Gene Czarcinski wrote:
On Saturday 03 April 2004 00:46, Daniel J Walsh wrote:
I have written the steps in the bug report on how to get up2date fixed. The final fix for the up2date package has not been released yet.
First off you should never have to do a relabel, or only under extreme
circumstances.
The problem here was the movement of the .Xauthority file out to /tmp.
The new policy should fix your problem.
When we get to the end point (FC2 gold) this system is going to be very stable and secure. However, the transition with its large number of daily updates sure makes things "interesting" ... I have managed to screw things up on one system so that I am on my third install.
Unfortunately, discovering all of the different nuances necessary in a security policy supporting real people, real systems, and real situations is a lot more difficult than having a policy in a controlled experiment. Well, we are all here trying to pound this into something that works and I believe it will work pretty well when FC2 gold comes out but a whole lot better in FC2 gold. This is going to take time.
One big gripe I do have is up2date: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=119538
When rpm fails to (properly) install a package because of some selinux policy thing, this is not handled well by up2date. In fact, up2date reports that the package was installed properly when it was not installed. My latest experience with that is when I tried updating gdm ... old package removed but new package not installed. I only found this because I am manually querying rpm after every update. When I tried to manually install the package, I saw the errors. I then did "setenforce 0", manually installed the old package, manually installed the new package, and "setenforce 1". Update now complete.
This rpm/up2date problem needs to be addressed. Unfortunately, it is not clear that my bugzilla report is being addressed.
Fixing up2date is a multi-step process.
One, update to latest policy.
restorecon /usr/sbin/up2date
Update to latest usermode.
Add
ROLE=sysadm_r
TYPE=rpm_t
to /etc/security/console.apps/up2date.
Gene
--
fedora-selinux-list mailing list
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
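
The manual check described in the thread (querying rpm after every update to catch a package that was removed but never reinstalled) can be scripted by comparing rpm database snapshots. This is an added example, not part of the original thread or of up2date; the snapshot file layout, the function names and the sample package versions are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example: compare rpm database snapshots taken before and after an
# update run. Each snapshot holds one "name version-release" pair per line:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | sort > before.txt

# Print names present before the update but absent afterwards
# (old package removed, new package never installed).
# $1 = before snapshot, $2 = after snapshot
vanished_packages() {
    awk 'FILENAME == ARGV[1] { after[$1] = 1; next }
         !($1 in after)      { print $1 }' "$2" "$1"
}

# Print names the updater claimed to update whose version-release is
# unchanged (update silently skipped or rolled back).
# $1 = before snapshot, $2 = after snapshot, $3 = list of claimed package names
unchanged_packages() {
    awk 'FILENAME == ARGV[1] { before[$1] = $2; next }
         FILENAME == ARGV[2] { after[$1] = $2; next }
         ($1 in before) && ($1 in after) && before[$1] == after[$1] { print $1 }' \
        "$1" "$2" "$3"
}

# Demonstration on constructed data (versions are made up, not from the thread).
demo() {
    local d
    d=$(mktemp -d) || return 1
    printf 'gdm 2.6.0-1\npolicy 1.9-1\nusermode 1.69-1\n' > "$d/before"
    printf 'policy 1.10-1\nusermode 1.69-1\n'             > "$d/after"
    printf 'gdm\npolicy\nusermode\n'                      > "$d/claimed"
    echo "removed but not reinstalled: $(vanished_packages "$d/before" "$d/after")"
    echo "claimed but unchanged: $(unchanged_packages "$d/before" "$d/after" "$d/claimed")"
    rm -rf "$d"
}

demo
```

Any name printed by either function is a package to reinstall by hand and check against the audit log for denials.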