[DSE-Dev] Tag latest bunch of selinux BRs

David Härdeman david at hardeman.nu
Wed Nov 8 00:43:10 CET 2006


user selinux-devel at lists.alioth.debian.org
usertags #397476 selinux
usertags #397523 selinux
usertags #397525 selinux
usertags #397528 selinux
thanks

Manoj, Erich,

I recently started playing with SELinux and I'm now trying to reduce the 
number of audit messages I get from a regular boot before I dare try out 
enforcing mode.

If I've understood things correctly, during the initramfs stage (an 
initramfs image built using initramfs-tools that is), a lot of device 
nodes are created in /dev which is later moved over to /dev on the root 
filesystem.

However, since those nodes are created before any policy is loaded, 
they'll not get the correct contexts.

That's sorted out later during the rcS stage of the boot, but by then I 
already had some warnings, especially wrt. mount and some of the LVM 
nodes created during the initramfs stage.

I've made a couple of patches based on my limited understanding of 
SELinux so far (see above list), but it'd be good if either of you could 
take a brief look at them to make sure that I haven't messed up.

With those patches applied I'm now down to four audit messages:

* One at the beginning, while /dev/console still has the generic 
  system_u:object_r:tmpfs_t context (not sure how to get rid of that, since 
  even running restorecon /dev/console will in itself trigger the audit 
  message)

* Two from HAL trying to create a .hal-mtab-lock file in /media

* One from ssh-ing to other machines (most probably my SELinux 
  inexperience showing here)

So overall things look pretty good :)

Thanks for your efforts so far...

-- 
David Härdeman
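An added triage helper for the kind of audit-message reduction the post above describes; it is example code written for this page, not code from the poster or from the Debian SELinux packages. It parses AVC records of the form emitted by the kernel (`avc: denied { perms } for pid=... scontext=... tcontext=... tclass=...`), aggregates the distinct denials so repeated hits from one cause show up once, and flags the pattern the post describes: a device node that still carries the tmpfs_t type because it was created in /dev before the policy was loaded. The sample log lines are constructed for the example, and the domain and type names in them (init_t, mount_t, hald_t, mnt_t) are illustrative, not taken from the post.

```python
import re
from collections import Counter

# Matches the AVC body that follows "avc:" in dmesg / auditd output.
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
# key=value pairs after "for"; values may be quoted (comm="init") or bare (pid=1).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not real log output) covering the cases in the post:
# an early /dev/console access, mount touching an LVM node, and two HAL lock-file
# attempts, plus an unrelated SYSCALL record that must be ignored.
SAMPLE_LOG = [
    'type=AVC msg=audit(1162941790.123:4): avc:  denied  { read write } for  pid=1 '
    'comm="init" name="console" dev=tmpfs ino=5 scontext=system_u:system_r:init_t '
    'tcontext=system_u:object_r:tmpfs_t tclass=chr_file',
    'type=AVC msg=audit(1162941790.456:7): avc:  denied  { getattr } for  pid=812 '
    'comm="mount" path="/dev/mapper/vg0-root" dev=tmpfs ino=91 '
    'scontext=system_u:system_r:mount_t tcontext=system_u:object_r:tmpfs_t tclass=blk_file',
    'type=AVC msg=audit(1162941801.001:12): avc:  denied  { create } for  pid=1390 '
    'comm="hald" name=".hal-mtab-lock" scontext=system_u:system_r:hald_t '
    'tcontext=system_u:object_r:mnt_t tclass=file',
    'type=AVC msg=audit(1162941801.002:13): avc:  denied  { create } for  pid=1390 '
    'comm="hald" name=".hal-mtab-lock" scontext=system_u:system_r:hald_t '
    'tcontext=system_u:object_r:mnt_t tclass=file',
    'type=SYSCALL msg=audit(1162941801.002:13): arch=c000003e syscall=2 success=no exit=-13',
]


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    result, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {"result": result, "perms": frozenset(perms.split()), **fields}


def context_type(ctx):
    """Extract the type field (third colon-separated component) of a security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""


def likely_unlabeled_dev_node(rec):
    """Heuristic for the post's case: a device node still typed tmpfs_t was almost
    certainly created in /dev before the policy was loaded and never relabeled."""
    return (rec.get("tclass") in ("chr_file", "blk_file")
            and context_type(rec.get("tcontext", "")) == "tmpfs_t")


def summarize(lines):
    """Count distinct denials keyed by (scontext, tcontext, tclass, permissions)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec.get("scontext"), rec.get("tcontext"), rec.get("tclass"),
               tuple(sorted(rec["perms"])))
        counts[key] += 1
    return counts


def unlabeled_dev_denials(lines):
    """Return the parsed denials that match the pre-policy /dev node pattern."""
    recs = (parse_avc(line) for line in lines)
    return [r for r in recs if r is not None and r["result"] == "denied"
            and likely_unlabeled_dev_node(r)]


if __name__ == "__main__":
    for (sctx, tctx, tclass, perms), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {sctx} -> {tctx} {tclass} {{ {' '.join(perms)} }}")
    for r in unlabeled_dev_denials(SAMPLE_LOG):
        print("relabel candidate:", r.get("path") or r.get("name"), r["tcontext"])
```

Denials that collapse into the same key are one policy or labeling problem, so the summary is the list to work through; the relabel candidates are the ones an earlier restorecon pass on /dev (after policy load, before the affected services start) would remove, whereas the HAL entries need a policy decision instead.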


