When I install FC4T2 and convert it to strict policy I get a huge number of
AVC messages related to setfiles running in domain initrc_t.
It seems that the solution to this problem when converting from targeted to
strict is to have the following in setfiles.te:
domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
We already have can_setenforce(initrc_t) in initrc.te so this isn't really
granting any extra access.
In the targeted policy we need to have definitions of all the types that are
used before /.autorelabel is checked. I have attached an archive of the
policy necessary in targeted to make the conversion to strict run smoothly.
Note that it only adds 9 aliases and 46 lines of file context so it won't
have any noticeable overhead when using targeted policy, but it will make
things quite a bit nicer when converting from targeted to strict.
While the AVC messages don't really do any harm, it will give less annoyance
and confusion for users to have them gone. Incidentally for my testing I've
relabeled the system in enforcing mode and had it work fine. We can't do
this in production because in some situations a relabel operation will be
needed because of the configuration of the machine being badly messed up, enough
so that it may not be possible to relabel in enforcing mode.
Incidentally I've just filed a bugzilla requesting that there be a
"autorelabel" option for the kernel command line to give the same results as
a /.autorelabel file. That saves booting a messed up machine in permissive
mode for the purpose of creating the file.
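As an added illustration (not part of the original post), the following shell
function picks out of audit output exactly the symptom described above: AVC
denials where setfiles is still running in initrc_t, i.e. the
domain_auto_trans to setfiles_t did not happen. The AVC records and the
function names are constructed for this example; the record layout follows
the kernel audit format of that era.

```shell
#!/bin/sh
# Constructed sample AVC records (not taken from the post): two denials from
# setfiles running in initrc_t, one unrelated httpd denial, and one from
# setfiles already in setfiles_t.
SAMPLE_AVC='audit(1118265100.123:4): avc:  denied  { relabelto } for  pid=1234 comm="setfiles" name="passwd" dev=hda2 ino=12345 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:etc_t tclass=file
audit(1118265100.124:5): avc:  denied  { relabelfrom } for  pid=1234 comm="setfiles" name="shadow" dev=hda2 ino=12346 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1118265101.001:6): avc:  denied  { read } for  pid=1300 comm="httpd" name="index.html" dev=hda2 ino=999 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:home_root_t tclass=file
audit(1118265102.002:7): avc:  denied  { relabelto } for  pid=1400 comm="setfiles" name="motd" dev=hda2 ino=42 scontext=system_u:system_r:setfiles_t tcontext=system_u:object_r:etc_t tclass=file'

# Print "<permission> <tclass> <tcontext>" for every denial in which setfiles
# ran in the given source domain (default initrc_t). A non-empty result from
# the default call means the initrc_t -> setfiles_t transition is missing.
setfiles_denials_in_domain() {
    domain="${2:-initrc_t}"
    printf '%s\n' "$1" | awk -v dom="$domain" '
        /avc:  denied/ && /comm="setfiles"/ {
            src = ""; tgt = ""; cls = ""; perm = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      src = substr($i, 10)
                else if ($i ~ /^tcontext=/) tgt = substr($i, 10)
                else if ($i ~ /^tclass=/)   cls = substr($i, 8)
                else if ($i == "{")         perm = $(i + 1)
            }
            # the type is the last colon-separated field of the context
            n = split(src, parts, ":")
            if (parts[n] == dom) print perm, cls, tgt
        }'
}

# Number of such denials, as a bare integer.
count_setfiles_denials_in_domain() {
    setfiles_denials_in_domain "$1" "$2" | wc -l | tr -d ' '
}
```

On a real machine, feed it the AVC lines from /var/log/messages or the audit
log instead of the constructed sample; a count of zero after the setfiles.te
change is the expected outcome.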