getting started with SELinux
Hi!
I'm attempting to set up an SELinux system using the Debian packages
and am unashamed to admit that I'm a little stuck at the moment. I
have two problems that I could use some help with:
1. I've done the bare minimum amount of tweaking of the default
policy beyond answering all the questions about which programs I'd
like to create domains for (i.e. I've assigned the existing users
on the box user_r contexts and given the sysadmins sysadmin_r).
When I try to run "make policy", I'm given this frustrating
message in return:
/usr/bin/checkpolicy -o policy policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
ERROR 'attribute file_type is not declared' at token ';' on line 867:
#
type device_t, file_type;
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [policy] Error 1
I know I'm not the first person to encounter this error, because I
saw someone else with the exact same problem (down to the same
line number) in a posting on the selinux list. Unfortunately,
there was no response archived. Some grepping demonstrated that
file_type was indeed not defined in any of the .te files, but it's
a base type, right? What does this error really mean?
2. When I attempt to boot into my SELinux kernel (all packages,
versions, and kernel configuration options at the end of this
message), I get an error about being unable to find
/usr/bin/load_policy, even with an initrd that uses the script
provided by selinux-default-policy. Is there anything special I
need to know about building the initrd? I imagine this may be
linked to my lack of a policy, but the message I get is along the
lines of 'sh: line 1: unable to find /usr/bin/load_policy', which
makes me think something else is going on. I have to pass
'selinux=0' on the kernel command line to get the kernel to boot.
Any pointers? I'm really excited about the idea of putting SELinux
into production, but I'm feeling a little stymied right now.
Yours,
Forrest
VERSIONS:
un libselinux-dev <none> (no description available)
ii libselinux1 1.2-1.1 SELinux shared libraries
un libselinux1-dev <none> (no description available)
un old-selinux-policy <none> (no description available)
ii selinux 2003081307-8 Management utilities for NSA Security Enhanced Linux
ii selinux-doc 1.1-1 documentation for Security-Enhanced Linux
un selinux-policy <none> (no description available)
iF selinux-policy-defaul 1.2.real-7 Policy config files and management for NSA Security Enhanc
ii selinux-utils 1.2-1.1 SELinux utility programs
ii kernel-image-2.4.22 10.03.FLN Linux kernel binary image for version 2.4.22.
ii initrd-tools 0.1.54 Tools to generate an initrd image.
CONFIG OPTIONS:
CONFIG_EXT3_FS_XATTR_USER=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_DEVPTS_FS_SECURITY=y
CONFIG_EXT2_FS_XATTR_USER=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
# CONFIG_SECURITY_SELINUX_MLS is not set
# CONFIG_SECURITY_OWLSM is not set
CONFIG_SECURITY_DTE=y
--
. . . the self-reflecting image of a narcotized mind . . .
ozymandias G desiderata ogd@aoaioxxysz.net desperate, deathless
(415)823-6356 http://www.pushby.com/forrest/ ::AOAIOXXYSZ::
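On the first question, the meaning of the checkpolicy message is a property of the policy language rather than of the Debian packaging: an attribute has to be declared with a statement of the form `attribute NAME;` before any `type T, NAME;` statement can assign a type to it, and checkpolicy reports the first `type` line it reaches whose attribute has not yet been declared. Grepping the .te files for the attribute therefore tells you whether a declaration exists somewhere; what matters is whether it ended up in the assembled policy.conf ahead of line 867. The script below is an added illustration, not part of the original post or of the Debian policy package. It scans a policy.conf (or stdin) for attributes used in `type` statements that no earlier `attribute` statement declared, which reproduces the condition behind the error on a constructed fragment. The fragment, the function names and the simplified grammar (no `alias` clauses, no `{ }` sets, no m4 macros) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: a small lint that mimics the check behind checkpolicy's
# "attribute X is not declared" message. It is not checkpolicy and only
# understands the two statement shapes used below:
#   attribute NAME;
#   type NAME, ATTR1, ATTR2, ...;
# Reads the file(s) given as arguments, or stdin when none are given.
find_undeclared_attributes() {
    awk '
        # Remember every attribute once its declaration has been seen.
        /^[ \t]*attribute[ \t]+[A-Za-z0-9_]+[ \t]*;/ {
            a = $2
            sub(/;.*/, "", a)
            declared[a] = 1
            next
        }
        # A type statement that lists attributes after the type name.
        /^[ \t]*type[ \t]+[A-Za-z0-9_]+[ \t]*,/ {
            line = $0
            sub(/^[ \t]*type[ \t]+[A-Za-z0-9_]+[ \t]*,/, "", line)  # drop "type NAME,"
            sub(/;.*$/, "", line)                                  # drop ";" and trailing comment
            n = split(line, attrs, ",")
            for (i = 1; i <= n; i++) {
                attr = attrs[i]
                gsub(/[ \t]/, "", attr)
                # Report each missing attribute once, at its first use,
                # which is the line checkpolicy would stop on.
                if (attr != "" && !(attr in declared) && !(attr in reported)) {
                    reported[attr] = 1
                    printf "line %d: attribute %s is not declared\n", NR, attr
                }
            }
        }
    ' "$@"
}

# Constructed policy.conf fragment (not from the poster's tree) that
# contains one correctly ordered attribute and one that is never declared.
demo_policy_check() {
    find_undeclared_attributes <<'EOF'
# "domain" is declared before any type joins it, so it passes
attribute domain;
type init_t, domain;
# "file_type" is never declared, so the uses below are the error case
type device_t, file_type;
type bin_t, file_type, exec_type;
EOF
}

demo_policy_check
```

Run against a real tree as `find_undeclared_attributes policy.conf`; if it reports an attribute that does appear in some .te file, the declaration file is being concatenated after the type files (or not at all) when policy.conf is built, which is the ordering problem to look for in the policy Makefile.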