OK, it is getting close to when FC2 Test2 is to be available so I thought I would start playing with selinux. Rather than try to update Test1 and get it right, I downloaded FC2 x86_64 development yesterday (finally, a mirror that was current) and did an "everything" install with selinux set to "permissive".
I had some initial problems with running kudzu so I have turned it off (not run at bootup). I saw the email about sgi_fam so I set it off also (although I still get a bunch of messages at bootup).
The system comes up fine in permissive mode so I tried changing /etc/sysconfig/selinux to "enforcing". Oops, lots more messages during bootup and a lot of services failing startup. Then I got this popup that the "gdm" user did not exist so gdm was not started.
I assume that the way things are supposed to work is that the system comes up in enforcing mode the same way it would without selinux but that now I had to do things only with some kind of "role" for anything requiring special privileges.
Is there any kind of "cookbook" that explains how to get started? I looked at the stuff in selinux-doc but there is nothing simple there.
I am not sure what to report any problems against either.
OK, can anyone point me to any "hints" on how to get started?
Gene
Here are a couple of links to HOWTOs
https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=2126...
https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=2126...
Richard Hally
-----Original Message----- From: fedora-selinux-list-bounces@redhat.com [mailto:fedora-selinux-list-bounces@redhat.com] On Behalf Of Gene Czarcinski Sent: Thursday, March 25, 2004 12:21 PM To: fedora-selinux-list@redhat.com Subject: How to start using selinux?
On Thursday 25 March 2004 14:09, Richard Hally wrote:
Here are a couple of links to HOWTOs
https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=2126...
https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=2126...
Thanks. These are good but ..
What I am looking for is something a bit more "cook bookish". Since the default (current snapshot of FC2 development) is to install with selinux set to enforcing, I am expecting the system to come up (it does not) and then some "cook book" instructions on setting things up so I can begin playing with things. Right now if I bootup with selinux set to enforcing, I cannot do anything .. even login.
I was hoping to see something with selinux running where I could then work (play) with the system to understand selinux configuration and usage.
Right now, booting up in single user mode is my most useful tool since that is the only way I have found to get out of enforcing mode.
I am hoping I do not need a two week course to be able to understand how to configure selinux. I do not know what FC2 Test2 will have in it but from what I have seen so far, the default had better be permissive rather than enforcing ... either that or slip the schedule a bit more.
Gene
-----Original Message----- From: fedora-selinux-list-bounces@redhat.com [mailto:fedora-selinux-list-bounces@redhat.com] On Behalf Of Gene Czarcinski Sent: Thursday, March 25, 2004 5:13 PM To: fedora-selinux-list@redhat.com Subject: Re: How to start using selinux?
On Thursday 25 March 2004 14:09, Richard Hally wrote:
Here are a couple of links to HOWTOs
https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=2126...
https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=2126...
Thanks. These are good but ..
What I am looking for is something a bit more "cook bookish". Since the default (current snapshot of FC2 development) is to install with selinux set to enforcing, I am expecting the system to come up (it does not) and then some "cook book" instructions on setting things up so I can begin playing with things. Right now if I bootup with selinux set to enforcing, I cannot do anything .. even login.
The recommended way to start off is in permissive mode. Kernel ...253.2.1 does not start in enforcing mode automatically by default.
I was hoping to see something with selinux running where I could then work (play) with the system to understand selinux configuration and usage.
One thing you can do is duplicate the lines in grub for a particular kernel and add ENFORCING to the title and enforcing=1 to the end of the kernel line. That way you can start off in either mode.
The way to see which mode is to "cat /selinux/enforce"; 0 is permissive. To change to enforcing while running, "echo 1 > /selinux/enforce".
Right now, booting up in single user mode is my most useful tool since that is the only way I have found to get out of enforcing mode.
I am hoping I do not need a two week course to be able to understand how to configure selinux. I do not know what FC2 Test2 will have in it but from what I have seen so far, the default had better be permissive rather than enforcing ... either that or slip the schedule a bit more.
Gene
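The two steps suggested in the reply above (a duplicate grub entry carrying enforcing=1, and reading /selinux/enforce), as an added shell example that is not part of the original thread. The function names, the sample stanza and the KERNEL-VERSION placeholder are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample stanza are constructed.

# Report the mode from an enforce file (default: the path given in the thread).
selinux_mode() {
    f="${1:-/selinux/enforce}"
    [ -r "$f" ] || { echo unavailable; return 0; }   # selinuxfs not mounted
    case "$(cat "$f")" in
        0) echo permissive ;;
        1) echo enforcing ;;
        *) echo unknown ;;
    esac
}

# Filter a grub.conf on stdin: after each boot stanza, emit a copy with
# " ENFORCING" added to the title and " enforcing=1" added to the kernel line.
# Stanzas whose title already ends in ENFORCING pass through unchanged.
add_enforcing_entries() {
    awk '
        function flush(   i, line) {
            for (i = 1; i <= n; i++) print stanza[i]
            if (stanza[1] !~ /ENFORCING$/)
                for (i = 1; i <= n; i++) {
                    line = stanza[i]
                    if (line ~ /^title[ \t]/) line = line " ENFORCING"
                    else if (line ~ /^[ \t]*kernel[ \t]/) line = line " enforcing=1"
                    print line
                }
            n = 0
        }
        /^title[ \t]/ && n { flush() }
        n || /^title[ \t]/ { stanza[++n] = $0; next }
        { print }
        END { if (n) flush() }
    '
}

# Constructed sample; KERNEL-VERSION is a placeholder, not a real version.
sample_grub_conf() {
    cat <<'EOF'
default=0
timeout=10
title Fedora Core (KERNEL-VERSION)
        root (hd0,0)
        kernel /vmlinuz-KERNEL-VERSION ro root=LABEL=/
        initrd /initrd-KERNEL-VERSION.img
EOF
}

sample_grub_conf | add_enforcing_entries
```

Run the filter against a copy of grub.conf and review the result before replacing the real file.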
On Thu, 25 Mar 2004, Gene Czarcinski wrote:
I had some initial problems with running kudzu so I have turned it off (not run at bootup). I saw the email about sgi_fam so I set it off also (although I still get a bunch of messages at bootup).
Can you post these messages, please?
Whatever is still not working needs to be fixed :-)
- James
On Thursday 25 March 2004 14:58, James Morris wrote:
On Thu, 25 Mar 2004, Gene Czarcinski wrote:
I had some initial problems with running kudzu so I have turned it off (not run at bootup). I saw the email about sgi_fam so I set it off also (although I still get a bunch of messages at bootup).
Can you post these messages, please?
Whatever is still not working needs to be fixed :-)
OK ... the kudzu/sk98lin problem is https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=119011
The messages, etc. are far too much data to put on the mailing list so I am emailing them directly to you (jmorris@redhat.com).
The data include /var/log/messages and dmesg for booting up with selinux set to permissive as well as /var/log/messages for booting up with selinux set to enforcing (lots and lots of messages plus failed services).
All testing was done on an ASUS mobo with an Opteron 140 and yesterday's snapshot of FC2 x86_64 development.
Please note that when the system bootup completed, gdm would not start. In addition, I could not login as root. I have not done anything except play with /etc/sysconfig/selinux changing between enforcing and permissive. Since the default for the install is "enforcing", I would expect the installed system to at least come up and that I could login.
To change between enforcing and permissive, I had to reboot into single user mode and after changing /etc/sysconfig/selinux to reboot to have it take effect.
Gene
On Thu, 25 Mar 2004, Gene Czarcinski wrote:
The messages, etc. are far too much data to put on the mailing list so I am emailing them directly to you (jmorris@redhat.com).
Can you either put these on a web site or just send the first few denial messages to the list?
- James
On Thursday 25 March 2004 17:02, James Morris wrote:
On Thu, 25 Mar 2004, Gene Czarcinski wrote:
The messages, etc. are far too much data to put on the mailing list so I am emailing them directly to you (jmorris@redhat.com).
Can you either put these on a web site or just send the first few denial messages to the list?
Already sent. I can put them on a ftp server. Do you still want me to do that?
With all of the messages coming out in enforcing mode, I am not sure what is important and what is not. I am also not sure that the service startup failures were captured.
Gene
On Thu, 2004-03-25 at 17:16, Gene Czarcinski wrote:
Already sent. I can put them on a ftp server. Do you still want me to do that?
With all of the messages coming out in enforcing mode, I am not sure what is important and what is not. I am also not sure that the service startup failures were captured.
You are more likely to get help if you post at least the first few messages to the entire list. It might also help to see the output from ls -Z / (i.e. is your root filesystem labeled), and ps -eZ (i.e. are your processes running in the right domain).
Chris PeBenito of the Hardened Gentoo project just posted a "sestatus" tool on the NSA selinux list the other day that might be helpful in giving status about your system's SELinux setup, see http://marc.theaimsgroup.com/?l=selinux&m=108026017519073&w=2
On Fri, 26 Mar 2004 08:48, Gene Czarcinski gene@czarc.net wrote:
OK ... the kudzu/sk98lin problem is https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=119011
You say that occurs when booting with "selinux=0", so the core SE Linux code will be disabled. Unless there is some bug in James' code to disable SE Linux this would not be related to SE Linux at all.