
Firefox fullscreen kiosk machine

December 10th, 2005
Update (2 Dec 2005): the kiosk extension is broken; I'm now using a hacked browser.jar (version 1.0.7). I made a few changes to xinitrc-common as well.

Simple kiosk implementation, not entirely thorough, but enough for our purposes. The machine boots and gdm logs into a user without a password; firefox starts fullscreen and opens our homepage. Simple to implement.

Replacing selinux policy

December 6th, 2005

Make a backup of the current binary policy, copy the new one into place, give it the policy_config_t context, check that the existing file_contexts still validate against the new policy (setfiles -c), and then load it:

[root@surrey policy]# mv /etc/selinux/targeted/policy/policy.18 /etc/selinux/targeted/policy/policy.18.orig
[root@surrey policy]# cp new/policy.18 /etc/selinux/targeted/policy/
[root@surrey policy]# chcon system_u:object_r:policy_config_t /etc/selinux/targeted/policy/policy.18
[root@surrey policy]# /usr/sbin/setfiles -q -c /etc/selinux/targeted/policy/policy.18 /etc/selinux/targeted/contexts/files/file_contexts
[root@surrey policy]# load_policy /etc/selinux/targeted/policy/policy.18

Check that the kernel actually loaded the policy: a granted load_policy AVC message and the new policy's statistics should appear in /var/log/messages:

[root@surrey policy]# tail -100 /var/log/messages | grep security
Dec  6 11:39:49 surrey kernel: audit(1133887189.765:3): avc:  granted  { load_policy } for  pid=4407
comm="load_policy" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t
tclass=security
Dec  6 11:39:49 surrey kernel: security:  3 users, 4 roles, 349 types, 25 bools
Dec  6 11:39:49 surrey kernel: security:  55 classes, 18748 rules

SELinux targeted preventing gnome-volume-manager from automounting filesystems

December 6th, 2005

Symptom:

[user@surrey ~]: gnome-volume-manager
** (gnome-volume-manager:10207): WARNING **: manager.c/912: failed to initialize HAL!

Generate allow rules from the AVC denials recorded in the log using audit2allow:

[root@surrey ~]# audit2allow -i /var/log/messages
allow initrc_t unconfined_t:dbus send_msg;
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
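What audit2allow is doing with those log lines, as an added illustration in Python (this is not the audit2allow of the original post, nor code from it): every AVC denial carries a source context, a target context, an object class and the permissions that were refused. The tool keeps only the type field of each context (user:role:type), groups denials by (source type, target type, class) and unions the permissions into one allow rule per group. The log lines below are constructed to reproduce the two rules above; the risky_rules helper is an assumption of mine rather than anything audit2allow provides, a reminder that the tool will turn any denial it sees into an allow rule, including ones against the security or capability classes that should not end up in local.te without a second look.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the 2005-era syslog/AVC format (not taken
# from the page). The comm field is truncated to 15 characters by the kernel.
# The granted load_policy line and the "security:" summary line are included
# to show that only denials are turned into rules.
SAMPLE_LOG = """\
Dec  6 11:20:01 surrey kernel: audit(1133886001.123:1): avc:  denied  { send_msg } for  pid=10207 comm="dbus-daemon" scontext=user_u:system_r:initrc_t tcontext=user_u:system_r:unconfined_t tclass=dbus
Dec  6 11:20:01 surrey kernel: audit(1133886001.124:2): avc:  denied  { acquire_svc } for  pid=10208 comm="gnome-volume-ma" scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:initrc_t tclass=dbus
Dec  6 11:20:02 surrey kernel: audit(1133886002.200:3): avc:  denied  { send_msg } for  pid=10208 comm="gnome-volume-ma" scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:initrc_t tclass=dbus
Dec  6 11:39:49 surrey kernel: audit(1133887189.765:4): avc:  granted  { load_policy } for  pid=4407 comm="load_policy" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Dec  6 11:40:00 surrey kernel: security:  3 users, 4 roles, 349 types, 25 bools
"""

# A constructed denial against the security class, used to show the review check.
RISKY_LINE = (
    'Dec  6 11:41:10 surrey kernel: audit(1133887270.001:5): avc:  denied  { setenforce } for  pid=4410 '
    'comm="setenforce" scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:security_t tclass=security\n'
)

# Matches only "denied" AVC records; "granted" records are deliberately skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Classes that a local.te should almost never widen; hypothetical review list.
RISKY_CLASSES = {"security", "capability", "process"}


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return parts[2]


def collect_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (granted records, kernel summaries, noise)
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def allow_rules(denials):
    """Render one TE allow rule per (source, target, class) group, sorted."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_str))
    return rules


def risky_rules(rules):
    """Flag generated rules whose object class is on the review list."""
    return [r for r in rules if r.split(":")[1].split()[0] in RISKY_CLASSES]


def local_te(log_text):
    """Produce the text that would go into local.te for the given log."""
    return "\n".join(allow_rules(collect_denials(log_text))) + "\n"


if __name__ == "__main__":
    print(local_te(SAMPLE_LOG), end="")
    for rule in risky_rules(allow_rules(collect_denials(SAMPLE_LOG + RISKY_LINE))):
        print("REVIEW: " + rule)
```

Running it prints the same two rules as the audit2allow run above; with the extra constructed denial appended it also flags the rule against the security class, which is exactly the kind of line one should not paste into local.te just because a denial was logged.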

Install policy source rpm

[root@surrey ~]# yum install selinux-policy-targeted-sources

Add the generated rules to local.te (after reading them: audit2allow turns every denial it finds into an allow rule, so only the ones you actually intend should go in) and rebuild the policy:

[root@surrey ~]# pushd /etc/selinux/targeted/src/policy/domains/misc/
/etc/selinux/targeted/src/policy/domains/misc ~
[root@surrey misc]# cat <<EOF >local.te
> allow initrc_t unconfined_t:dbus send_msg;
> allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
> EOF
[root@surrey misc]# popd
~
[root@surrey ~]# pushd /etc/selinux/targeted/src/policy/
/etc/selinux/targeted/src/policy ~
[root@surrey policy]# make install
mkdir -p tmp
m4 -Imacros -s flask/security_classes flask/initial_sids flask/access_vectors tunables/distro.tun
tunables/tunable.tun attrib.te tmp/program_used_flags.te macros/program/apache_macros.te
... > policy.conf.tmp
mv policy.conf.tmp policy.conf
mkdir -p /etc/selinux/targeted/policy
/usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18 policy.conf
/usr/bin/checkpolicy:  loading policy configuration from policy.conf
security:  3 users, 4 roles, 349 types, 25 bools
security:  55 classes, 18748 rules
/usr/bin/checkpolicy:  policy configuration loaded
/usr/bin/checkpolicy:  writing binary representation (version 18) to /etc/selinux/targeted/policy/policy.18
Building file_contexts ...
install -m 644 file_contexts/file_contexts /etc/selinux/targeted/contexts/files/file_contexts
Validating file_contexts ...
/usr/sbin/setfiles -q -c /etc/selinux/targeted/policy/policy.18 /etc/selinux/targeted/contexts/files/file_contexts
[root@surrey policy]#

Start gnome-volume-manager manually to confirm that it can now talk to HAL and mount the device:

[user@surrey ~]: gnome-volume-manager
manager.c/978: mount_all: mounting /dev/sda1
manager.c/834: Mounted: /org/freedesktop/Hal/devices/block_7DC6-5886