1:43 a.m.
Here is the message from the "fedora-test-list"
In reply to Gene C. on this list (his posting is on my other box),
This message is being sent from Mozilla running on the current
/development tree (at runlevel 5) in "enforcing mode". Below are the
three avc denied messages from when I booted in enforcing mode.
This is with the "as provided" policy with one change in the "users"
file to add my username as an "admin".
Once you have installed the policy and policy-sources and done
"make reload" in /etc/security/selinux/src/policy you must also do
"make relabel" (it can take a while) to label all the files correctly.
Richard Hally
from /var/log/messages:
Mar 25 20:17:10 old1 kernel: audit(1080263823.652:0): avc: denied {
append } for pid=1053 exe=/sbin/syslogd name=news.crit dev=hdc3
ino=196974 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:innd_log_t tclass=file
Mar 25 20:17:10 old1 kernel: audit(1080263823.653:0): avc: denied {
append } for pid=1053 exe=/sbin/syslogd name=news.err dev=hdc3
ino=196975 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:innd_log_t tclass=file
Mar 25 20:17:10 old1 kernel: audit(1080263823.654:0): avc: denied {
append } for pid=1053 exe=/sbin/syslogd name=news.notice dev=hdc3
ino=196973 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:innd_log_t tclass=file
--
fedora-test-list mailing list
fedora-test-list(a)redhat.com
To unsubscribe:
http://www.redhat.com/mailman/listinfo/fedora-test-list
7:53 a.m.
On Fri, 26 Mar 2004 18:43, "Richard Hally" <rhally(a)mindspring.com> wrote:
Mar 25 20:17:10 old1 kernel: audit(1080263823.652:0): avc: denied
{
append } for pid=1053 exe=/sbin/syslogd name=news.crit dev=hdc3
ino=196974 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:innd_log_t tclass=file
I've attached a new version of innd.te which should fix this.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
8 a.m.
On Fri, 2004-03-26 at 02:43, Richard Hally wrote:
Once you have installed the policy and policy-sources and done
"make reload" in /etc/security/selinux/src/policy you must also do
"make relabel" (it can take a while) to label all the files correctly.
The 'make relabel' shouldn't be necessary if you do a clean install, as
rpm knows to set the file contexts now, right? Only necessary if you
are upgrading an existing system to FC2 devel and need to retroactively
apply the labels.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
10:53 a.m.
On Fri, Mar 26, 2004 at 09:00:43AM -0500, Stephen Smalley wrote:
The 'make relabel' shouldn't be necessary if you do a
clean install, as
rpm knows to set the file contexts now, right? Only necessary if you
are upgrading an existing system to FC2 devel and need to retroactively
apply the labels.
Unless you are not formatting a partition, like /home. You will need
to relabel /home:
/usr/sbin/setfiles /etc/security/selinux/file_contexts /home
2:27 p.m.
-----Original Message-----
From: fedora-selinux-list-bounces(a)redhat.com
[mailto:fedora-selinux-list-bounces@redhat.com]On Behalf Of Stephen Smalley
Sent: Friday, March 26, 2004 9:01 AM
To: Fedora SELinux support list for users & developers.
Subject: Re: FW: selinux enforcing
On Fri, 2004-03-26 at 02:43, Richard Hally wrote:
Once you have installed the policy and policy-sources and done
"make reload" in /etc/security/selinux/src/policy you must also do
"make relabel" (it can take a while) to label all the files correctly.
The 'make relabel' shouldn't be necessary if you do a clean install, as
rpm knows to set the file contexts now, right? Only necessary if you
are upgrading an existing system to FC2 devel and need to retroactively
apply the labels.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
--
I only do the "make relabel" after installing an updated policy to
regression test the relabel and in case there have been changes to the
file_contexts provided in the update. The other possible "wrong context"
situation may be from running in permissive mode where something that would
not happen in enforcing mode was allowed to happen and a file received an
incorrect context.
Am I on the right track or "do I need a visit from the clue stick"?
Richard Hally
2:45 p.m.
On Fri, 2004-03-26 at 15:27, Richard Hally wrote:
I only do the "make relabel" after installing an updated
policy to
regression test the relabel and in case there have been changes to the
file_contexts provided in the update. The other possible "wrong context"
situation may be from running in permissive mode where something that would
not happen in enforcing mode was allowed to happen and a file received an
incorrect context.
Am I on the right track or "do I need a visit from the clue stick"?
No, that's right. I was just noting that a clean install of fc2 devel
with selinux should set the file contexts initially for you, without
requiring an initial make relabel, since rpm knows about security
contexts now. I'm not 100% certain of that; I suppose a 'make
checklabels' after a clean install would be prudent.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
2:54 p.m.
On Friday 26 March 2004 15:45, Stephen Smalley wrote:
On Fri, 2004-03-26 at 15:27, Richard Hally wrote:
> I only do the "make relabel" after installing an updated policy to
> regression test the relabel and in case there have been changes to the
> file_contexts provided in the update. The other possible "wrong context"
> situation may be from running in permissive mode where something that
> would not happen in enforcing mode was allowed to happen and a file
> received an incorrect context.
> Am I on the right track or "do I need a visit from the clue stick"?
No, that's right. I was just noting that a clean install of fc2 devel
with selinux should set the file contexts initially for you, without
requiring an initial make relabel, since rpm knows about security
contexts now. I'm not 100% certain of that; I suppose a 'make
checklabels' after a clean install would be prudent.
OK, I just had something a bit strange happen ...
I updated some of the packages on my x86_64 system including policy and
policy-sources (to 1.9-15). I then rebooted. Oops .. things were a bit
stange such as my admin id (defined in users) could not find the its home
directory. Login as root and ran "make reload" and "make relabel" and
then
reboot again. This time things work as expected.
From the above, this should not be happening ... right?
Gene
10:25 a.m.
On Friday 26 March 2004 02:43, Richard Hally wrote:
In reply to Gene C. on this list (his posting is on my other box),
This message is being sent from Mozilla running on the current
/development tree (at runlevel 5) in "enforcing mode". Below are the
three avc denied messages from when I booted in enforcing mode.
This is with the "as provided" policy with one change in the "users"
file to add my username as an "admin".
Once you have installed the policy and policy-sources and done
"make reload" in /etc/security/selinux/src/policy you must also do
"make relabel" (it can take a while) to label all the files correctly.
OK, now we are cooking.
1. I found that there are RELEASE-NOTES under development/i386 (I am using
development/x86_64). This provides much of the info I was lacking.
2. Your info above was just great. After doing "make reload" and "make
relabel", most of the error messages disappeared and most services started
... also gdm now works. Now I can start playing with things to see how they
work.
A comment: I had done a fresh nfs everything install using a development
snapshot which is fairly current (Tuesday 24 March). I believe that things
should have worked the way they do now without my needing to run "make
reload" (and possibly "make relabel"). I did originally come up in
permissive mode so maybe that was my problem and everything would have worked
if I came up in enforcing mode from the start ... I don't know. I am going
to play with this a bit more to see if I can just install and come up with
nothing extra being done (except disabling kudzu until that problem is
fixed).
Thanks to all who provided info. I can already see that the selinux
functionality as being delivered in FC2 is just a start ... there will need
to be lots of experimenting to see just what to lock down to make this a more
secure environment.
Gene
7347
days inactive
7347
days old
selinux@lists.fedoraproject.org
7 comments
5 participants
participants (5)
-
Chuck Anderson -
Gene Czarcinski -
Richard Hally -
Russell Coker -
Stephen Smalley