Re: Fedora (again) forces me to disable SELinux

Mark wrote:
Hey,

I just installed the Fedora 9 Beta release and am doing a full system
update as we speak.
While downloading the updates nothing is wrong.. it just downloads and
that's it. But when installing the updates I get a ton of selinux
notices!! and this is just a default Fedora 9 beta followed by a yum
-y update.

A few suggestions... first, this is beta software, so naturally the fresh beta install is going to have some issues. Why wouldn't you expect that it is possible selinux wouldn't play quietly in its corner right after you install... yet you probably wouldn't think twice about a few little issues with gdm or nautilus?

Now suggestions.
- To keep selinux running nicely on your desktop you need to relabel or restorecon your files frequently, especially after any updates are done. If you update selinux-policy or your kernel, immediately do 'touch /.autorelabel' and then reboot... when you don't you're tempting selinux to annoy you with denials (expected behavior).

- Use tmpfs for /tmp. This one suggestion from Dan Walsh has been very helpful for my systems. Just add the following line to your /etc/fstab:
tmpfs  /tmp  tmpfs  defaults 0 0

 then do:
rm -Rf /tmp/*; reboot

Then remember that files in tmp are supposed to be temporary and don't save large downloads, misc files, etc, in tmp... they will disappear at reboot, and tmp is only 512Mb with tmpfs defaults.

- Run selinux-policy-targeted (the default, so don't change it) and then learn a little bit about what denials mean, why they happen, and report those that you cannot figure out. Use setroubleshoot and sealert. I've got lots of denials in my audit database right now (actually 30+ of them are new today, for various stuff I've been testing)... but not one of them has stopped me from 'doing real work' on the system.

--
Andrew Farris <lordmorgul@xxxxxxxxx> www.lordmorgul.net
 gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB  5BD5 5F89 8E1B 8300 BF29
 revoked key 0xC99B1DF3 no longer used
No one now has, and no one will ever again get, the big picture. - Daniel Geer

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
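
Added example (not part of the original message, and not code from Fedora or setroubleshoot): a small Python summary of AVC denials, illustrating the advice above to learn what denials mean and to relabel after updates. The log lines are constructed samples, the function names are hypothetical, and treating a file_t or unlabeled_t target as a sign of a missing label that a relabel would fix is this example's own heuristic.

```python
import re
from collections import Counter

# Constructed sample audit.log lines (not taken from the original post).
SAMPLE_LOG = """\
type=AVC msg=audit(1207000001.101:31): avc:  denied  { read } for  pid=2101 comm="gdm-binary" name="example.conf" dev=dm-0 ino=4411 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1207000002.202:32): avc:  denied  { read } for  pid=2101 comm="gdm-binary" name="example.conf" dev=dm-0 ino=4411 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1207000002.202:32): arch=40000003 syscall=5 success=no exit=-13 comm="gdm-binary"
type=AVC msg=audit(1207000003.303:33): avc:  denied  { write getattr } for  pid=2250 comm="httpd" name="scratch" dev=dm-0 ino=5120 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1207000004.404:34): avc:  granted  { load_policy } for  pid=2300 comm="load_policy" scontext=system_u:system_r:load_policy_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumption of this example: a target of one of these types has no valid
# label on disk, which is the kind of denial a relabel is meant to clear.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

def sel_type(context):
    # A context is user:role:type[:level]; the type is the third field.
    return context.split(":")[2]

def summarize(log_text):
    # Count identical denials so repeats collapse into one row.
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # skips SYSCALL records and "granted" AVC messages
        key = (m["comm"], sel_type(m["scon"]), sel_type(m["tcon"]),
               m["tclass"], tuple(sorted(m["perms"].split())))
        counts[key] += 1
    return counts

def relabel_candidates(counts):
    # Denials whose target type suggests a missing or invalid file label.
    return sorted(k for k in counts if k[2] in UNLABELED_TYPES)

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        comm, st, tt, cls, perms = key
        hint = "  <- target looks unlabeled; relabel" if tt in UNLABELED_TYPES else ""
        print(f"{n:3d}  {comm} ({st}) -> {tt}:{cls} {{ {' '.join(perms)} }}{hint}")
```

On a real system the same functions can be fed the contents of /var/log/audit/audit.log instead of the embedded sample.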
