Re: installation of selinux on non-selinux system


 



Daniel J Walsh wrote:


SELinux gives sort of a working system when using system-config-securitylevel to enable SELinux via the GUI (without policycoreutils being installed). I am not too sure if this would introduce "dep hell" if having policycoreutils pulled in when selinux-policy for targeted or strict is pulled from a repo.


I have changed selinux-policy-targeted to require policycoreutils so it will be pulled in in the future. Secondly from the looks of it you are running strict policy. Please either run system-config-securitylevel and select targeted policy and reboot. (/.autorelabel) should be created and
or you can edit /etc/selinux/config and change SELINUXTYPE=strict to SELINUXTYPE=targeted and touch /.autorelabel then reboot.


The init scripts will take care of relabeling.

Thanks for pulling in this package when installing selinux-policy-targeted. This sounds like it will help reduce the problem with httpd and system logs not being written when installing the policy and activating selinux.
I changed to targeted using system-config-securitylevel and I liked the warning that the system would relabel on next boot. Also, on the system when rebooted, I liked the warning that relabeling might take some time. Checking the log for avc errors after the system was relabeled shows no avc errors.


I'll keep in mind that strict policy is more current within rawhide. I was not aware that the strict policy within FC3 would not be current. Since FC3 was set up for targeted policy as default, I'll stay clear of strict policy for a while.

After relabeling my filesystem again in runlevel 1, I seem to get the same type of errors as experienced before. .mozilla related files seemed to be the major files that content was tried to be changed, when relabeling for strict. See attached avc for today.
In order to bring up X, running setenforce 0 at a root shell was needed, in order to launch X successfully. If there is some lingering config file, either systemwide or hanging out in the per user directory that is blocking X, I don't know.


The strict policy you are running, 1.17.30, is way out of date. If you want to run strict policy you need to grab the one off of Rawhide or my people page and update and relabel. Upgrades from non-SELinux boxes are not supported for SELinux for the simple reason that relabeling is required. So your machine ended up in a rather strange state.

I have another computer with rawhide repositories. I'll try strict on this system later on down the road. Rawhide was a little bit mongrelized on the day after FC3 came out. In a week, it might be a little more in tune. Regarding the need for relabeling being a roadblock for non-selinux systems. It might allow the system to choose this at either anaconda for install, but not activate selinux until either questions at firstboot or when selecting policy from s-c-securitylevel.

Thanks for the helpful information.

Jim

Dan


-- A prohibitionist is the sort of man one wouldn't care to drink with -- even if he drank. -- H.L. Mencken
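
The policy switch described in the message above (set SELINUXTYPE in /etc/selinux/config, create /.autorelabel, reboot), as an added shell example that is not part of the original thread. The `ROOT` argument, the function names and the two fixfiles locations it checks are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). ROOT lets the function run against a
# scratch tree; the fixfiles locations checked below are assumptions.

# Print the active SELINUXTYPE value; commented-out lines are ignored.
selinux_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' "$1" | tail -n 1
}

# switch_policy ROOT NEWTYPE
# Returns 0 on success (or nothing to do), 1 on bad input, 2 if the policy
# for NEWTYPE is not installed, 3 if policycoreutils' fixfiles is missing.
switch_policy() {
    root=${1%/}
    new=$2
    conf="$root/etc/selinux/config"
    case $new in
        ''|*[!A-Za-z0-9_-]*) echo "bad policy name" >&2; return 1 ;;
    esac
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    # Each policy type lives in its own directory under /etc/selinux.
    [ -d "$root/etc/selinux/$new" ] || { echo "policy $new not installed" >&2; return 2; }
    # The relabel relies on tools shipped in policycoreutils.
    [ -x "$root/sbin/fixfiles" ] || [ -x "$root/usr/sbin/fixfiles" ] ||
        { echo "fixfiles not found; install policycoreutils" >&2; return 3; }
    [ "$(selinux_type "$conf")" = "$new" ] && return 0
    tmp=$(mktemp) || return 1
    if grep -q '^[[:space:]]*SELINUXTYPE=' "$conf"; then
        sed "s/^[[:space:]]*SELINUXTYPE=.*/SELINUXTYPE=$new/" "$conf" > "$tmp"
    else
        { cat "$conf"; echo "SELINUXTYPE=$new"; } > "$tmp"
    fi
    # Write through the existing file so its owner, mode and label are kept.
    cat "$tmp" > "$conf" && rm -f "$tmp" || return 1
    # Flag file the init scripts check to relabel on the next boot.
    : > "$root/.autorelabel"
}

# Stand-alone use: sh switch.sh / targeted   (then reboot)
if [ "$#" -eq 2 ]; then
    switch_policy "$1" "$2"
fi
```

The function refuses to change anything when the target policy or the relabel tooling is absent, so the system is never left pointing at a policy it cannot label for.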

