On Sat, 2004-05-29 at 20:37, Tom London wrote:
> So here's the condensed version;
> 1. installing selinux-policy-strict-sources (and selinux-policy-strict)
> did not setup /etc/selinux/config, nor did it modify
> /etc/sysconfig/selinux. (I must admit that I was confused by the
> message thread. Did I need to remove /etc/sysconfig/selinux before doing
> the 'yum install selinux-policy-strict-sources'? I thought the install
> would add the 'SELINUXTYPE=strict' line to an existing file, but I may
> have read this wrong.)

I don't think that Dan has set up the spec file to do this yet in %post.
So you have to manually create /etc/selinux/config at present.
/etc/sysconfig/selinux is obsolete with the newer libselinux and
SysVinit. /usr/bin/selinuxconfig will show what libselinux thinks are
the active policy paths.

> 2. My system was 'setup' to boot by default into 'disabled' mode. This
> caused a lot of problems with unlabeled files, directories, etc.

I think that this will eventually be covered by changing the spec file
to create /etc/selinux/config if it does not already exist. Dan?

> 3. I had to 'yum remove setools'. Did this cause my booting or other
> problems?

No, I don't think it created any of the problems you experienced. But
setools will need to be updated to use the new libselinux functions, and
rebuilt.

> 4. I added both 'SELINUXTYPE=' and 'POLICYTYPE=' lines to
> /etc/sysconfig/selinux and to /etc/selinux/config. Are both
> needed/correct? /sbin/fixfiles seems to want 'SELINUXTYPE'...

SELINUXTYPE is correct. There was a bug in the spec file that was using
POLICYTYPE; that should be changed if it hasn't already.

> 5. I manually copied /etc/selinux/conf from /etc/sysconfig/selinux. Does
> that provide the correct info/format?

Yes, except that you need to add a SELINUXTYPE=strict (or targeted) to
it, and it is named /etc/selinux/config. You also need to relabel after
updating the policy to get /etc/selinux into the right types.
Odds of successfully making this transition in enforcing mode are slim,
I suspect.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
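
One way to check a config file for the problems covered in the reply above, as an added example that is not part of the original message or of any SELinux package. The function names and finding labels are hypothetical, and treating the last uncommented assignment as the effective one is an assumption about parsing.

```shell
#!/bin/sh
# Added example: lint an SELinux config file for the issues in this thread.

# Print the value of the last uncommented KEY= line in FILE.
# Assumption: when a key repeats, the last assignment is the one that counts.
cfg_value() {
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2" | tail -n 1
}

# Returns 0 if clean, 1 if any finding was printed, 2 if the file is missing.
check_selinux_config() {
    cfg="${1:-/etc/selinux/config}"
    findings=0
    if [ ! -f "$cfg" ]; then
        echo "MISSING: $cfg not found; create it manually"
        return 2
    fi
    mode=$(cfg_value SELINUX "$cfg")
    ptype=$(cfg_value SELINUXTYPE "$cfg")
    if [ -z "$mode" ]; then
        echo "NO-MODE: no SELINUX= line"; findings=1
    elif [ "$mode" = "disabled" ]; then
        echo "DISABLED: files created in this mode are unlabeled; relabel"; findings=1
    fi
    if [ -z "$ptype" ]; then
        echo "NO-TYPE: add SELINUXTYPE=strict (or targeted)"; findings=1
    fi
    if grep -q '^[[:space:]]*POLICYTYPE=' "$cfg"; then
        echo "WRONG-KEY: POLICYTYPE= found; the correct key is SELINUXTYPE="; findings=1
    fi
    [ "$findings" -eq 0 ] && echo "OK: SELINUX=$mode SELINUXTYPE=$ptype"
    return "$findings"
}

# Constructed sample: a file copied from the old /etc/sysconfig/selinux.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '# constructed sample' 'SELINUX=disabled' 'POLICYTYPE=strict' > "$tmp"
    demo_rc=0
    check_selinux_config "$tmp" || demo_rc=$?
    rm -f "$tmp"
    return "$demo_rc"
}

# Run the demo only when asked, e.g.: sh lint.sh --demo
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Called with no argument, `check_selinux_config` reads /etc/selinux/config, the path named in the reply.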