On Sat, 2004-05-29 at 20:37, Tom London wrote:
So here's the condensed version;
1. installing selinux-policy-strict-sources (and selinux-policy-strict)
did not setup /etc/selinux/config, nor did it modify
/etc/sysconfig/selinux. (I must admit that I was confused by the
message thread. Did I need to remove /etc/sysconfig/selinux before doing
the 'yum install selinux-policy-strict-sources'? I thought the install
would add the 'SELINUXTYPE=strict' line to an existing file, but I may
have read this wrong.)
I don't think that Dan has set up the spec file to do this yet in
%post. So you have to manually create /etc/selinux/config at present.
/etc/sysconfig/selinux is obsolete with the newer libselinux and
SysVinit. /usr/bin/selinuxconfig will show what libselinux thinks are
the active policy paths.
2. My system was 'setup' to boot by default into
'disabled' mode. This
caused a lot of problems with unlabeled files, directories, etc.
I think that this will eventually be covered by changing the spec file
to create /etc/selinux/config if it does not already exist. Dan?
3. I had to 'yum remove setools'. Did this cause my booting
No, I don't think it created any of the problems you experienced. But
setools will need to be updated to use the new libselinux functions, and
4. I added both 'SELINUXTYPE=' and 'POLICYTYPE='
/etc/sysconfig/selinux and to /etc/selinux/config. Are both
needed/correct? /sbin/fixfiles seems to want 'SELINUXTYPE'...
SELINUXTYPE is correct. There was a bug in the spec file that was using
POLICYTYPE; that should be changed if it hasn't already.
5. I manually copied /etc/selinux/conf from /etc/sysconfig/selinux.
that provide the correct info/format?
Yes, except that you need to add a SELINUXTYPE=strict (or targeted) to
it, and it is named /etc/selinux/config.
You also need to relabel after updating the policy to get /etc/selinux
into the right types. Odds of successfully making this transition in
enforcing mode are slim, I suspect.
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency