> The application 'seuser' did not seem to be able to find the policy.conf
> file. I found the .tcl file and hacked a bit on that, but tcl is not a
> native language for me. (Today I found the /usr/share/setools/seuser.conf
> file with the missing 'policy' in the policy.conf path)
>
I believe this has been fixed in the most recent setools update.
Yes - Dan Walsh incorporated the fix into setools-1.3-2. Also, we are going
to release 1.3.1 soon with this and another critical bug fixed.
Karl
Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134
<snip>
> ------
>
> Then I found an application 'System Settings -> Security Level' With
> this tool, I could turn my firewall on and also turn on something in
> SELinux. The SELinux button said 'Active'. I clicked on it and
> saw options 'Warn' and 'Disabled'. Then I went back to the Firewall
> settings and decided not to do anything there. Clicking the OK button at
> the bottom gave me a dialog box - something about 'do you want security
> to be on'. Since I thought security was already on, I clicked on yes...
>
This SELinux feature of system-config-securitylevel has been taken out
for the FC2 release. IMHO, it needs some work to differentiate between
setting the current state of enforcing and setting the state for the
next boot of the system.
The init will still use /etc/sysconfig/selinux.
<snip>
> Fortunately, I had printed out some of the SELinux documentation
> (printed out, not read as yet). I noticed an email message from Hannes
> Mayer saying to pass 'selinux=0' to grub at boot time.
Careful here, kernel-2.6.5-1.349 has the selinux bootparam turned off
(I think they will reenable it), so be sure your /etc/sysconfig/selinux
is set correctly when using that kernel.
>
> This I did, and wonderfully my system booted up. It did not even have
> the pesky extra error messages which I had noticed for awhile when
> booting my running system - 'avc denied', etc.
>
<snip>
>
> A lesser goal would be to dynamically set and (hopefully) unset the
> enforcing parameter as mentioned later in Tom Mitchell's timely and very
> helpful email message - and then see what problems develop - in a
> (hopefully) controlled environment.
>
getenforce and setenforce commands allow for dynamic changes of mode.
> (I would like to creep up on the concept of SecurityEnabled with lots of
> log messages, but not too many.. :-) )
Not quite "creep up on"; looks like you jumped right in. Welcome.
It looks like Stephen Smalley has answered your major questions in his
reply.
> The human path/process is important for newbie testers though. Too many
> rocks and the extra eyeballs get discouraged.
There are several HOWTOs and FAQ around but you probably already knew
that.
Richard Hally
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
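
The thread separates the running mode (changed with setenforce, read with getenforce) from the mode the next boot will use (/etc/sysconfig/selinux, or `selinux=0` on kernels that honor it). The script below is an added example, not part of the original messages, that reports when the two differ. The function names, the yes/no switch for whether the kernel honors the boot parameter, and the sample config and command lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: what mode will the NEXT boot use, versus the running mode
# that getenforce reports and setenforce changes?

# Print the SELINUX= value from a file in /etc/sysconfig/selinux format,
# lowercased; comment lines are skipped; prints "unset" if there is none.
configured_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr 'A-Z' 'a-z')
    echo "${mode:-unset}"
}

# $1 config file, $2 kernel command line, $3 yes/no: does this kernel build
# honor the selinux= boot parameter? (hypothetical switch for this example)
next_boot_mode() {
    cfg=$(configured_mode "$1")
    case " $2 " in
        *" selinux=0 "*)
            if [ "$3" = yes ]; then echo disabled; return 0; fi ;;
    esac
    echo "$cfg"
}

# $1 is getenforce output; remaining arguments as for next_boot_mode.
# Returns 1 when a reboot would change the mode.
check_drift() {
    current=$(echo "$1" | tr 'A-Z' 'a-z')
    next=$(next_boot_mode "$2" "$3" "$4")
    if [ "$current" = "$next" ]; then
        echo "ok: running and next boot are both $next"
    else
        echo "drift: running=$current next-boot=$next"
        return 1
    fi
}

# Constructed sample config and command lines (not from a real system).
sample=$(mktemp)
printf '%s\n' '# SELINUX= enforcing | permissive | disabled' \
    'SELINUX=enforcing' > "$sample"
next_boot_mode "$sample" "ro root=LABEL=/ selinux=0" no    # file decides
next_boot_mode "$sample" "ro root=LABEL=/ selinux=0" yes   # parameter decides
# After "setenforce 0" the running mode is Permissive; a reboot reverts it.
check_drift Permissive "$sample" "ro root=LABEL=/" yes || true
rm -f "$sample"
```

On a live system the first argument to `check_drift` would be `"$(getenforce)"` and the command line would come from `/proc/cmdline`.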