Re: Installing the new policy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 2004-05-29 at 20:37, Tom London wrote:
> So here's the condensed version;
> 1. installing selinux-policy-strict-sources (and selinux-policy-strict) 
> did not setup /etc/selinux/config, nor did it modify 
> /etc/sysconfig/selinux.  (I must admit that I was confused by the 
> message thread. Did I need to remove /etc/sysconfig/selinux before doing 
> the 'yum install selinux-policy-strict-sources'?  I thought the install 
> would add the 'SELINUXTYPE=strict' line to an existing file, but I may 
> have read this wrong.)

I don't think that Dan has set up the spec file to do this yet in
%post.  So you have to manually create /etc/selinux/config at present. 
/etc/sysconfig/selinux is obsolete with the newer libselinux and
SysVinit.  /usr/bin/selinuxconfig will show what libselinux thinks are
the active policy paths.

> 2. My system was 'setup' to boot by default into 'disabled' mode. This 
> caused a lot of problems with unlabeled files, directories, etc. 

I think that this will eventually be covered by changing the spec file
to create /etc/selinux/config if it does not already exist.  Dan?

> 3. I had to 'yum remove setools'. Did this cause my booting or other 
> problems?

No, I don't think it created any of the problems you experienced.  But
setools will need to be updated to use the new libselinux functions, and
rebuilt.

> 4. I added both 'SELINUXTYPE=' and 'POLICYTYPE=' lines to 
> /etc/sysconfig/selinux and to /etc/selinux/config.  Are both 
> needed/correct?  /sbin/fixfiles seems to want 'SELINUXTYPE'...

SELINUXTYPE is correct.  There was a bug in the spec file that was using
POLICYTYPE; that should be changed if it hasn't already.

> 5. I manually copied /etc/selinux/conf from /etc/sysconfig/selinux. Does 
> that provide the correct info/format?

Yes, except that you need to add a SELINUXTYPE=strict (or targeted) to
it, and it is named /etc/selinux/config.

You also need to relabel after updating the policy to get /etc/selinux
into the right types.  Odds of successfully making this transition in
enforcing mode are slim, I suspect.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux