Dear SELinux Gurus,

I am a PhD candidate conducting research into the usability of security mechanisms. I would really appreciate some help regarding the use of SELinux. Let me know if this is not the right place to be asking these types of questions.

I generated a policy for opera using polgengui. I then ran the generated ./opera.sh.

Although SELinux was still set to enforcing mode opera seemed to run unconfined. The executable and process was labelled as expected (unconfined_u:unconfined_r:opera_t). AVCs were generated, but not enforced.

I added to opera.te using
grep opera /var/log/audit/audit.log | audit2allow >> opera.te
and reran ./opera.sh
until no AVCs were generated.

Looking at opera.te I noticed the line “permissive opera_t”, and not knowing exactly what this line does, I thought it may be placing this domain into permissive mode (although the gui tools suggest otherwise). Removing the line causes “/bin/sh: /usr/bin/opera: Permission denied”. No AVCs are generated.

So I am not sure why opera seams to be unconfined, or if removing the permissive line was on the right track. Any advice?

Also I tried creating a policy for kwrite. This time the created policy seemed to be in effect as soon as I ran the kwrite.sh script. I set setenforce 0 and added to kwrite.te (as above for opera) until no error msgs were generated. Then I reran ./kwrite.sh. Now kwrite exists with “kwrite(2533): Couldn’t register name ‘”org.kate-editor.kwrite-2533’” with DBUS – another process owns it already!”. When setenforce 0 it runs without AVCs.

Again I am sure I am missing something simple and your advice will help a lot.

I need to resolve this asap and will really appreciate any advice.

Soon I will be running a comparative study comparing a number of security mechanisms and I need to sort this out.

Thank you,

Cliffe.