I'm having some issues running SELinux on Intrepid. The issue is this: when I run SELinux in enforcing mode, I can't do anything. I fully understand that's the point of SELinux in some regards, but I get messages like these:
- Unable to switch to tty1: permission denied
- Unable to execute /bin/bash: permission denied
I know what's happening: SELinux is blocking these applications,will tell me that. So the problem is: how do I fix this situation?Code:cat /var/log/syslog | grep 'avc'
I'm going to explain what I've done so far as well, as perhaps there's something I've missed here.
- I was running 8.04 earlier this year which lets you just. However, on intrepid, that doesn't seem to work (i.e. installs no policy) which is interesting. Anyway, I installed selinux-policy-default which pulled all it's dependencies in i.e. setools.Code:sudo apt-get install selinux
- This didn't work and I realised from my last exploration you have to have a running selinux kernel first. So I set about selinux=1'ing it into existence.
- I found that actually the initramfs scripts are broken in /etc/initramfs-tools/scripts/init-bottom/_load_policy (see https://bugs.launchpad.net/ubuntu/+s...ux/+bug/277030) and fixed it for my system, regenerated the initramfs.
- I added selinux=1 to the defopts in /boot/grub/menu.lst and ran update grub, so now all kernels will be selinux-enabled.
- Loaded up with the new all-powerful kernel and re-installed selinux-policy-default just to make sure. I don't get asked about .tc files (I did on Hardy) as described here: http://mctalby.mc.man.ac.uk/~mc/_uni....SE_Linux.html .
- Reboot. We are still in permissive mode. Check with sestatus:
Code:sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: permissive Policy version: 23 Policy from config file: default
- OK, now reboot, edit grub on the fly adding enforcing=1 to the end of the boot line and boot. Hey presto, up comes X, or a tty, but gnome sessions last less than 10 seconds and ttys give the above error.
I should also add that I modified /etc/pam.d/login, changing the word on the end of pam_selinux.so from close (which denied access to X11 also!) to multiple (implying give me a choice on a MLS system). I will try removing multiple too.
I suppose I could use audit2allow to enable all the things being denied to be allowed but there are such a number of avc errors I'm not convinced that would necessarily be secure... might as well not run selinux at all.
Any ideas? What am I doing wrong please?
I may be wrong... but it appears the full policy isn't implemented, hence why simple things are denied? Or am I missing something? Can I install the refpolicy myself and if so does anyone know of any tutorials for doing so on ubuntu/debian?
Thanks in advance for anything you have!
P.S. I don't want to use AppArmor, I am aware it exists, is easier, installed and enabled by default and all that. I'm also aware Fedora has working SELinux... I am tempted, but prefer Ubuntu's way of doing things at the moment, plus 8.04 SELinux worked for me.