On Thu, 2006-11-30 at 21:10 +0100, Jimmy wrote:
Does the strict policy work at all?
I've installed FC6 4 times on 2 different PCs, and after the default
installation I've installed the strict policy package and enabled it,
relabeled the disk and rebooted it.
X boots up, but I can't log in. I get an error message, and looking
deeper into it, it says:
"Xlib: connection to ":0.0" refused by server
Xlib: no protocol specified
xrdb: Can't open display ':0'
...
..."
When I switch off enforcing (setenforce 0), it works fine. I have tried
this with the latest policy and updates as well, and I'm seriously
starting to wonder if the policy really works "out of the box".
The reason I want the strict policy is Fedora's own description of the
strict policy:
"Strict policy works best where you have a controlled userspace. For
example, you can setup a security policy where your users are only
allowed to use the Web browser to view files on the Internet and only
allowed to download to certain directories. You could limit what
applications the Web browser can launch to helper applications."
This is exactly what I want to do: I want to be able to boot up an FC6
on my VMware machine, start a Firefox session and browse some
stuff on the web in a secure way.
Sooo... is the strict policy broken, or am I broken? ;)

Strict policy almost always requires some customization, and since it is
not the default, it has a much smaller user (and thus testing) base in
Fedora. Have you looked at the avc: denied messages in
your /var/log/messages file (before auditd starts) and
in /var/log/audit/audit.log (once auditd starts) to see the specific
denials? Have you tried using audit2allow(1)? Read the Fedora SELinux
FAQ?
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
--
Stephen Smalley
National Security Agency
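The reply above tells the poster to read the avc: denied records in audit.log and hand them to audit2allow. As an added example (not part of the thread, and not Fedora's or audit2allow's own code), the script below parses AVC denial lines in the format auditd writes them, aggregates the denied permissions per (source type, target type, object class), and renders them as allow rules in the policy language, which is the core of what audit2allow automates. The log lines are constructed samples modelled on an X login failure under strict policy; the type names (user_t, xdm_xserver_t, xdm_tmp_t) are assumed for illustration and should be read from your own audit.log, and each generated rule is a candidate to review, not something to add blindly.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not from the original thread).
# Three AVC denials and one SYSCALL record, in auditd's line format.
# The contexts and types are assumed for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1164918600.123:45): avc:  denied  { connectto } for  pid=2345 comm="xrdb" path="/tmp/.X11-unix/X0" scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:xdm_xserver_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1164918600.456:46): avc:  denied  { read write } for  pid=2345 comm="xrdb" name="X0" dev=tmpfs ino=1234 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1164918601.789:47): avc:  denied  { write } for  pid=2346 comm="xterm" name="X0" dev=tmpfs ino=1234 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1164918601.789:47): arch=40000003 syscall=102 success=no exit=-13 comm="xterm"
"""

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return {
        'perms': set(m.group('perms').split()),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
        'comm': fields.get('comm', '?'),
    }


def summarize(log_text):
    """Aggregate denied permissions by (source type, target type, class).

    Returns (perms_by_key, comms_by_key); the second map records which
    programs triggered each denial, which helps when reviewing the rules.
    """
    perms_by_key = defaultdict(set)
    comms_by_key = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        # A context is user:role:type[:level]; the type is the third field.
        stype = d['scontext'].split(':')[2]
        ttype = d['tcontext'].split(':')[2]
        key = (stype, ttype, d['tclass'])
        perms_by_key[key] |= d['perms']
        comms_by_key[key].add(d['comm'])
    return perms_by_key, comms_by_key


def allow_rules(log_text):
    """Render the aggregated denials as policy-language allow rules."""
    perms_by_key, _ = summarize(log_text)
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ %s }' % perm_str
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, perm_str))
    return rules


if __name__ == '__main__':
    perms_by_key, comms_by_key = summarize(SAMPLE_AUDIT_LOG)
    for rule, key in zip(allow_rules(SAMPLE_AUDIT_LOG), sorted(perms_by_key)):
        print('%s  # seen from: %s' % (rule, ', '.join(sorted(comms_by_key[key]))))
```

Run it against a real file with `python3 script.py < /dev/null` replaced by reading `/var/log/audit/audit.log` into `SAMPLE_AUDIT_LOG`; before auditd starts, the same avc: denied lines appear in `/var/log/messages` and parse the same way. Two denials from different programs against the same target collapse into one rule, which is why the script keeps the comm names alongside: a rule that lets user_t write to the X socket is expected for a login session, while an unexpected comm name in that list is the thing worth investigating before loosening policy.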