition. The other way would be to patch Exim to request a domain
transition when it re-exec's itself.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
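As an added illustration of the service wrapper Arno describes above (this is example code written for this page, not Arno's local patch and not part of Debian's service(8)), the script below decides whether to route an init script through run_init by reading the kernel's SELinux state from selinuxfs instead of grepping the output of sestatus. It assumes a setup where run_init is wanted whenever SELinux is enabled, which per Russell's note is the strict-mode case, not a targeted system; the SELINUXFS and RUN_INIT variables are overridable so the logic can be exercised against a constructed directory.

```shell
#!/bin/sh
# Added example: service-style wrapper that only uses run_init when SELinux
# is actually enabled, so run_init never errors out on a disabled system.
# SELINUXFS and RUN_INIT default to the real paths; older kernels mount
# selinuxfs at /selinux instead of /sys/fs/selinux.

SELINUXFS="${SELINUXFS:-/sys/fs/selinux}"
RUN_INIT="${RUN_INIT:-/usr/sbin/run_init}"

# selinux_state: prints one of disabled | permissive | enforcing.
# The enforce file only exists when selinuxfs is mounted, i.e. when the
# kernel booted with SELinux active.
selinux_state() {
    [ -r "$SELINUXFS/enforce" ] || { echo disabled; return 0; }
    case "$(cat "$SELINUXFS/enforce" 2>/dev/null)" in
        1) echo enforcing ;;
        *) echo permissive ;;
    esac
}

# init_command SERVICE ACTION: prints the command line the wrapper would run.
# run_init is used only when SELinux is enabled and the binary is installed.
init_command() {
    script="/etc/init.d/$1"
    action="$2"
    if [ "$(selinux_state)" != disabled ] && [ -x "$RUN_INIT" ]; then
        echo "$RUN_INIT $script $action"
    else
        echo "$script $action"
    fi
}

# service_wrapper SERVICE ACTION: execute the chosen command line.
service_wrapper() {
    cmd="$(init_command "$1" "$2")"
    # Word-split deliberately: the command line contains no quoted arguments.
    # shellcheck disable=SC2086
    exec $cmd
}

# Usage:  service_wrapper exim4 restart
```

On a targeted system where an administrator's shell already runs unconfined, the same wrapper would still invoke run_init whenever selinuxfs is mounted; if that is unwanted, the decision in init_command is the one place to add a policy-type check.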