I have been running FC6T3 plus updates and an even more recent install from
FC6 development (selinux targeted and enforcing) and everything is looking
very good. Since I follow the LSPP list and know that a lot of work has been
done with the mls policy for RHEL 5 (and FC6), I thought I would give it a
try.

Before I spend time putting in bugzilla reports, since it is going to take time to
gather the documentation, I am hoping some of this is known. This testing
was done with clean installs on hardware and using vmware.

1. install selinux-policy-mls and switch to it using the
system-config-security tool ... then reboot and do the relabeling
(enforcing=0). Then reboot again (enforcing=1) ... oops, an almost immediate
kernel panic!

2. OK, get the system back up in targeted mode. I then thought I would try
strict ... install selinux-policy-strict ... then reboot and do the relabeling
(enforcing=0). Then reboot again (enforcing=1) ... better ... no kernel
panic ... but not much better since some services fail starting and, when I
log on as root, I cannot do anything.

This is NOT GOOD!!!

3. While doing the above tests, I tried using the system-config-security gui
tool to change the policy. I booted up with enforcing=0 and then tried the
tool to change back to targeted. Since I run targeted with enforcing, I left
the tool specification as enforcing. Unfortunately, the tool sets enforcing
for the runtime system BEFORE it changes the /etc/sysconfig/selinux file.

Folks, this does not look ready for prime time as close as we are to final!
While I do not expect everything to work, I do expect a bit more than what I
got. From what I saw, this should be easily repeatable by developers.

As I said, it is going to take me a bit of time to gather documentation for
bugzilla reports. I hope that someone out there can give these policies a
try to see if they can duplicate what I experienced.

--
Gene Czarcinski