So, Collier Technologies LLC needs to pass annual audits to operate a certification authority recognized by the SoS. To this end, I’m working with the fine group of developers who maintain SELinux. It seems that the configuration of Xorg that I’m using while typing this here blog post does not have a policy set up for it in the Debian packages. Or if it does, I don’t know enough about it to figure it out.
I’ve been keeping logs and publishing them here:
I’ll update this post as progress is made.
It looks like loading all .pp files (except alsa) makes X run:
cjac@foxtrot:/usr/share/selinux/default$ time sudo \ semodule -i `ls *.pp | grep -v -e 'base.pp' -e 'alsa.pp'` real 0m24.148s user 0m23.249s sys 0m0.628s
I had to boot into single user mode and load the policies before switching to runlevel 2. To get the kernel args added to the grub command line, I modified /etc/default/grub to include this line:
cjac@foxtrot:/usr/share/selinux/default$ grep -i selinux /etc/default/grub GRUB_CMDLINE_LINUX=" selinux=1 security=selinux"
It looks like the seinfo package has not been updated in the last 18 months.
cjac@foxtrot:/usr/src/git/debian/setools$ grep url .git/config url = git://git.debian.org/git/users/srivasta/debian/setools.git cjac@foxtrot:/usr/src/git/debian/setools$ git log | head -4 commit 22a5d3e451d8a1e60a3c746466c865e63089a92a Merge: fa238f0 149e283 Author: Manoj Srivastava
Date: Tue Jul 20 23:10:06 2010 -0700
Stephen tells me that the modules are persistent across re-boots.
> What's the best way to do this at boot? You just do it once and it remains until/unless you remove it with semodule -r. No need to do it on each boot. Normally it is done when you install the policy package, but since your policy package apparently didn't install all modules, I'm suggesting that you do so manually.