When I install FC4T2 and convert it to strict policy I get a huge number of AVC messages related to setfiles running in domain initrc_t. It seems that the solution to this problem when converting from targeted to strict is to have the following in setfiles.te:

    ifdef(`distro_redhat', `
    domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
    ')

We already have can_setenforce(initrc_t) in initrc.te so this isn't really granting any extra access.

In the targeted policy we need to have definitions of all the types that are used before /.autorelabel is checked. I have attached an archive of the policy necessary in targeted to make the conversion to strict run smoothly. Note that it only adds 9 aliases and 46 lines of file context so it won't have any noticeable overhead when using targeted policy, but it will make things quite a bit nicer when converting from targeted to strict. While the AVC messages don't really do any harm, it will give less annoyance and confusion for users to have them gone.

Incidentally for my testing I've relabeled the system in enforcing mode and had it work fine. We can't do this in production because in some situations a relabel operation will be because of the configuration of the machine being badly messed up, enough so that it may not be possible to relabel in enforcing mode.

Incidentally I've just filed a bugzilla requesting that there be an "autorelabel" option for the kernel command line to give the same results as a /.autorelabel file. That saves booting a messed up machine in permissive mode for the purpose of creating the file.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154496

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
Attachment:
t.tgz
Description: application/tgz
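A quick way to confirm the symptom described above (setfiles running in initrc_t rather than transitioning to setfiles_t during a relabel) is to scan the audit log for AVC denials whose comm is setfiles and whose source domain is not setfiles_t. The script below is an added example, not part of the post or its attached policy; the audit lines it parses are constructed for illustration and the field layout assumed is the classic "avc: denied { perms } for ... scontext= tcontext= tclass=" format.

```python
import re

# Constructed sample audit lines (not taken from the post): two denials showing
# setfiles running in initrc_t during a relabel, plus one unrelated denial.
SAMPLE_AVC_LINES = """\
audit(1113895620.141:5): avc:  denied  { relabelto } for  pid=1337 comm="setfiles" name="passwd" dev=hda2 ino=4242 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:etc_t tclass=file
audit(1113895620.142:6): avc:  denied  { relabelfrom } for  pid=1337 comm="setfiles" name="shadow" dev=hda2 ino=4243 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1113895621.000:7): avc:  denied  { read } for  pid=1400 comm="httpd" name="index.html" dev=hda2 ino=9000 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
"""

# Matches the fields of a classic AVC denial record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # Third field of a context (user:role:type) is the type, i.e. the domain for a process.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def find_untransitioned_setfiles(lines, expected_domain="setfiles_t"):
    """Return (source domain, target type, perms) for every denial where setfiles ran
    outside expected_domain. An empty list means the domain transition is in place."""
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["comm"] != "setfiles":
            continue
        if rec["sdomain"] != expected_domain:
            findings.append((rec["sdomain"], rec["ttype"], tuple(rec["perms"])))
    return findings


if __name__ == "__main__":
    for sdomain, ttype, perms in find_untransitioned_setfiles(SAMPLE_AVC_LINES.splitlines()):
        print("setfiles ran in %s (denied %s on %s): missing domain_auto_trans in setfiles.te"
              % (sdomain, " ".join(perms), ttype))
```

Run it against /var/log/messages (or the audit log) after a relabel; any output means the domain_auto_trans rule from the post is not in effect.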
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-selinux-list