sanmartin Tux's lil' helper
Joined: 10 Aug 2005 Posts: 138 Location: Massachusetts
Posted: Fri Dec 01, 2006 7:54 pm Post subject: [SOLVED] SELinux: how do i make relabel? |
I'm trying to build an SELinux system and I've been loosely following the very out-of-date guide that everyone mentions. My first big problem that I can't seem to solve is how to relabel my drive. The SELinux Handbook says to do this:
Code:
```
# cd /etc/security/selinux/src/policy
# make relabel
```
... But I don't have /etc/security/selinux! I've checked all the selinux-related packages I have installed and there aren't many Makefiles it might be talking about. Can someone who has this directory do an `equery b /etc/security/selinux` and tell me what package owns it? I'm obviously missing something or the directory moved.
Thanks!
Last edited by sanmartin on Fri Dec 08, 2006 2:51 pm; edited 1 time in total |
Kosa Tux's lil' helper
Joined: 03 May 2005 Posts: 106 Location: Prague
Posted: Sat Dec 02, 2006 5:23 pm Post subject: |
Here we go:
Code:
```
# equery b /etc/security/selinux
[ Searching for file(s) /etc/security/selinux in *... ]
sec-policy/selinux-base-policy-20051022-r1 (/etc/security/selinux)
sec-policy/selinux-mysql-20051122 (/etc/security/selinux)
sec-policy/selinux-screen-20050821 (/etc/security/selinux)
sec-policy/selinux-sudo-20050716 (/etc/security/selinux)
sec-policy/selinux-postfix-20051023 (/etc/security/selinux)
sec-policy/selinux-ftpd-20050903 (/etc/security/selinux)
sec-policy/selinux-apache-20050211 (/etc/security/selinux)
sec-policy/selinux-postgresql-20050813 (/etc/security/selinux)
sec-policy/selinux-gnupg-20050823 (/etc/security/selinux)
sec-policy/selinux-clamav-20050712 (/etc/security/selinux)
```
I followed this: http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml
dasbear n00b
Joined: 21 Jul 2002 Posts: 33 Location: Dallas, TX
Posted: Sun Dec 03, 2006 6:23 am Post subject: I have a similar problem, but I want to "unlabel" |
I have sec-policy/selinux-base-policy-20061114 installed but I don't have /etc/security/selinux
I want to remove the selinux attribute from everything on my system. |
dasbear n00b
Joined: 21 Jul 2002 Posts: 33 Location: Dallas, TX
Posted: Sun Dec 03, 2006 7:06 am Post subject: Found a kludge to unlabel everything |
I emerged selinux-base-policy and that brought along policycoreutils, which has rmfilecon.
Code:
```
$ sudo find / -fstype xfs | awk '{printf "rmfilecon \"%s\"\n",$0}' > unlabel-selinux
$ sudo bash unlabel-selinux
```
Took a while, but it did it.
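
An added example, not part of dasbear's post: the kludge above writes every path into a script that root's bash then parses, so a file name containing `"`, `$(...)` or a backtick is read as shell syntax rather than as a name. The sketch below does the same walk but hands each path to the command through `find -exec`. The names `unlabel_tree` and `demo` and the scratch tree are constructed for illustration; `rmfilecon` and `-fstype xfs` are taken from the post.

```shell
#!/bin/sh
# Added example (not from the thread): each path reaches the command as a
# single argv entry, so no shell ever re-parses a file name.

# unlabel_tree ROOT FSTYPE CMD [ARGS...]
#   ROOT    directory to walk (the post used /)
#   FSTYPE  filesystem type to restrict to (the post used xfs); "" = any
#   CMD     command run once per path (the post used rmfilecon)
unlabel_tree() {
    root=$1 fstype=$2
    shift 2
    if [ -n "$fstype" ]; then
        # -fstype is a GNU find test, as in the original command
        find "$root" -fstype "$fstype" -exec "$@" {} \;
    else
        find "$root" -exec "$@" {} \;
    fi
}

# Constructed demo: a scratch tree with awkward names, and printf standing
# in for rmfilecon so nothing on the real system is touched.
# Prints "<paths handed to the command> <yes|no: was a name executed?>".
demo() (
    d=$(mktemp -d) && cd "$d" || exit 1
    mkdir tree
    : > 'tree/plain'
    : > 'tree/has "quotes" and spaces'
    : > 'tree/$(touch marker)'
    # One output line per path: the directory itself plus three files.
    count=$(unlabel_tree tree "" printf '%s\n' | wc -l | tr -d ' ')
    # If any name had been evaluated by a shell, ./marker would now exist.
    if [ -e marker ]; then leaked=yes; else leaked=no; fi
    cd / && rm -rf "$d"
    echo "$count $leaked"
)

# Real use, run as root, equivalent to the two commands in the post:
#   unlabel_tree / xfs rmfilecon
```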
sanmartin Tux's lil' helper
Joined: 10 Aug 2005 Posts: 138 Location: Massachusetts
Posted: Mon Dec 04, 2006 1:49 pm Post subject: |
> Kosa wrote:
> Here we go:
> Code:
> ```
> # equery b /etc/security/selinux
> [ Searching for file(s) /etc/security/selinux in *... ]
> sec-policy/selinux-base-policy-20051022-r1 (/etc/security/selinux)
> sec-policy/selinux-mysql-20051122 (/etc/security/selinux)
> sec-policy/selinux-screen-20050821 (/etc/security/selinux)
> sec-policy/selinux-sudo-20050716 (/etc/security/selinux)
> sec-policy/selinux-postfix-20051023 (/etc/security/selinux)
> sec-policy/selinux-ftpd-20050903 (/etc/security/selinux)
> sec-policy/selinux-apache-20050211 (/etc/security/selinux)
> sec-policy/selinux-postgresql-20050813 (/etc/security/selinux)
> sec-policy/selinux-gnupg-20050823 (/etc/security/selinux)
> sec-policy/selinux-clamav-20050712 (/etc/security/selinux)
> ```
> I followed this: http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml

You seem to have a much older version of selinux-base-policy than me... I'm running 20061114, and it doesn't contain /etc/security/selinux/
I've been pointed at the setfiles command, which seems to do exactly what I want, but what spec_file do I point it at? For that matter, can I even do it before my initial boot or will I need to disable selinux first? I'm currently booted off the live cd (no selinux module) since udev seems to explode every time I start the system normally. I suspect it's very sad about the lack of security labels on the volume. |
sanmartin Tux's lil' helper
Joined: 10 Aug 2005 Posts: 138 Location: Massachusetts
Posted: Fri Dec 08, 2006 2:51 pm Post subject: |
I finally found my answer. On RHEL5 (and probably 4) there is a relabel command included with policycoreutils. If you look closely in the ebuild for policycoreutils, there is a comment that says something like "rlpkg is better than relabel", followed by a line that disables building relabel. So all I had to do was:
And everything seems to be labeled now.
Next problem to solve is the udev netlink error. Still not sure what's causing that. |
richard.scott Veteran
Joined: 19 May 2003 Posts: 1497 Location: Oxfordshire, UK
Posted: Fri Dec 22, 2006 10:39 am Post subject: |
> Next problem to solve is the udev netlink error. Still not sure what's causing that.

Does your system display loads of selinux policy errors shortly after booting the initramfs? |
sanmartin Tux's lil' helper
Joined: 10 Aug 2005 Posts: 138 Location: Massachusetts
Posted: Fri Dec 22, 2006 12:45 pm Post subject: |
No, it turned out that my problem wasn't even related to selinux. I had accidentally deleted the contents of /dev/ that had been extracted from the stage 1 tarball, which caused udev to freak when it couldn't open /dev/null. Here is the thread with the problem and solution |