On Thu, 06 May 2004 14:05:21 -0400 Stephen Smalley wrote:

>On Thu, 2004-05-06 at 10:14, Bob Gustafson wrote:
>> I was just able to upgrade 'yum update \*' my whole system (kernel 351smp)
>> and reboot and startx and Soundcard Detection (with sound).
>>
>> This was all with boot params 'selinux=1 enforcing=1'
>>
>> Congratulations on a pretty smooth transition.
>
>Not to be paranoid, but could you run /usr/sbin/sestatus -v as root?
>
>--

[root@hoho2 user1]# date
Thu May  6 14:14:53 CDT 2004
[root@hoho2 user1]# /usr/sbin/sestatus -v
SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Policy version:         17

Policy booleans:
user_ping                       inactive

Process contexts:
Current context:        root:sysadm_r:sysadm_t
Init context:           system_u:system_r:init_t
/sbin/mingetty          system_u:system_r:getty_t
/usr/sbin/sshd          system_u:system_r:sshd_t

File contexts:
Controlling term:       root:object_r:sysadm_devpts_t
/etc/passwd             system_u:object_r:etc_t
/etc/shadow             system_u:object_r:shadow_t
/bin/bash               system_u:object_r:shell_exec_t
/bin/login              system_u:object_r:login_exec_t
/bin/sh                 system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty            system_u:object_r:getty_exec_t
/sbin/init              system_u:object_r:init_exec_t
/sbin/mingetty          system_u:object_r:getty_exec_t
/usr/sbin/sshd          system_u:object_r:sshd_exec_t
/lib/libc.so.6          system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2      system_u:object_r:lib_t -> system_u:object_r:ld_so_t

Do copy and paste into file from screen

[root@hoho2 user1]# vim small.bug
[root@hoho2 user1]# rsync small.bug hoho0:/home/bobg
root@hoho0's password:
Warning: No xauth data; using fake authentication data for X11 forwarding.

As expected (???), but see log lines at bottom of this message. Target
machine does not have rsync with selinux.

Server is very old version of rsync, upgrade recommended.

Uptime on the target machine (lots of things have happened in 84 days):

[root@hoho0 root]# uptime
  2:28pm  up 84 days,  4 min,  2 users,  load average: 0.00, 0.00, 0.00
[root@hoho0 root]#

OK, now delicately step around the wall.

[root@hoho2 user1]# setenforce 0
[root@hoho2 user1]# rsync small.bug hoho0:/home/bobg
root@hoho0's password:
Server is very old version of rsync, upgrade recommended.

And lock the door afterwards

[root@hoho2 user1]# setenforce 1
[root@hoho2 user1]#

=====================

So, is it bullet-proof?

What doc would help to interpret the output of sestatus? [I was reading this
morning - I have about an inch of paper to go]

----
Some added info

Last night, I downloaded the upgraded setools. When I installed it/them, I
noticed that the policy files were recompiled as part of the 'make install'.

Since the policy files had been recompiled, I figured that it would not hurt
to do another 'fixfiles relabel', which was done before this morning's
success with yum.

BobG

Also, I noticed that when I have a gnome terminal window open and do 'su',
the following lines appear in /var/log/messages. Is this an unneeded
artifact coming from the X window system? The fact that it was denied does
not seem to affect the rootness of tasks after doing the 'su'

May  6 14:37:31 hoho2 su(pam_unix)[3755]: session opened for user root by user1(uid=500)
May  6 14:37:31 hoho2 kernel: audit(1083872251.894:0): avc:  denied  { add_name } for  pid=3755 exe=/bin/su name=.xautholimVP scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t tclass=dir
May  6 14:37:31 hoho2 kernel: audit(1083872251.894:0): avc:  denied  { create } for  pid=3755 exe=/bin/su name=.xautholimVP scontext=user_u:user_r:user_su_t tcontext=user_u:object_r:staff_home_dir_t tclass=file
May  6 14:37:31 hoho2 kernel: audit(1083872251.895:0): avc:  denied  { setattr } for  pid=3755 exe=/bin/su name=.xautholimVP dev=sda2 ino=7290886 scontext=user_u:user_r:user_su_t tcontext=user_u:object_r:staff_home_dir_t tclass=file
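The avc: denied lines at the end of the message are the thing to read before reaching for 'setenforce 0', since permissive mode switches off enforcement for every domain on the box, not just the one rsync or su runs in. The script below is an added example, not code from the post or from the SELinux tools: it parses the three audit lines quoted above (copied here as the sample input), groups the denied permissions by source type, target type and object class, and renders them as the 'allow' statements that audit2allow from the setools/policycoreutils packages would propose. It also flags the detail visible in the sample that a rule generator alone would paper over: the directory is labeled root:object_r:staff_home_dir_t while the file being created in it is user_u:object_r:staff_home_dir_t, so the SELinux user on the home directory does not match the subject, which is worth checking with 'ls -Z' before adding policy. The regular expressions and the user-mismatch heuristic are this example's own assumptions about the 2004-era log format shown on the page.

```python
import re
from collections import defaultdict

# Sample input: the /var/log/messages lines quoted in the message above.
SAMPLE_LOG = """\
May  6 14:37:31 hoho2 su(pam_unix)[3755]: session opened for user root by user1(uid=500)
May  6 14:37:31 hoho2 kernel: audit(1083872251.894:0): avc:  denied  { add_name } for  pid=3755 exe=/bin/su name=.xautholimVP scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t tclass=dir
May  6 14:37:31 hoho2 kernel: audit(1083872251.894:0): avc:  denied  { create } for  pid=3755 exe=/bin/su name=.xautholimVP scontext=user_u:user_r:user_su_t tcontext=user_u:object_r:staff_home_dir_t tclass=file
May  6 14:37:31 hoho2 kernel: audit(1083872251.895:0): avc:  denied  { setattr } for  pid=3755 exe=/bin/su name=.xautholimVP dev=sda2 ino=7290886 scontext=user_u:user_r:user_su_t tcontext=user_u:object_r:staff_home_dir_t tclass=file
"""

# Matches "avc:  denied  { perm perm } for  key=value ..." (assumed layout,
# taken from the lines above; later kernels add comm= and path= fields).
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC audit line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    rec.update(KV_RE.findall(m.group("rest")))
    # Contexts are user:role:type; the policy rule only cares about the type.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def summarize(log_text):
    """Group denials as (source type, target type, class) -> set of permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"])
            groups[key].update(rec["perms"])
    return dict(groups)


def allow_rules(groups):
    """Render the grouped denials as SELinux 'allow' statements."""
    rules = []
    for (src, tgt, cls), perms in sorted(groups.items()):
        rules.append("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms))))
    return rules


def label_mismatches(log_text):
    """Heuristic: report denials whose target carries a different SELinux user
    than the subject. In the sample the directory is root:object_r:... while
    the subject and the new file are user_u, a hint that the home directory
    was labeled by root and may need relabeling rather than a new rule."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            if rec["scontext"].split(":")[0] != rec["tcontext"].split(":")[0]:
                flagged.append((rec.get("name"), rec["tcontext"]))
    return flagged


if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE_LOG)):
        print(rule)
    for name, ctx in label_mismatches(SAMPLE_LOG):
        print("check label with ls -Z: %s is %s" % (name, ctx))
```

Feed it real lines with 'grep avc: /var/log/messages | python avcsum.py' style plumbing once it is wired to stdin; the point of keeping summarize() and label_mismatches() separate is that the generated allow rules are a starting point for reading, not something to paste into policy without first deciding whether the denial is a missing rule or a mislabeled file.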