I really like the SELinux in Fedora Core 3, and of course now that I use Ubuntu I can't just throw SELinux away!
zhuyu@phalaenopsis:~/selinux$ sudo dpkg -i selinux-policy-default_1.18-1_all.deb
(正在读取数据库 ... 系统当前总共安装有 73737 个文件和目录。)
正预备替换 selinux-policy-default 1:1.18-1 (使用 selinux-policy-default_1.18-1_all.deb) ...
正在解压缩将用于更替的包文件 selinux-policy-default ...
正在设置 selinux-policy-default (1.18-1) ...
/usr/bin/checkpolicy: loading policy configuration from policy.conf
domains/program/cups.te:245:ERROR 'unknown type rpm_var_lib_t' at token ';' on line 140849:
#line 245
allow cupsd_config_t rpm_var_lib_t:file { getattr read };
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [/etc/selinux/policy/policy.19] 错误 1
dpkg:处理 selinux-policy-default (--install)时出错:
子进程·post-installation script·返回了错误号·2
在处理时有错误发生:
selinux-policy-default
[Question] SELinux!
- 蝴蝶兰
- Posts: 202
- Registered: 2006-04-18 10:13
- From: china
- Contact:
I just ran into a problem while installing SELinux; take a look, everyone:
- 蝴蝶兰
- Posts: 202
- Registered: 2006-04-18 10:13
- From: china
- Contact:
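Actually, taken on its own, the error domains/program/cups.te:245:ERROR 'unknown type rpm_var_lib_t' at token ';' on line 140849: #line 245 is not much of a problem. Surprisingly few people seem to know about this trivial thing; you only need to comment out line 140849 of /etc/selinux/src/policy.conf. The error occurs because the versions of the various SELinux packages were not matched properly. So I downloaded the SELinux packages from Dapper. But the next problem was: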
正在解压缩将用于更替的包文件 selinux-policy-default ...
正在设置 selinux-policy-default (1.26-7) ...
cat: /selinux/policyvers: 没有那个文件或目录
Compiling policy ...
policyvers value 0 not in range 15-20
usage: /usr/bin/checkpolicy [-b] [-d] [-M] [-c policyvers (15-20)] [-o output_file] [input_file]
make: *** [/etc/selinux/./policy/policy.] 错误 1
dpkg:处理 selinux-policy-default (--install)时出错:
子进程·post-installation script·返回了错误号·2
在处理时有错误发生:
selinux-policy-default
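Setting up SELinux myself turns out to be this much trouble; it seems new releases really should include SELinux support by default :)
The Ubuntu I installed is the single-CD 5.10 downloaded from the Ubuntu home page.
The combination of packages I used to install SELinux, and the shell script I wrote: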
apt-get install m4 || exit 1
dpkg -i selinux-doc_1.24-1_all.deb || exit 1
dpkg -i selinux-utils_1.28-2ubuntu2_i386.deb || exit 1
dpkg -i libsepol1_1.10-1_i386.deb || exit 1
dpkg -i libsepol1-dev_1.10-1_i386.deb || exit 1
dpkg -i libsemanage1_1.4-3_i386.deb
dpkg -i python2.4-semanage_1.4-3_i386.deb
dpkg -i python2.4-selinux_1.28-2ubuntu2_i386.deb
dpkg -i policycoreutils_1.28-3_i386.deb
dpkg -i cron_3.0pl1-92ubuntu1_i386.deb
dpkg -i logrotate_3.7.1-2_i386.deb
dpkg -i sysv-rc_2.86.ds1-6ubuntu26_all.deb
dpkg -i sysvinit_2.86.ds1-6ubuntu26_i386.deb
dpkg -i checkpolicy_1.28-1_i386.deb
dpkg -i libselinux1_1.28-2ubuntu2_i386.deb || exit 1
dpkg -i libselinux1-dev_1.28-2ubuntu2_i386.deb || exit 1
dpkg -i libpam-modules_0.79-3ubuntu12_i386.deb || exit 1
dpkg -i sepol-utils_1.10-1_i386.deb || exit 1
dpkg -i selinux-policy-default_1.26-7_all.deb || exit 1
echo "安装Selinux成功!"
If anyone can see whether something here is wrong, I would appreciate some guidance!
- 蝴蝶兰
- Posts: 202
- Registered: 2006-04-18 10:13
- From: china
- Contact:
-
- Posts: 73
- Registered: 2006-05-12 13:15
- From: Harbin
- Contact:
The contents of the Kconfig under redflag:
config SECURITY_SELINUX
    bool "NSA SELinux Support"
    depends on SECURITY && NET
    default n
    help
      This selects NSA Security-Enhanced Linux (SELinux).
      You will also need a policy configuration and a labeled filesystem.
      You can obtain the policy compiler (checkpolicy), the utility for
      labeling filesystems (setfiles), and an example policy configuration
      from <http://www.nsa.gov/selinux/>.
      If you are unsure how to answer this question, answer N.

config SECURITY_SELINUX_BOOTPARAM
    bool "NSA SELinux boot parameter"
    depends on SECURITY_SELINUX
    default n
    help
      This option adds a kernel parameter 'selinux', which allows SELinux
      to be disabled at boot. If this option is selected, SELinux
      functionality can be disabled with selinux=0 on the kernel
      command line. The purpose of this option is to allow a single
      kernel image to be distributed with SELinux built in, but not
      necessarily enabled.
      If you are unsure how to answer this question, answer N.

config SECURITY_SELINUX_BOOTPARAM_VALUE
    int "NSA SELinux boot parameter default value"
    depends on SECURITY_SELINUX_BOOTPARAM
    range 0 1
    default 1
    help
      This option sets the default value for the kernel parameter
      'selinux', which allows SELinux to be disabled at boot. If this
      option is set to 0 (zero), the SELinux kernel parameter will
      default to 0, disabling SELinux at bootup. If this option is
      set to 1 (one), the SELinux kernel paramater will default to 1,
      enabling SELinux at bootup.
      If you are unsure how to answer this question, answer 1.

config SECURITY_SELINUX_DISABLE
    bool "NSA SELinux runtime disable"
    depends on SECURITY_SELINUX
    default n
    help
      This option enables writing to a selinuxfs node 'disable', which
      allows SELinux to be disabled at runtime prior to the policy load.
      SELinux will then remain disabled until the next boot.
      This option is similar to the selinux=0 boot parameter, but is to
      support runtime disabling of SELinux, e.g. from /sbin/init, for
      portability across platforms where boot parameters are difficult
      to employ.
      If you are unsure how to answer this question, answer N.

config SECURITY_SELINUX_DEVELOP
    bool "NSA SELinux Development Support"
    depends on SECURITY_SELINUX
    default y
    help
      This enables the development support option of NSA SELinux,
      which is useful for experimenting with SELinux and developing
      policies. If unsure, say Y. With this option enabled, the
      kernel will start in permissive mode (log everything, deny nothing)
      unless you specify enforcing=1 on the kernel command line. You
      can interactively toggle the kernel between enforcing mode and
      permissive mode (if permitted by the policy) via /selinux/enforce.

config SECURITY_SELINUX_AVC_STATS
    bool "NSA SELinux AVC Statistics"
    depends on SECURITY_SELINUX
    default y
    help
      This option collects access vector cache statistics to
      /selinux/avc/cache_stats, which may be monitored via
      tools such as avcstat.

config SECURITY_SELINUX_MLS
    bool "NSA SELinux MLS policy (EXPERIMENTAL)"
    depends on SECURITY_SELINUX && EXPERIMENTAL
    default n
    help
      This enables the NSA SELinux Multi-Level Security (MLS) policy in
      addition to the default RBAC/TE policy. This policy is
      experimental and has not been configured for use. Unless you
      specifically want to experiment with MLS, say N.
- hbj0331
- Posts: 78
- Registered: 2006-04-18 12:46
- From: Beijing
- Contact:
-
- Posts: 120
- Registered: 2005-11-26 19:01
- Contact:
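
Added example (not part of the original thread, and not code from the packages discussed in it): the second failure above, where /selinux/policyvers is missing and checkpolicy reports policyvers 0, can be diagnosed before installing the policy package by checking the kernel side first. The function names and the /boot/config-$(uname -r) path are assumptions; CONFIG_SECURITY_SELINUX is the build-time symbol for the SECURITY_SELINUX Kconfig entry quoted above.

```shell
#!/bin/sh
# Added example: preflight check before installing selinux-policy-default.
# Function names are hypothetical; paths are parameters so the check can be
# run against sample files.
# Usage (assumed Debian/Ubuntu config path):
#   selinux_preflight "/boot/config-$(uname -r)" /proc/cmdline /selinux/policyvers

# 0 if the kernel config file has CONFIG_SECURITY_SELINUX=y
kernel_has_selinux() {
    grep -q '^CONFIG_SECURITY_SELINUX=y$' "$1" 2>/dev/null
}

# 0 if selinux=0 appears on the kernel command line
selinux_boot_disabled() {
    [ -r "$1" ] || return 1
    tr ' ' '\n' < "$1" | grep -q '^selinux=0$'
}

# Print the kernel's policy version, or 0 when the selinuxfs node is missing
# (the value reported in the failing run above)
read_policyvers() {
    if [ -r "$1" ]; then cat "$1"; else echo 0; fi
}

# 0 if VERSION is inside the 15-20 range printed by checkpolicy's usage line
policyvers_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 15 ] && [ "$1" -le 20 ]
}

# Print one diagnosis line; return 0 only if policy compilation can proceed
selinux_preflight() {
    if ! kernel_has_selinux "$1"; then
        echo "kernel built without CONFIG_SECURITY_SELINUX"; return 1
    fi
    if selinux_boot_disabled "$2"; then
        echo "SELinux disabled by selinux=0 on the kernel command line"; return 1
    fi
    v=$(read_policyvers "$3")
    if ! policyvers_ok "$v"; then
        echo "policyvers $v not usable (selinuxfs not mounted on /selinux?)"; return 1
    fi
    echo "ok: kernel policy version $v"
}
```

The 15-20 range is the one printed by the checkpolicy build in this thread; other checkpolicy versions accept a different range.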