FC6 SELinux issues

Daniel J Walsh dwalsh at redhat.com
Thu Oct 5 14:29:50 UTC 2006


Gene Czarcinski wrote:
> On Wednesday 04 October 2006 18:27, Gene Czarcinski wrote:
>   
>> On Wednesday 04 October 2006 17:09, Gene Czarcinski wrote:
>>     
>>> Before I spend time putting in bugzilla reports, since it is going to take
>>> time to gather the documentation, I am hoping some of this is known.
>>>  This testing was done with clean installs on hardware and using vmware.
>>>
>>> 1.  install selinux-policy-mls and switch to it using the
>>> system-config-security tool ... then reboot and do the relabeling
>>> (enforcing=0).  Then reboot again (enforcing=1) ... oops, an almost
>>> immediate kernel panic!
>>>
>>> 2.  OK, get the system back up in targeted mode.  I then thought I would
>>> try strict ... install selinux-policy-strict ... then reboot and do the
>>> relabeling (enforcing=0).  Then reboot again (enforcing=1) ... better ...
>>> no kernel panic ... but not much better since some services fail starting
>>> and, when I logon as root, I cannot do anything.
>>>       
>> Grumble, grumble.  Naturally, what did not work at work now works (sort of)
>> when I try to reproduce it at home.  I do believe that there are some
>> problems but I need to "better" reproduce them.
>>
>> I would still like to know if someone has installed something like fc6test3
>> and then installed and switched to the mls policy ... did it work? ... did
>> it not work?
>>     
>
> Well, at least one of the problems (kernel panic) appears to be hardware 
> related ... does not work on old dual P4 (Dell 350 workstation) but does work 
> on AMD X2 4400+ processor system.  There are still some services that are not 
> working but that will take a lot more work to track down.
>
> Gene
>   
MLS Policy is a server-only policy.  I.e., we do not support X-Windows.  
So if you want to change to MLS you need to remove all X-Windows 
software and relabel.  Then it should work, but you need to understand 
how an MLS environment works.

Strict policy is not heavily tested in Fedora.  Most people run 
targeted.  We will look at any problems that you have with it, though.

There is not that much difference between strict and targeted policy at 
this point on the system space side and I want to work on adding 
Userspace confinement via targeted policy and booleans in the future.  
So people can begin to confine userspace if they so choose.