up2date, Large Medium and small updates....
by Tom Mitchell
Today up2date found a very long list of package updates
on rawhide 500+ for me.
Since the box is a test box ... I let it.
I am curious if labels/attributes on all the new files
will be correct for SELinux after this and other up2date (rpm)
actions (excluding changes to /etc/security/selinux/src/policy/....).
The more general question is that for Large Medium and small updates....
there may always be a question when one or more "makes" in the policy
area will be needed. Is there a good way to check... will make
check-all do the right thing?
cd /etc/security/selinux/src/policy
make ????? # lots of choices...
make relabel # necessary? when and how to check ...
Is it necessary/useful to do stuff like this before or after a reboot?
Is there a difference from vanilla in how promptly a reboot and other
housecleaning for SELinux is needed? i.e. will audit go nuts...
Also I have taken to adding an alternate boot section in
/boot/grub/grub.conf. Is this useful, useless, sane, silly,
underkill, overkill. Thus...:
title Fedora Core (2.6.3-2.1.246)
root (hd0,0)
kernel /vmlinuz-2.6.3-2.1.246 ro root=LABEL=/
initrd /initrd-2.6.3-2.1.246.img
title Fedora Core NoSELinux (2.6.3-2.1.246)
root (hd0,0)
kernel /vmlinuz-2.6.3-2.1.246 ro root=LABEL=/ selinux=0
initrd /initrd-2.6.3-2.1.246.img
Hmmm... too many questions for one subject line...
--
T o m M i t c h e l l
/dev/null the ultimate in secure storage.
mitch48-at-sbcglobal-dot-net
20 years, 1 month
possible pam issue
by Dennis Gilmore
I have set up the policy on my test desktop and today went to run up2date as
my user account. When prompted I entered my root password and got the
following error:
[dennis@asgard dennis]$ up2date
Could not set exec context to user_u:sysadm_r:sysadm_t.
It's the only problem I have had so far, though I need to read more of the
documentation yet to get down and dirty.
Dennis
20 years, 1 month
Installing new policy?
by Jeffrey C. Ollie
When new policy & policy-sources packages get downloaded and installed
from development, do I need to do:
cd /etc/security/selinux/src/policy
make load
make relabel
or is that only when first enabling SELinux?
Jeff
20 years, 1 month
Best way to get started?
by Dax Kelson
What do the RH folk recommend?
* Install FC2T1 and then "yum upgrade"?
* Perform a rawhide install?
Are there any "manual" steps required?
Dax Kelson
20 years, 1 month
what to do with AVCs
by Josh Boyer
What is the preferred way to report AVC messages? Should we open a bug for
each application and list the AVCs in there, or should we post them to the
list, etc?
Bugs would probably be the easiest to track and manage, since duplicates could
be marked as such. But then again, I can see lots of bugs being opened that
don't need to be...
What do the developers prefer?
josh
20 years, 1 month
initial steps
by Daniel Wittenberg
I'd like to start playing with this, and haven't worked with selinux at all.
Anyone know of a good quick-start guide?
Dan
20 years, 1 month
AVC denied messages from booting?
by Richard Hally
I'm running in SELinux permissive mode and after booting up to runlevel 5
and logging in, I look at /var/log/messages and see quite a few AVC denied
messages. Is this happening on other people's systems?
I have been downloading all the latest policy (and related) packages and the
rest of the /development tree for the last few weeks but it doesn't look
like there are fewer AVC denied messages each time I boot with each new
kernel and policy. Should I expect the default policy to allow me to boot an
"Everything installed" /development updated system with no AVC denied
messages? At some point in the near future?
More generally, what is the Red Hat plan and objective for developing the
policy they package?
Thanks for any help,
Richard Hally
20 years, 1 month
[Fedora-selinux-list] Initial Email
by Mike Chambers
Testing the list and initializing the archive list.
--
Mike Chambers
Madisonville, KY
"It's only funny until someone gets hurt...Then it's hilarious!"
20 years, 1 month
dmesg avcs
by Josh Boyer
This is my first stab at working with selinux, so be gentle ;).
I am getting these avc messages when I run dmesg:
avc: denied { use } for pid=2674 exe=/bin/dmesg path=/dev/pts/2 dev= ino=4
scontext=root:system_r:dmesg_t tcontext=jwboyer:user_r:user_t tclass=fd
avc: denied { read write } for pid=2674 exe=/bin/dmesg path=/dev/pts/2 dev=
ino=4 scontext=root:system_r:dmesg_t tcontext=root:object_r:user_devpts_t
tclass=chr_file
So in the dmesg.te file, I defined the following rules:
allow dmesg_t user_devpts_t:chr_file { read write getattr };
allow dmesg_t user_t:fd { use };
Does that look correct? From my understanding, the 2 rules I added allow the
dmesg_t domain read, write, and getattr access to pts char files...
josh
20 years, 1 month
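An added example (not part of the original post and not the code of any SELinux tool): a small pass in the manner of audit2allow over the two denials quoted above, deriving the allow rules the log actually supports and reporting any permission in a hand-written rule that no logged denial asked for. The function names are illustrative, and the sample log is the post's two messages re-joined onto single lines.

```python
import re
from collections import defaultdict

# The two denials quoted in the post, re-joined onto single lines.
SAMPLE_DMESG = """\
avc: denied { use } for pid=2674 exe=/bin/dmesg path=/dev/pts/2 dev= ino=4 scontext=root:system_r:dmesg_t tcontext=jwboyer:user_r:user_t tclass=fd
avc: denied { read write } for pid=2674 exe=/bin/dmesg path=/dev/pts/2 dev= ino=4 scontext=root:system_r:dmesg_t tcontext=root:object_r:user_devpts_t tclass=chr_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denied_access(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    access = defaultdict(set)
    for m in AVC_RE.finditer(log_text):
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        access[key].update(m["perms"].split())
    return dict(access)

def to_allow_rules(access):
    """Render the access map as sorted TE allow rules."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(access.items())
    ]

# Matches only the braced form "allow src tgt:class { perms };".
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+\{([^}]*)\}\s*;")

def beyond_denials(te_text, access):
    """Permissions in hand-written allow rules that no logged denial asked for."""
    extra = {}
    for s, t, c, perms in RULE_RE.findall(te_text):
        surplus = set(perms.split()) - access.get((s, t, c), set())
        if surplus:
            extra[(s, t, c)] = surplus
    return extra

if __name__ == "__main__":
    print("\n".join(to_allow_rules(denied_access(SAMPLE_DMESG))))
```

Passing the two rules from the post to `beyond_denials` reports `getattr` on `user_devpts_t:chr_file` as the one permission not backed by a logged denial.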
help! some avc messages...
by Rui Miguel Silva Seabra
Hi,
I'm terribly newbie in what relates to selinux. I understand the
concept but not the hows and whats.
I also confess I haven't really looked deeply into the matter since
for the time being I'm running fedora's 2.4 Linux, since X is nearly
useless for me with 2.6 due to the synaptics keyboard.
However, I decided to take a peek at the non-X parts, but things don't
look that pretty.
I installed FC1, then after some time I jumped into development, so I
have a fairly updated development package set.
I suspect that what might have happened is that some packages were
installed in an improper order so something may have been set in a bad
way.
How do I take care of the avc messages I'm catching for almost
anything? Follows a bzip2'ed dmesg from right after boot.
TIA, Rui
--
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?
Please AVOID sending me WORD, EXCEL or POWERPOINT attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
20 years, 1 month