File Alan_Rouse-openSUSE_with_SELinux.txt of Package selinux-policy

openSUSE with SELinux
~~~~~~~~~~~~~~~~~~~~~

The following procedure describes a way to create a system from openSUSE 11.3
installation media, with SELinux enabled and enforcing, and to produce the
necessary RPMs for creating other instances.

Be careful not to skip steps.

Ignore the error message "libsemanage.dbase query: could not query record value ..."
which appears in several of the steps below.

1. Install a default openSUSE 11.3 system (with KDE)
2. Kickoff Launcher -> Computer -> Install/Remove Software
   * Search tab; enter "selinux" (select Name, Keywords, Summary checkboxes)
     and click Search button
   * Right mouse -> All in this List -> Install
   * Click Accept button
   * Accept the automatic changes (click Continue)
3. Install utilities required for this procedure
   * Open terminal
   * Log in as root (su)
   * zypper install make m4 gcc patch git
   * usermod -s /sbin/nologin nobody
4. Build the SELinux policy from source
   * Get and install selinux-policy-05042010-1.src.rpm
   * cd /usr/src/packages/SPECS/
   * rpmbuild -ba selinux-policy.spec
   * cd /usr/src/packages/RPMS/noarch
   * rpm -i selinux-policy-05042010-1.noarch.rpm
   * rpm -i selinux-policy-targeted-05042010-1.noarch.rpm
   -- OR, if you already have the two rpms built,
      just install them and skip the above steps
5. Edit /etc/selinux/config
   * set SELINUX=permissive
   * set SELINUXTYPE=targeted
6. Turn on SELinux in permissive mode from the grub boot line
   * vi /boot/grub/menu.lst
   * insert "3" for runlevel 3 after the kernel parameter,
     and at the end "security=selinux selinux=1 enforcing=0"
   * reboot and log in to runlevel 3
7. Perform the configuration required for SELinux
   * semanage login -a -s sysadm_u root
   * semanage login -a -s user_u <unprivileged-user>
   * fixfiles -F relabel
     ... it does not matter whether or not you ask it to clear out files from /tmp
   * vi /etc/init.d/boot
     * insert "restorecon -R /dev" as line 132
   * pam-config -d --debug --apparmor
   * pam-config -a --debug --selinux
   * Now fix su, since pam-config incorrectly adds pam_selinux.so to su
   * cd /etc/pam.d/
   * cp common-session common-session-su
   * vi common-session-su
     - and delete the two lines containing 'pam_selinux'
   * vi su
     - and change 'common-session' to 'common-session-su'
   * edit /boot/grub/menu.lst
     - remove the "3" so it will boot to desktop
   * rm /var/log/messages; rm /var/log/audit/audit.log
8. Reboot
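
The script below is an added example, not part of the original procedure or of the selinux-policy package. It re-checks the files edited in steps 5 to 7, so a skipped step shows up before the system is used as a template. The ROOT argument, the function names and the script name audit.sh are assumptions, and SELINUX=enforcing is accepted alongside the permissive value set in step 5.

```shell
#!/bin/sh
# Added example, not part of the original procedure. ROOT is an assumed
# parameter: empty for the live system, or the mount point of an image.

# Print the value of KEY from a KEY=value file, skipping comment lines.
conf_value() {  # usage: conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" 2>/dev/null | tail -n 1
}

# Step 6: at least one kernel line carries both SELinux boot arguments.
grub_selinux_ok() {  # usage: grub_selinux_ok MENU_LST
    grep -E '^[[:space:]]*kernel[[:space:]]' "$1" 2>/dev/null |
        grep -E '[[:space:]]security=selinux([[:space:]]|$)' |
        grep -Eq '[[:space:]]selinux=1([[:space:]]|$)'
}

# Step 7: su uses common-session-su, and that copy has no pam_selinux line.
pam_su_ok() {  # usage: pam_su_ok PAM_DIR
    [ -f "$1/common-session-su" ] && [ -f "$1/su" ] || return 1
    grep -v '^[[:space:]]*#' "$1/common-session-su" | grep -q 'pam_selinux' && return 1
    grep -v '^[[:space:]]*#' "$1/su" | grep -Eq 'common-session([[:space:]]|$)' && return 1
    grep -v '^[[:space:]]*#' "$1/su" | grep -q 'common-session-su'
}

# Run every check, report each failure, return non-zero if any failed.
audit_selinux_setup() {  # usage: audit_selinux_setup [ROOT]
    root=${1:-}
    rc=0
    mode=$(conf_value "$root/etc/selinux/config" SELINUX)
    case $mode in
        permissive|enforcing) ;;
        *) echo "FAIL: SELINUX='$mode' in /etc/selinux/config"; rc=1 ;;
    esac
    [ "$(conf_value "$root/etc/selinux/config" SELINUXTYPE)" = targeted ] ||
        { echo "FAIL: SELINUXTYPE is not targeted"; rc=1; }
    grub_selinux_ok "$root/boot/grub/menu.lst" ||
        { echo "FAIL: no kernel line with security=selinux selinux=1"; rc=1; }
    pam_su_ok "$root/etc/pam.d" ||
        { echo "FAIL: su does not use a pam_selinux-free common-session-su"; rc=1; }
    return $rc
}

# Audit only when asked, e.g.: sh audit.sh --run /mnt/image
if [ "${1:-}" = "--run" ]; then audit_selinux_setup "${2:-}"; fi
```

Run it as root with "--run" alone to audit the live system; the file checks say nothing about labeling, so confirm the result of "fixfiles -F relabel" separately.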