First let me say that seinit is a great idea. It'll make working on the
policy a little more convenient.

I just tried it, however, and it didn't work. All the really useful error
messages zipped by too fast to read, but as far as I could tell the policy
loaded but everything after that failed due to permission denied.

I tried re-labeling seinit so its context type was init_exec_t instead of
sbin_t but that didn't work.

Is there a policy change needed for this to work?

-Tad

> -----Original Message-----
> From: Chris PeBenito [mailto:pebenito@g.o]
> Sent: Monday, November 24, 2003 10:15 AM
> To: Hardened Gentoo Mail List
> Subject: [gentoo-hardened] Non-initrd SELinux initial policy loading
>
> For those interested in not using the initrd for doing the initial
> SELinux policy load, it's now possible. For those who still want to
> continue to use the initrd, you can simply ignore this email.
> /sbin/seinit will load the policy, and then exec the real init
> (/sbin/init). No more forgetting to regenerate the initrd :) . If you
> choose to not use the initrd anymore, you can also unmerge mkinitrd.
>
> Instructions:
> 1. make sure you have policycoreutils-1.2-r2 (/sbin/seinit should exist)
> 2. remove the initrd line from your bootloader, and add
> init=/sbin/seinit to the kernel command line.
>
> GRUB Example:
>
> title=linux
> root (hd0,0)
> kernel /bzImage root=/dev/hda3 init=/sbin/seinit gentoo=nodevfs
>
>
> LILO Example:
>
> image=/boot/bzImage
> label=linux
> read-only
> root=/dev/hda3
> append="init=/sbin/seinit gentoo=nodevfs"
>
>
> --
> Chris PeBenito
> <pebenito@g.o>
> Developer,
> Hardened Gentoo Linux
> Embedded Gentoo Linux
>
> Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
> Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243

--
gentoo-hardened@g.o mailing list