restorecon vs. setfiles
by Gary Peck
For some reason restorecon and setfiles have different notions of what
context certain files should be. For example:
# ls -Z /usr/lib/libz.*
-rwxr-xr-x+ root root system_u:object_r:lib_t /usr/lib/libz.a
lrwxrwxrwx+ root root system_u:object_r:lib_t /usr/lib/libz.so -> libz.so.1.2.1.1
lrwxrwxrwx root root system_u:object_r:lib_t /usr/lib/libz.so.1 -> libz.so.1.2.1.1
-rwxr-xr-x root root system_u:object_r:shlib_t /usr/lib/libz.so.1.2.1.1
# restorecon -v /usr/lib/libz.*
restorecon set context /usr/lib/libz.so->system_u:object_r:shlib_t
restorecon set context /usr/lib/libz.so.1->system_u:object_r:shlib_t
# setfiles -v /etc/security/selinux/file_contexts /usr/lib/libz.*
setfiles: read 1450 specifications
setfiles: labeling files under /usr/lib/libz.a
setfiles: hash table stats: 1 elements, 1/65536 buckets used, longest chain length 1
setfiles: labeling files under /usr/lib/libz.so
setfiles: relabeling /usr/lib/libz.so from system_u:object_r:shlib_t to system_u:object_r:lib_t
setfiles: hash table stats: 1 elements, 1/65536 buckets used, longest chain length 1
setfiles: labeling files under /usr/lib/libz.so.1
setfiles: relabeling /usr/lib/libz.so.1 from system_u:object_r:shlib_t to system_u:object_r:lib_t
setfiles: hash table stats: 1 elements, 1/65536 buckets used, longest chain length 1
setfiles: labeling files under /usr/lib/libz.so.1.2.1.1
setfiles: hash table stats: 1 elements, 1/65536 buckets used, longest chain length 1
setfiles: Done.
So, restorecon thinks that *.so files should be shlib_t, whereas
setfiles thinks they should be lib_t. Which one is right and why do they
disagree? I thought that they both get their context info from the same
place.
This is with policy-1.11.3-5 and policycoreutils-1.11-4.
gary
19 years, 2 months
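One way both answers in this post can arise, shown as an added example that is not code from the post or from policycoreutils: a minimal reimplementation of file_contexts matching (anchored regular expression, optional file-type qualifier, last matching entry wins, which is how setfiles searches its specification list) run against a constructed three-entry spec. If one tool classifies /usr/lib/libz.so by the symlink itself and the other by the regular file it points to, a `--` (regular file only) qualifier on the shlib_t entry makes them disagree exactly as shown above. The spec text, and the assumption about how each tool obtains the file type, are constructed for the example and not taken from the poster's policy.

```python
import re
import stat

# Constructed file_contexts excerpt for the example (not the poster's 1450-entry
# policy file). The optional middle field restricts the entry to one file type:
# -- regular file, -l symlink, -d directory, -c/-b char/block device,
# -s socket, -p fifo. Without it the entry applies to any file type.
SAMPLE_FILE_CONTEXTS = """\
/usr/lib(/.*)?                        system_u:object_r:lib_t
/usr/lib/lib.*\\.so(\\.[^/]*)*    --  system_u:object_r:shlib_t
/tmp/gconfd-.*                        <<none>>
"""

TYPE_QUALIFIERS = {
    "--": stat.S_IFREG, "-l": stat.S_IFLNK, "-d": stat.S_IFDIR,
    "-c": stat.S_IFCHR, "-b": stat.S_IFBLK, "-s": stat.S_IFSOCK,
    "-p": stat.S_IFIFO,
}


def parse_file_contexts(text):
    """Return [(compiled_regex, required_file_type_or_None, context), ...]."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, qualifier, context = fields
            file_type = TYPE_QUALIFIERS[qualifier]
        elif len(fields) == 2:
            pattern, context = fields
            file_type = None
        else:
            raise ValueError("malformed file_contexts entry: %r" % line)
        # setfiles anchors every pattern to the whole path.
        specs.append((re.compile("^(?:" + pattern + ")$"), file_type, context))
    return specs


def match_context(specs, path, file_type):
    """Search from the last entry backwards so the last matching entry wins.
    Entries with a type qualifier only match that file type. Returns None for
    <<none>> (leave the file alone) or when no entry matches."""
    for regex, required_type, context in reversed(specs):
        if required_type is not None and required_type != file_type:
            continue
        if regex.match(path):
            return None if context == "<<none>>" else context
    return None


def libz_example():
    """The same path classified two ways: as the symlink itself (lstat) and as
    the regular file it points to (stat after following the link)."""
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    return {
        "libz.so as symlink": match_context(specs, "/usr/lib/libz.so", stat.S_IFLNK),
        "libz.so as regular file": match_context(specs, "/usr/lib/libz.so", stat.S_IFREG),
        "libz.so.1.2.1.1": match_context(specs, "/usr/lib/libz.so.1.2.1.1", stat.S_IFREG),
        "libz.a": match_context(specs, "/usr/lib/libz.a", stat.S_IFREG),
        "/tmp/gconfd-tbl": match_context(specs, "/tmp/gconfd-tbl", stat.S_IFDIR),
    }


if __name__ == "__main__":
    for label, context in libz_example().items():
        print("%-25s -> %s" % (label, context))
```

Whichever tool is right, the check that settles it is the file type each one feeds into the match, since the spec itself is the same file for both.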
Installing the new policy
by Richard Hally
Included below is the output from doing a "yum install
selinux-policy\*" while in enforcing mode:
[root@old1 root]# yum install selinux-policy\*
Gathering header information file(s) from server(s)
Server: Fedora Core 2 - i386 - Base
Server: Fedora Core 2 - Development Tree
Server: Fedora Core 2 - i386 - Released Updates
Finding updated packages
Downloading needed headers
Resolving dependencies
Dependencies resolved
I will do the following:
[install: selinux-policy-targeted 1.13.1-1.noarch]
[install: selinux-policy-strict 1.13.1-1.noarch]
[install: selinux-policy-strict-sources 1.13.1-1.noarch]
[install: selinux-policy-targeted-sources 1.13.1-1.noarch]
Is this ok [y/N]: y
Downloading Packages
Getting selinux-policy-targeted-1.13.1-1.noarch.rpm
selinux-policy-targeted-1 100% |=========================| 25 kB 00:00
Getting selinux-policy-strict-1.13.1-1.noarch.rpm
selinux-policy-strict-1.1 100% |=========================| 1.1 MB 00:08
Getting selinux-policy-strict-sources-1.13.1-1.noarch.rpm
selinux-policy-strict-sou 100% |=========================| 1.3 MB 00:12
Getting selinux-policy-targeted-sources-1.13.1-1.noarch.rpm
selinux-policy-targeted-s 100% |=========================| 252 kB 00:01
Running test transaction:
Test transaction complete, Success!
selinux-policy-strict 100 % done 1/6
Can't open '/etc/selinux/strict/policy/policy.17': Permission denied
selinux-policy-targeted 100 % done 2/6
Can't open '/etc/selinux/targeted/policy/policy.17': Permission denied
selinux-policy-strict-sources 100 % done 3/6
make: Entering directory `/etc/selinux/strict/src/policy'
/usr/sbin/load_policy /etc/selinux/strict/policy/policy.`cat
/selinux/policyvers`
Can't open '/etc/selinux/strict/policy/policy.17': Permission denied
make: *** [tmp/load] Error 2
make: Leaving directory `/etc/selinux/strict/src/policy'
selinux-policy-targeted-sources 100 % done 4/6
make: Entering directory `/etc/selinux/targeted/src/policy'
/usr/sbin/load_policy /etc/selinux/targeted/policy/policy.`cat
/selinux/policyvers`
Can't open '/etc/selinux/targeted/policy/policy.17': Permission denied
make: *** [tmp/load] Error 2
make: Leaving directory `/etc/selinux/targeted/src/policy'
warning: /etc/security/selinux/policy.17 saved as
/etc/security/selinux/policy.17.rpmsave
warning: /etc/security/selinux/file_contexts saved as
/etc/security/selinux/file_contexts.rpmsave
Erasing: policy 5/6
warning: /etc/security/selinux/src/policy/users saved as
/etc/security/selinux/src/policy/users.rpmsave
warning:
/etc/security/selinux/src/policy/file_contexts/program/seuser.fc saved
as /etc/security/selinux/src/policy/file_contexts/program/seuser.fc.rpmsave
Erasing: policy-sources 6/6
Installed: selinux-policy-targeted 1.13.1-1.noarch
selinux-policy-strict 1.13.1-1.noarch selinux-policy-strict-sources
1.13.1-1.noarch selinux-policy-targeted-sources 1.13.1-1.noarch
Transaction(s) Complete
[root@old1 root]#
Richard Hally
19 years, 3 months
Re: Installing the new policy
by Tom London
I also had some issues in the newest selinux-policy installs from the
development tree.
First, I had to remove setools to remove a yum/rpm conflict.
After successfully yum'ing selinux-policy-strict-sources (which also
installed selinux-policy-strict and removed policy and policy-sources),
I rebooted in single user mode, where I did the usual 'fixfiles
relabel'. I then rebooted to multiuser mode, where I determined that
the 'mode' was set to 'disabled' (i.e., 'getenforce->disabled').
Rooting around uncovered that there was no /etc/selinux/config
installed, nor was /etc/sysconfig/selinux updated with the
'SELINUXTYPE=strict' line. Since the thread on this was confusing to
me, I also added a line 'POLICYTYPE=strict'.
I modified /etc/sysconfig/selinux, copied it to /etc/selinux/config and
rebooted. Still came up with selinux in 'disabled' mode.
Checking /var/log/messages showed 'SELinux disabled at boot'. So, I
rebooted adding 'selinux=1' to the boot line. This time, the boot failed
with 'can't read /etc/fstab' and brought me up in 'filesystem repair'
mode. There I determined that /etc/fstab had no security context
assigned to it (Did it get rewritten during a 'disabled' boot?)
I rebooted without the 'selinux=1' but in single-user mode, where I
adjusted the context of /etc/fstab, /etc/sysconfig/selinux and
/etc/selinux/config. I also changed /etc/sysconfig/selinux to boot up
in permissive mode.
Rebooting with 'selinux=1 single' worked, I reran 'fixfiles relabel'.
Rebooting with 'selinux=1' into permissive/multi-user worked. I changed
/etc/sysconfig/selinux and /etc/selinux/config to 'enforce'. Rebooting
single-user (i.e., with 'selinux=1 single') worked.
Rebooting strict/multi-user (i.e. with 'selinux=1') did not work. It
got jammed setting up X.org log files. Seems that
/var/log/Xorg.0.log.old had no security context so the attempt to move
/var/log/Xorg.0.log 'on top of it' failed. (I'm guessing it was a
leftover from a 'disabled' boot.)
I fixed that ('chcon --reference Xorg.0.log Xorg.0.log.old'), fixed
/tmp/gconfd-tbl (same problem), and now it boots up strict/multi-user.
So here's the condensed version:
1. installing selinux-policy-strict-sources (and selinux-policy-strict)
did not set up /etc/selinux/config, nor did it modify
/etc/sysconfig/selinux. (I must admit that I was confused by the
message thread. Did I need to remove /etc/sysconfig/selinux before doing
the 'yum install selinux-policy-strict-sources'? I thought the install
would add the 'SELINUXTYPE=strict' line to an existing file, but I may
have read this wrong.)
2. My system was 'setup' to boot by default into 'disabled' mode. This
caused a lot of problems with unlabeled files, directories, etc.
Accidentally forgetting to add 'selinux=1' to the boot line may cause this.
3. I had to 'yum remove setools'. Did this cause my booting or other
problems?
4. I added both 'SELINUXTYPE=' and 'POLICYTYPE=' lines to
/etc/sysconfig/selinux and to /etc/selinux/config. Are both
needed/correct? /sbin/fixfiles seems to want 'SELINUXTYPE'...
5. I manually copied /etc/selinux/config from /etc/sysconfig/selinux. Does
that provide the correct info/format?
System is up and running in strict/enforcing mode. I will later try to
install selinux-policy-targeted*.
tom
19 years, 3 months
Simplistic X11 logins not working.. (newbie questions)
by Erik Fichtner
So. I've got vanilla FC2 with SELinux loaded and the standard
policy sources loaded on my laptop. For various reasons (low memory
and a general dislike for all things GNOME; primarily), I'm trying to
make good old xdm work and start boring old twm. This requires a
little bit of manhandling within /etc/X11/xdm/Xsession and /etc/inittab.
No big deal here.
As packaged, the policy sets up xdm running as system_u:system_r:xdm_t.
This starts a copy of X which is transitioned into
system_u:system_r:xdm_xserver_t. Then there's a display ":0" sitting
around on a third pid running as system_u:system_r:xdm_t. Fine.
Logging in as my user (which results in a nice clean emf:user_r:user_t
on the console) launches a twm as system_u:system_r:xdm_t, and then
when I attempt to run an xterm, I get the following avc denials:
avc: denied { read write } for pid=3793 exe=/usr/bin/xterm name=ptmx dev=hda2 ino=134859 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:ptmx_t tclass=chr_file
avc: denied { search } for pid=3793 exe=/usr/bin/xterm dev= ino=1 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:devpts_t tclass=dir
avc: denied { search } for pid=3793 exe=/usr/bin/xterm dev= ino=1 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:devpts_t tclass=dir
and xterm promptly exits since it can't get a pty, and everything is
still running as system_r:xdm_t, which is the real issue here.
/etc/security/default_contexts does have an entry for:
system_r:xdm_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
I even tried changing that to read:
system_r:xdm_t user_r:user_t
At this point, I started flailing around a little bit and created an
Xwm.{te|fc} pair:
type Xwm_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(xdm_t,Xwm_exec_t,user_t)
/usr/X11R6/bin/twm system_u:object_r:Xwm_exec_t
reloaded the policy, and relabelled twm. Alles gut, ya? Nein!
Now, when xdm->Xsession fires off twm, I get this:
security_compute_sid: invalid context system_u:system_r:user_t for scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:Xwm_exec_t tclass=process
and twm exits. Clearly, that wasn't the answer.
So..... Questions are:
1) why doesn't default_contexts appear to have any influence upon xdm?
1a) is there a way to force it?
2) what am I supposed to do to get my window manager and its children
into user_r:user_t ?
Thanks in advance...
--
Erik Fichtner; Unix Ronin
19 years, 3 months
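An added example (not the poster's policy or code) that models why the transition above produced an invalid context: the type_transition that domain_auto_trans generates changes only the type of the new process, so the role stays system_r unless a role_transition rule applies, and a context is valid only if its user is authorized for the role and the role for the type. The role and user declarations below are constructed for the example, in the style of the FC2 strict policy.

```python
import re

# Constructed role and user declarations in the style of the FC2 strict policy
# (not copied from the poster's policy). A process context user:role:type is
# valid only if the user may take the role and the role may run the type.
SAMPLE_POLICY = """
role system_r types { kernel_t init_t xdm_t xdm_xserver_t };
role user_r types { user_t user_xserver_t };
role staff_r types { staff_t };
role sysadm_r types { sysadm_t };
user system_u roles { system_r };
user emf roles { user_r staff_r sysadm_r };
user user_u roles { user_r };
"""

ROLE_RE = re.compile(r"role\s+(\w+)\s+types\s+\{([^}]*)\}\s*;")
USER_RE = re.compile(r"user\s+(\w+)\s+roles\s+\{([^}]*)\}\s*;")


def parse_authorizations(text):
    """Return (user -> allowed roles, role -> allowed types)."""
    user_roles, role_types = {}, {}
    for role, types in ROLE_RE.findall(text):
        role_types.setdefault(role, set()).update(types.split())
    for user, roles in USER_RE.findall(text):
        user_roles.setdefault(user, set()).update(roles.split())
    return user_roles, role_types


def validate_context(context, user_roles, role_types):
    """Return None when the context is valid, otherwise the reason it is not
    (the condition behind the kernel's 'invalid context' message)."""
    parts = context.split(":")
    if len(parts) != 3:
        return "malformed context %r" % context
    user, role, typ = parts
    if user not in user_roles:
        return "unknown user %s" % user
    if role not in user_roles[user]:
        return "user %s is not authorized for role %s" % (user, role)
    if typ not in role_types.get(role, set()):
        return "role %s is not authorized for type %s" % (role, typ)
    return None


def domain_transition(source_context, new_type):
    """A type transition (what domain_auto_trans generates) replaces only the
    type; user and role are inherited from the source process."""
    user, role, _ = source_context.split(":")
    return "%s:%s:%s" % (user, role, new_type)


def explain_twm_failure():
    """xdm_t execs the twm binary labelled Xwm_exec_t, targeting user_t."""
    user_roles, role_types = parse_authorizations(SAMPLE_POLICY)
    attempted = domain_transition("system_u:system_r:xdm_t", "user_t")
    return attempted, validate_context(attempted, user_roles, role_types)


if __name__ == "__main__":
    print(explain_twm_failure())
```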
mysql issues...
by Valdis.Kletnieks@vt.edu
Running the mysql command as a mortal user dies:
$ mysql -hlocalhost -u MMMMMM -p MMMMMM
Enter password:
ERROR 2002: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)
after throwing this avc message:
May 24 21:34:19 pink kernel: audit(1085448859.069:0): avc: denied { search } for pid=4519 exe=/usr/bin/mysql name=mysql dev=dm-6 ino=129035 scontext=user_u:user_r:user_t tcontext=system_u:object_r:mysqld_db_t tclass=dir
It's not able to search /var/lib/mysql to find the socket...
A (slightly edited) grep shows us:
[/etc/security/selinux/src/policy]3 find . | xargs grep mysqld_var_run | more
./domains/program/apache.te:allow httpd_php_t mysqld_var_run_t:dir { search };
./domains/program/apache.te:allow httpd_php_t mysqld_var_run_t:sock_file { write };
./domains/program/mysqld.te:allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
./domains/program/mysqld.te:allow initrc_t mysqld_var_run_t:sock_file write;
./domains/program/mysqld.te:allow logrotate_t mysqld_var_run_t:dir search;
./domains/program/mysqld.te:allow logrotate_t mysqld_var_run_t:sock_file write;
./file_contexts/program/mysqld.fc:/var/run/mysqld(/.*)? system_u:object_r:mysqld_var_run_t
./file_contexts/file_contexts:/var/run/mysqld(/.*)? system_u:object_r:mysqld_var_run_t
Does anybody see a good reason why we don't have this too:
mysqld.te: allow mysql_cmd_t mysqld_var_run_t:dir search;
mysqld.te: allow mysql_cmd_t mysqld_var_run_t:sock_file write;
and add this to mysqld.fc:
/usr/bin/mysql system_u:object_r:mysql_cmd_t
(or the correct version thereof, it's way too late to think straight.. ;)
19 years, 3 months
Permission denied when building kernel
by Matthew East
I cannot build and install a kernel with selinux enabled. Here is what
happens towards the end of the modules_install stage:
if [ -r System.map ]; then /sbin/depmod -ae -F System.map -b
/var/tmp/kernel-2.6.6-root -r 2.6.6; fi
WARNING: Couldn't open directory
/var/tmp/kernel-2.6.6-root/lib/modules/2.6.6: Permission denied
FATAL: Could not open
/var/tmp/kernel-2.6.6-root/lib/modules/2.6.6/modules.dep.temp for
writing: Permission denied
make[1]: *** [_modinst_post] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.11877 (%install)
RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.11877 (%install)
make: *** [rpm] Error 1
Here are the error messages:
[root@localhost linux-2.6.6]# dmesg |tail
{snip}
audit(1085609097.359:0): avc: denied { search } for pid=17414
exe=/sbin/depmod name=tmp dev=hda2 ino=196228
scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:tmp_t
tclass=dir
audit(1085609097.359:0): avc: denied { search } for pid=17414
exe=/sbin/depmod name=tmp dev=hda2 ino=196228
scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:tmp_t
tclass=dir
I hope that someone can help me with this!! Maybe I am going about
compiling it the wrong way, but it works fine with selinux disabled.
Many thanks in advance, Matt
p.s. Just for the record, or in case they are useful, here are the error
messages I get when booting my new kernel which was compiled with
selinux set to permissive.
Freeing unused kernel memory: 160k freed
security: 5 users, 7 roles, 1244 types, 1 bools
security: 30 classes, 303377 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev , type selinuxfs), uses genfs_contexts
SELinux: initialized (dev hda2, type ext3), uses xattr
audit(1085619351.268:0): avc: denied { ioctl } for pid=164
exe=/bin/bash path=/dev/null dev=hda2 ino=283937
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=chr_file
audit(1085619351.271:0): avc: denied { getattr } for pid=176
exe=/bin/bash path=/etc/hotplug dev=hda2 ino=49185
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1085619351.271:0): avc: denied { read } for pid=164
exe=/bin/bash path=pipe:[842] dev= ino=842
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
audit(1085619351.272:0): avc: denied { ioctl } for pid=165
exe=/bin/bash path=/dev/null dev=hda2 ino=283937
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=chr_file
audit(1085619351.274:0): avc: denied { search } for pid=177
exe=/bin/bash name=hotplug dev=hda2 ino=49185
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1085619351.274:0): avc: denied { read } for pid=165
exe=/bin/bash path=pipe:[843] dev= ino=843
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
audit(1085619351.274:0): avc: denied { ioctl } for pid=167
exe=/bin/bash path=/dev/null dev=hda2 ino=283937
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=chr_file
audit(1085619351.277:0): avc: denied { search } for pid=178
exe=/bin/bash name=hotplug dev=hda2 ino=49185
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1085619351.277:0): avc: denied { read } for pid=167
exe=/bin/bash path=pipe:[844] dev= ino=844
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
audit(1085619351.277:0): avc: denied { ioctl } for pid=166
exe=/bin/bash path=/dev/null dev=hda2 ino=283937
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=chr_file
audit(1085619351.280:0): avc: denied { search } for pid=179
exe=/bin/bash name=hotplug dev=hda2 ino=49185
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1085619351.280:0): avc: denied { read } for pid=166
exe=/bin/bash path=pipe:[845] dev= ino=845
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
audit(1085619351.290:0): avc: denied { getattr } for pid=177
exe=/bin/env path=/etc/ld.so.cache dev=hda2 ino=50220
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1085619351.290:0): avc: denied { read } for pid=177
exe=/bin/env name=libc-2.3.3.so dev=hda2 ino=131669
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1085619351.290:0): avc: denied { getattr } for pid=177
exe=/bin/env path=/lib/tls dev=hda2 ino=130821
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1085619351.290:0): avc: denied { read } for pid=176
exe=/bin/bash path=/lib/ld-2.3.3.so dev=hda2 ino=130827
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1085619351.290:0): avc: denied { getattr } for pid=176
exe=/bin/bash path=/dev/null dev=hda2 ino=283937
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=chr_file
audit(1085619351.291:0): avc: denied { write } for pid=176
exe=/bin/bash path=/dev/null dev=hda2 ino=283937
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=chr_file
audit(1085619351.292:0): avc: denied { search } for pid=164
exe=/bin/bash name=hotplug dev=hda2 ino=49185
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1085619351.292:0): avc: denied { read } for pid=179
exe=/bin/bash path=/lib/ld-2.3.3.so dev=hda2 ino=130827
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1085619351.293:0): avc: denied { getattr } for pid=179
exe=/bin/bash path=/dev/null dev=hda2 ino=283937
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=chr_file
audit(1085619351.293:0): avc: denied { write } for pid=179
exe=/bin/bash path=/dev/null dev=hda2 ino=283937
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=chr_file
audit(1085619351.294:0): avc: denied { search } for pid=166
exe=/bin/bash name=hotplug dev=hda2 ino=49185
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1085619351.294:0): avc: denied { read } for pid=178
exe=/bin/bash path=/lib/ld-2.3.3.so dev=hda2 ino=130827
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1085619351.294:0): avc: denied { getattr } for pid=178
exe=/bin/bash path=/dev/null dev=hda2 ino=283937
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=chr_file
audit(1085619351.295:0): avc: denied { write } for pid=178
exe=/bin/bash path=/dev/null dev=hda2 ino=283937
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=chr_file
audit(1085619351.296:0): avc: denied { search } for pid=167
exe=/bin/bash name=hotplug dev=hda2 ino=49185
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1085619351.699:0): avc: denied { getattr } for pid=177
exe=/bin/env path=pipe:[843] dev= ino=843
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
audit(1085619351.700:0): avc: denied { write } for pid=177
exe=/bin/env path=pipe:[843] dev= ino=843
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
SELinux: initialized (dev ram0, type ext2), uses xattr
SELinux: initialized (dev , type mqueue), not configured for labeling
SELinux: initialized (dev , type hugetlbfs), not configured for labeling
SELinux: initialized (dev , type devpts), uses transition SIDs
SELinux: initialized (dev , type eventpollfs), uses genfs_contexts
SELinux: initialized (dev , type pipefs), uses task SIDs
SELinux: initialized (dev , type tmpfs), uses transition SIDs
SELinux: initialized (dev , type futexfs), uses genfs_contexts
SELinux: initialized (dev , type sockfs), uses task SIDs
SELinux: initialized (dev , type proc), uses genfs_contexts
SELinux: initialized (dev , type bdev), uses genfs_contexts
SELinux: initialized (dev , type rootfs), uses genfs_contexts
SELinux: initialized (dev , type sysfs), uses genfs_contexts
19 years, 3 months
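Added example, not code from any of the posts: an audit2allow-style aggregation of the AVC denials quoted in the mysql, depmod and xterm posts above, joined onto single lines as constructed sample input. It merges each (source type, target type, class) into allow-rule form, and keeps denials against unlabeled_t apart, since in the permissive boot log above that target type means the object carries no label at all, which a relabel fixes and a new rule should not.

```python
import re
from collections import defaultdict

# Constructed sample input: the denials quoted in the mysql, depmod and xterm
# posts, plus two kernel_t lines from the permissive boot log, each joined onto
# a single line as the kernel originally emitted it, and one non-AVC line.
SAMPLE_LOG = """\
May 24 21:34:19 pink kernel: audit(1085448859.069:0): avc: denied { search } for pid=4519 exe=/usr/bin/mysql name=mysql dev=dm-6 ino=129035 scontext=user_u:user_r:user_t tcontext=system_u:object_r:mysqld_db_t tclass=dir
audit(1085609097.359:0): avc: denied { search } for pid=17414 exe=/sbin/depmod name=tmp dev=hda2 ino=196228 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:tmp_t tclass=dir
avc: denied { read write } for pid=3793 exe=/usr/bin/xterm name=ptmx dev=hda2 ino=134859 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:ptmx_t tclass=chr_file
avc: denied { search } for pid=3793 exe=/usr/bin/xterm dev= ino=1 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:devpts_t tclass=dir
audit(1085619351.268:0): avc: denied { ioctl } for pid=164 exe=/bin/bash path=/dev/null dev=hda2 ino=283937 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
audit(1085619351.271:0): avc: denied { getattr } for pid=176 exe=/bin/bash path=/etc/hotplug dev=hda2 ino=49185 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir
SELinux: initialized (dev hda2, type ext3), uses xattr
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # \S* so an empty value like 'dev=' parses


def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = set(m.group("perms").split())
    # Contexts are user:role:type; allow rules are written in terms of the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def suggest_rules(log_text):
    """Merge denials per (source type, target type, class) into allow-rule
    form. Denials whose target is unlabeled_t are kept apart: that type means
    the object carries no label, so the fix is relabeling, not a new rule."""
    merged = defaultdict(set)
    needs_relabel = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if rec["ttype"] == "unlabeled_t":
            needs_relabel.add(rec.get("path") or rec.get("name") or "?")
            continue
        merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        text = " ".join(sorted(perms))
        if len(perms) > 1:
            text = "{ " + text + " }"
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, text))
    return rules, sorted(needs_relabel)


if __name__ == "__main__":
    rules, relabel = suggest_rules(SAMPLE_LOG)
    print("\n".join(rules))
    print("unlabeled objects to relabel:", relabel)
```

Whether a merged rule belongs in policy is a separate judgement: the mysql poster, for instance, proposes a dedicated mysql_cmd_t domain for /usr/bin/mysql rather than widening what user_t may do.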
Script to check security?
by Bob Gustafson
With all of the possible variations in security settings - strict,
permissive, local, lots of users, only daemons, etc.
Is there a script around somewhere - something like 'configure' which is
used at the beginning of a component build - which will query various
pieces of a system, do a 'setenforce 1' and then try various programs and
grep the output to give some binary answer, then do 'setenforce 0' and try
the same program, etc.
This script would help to give struggling sysadmins some degree of
confidence that what is being done to their 'policy.local' or whatever, is
benign.
Of course the script could be corrupted or buggy - one more thing to add to
when adding or changing the SELinux system, but there would be advantages:
Just as the 'no child left behind' program uses testing to measure the
effectiveness of public expenditures on schools ( :-) ), a security testing
script could help to test the effectiveness of the SELinux system as it
evolves.
A testing script would also help to rein in the tendency to add wrinkles
and grow the complexity of the system - each wrinkle would have a test
module to check it.
BobG
19 years, 3 months
Re: Finding unlabeled files?
by Tom London
Thanks.
However, I'm having a slightly different problem: because of various
circumstances, some files that should be labeled appear to be unlabeled.
I'm thinking that I missed the easy way: just running 'fixfiles check'
or 'setfiles -n -v ...'
tom
----------------------------------------------------------------
* From: Thomas Bleher <bleher informatik uni-muenchen de>
* Tom London <selinux comcast net> [2004-05-30 20:12]:
> I understand it's 'safer' to run 'fixfiles relabel', but some vestigial
> unlabeled files seem to remain...
Look into your policy for file contexts which specify "<<none>>" as
context. This means that setfiles does not touch these files at all, as
they can not be properly labeled by looking at the file name; so it is
best to leave them alone.
If you come from a non-SELinux system you should probably delete all
these files[0] and reboot.
Thomas
[0] the policy I'm looking at right now has <<none>> only for files which
can be safely deleted if the system is in single user mode and is
restarted immediately afterwards.
19 years, 4 months
Finding unlabeled files?
by Tom London
I used the following to find files that are not labeled:
find / -context 'null' -print 2>&1 | grep 'No data available'
This prints out error messages of the form:
getfilecon(/var/spool/cron/mailman): No data available
getfilecon(/var/spool/at/.SEQ): No data available
getfilecon(/initrd): No data available
getfilecon(/initrd/sys): No data available
getfilecon(/initrd/sbin): No data available
getfilecon(/initrd/linuxrc): No data available
etc.
Is there a better/proper way of doing this? (If not, perhaps I'll write
one...)
The situation comes up when converting a system to SELinux, or if you
accidentally boot up an SELinux system in 'disabled' mode.
I understand it's 'safer' to run 'fixfiles relabel', but some vestigial
unlabeled files seem to remain...
Thanks,
tom
19 years, 4 months
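A programmatic alternative to the find/grep pipeline in this thread, added here as an example rather than Tom's script or any distribution tool: walk one filesystem (like find -xdev) and report every entry whose security.selinux xattr is missing, reading it with os.getxattr without following symlinks so a dangling or cross-filesystem link is judged by its own label. The label reader is injectable, and demo() runs the walk over a constructed scratch tree with a fake reader so it works on a host without SELinux; the file names in that tree are constructed to mirror the unlabeled /etc/fstab and Xorg.0.log.old cases reported elsewhere on this page.

```python
import errno
import os
import shutil
import tempfile

SELINUX_XATTR = "security.selinux"


def read_label(path):
    """Read the on-disk label of path itself (symlinks are not followed).
    Returns None when the xattr is absent, the condition behind the
    'No data available' messages in the post."""
    try:
        raw = os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return raw.decode("utf-8", "replace").rstrip("\0")


def find_unlabeled(root, get_label=read_label):
    """Return sorted paths under root (root included) that have no label.
    Stays on root's filesystem, like find -xdev, so pseudo-filesystems such as
    /proc, /selinux and /dev/pts that never carry the xattr are not reported.
    get_label is injectable so the walk can be exercised without SELinux."""
    root_dev = os.lstat(root).st_dev
    unlabeled = [root] if get_label(root) is None else []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Drop subdirectories that are mount points of other filesystems.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if get_label(path) is None:
                unlabeled.append(path)
    return sorted(unlabeled)


def demo():
    """Constructed scratch tree: every entry is 'labeled' except two files,
    chosen to mirror the /etc/fstab and Xorg.0.log.old cases reported on this
    list. Uses a fake label reader so it runs on any host; returns the
    unlabeled paths relative to the scratch root."""
    root = tempfile.mkdtemp(prefix="unlabeled-demo-")
    try:
        for d in ("etc", "var/log"):
            os.makedirs(os.path.join(root, d))
        for f in ("etc/fstab", "var/log/Xorg.0.log", "var/log/Xorg.0.log.old"):
            open(os.path.join(root, f), "w").close()
        missing = {"etc/fstab", "var/log/Xorg.0.log.old"}

        def fake_label(path):
            rel = os.path.relpath(path, root)
            return None if rel in missing else "system_u:object_r:etc_t"

        return [os.path.relpath(p, root) for p in find_unlabeled(root, fake_label)]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    import sys
    # With a path argument, scan that tree for real; otherwise run the demo.
    print(find_unlabeled(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

As Thomas's reply notes, entries the policy marks <<none>> are expected to stay unlabeled, so a real scan's output should be read against the file_contexts before anything is relabeled by hand.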
selinux and RHEL
by Gene Czarcinski
This may be a bit early but ... are there plans to incorporate selinux into
Red Hat Enterprise Linux? If there is, is the target for RHEL 4 or later?
Gene
19 years, 4 months