FC6 SELinux issues

Gene Czarcinski gene at czarc.net
Wed Oct 4 21:09:08 UTC 2006


I have been running FC6T3 plus updates and an even more recent install from 
FC6 development (selinux targeted and enforcing) and everything is looking 
very good.  Since I follow the LSPP list and know that a lot of work has been 
done with the mls policy for RHEL 5 (and FC6), I thought I would give it a 
try.

Before I spend time putting in bugzilla reports, since it is going to take time to 
gather the documentation, I am hoping some of this is known.  This testing 
was done with clean installs on hardware and using vmware.

1.  install selinux-policy-mls and switch to it using the 
system-config-security tool ... then reboot and do the relabeling 
(enforcing=0).  Then reboot again (enforcing=1) ... oops, an almost immediate 
kernel panic!

2.  OK, get the system back up in targeted mode.  I then thought I would try 
strict ... install selinux-policy-strict ... then reboot and do the relabeling 
(enforcing=0).  Then reboot again (enforcing=1) ... better ... no kernel 
panic ... but not much better since some services fail starting and, when I 
log on as root, I cannot do anything.

This is NOT GOOD!!!

3. While doing the above tests, I tried using the system-config-security gui 
tool to change the policy.  I booted up with enforcing=0 and then tried the 
tool to change back to targeted.  Since I run targeted with enforcing, I left 
the tool specification as enforcing.  Unfortunately, the tool sets enforcing 
for the runtime system BEFORE it changes the /etc/sysconfig/selinux file.

Folks, this does not look ready for prime time as close as we are to final!  
While I do not expect everything to work, I do expect a bit more than what I 
got.  From what I saw, this should be easily repeatable by developers.

As I said, it is going to take me a bit of time to gather documentation for 
bugzilla reports.  I hope that someone out there can give these policies a 
try to see if they can duplicate what I experienced.
-- 
Gene Czarcinski



