[DSE-Dev] Tag latest bunch of selinux BRs
David Härdeman
david at hardeman.nu
Wed Nov 8 00:43:10 CET 2006
user selinux-devel at lists.alioth.debian.org
usertags #397476 selinux
usertags #397523 selinux
usertags #397525 selinux
usertags #397528 selinux
thanks
Manoj, Erich,
I recently started playing with SELinux and I'm now trying to reduce the
number of audit messages I get from a regular boot before I dare try out
enforcing mode.
If I've understood things correctly, during the initramfs stage (an
initramfs image built using initramfs-tools that is), a lot of device
nodes are created in /dev which is later moved over to /dev on the root
filesystem.
However, since those nodes are created before any policy is loaded,
they'll not get the correct contexts.
That's sorted out later during the rcS stage of the boot, but by then I
already had some warnings, especially wrt. mount and some of the LVM
nodes created during the initramfs stage.
I've made a couple of patches based on my limited understanding of
SELinux so far (see above list), but it'd be good if either of you could
take a brief look at them to make sure that I haven't messed up.
With those patches applied I'm now down to four audit messages:
* One at the beginning, while /dev/console still has the generic
  system_u:object_r:tmpfs_t context (not sure how to get rid of it since
  even running restorecon /dev/console will in itself trigger the audit
  message)
* Two from HAL trying to create a .hal-mtab-lock file in /media
* One from ssh:ing to other machines (most probably my SELinux
  inexperience showing here)
So overall things look pretty good :)
Thanks for your efforts so far...
--
David Härdeman
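
Added example, not part of the original message or its patches: a small Python filter that picks out AVC denials whose target is a device node still carrying the generic tmpfs_t type, i.e. the nodes created in the initramfs before any policy was loaded. The log lines, process names and domain types in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (assumed values, not taken from the post).
SAMPLE_LOG = """\
audit(1162942990.101:3): avc:  denied  { read write } for  pid=412 comm="mount" name="console" dev=tmpfs ino=1021 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:tmpfs_t tclass=chr_file
audit(1162942990.350:4): avc:  denied  { getattr } for  pid=433 comm="lvm" name="vg0-root" dev=tmpfs ino=1188 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t tclass=blk_file
audit(1162942995.702:9): avc:  denied  { write } for  pid=2101 comm="hald" name="media" dev=dm-0 ino=48 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:mnt_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
DEVICE_CLASSES = {"chr_file", "blk_file"}  # object classes used for device nodes

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {}
    for kv in m.group("fields").split():
        if "=" in kv:
            k, v = kv.split("=", 1)
            rec[k] = v.strip('"')
    rec["perms"] = m.group("perms").split()
    return rec

def context_type(ctx):
    """Extract the type from user:role:type[:level]; empty string if malformed."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""

def mislabeled_device_nodes(log_text, generic_type="tmpfs_t"):
    """Map device node name -> sorted commands denied access while it was unlabeled."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec.get("tclass") in DEVICE_CLASSES
                and context_type(rec.get("tcontext", "")) == generic_type):
            hits[rec.get("name", "?")].add(rec.get("comm", "?"))
    return {name: sorted(cmds) for name, cmds in hits.items()}

if __name__ == "__main__":
    for name, cmds in mislabeled_device_nodes(SAMPLE_LOG).items():
        print(f"{name}: still tmpfs_t when accessed by {', '.join(cmds)}")
```

Denials on other object classes, such as the directory write in the third sample line, are left out because they are not caused by nodes created before policy load.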