On Thu, 06 May 2004 14:05:21 -0400 Stephen Smalley wrote:
>On Thu, 2004-05-06 at 10:14, Bob Gustafson wrote:
>> I was just able to upgrade 'yum update \*' my whole system (kernel 351smp)
>> and reboot and startx and Soundcard Detection (with sound).
>>
>> This was all with boot params 'selinux=1 enforcing=1'
>>
>> Congratulations on a pretty smooth transition.
>
>Not to be paranoid, but could you run /usr/sbin/sestatus -v as root?
>
>--
[root@hoho2 user1]# date
Thu May 6 14:14:53 CDT 2004
[root@hoho2 user1]# /usr/sbin/sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Policy version: 17
Policy booleans:
user_ping inactive
Process contexts:
Current context: root:sysadm_r:sysadm_t
Init context: system_u:system_r:init_t
/sbin/mingetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:sshd_t
File contexts:
Controlling term: root:object_r:sysadm_devpts_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/bash system_u:object_r:shell_exec_t
/bin/login system_u:object_r:login_exec_t
/bin/sh system_u:object_r:bin_t ->
system_u:object_r:shell_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/sbin/init system_u:object_r:init_exec_t
/sbin/mingetty system_u:object_r:getty_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t
Do copy and paste into file from screen
[root@hoho2 user1]# vim small.bug
[root@hoho2 user1]# rsync small.bug hoho0:/home/bobg
root@hoho0's password:
Warning: No xauth data; using fake authentication data for X11 forwarding.
As expected (???), but see log lines at bottom of this message.
Target machine does not have rsync with selinux.
Server is very old version of rsync, upgrade recommended.
Uptime on the target machine (lots of things have happened in 84 days):
[root@hoho0 root]# uptime
2:28pm up 84 days, 4 min, 2 users, load average: 0.00, 0.00, 0.00
[root@hoho0 root]#
OK, now delicately step around the wall.
[root@hoho2 user1]# setenforce 0
[root@hoho2 user1]# rsync small.bug hoho0:/home/bobg
root@hoho0's password:
Server is very old version of rsync, upgrade recommended.
And lock the door afterwards
[root@hoho2 user1]# setenforce 1
[root@hoho2 user1]#
=====================
So, is it bullet-proof?
What doc would help to interpret the output of sestatus?
[I was reading this morning - I have about an inch of paper to go]
----
Some added info
Last night, I downloaded the upgraded setools. When I installed it/them, I
noticed that the policy files were recompiled as part of the 'make install'.
Since the policy files had been recompiled, I figured that it would not
hurt to do another 'fixfiles relabel', which was done before this morning's
success with yum.
BobG
Also, I noticed that when I have a gnome terminal window open and do 'su',
the following lines appear in /var/log/messages.
Is this an unneeded artifact coming from the X window system? The fact that
it was denied does not seem to affect the rootness of tasks after doing the
'su'
May 6 14:37:31 hoho2 su(pam_unix)[3755]: session opened for user root by
user1(uid=500)
May 6 14:37:31 hoho2 kernel: audit(1083872251.894:0): avc: denied {
add_name } for pid=3755 exe=/bin/su name=.xautholimVP
scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t
tclass=dir
May 6 14:37:31 hoho2 kernel: audit(1083872251.894:0): avc: denied {
create } for pid=3755 exe=/bin/su name=.xautholimVP
scontext=user_u:user_r:user_su_t tcontext=user_u:object_r:staff_home_dir_t
tclass=file
May 6 14:37:31 hoho2 kernel: audit(1083872251.895:0): avc: denied {
setattr } for pid=3755 exe=/bin/su name=.xautholimVP dev=sda2 ino=7290886
scontext=user_u:user_r:user_su_t tcontext=user_u:object_r:staff_home_dir_t
tclass=file
