i have selinux enabled on my system, installed all needed pkgs, policy and …
in the boot process i get some messages about selinux avc denied for systemd-udevd and e.g.
this happens in enforcing mode. whay should i do? i just don’t want to solve this by disabling selinux because i need it.
You’ll have to describe exactly what you did to switch from AppArmor to SElinux (you can’t have both running same time) and the guide you’re following to do the switchover, setup and configuration.
Have you run your system in “complain” mode?
You’re supposed to do that to identify your problems and test fixes before you set “Enforce” mode.
You may work together with others to provide working policy or wait until someone does it.
there are some policies in security:/selinux repo.
We have to assume that you’ve read this: <https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.selinux.html>.
- Please note that, either the less complete and less complex alternative, AppArmor
can be used or, SELinux can be used but, not both …
And, that you’ve taken notice of the following text:
This means that on a system that has SELinux enabled and nothing else configured, nothing will work. To allow your system to do anything, as an administrator you will need to write rules and put them in a policy.
And, that you’ve taken notice of this: <https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.selinux.html#sec.selinux.compilepolicy>.
- The minimum openSUSE SELinux reference policy …
You should also take note of the output of “sudo sestatus -v” to verify that, you’ve at least got to the point where your system is running in “permissive” mode.
[HR][/HR]Once you’ve got your openSUSE SELinux system up and running in the “permissive” mode, you’re on your own.
- Security at SELinux level is very much a per-system issue and, there ain’t any universal solutions …
do you see anything wrong in these two? what does “*unconfined” *mean? how to correct it? and i can’t correct labels for /proc and /selinux. see these please.
Seems to be OK for the case of an initial “permissive” system.
- You now have to define which security you need and then, apply the appropriate configuration rules.
- Please be aware that, SELinux is not forgiving – any mistakes made, may well lead to a system which can not be accessed in any way at all …