SELinux on Wheezy

So, Collier Technologies LLC needs to pass annual audits to operate a certification authority recognized by the SoS. To this end, I’m working with the fine group of developers who maintain SELinux. It seems that the configuration of Xorg that I’m using while typing this here blog post does not have a policy set up for it in the Debian packages. Or if it does, I don’t know enough about it to figure it out.

I’ve been keeping logs and publishing them here:

I’ll update this post as progress is made.

[edit 20120608T1042]

It looks like loading all .pp files (except alsa) makes X run:

cjac@foxtrot:/usr/share/selinux/default$ time sudo \
semodule -i `ls *.pp | grep -v -e 'base.pp' -e 'alsa.pp'`

real	0m24.148s
user	0m23.249s
sys	0m0.628s

I had to boot into single user mode and load the policies before switching to runlevel 2. To get the kernel args added to the grub command line, I modified /etc/default/grub to include this line:

cjac@foxtrot:/usr/share/selinux/default$ grep -i selinux /etc/default/grub
GRUB_CMDLINE_LINUX=" selinux=1 security=selinux"

Next steps:

[edit 20120208T1305]

It looks like the seinfo package has not been updated in the last 18 months.

cjac@foxtrot:/usr/src/git/debian/setools$ grep url .git/config 
	url = git://
cjac@foxtrot:/usr/src/git/debian/setools$ git log | head -4
commit 22a5d3e451d8a1e60a3c746466c865e63089a92a
Merge: fa238f0 149e283
Author: Manoj Srivastava 
Date:   Tue Jul 20 23:10:06 2010 -0700

[edit 20120208T1346]

Stephen tells me that the modules are persistent across re-boots.

> What's the best way to do this at boot?

You just do it once and it remains until/unless you remove it with
semodule -r.  No need to do it on each boot.  Normally it is done when
you install the policy package, but since your policy package apparently
didn't install all modules, I'm suggesting that you do so manually.  
This entry was posted in 19.34 RCW, colliertech, debian, F5 Networks, feds, Free Software, investment, nsa, security, SELinux, wheezy, xorg. Bookmark the permalink.

Leave a Reply