Here is the message from the "fedora-test-list"
In reply to Gene C. on this list (his posting is on my other box), This message is being sent from Mozilla running on the current /development tree (at runlevel 5) in "enforcing mode". Below are the three avc denied messages from when I booted in enforcing mode. This is with the "as provided" policy with one change in the "users" file to add my username as an "admin". Once you have installed the policy and policy-sources and done "make reload" in /etc/security/selinux/src/policy you must also do "make relabel" (it can take a while) to label all the files correctly.
Richard Hally
from /var/log/messages:
Mar 25 20:17:10 old1 kernel: audit(1080263823.652:0): avc: denied { append } for pid=1053 exe=/sbin/syslogd name=news.crit dev=hdc3 ino=196974 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:innd_log_t tclass=file
Mar 25 20:17:10 old1 kernel: audit(1080263823.653:0): avc: denied { append } for pid=1053 exe=/sbin/syslogd name=news.err dev=hdc3 ino=196975 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:innd_log_t tclass=file
Mar 25 20:17:10 old1 kernel: audit(1080263823.654:0): avc: denied { append } for pid=1053 exe=/sbin/syslogd name=news.notice dev=hdc3 ino=196973 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:innd_log_t tclass=file
-- fedora-test-list mailing list fedora-test-list@redhat.com To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-test-list
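As an added example (not code from anyone in this thread), the following Python script parses "avc: denied" lines in the 2004-era format quoted above, groups them by source type, target type and object class, and renders each group as a TE allow rule of the kind a policy fix like the innd.te Stephen mentions would contain. The sample log is constructed from the three denials in the message plus one non-AVC line; whether an allow rule or a relabel of the files is the right fix is a policy decision the script does not make.

```python
import re
from collections import defaultdict

# Constructed sample: the three denials from the message plus one unrelated line.
SAMPLE_LOG = """\
Mar 25 20:17:10 old1 kernel: audit(1080263823.652:0): avc: denied { append } for pid=1053 exe=/sbin/syslogd name=news.crit dev=hdc3 ino=196974 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:innd_log_t tclass=file
Mar 25 20:17:10 old1 kernel: audit(1080263823.653:0): avc: denied { append } for pid=1053 exe=/sbin/syslogd name=news.err dev=hdc3 ino=196975 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:innd_log_t tclass=file
Mar 25 20:17:10 old1 kernel: audit(1080263823.654:0): avc: denied { append } for pid=1053 exe=/sbin/syslogd name=news.notice dev=hdc3 ino=196973 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:innd_log_t tclass=file
Mar 25 20:18:02 old1 kernel: not an avc line at all
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")


def parse_avc(line):
    """Return a dict for one 'avc: denied' line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("kv")):
        rec[key] = val
    # A context is user:role:type; the type is what TE rules are written against.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, class) -> set of denied permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return groups


def allow_rules(groups):
    """Render each group as a TE allow rule (a starting point for a policy fix, not the fix itself)."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in groups.items()
    )


if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

Run it against a real /var/log/messages by replacing SAMPLE_LOG with the file's contents; the three syslogd denials collapse into a single rule because they differ only in the target file, not in its type.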
On Fri, 26 Mar 2004 18:43, "Richard Hally" rhally@mindspring.com wrote:
Mar 25 20:17:10 old1 kernel: audit(1080263823.652:0): avc: denied { append } for pid=1053 exe=/sbin/syslogd name=news.crit dev=hdc3 ino=196974 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:innd_log_t tclass=file
I've attached a new version of innd.te which should fix this.
On Fri, 2004-03-26 at 02:43, Richard Hally wrote:
Once you have installed the policy and policy-sources and done "make reload" in /etc/security/selinux/src/policy you must also do "make relabel" (it can take a while) to label all the files correctly.
The 'make relabel' shouldn't be necessary if you do a clean install, as rpm knows to set the file contexts now, right? Only necessary if you are upgrading an existing system to FC2 devel and need to retroactively apply the labels.
On Fri, Mar 26, 2004 at 09:00:43AM -0500, Stephen Smalley wrote:
The 'make relabel' shouldn't be necessary if you do a clean install, as rpm knows to set the file contexts now, right? Only necessary if you are upgrading an existing system to FC2 devel and need to retroactively apply the labels.
Unless you are not formatting a partition, like /home. You will need to relabel /home:
/usr/sbin/setfiles /etc/security/selinux/file_contexts /home
-----Original Message-----
From: fedora-selinux-list-bounces@redhat.com [mailto:fedora-selinux-list-bounces@redhat.com] On Behalf Of Stephen Smalley
Sent: Friday, March 26, 2004 9:01 AM
To: Fedora SELinux support list for users & developers.
Subject: Re: FW: selinux enforcing
On Fri, 2004-03-26 at 02:43, Richard Hally wrote:
Once you have installed the policy and policy-sources and done "make reload" in /etc/security/selinux/src/policy you must also do "make relabel" (it can take a while) to label all the files correctly.
The 'make relabel' shouldn't be necessary if you do a clean install, as rpm knows to set the file contexts now, right? Only necessary if you are upgrading an existing system to FC2 devel and need to retroactively apply the labels.
-- Stephen Smalley sds@epoch.ncsc.mil National Security Agency
I only do the "make relabel" after installing an updated policy to regression test the relabel and in case there have been changes to the file_contexts provided in the update. The other possible "wrong context" situation may be from running in permissive mode where something that would not happen in enforcing mode was allowed to happen and a file received an incorrect context. Am I on the right track or "do I need a visit from the clue stick"?
Richard Hally
On Fri, 2004-03-26 at 15:27, Richard Hally wrote:
I only do the "make relabel" after installing an updated policy to regression test the relabel and in case there have been changes to the file_contexts provided in the update. The other possible "wrong context" situation may be from running in permissive mode where something that would not happen in enforcing mode was allowed to happen and a file received an incorrect context. Am I on the right track or "do I need a visit from the clue stick"?
No, that's right. I was just noting that a clean install of fc2 devel with selinux should set the file contexts initially for you, without requiring an initial make relabel, since rpm knows about security contexts now. I'm not 100% certain of that; I suppose a 'make checklabels' after a clean install would be prudent.
On Friday 26 March 2004 15:45, Stephen Smalley wrote:
On Fri, 2004-03-26 at 15:27, Richard Hally wrote:
I only do the "make relabel" after installing an updated policy to regression test the relabel and in case there have been changes to the file_contexts provided in the update. The other possible "wrong context" situation may be from running in permissive mode where something that would not happen in enforcing mode was allowed to happen and a file received an incorrect context. Am I on the right track or "do I need a visit from the clue stick"?
No, that's right. I was just noting that a clean install of fc2 devel with selinux should set the file contexts initially for you, without requiring an initial make relabel, since rpm knows about security contexts now. I'm not 100% certain of that; I suppose a 'make checklabels' after a clean install would be prudent.
OK, I just had something a bit strange happen ...
I updated some of the packages on my x86_64 system including policy and policy-sources (to 1.9-15). I then rebooted. Oops .. things were a bit strange, such as my admin id (defined in users) could not find its home directory. Logged in as root and ran "make reload" and "make relabel" and then rebooted again. This time things work as expected.
From the above, this should not be happening ... right?
Gene
On Friday 26 March 2004 02:43, Richard Hally wrote:
In reply to Gene C. on this list (his posting is on my other box), This message is being sent from Mozilla running on the current /development tree (at runlevel 5) in "enforcing mode". Below are the three avc denied messages from when I booted in enforcing mode. This is with the "as provided" policy with one change in the "users" file to add my username as an "admin". Once you have installed the policy and policy-sources and done "make reload" in /etc/security/selinux/src/policy you must also do "make relabel" (it can take a while) to label all the files correctly.
OK, now we are cooking.
1. I found that there are RELEASE-NOTES under development/i386 (I am using development/x86_64). This provides much of the info I was lacking.
2. Your info above was just great. After doing "make reload" and "make relabel", most of the error messages disappeared and most services started ... also gdm now works. Now I can start playing with things to see how they work.
A comment: I had done a fresh nfs everything install using a development snapshot which is fairly current (Tuesday 24 March). I believe that things should have worked the way they do now without my needing to run "make reload" (and possibly "make relabel"). I did originally come up in permissive mode so maybe that was my problem and everything would have worked if I came up in enforcing mode from the start ... I don't know. I am going to play with this a bit more to see if I can just install and come up with nothing extra being done (except disabling kudzu until that problem is fixed).
Thanks to all who provided info. I can already see that the selinux functionality as being delivered in FC2 is just a start ... there will need to be lots of experimenting to see just what to lock down to make this a more secure environment.
Gene