1:36 p.m.
I'm new to SELinux, and have been banging my head against the wall on
how to change from the targeted to the strict policy on my Fedora 7
box. I just figured out how to do it, and thought that it would be a
good thing to have in the archive so others might more easily find a
solution.
1 - Install the strict policy using the package manager. I used
selinux-policy-strict-2.6.4-29.fc.noarch.
2 - Using the SELinux Administration tool, set the "system default
policy type" to "strict".
3 - Set the "system default enforcing mode" to "permissive".
4 - Check "Relabel on next reboot".
3 - Reboot
If you leave enforcing mode set to the default of "enforcing" you'll
get this error on reboot:
/sbin/init: error while loading shared libraries: libsepol.so.1:
failed to map segment from shared object: Permission denied
Kernel panic - not syncing: Attempted to kill init!
Note, you can also make these changes via the command line by
editing /etc/selinux/config, setup a relabel by
touching /.autorelabel and rebooting.
Hope that helps someone.
--Patrick
2:28 p.m.
Patrick McNeal wrote:
I'm new to SELinux, and have been banging my head against the
wall on
how to change from the targeted to the strict policy on my Fedora 7
box. I just figured out how to do it, and thought that it would be a
good thing to have in the archive so others might more easily find a
solution.
1 - Install the strict policy using the package manager. I used
selinux-policy-strict-2.6.4-29.fc.noarch.
2 - Using the SELinux Administration tool, set the "system default
policy type" to "strict".
3 - Set the "system default enforcing mode" to "permissive".
4 - Check "Relabel on next reboot".
3 - Reboot
If you leave enforcing mode set to the default of "enforcing" you'll
get this error on reboot:
/sbin/init: error while loading shared libraries: libsepol.so.1:
failed to map segment from shared object: Permission denied
Kernel panic - not syncing: Attempted to kill init!
Note, you can also make these changes via the command line by editing
/etc/selinux/config, setup a relabel by touching /.autorelabel and
rebooting.
Hope that helps someone.
--Patrick
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You need to boot first
in permissive mode to allow relabeling to happen,
then reboot in enforcing mode.
Or just setenforce 1 after the first boot.
At the kernel boot line you can just enter enforcing=0 to boot in
permissive mode.
11:48 a.m.
New subject: Strict policy on FC6 and F7
Hallo
After a problem with the strict policy in FC6: firefox does not start under
strict policy. No messages at all. I decided to check if firefox under strict
policy on F7 works.
I have installed F7 and enabled strict policy. But from now on I can no longer
login in enforcing is on . When I enter username and password and I get
permission denied even for root in GDM. In console I just get new "username"
prompt.
I do not understand why firefox does not start in fc6 and
can not longin on F7 under strict policy?
What might be wrong?
Hal
____________________________________________________________________________________
Luggage? GPS? Comic books?
Check out fitting gifts for grads at Yahoo! Search
http://search.yahoo.com/search?fr=oni_on_mail&p=graduation+gifts&...
4:27 p.m.
New subject: Strict policy on FC6 and F7
2007-08-07 (火) の 09:48 -0700 に Hal さんは書きました:
Hallo
After a problem with the strict policy in FC6: firefox does not start under
strict policy. No messages at all. I decided to check if firefox under strict
policy on F7 works.
I have installed F7 and enabled strict policy. But from now on I can no longer
login in enforcing is on . When I enter username and password and I get
permission denied even for root in GDM. In console I just get new "username"
prompt.
I do not understand why firefox does not start in fc6 and
can not longin on F7 under strict policy?
What might be wrong?
Because, now you're in enforcing mode,
please disable SELinux and login.
Install devel policy.
#yum install selinux-policy-devel
Please install this module.
#vim local.te
module local 1.0;
require {
type local_login_t;
class netlink_audit_socket { append bind connect shutdown ioctl
getattr
setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create
read };
}
logging_send_audit_msg(local_login_t)
logging_set_loginuid(local_login_t)
#make -f /usr/share/selinux/devel/Makefile local.pp
#semodule -i local.pp
#semodule -l|grep local
Set SELinux enforcing.
Did it work?
Hal
____________________________________________________________________________________
Luggage? GPS? Comic books?
Check out fitting gifts for grads at Yahoo! Search
http://search.yahoo.com/search?fr=oni_on_mail&p=graduation+gifts&...
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
6105
days inactive
6110
days old
selinux@lists.fedoraproject.org
3 comments
4 participants
participants (4)
-
Daniel J Walsh -
Hal -
Patrick McNeal -
shintaro_fujiwara