Hi guys,

First let me start off by saying that I’ve been running Fedora Core 2 with SELinux in permissive mode since a few days after it was released officially with no real system problems. That being said, I’m trying to understand how to do things properly to maintain the integrity of the system and perform the auditing I desire.

Is there a good place to look which documents the SELinux relevant commands? The Fedora Core 2 SELinux FAQ has some interesting info, but relatively few commands. A Gentoo related site gave me some command ideas. Perhaps this is on the documentation CD for Fedora Core 2, which I have yet to download? I expected to be able to hunt through the man pages starting with man selinux, but that didn’t pan out. I found some other references online called the Getting Started with SE Linux HOWTO and Gentoo SE Linux HOWTO, but these offered some commands not available in the Fedora Core 2 implementation.

To be more specific, I have been able to type “id” and “newrole”, but not able to type “rlpkg” and “run_init”. Re-labeling a file system is something they do with “cd /etc/security/selinux/src/policy; make relabel”, but I was unable to find the equivalent.

I have a very specific issue that I’m trying to figure out. For some reason, when a role violation (perhaps there’s a better phrase) occurs and a log message is produced in /var/log/messages, I would like to see a user id and the context. For example, in “Getting Started with SE Linux HOWTO” (7. Explanation of log file messages) the example shows the following scontext:

    scontext: faye:user_r:user_t

This is great, as I would know to contact the user faye and ask about the situation. But on my Fedora Core 2 machine, my /var/log/messages produces:

    scontext: user_u:user_r:user_t

This is not so useful, as I have no idea who user_u is. I am using NIS for this system. Typing “id” on my system produces:

    uid=706(dan) gid=20(games) groups=20(games),501(test) context=user_u:user_r:user_t

So I guess everything is consistent with the log entry as far as the system is concerned. I just don’t want a generic user_u to get filled in for violations. I want the specific user id and name. Perhaps I need to configure some more stuff for use with NIS?

Daniel J. Levine
Section Supervisor
Johns Hopkins University Applied Physics Laboratory
443-778-3952
240-228-3952