Re: fc5: several troubles at my first attempt

Stephen Smalley wrote:
> On Wed, 2006-03-15 at 12:26 -0500, Stephen Smalley wrote:
> > On Wed, 2006-03-15 at 19:08 +0200, Maxim Britov wrote:
> > > I have installed current fc5 by http about a week or two ago. It updated from rawhide.
> > > It is currently installed on hda2 and runs from qemu.
> > >
> > > I see many avc denied messages in dmesg (repeated 210 times with different pids):
> > > audit(1142439027.188:2): avc:  denied  { search } for  pid=349 comm="pam_console_app" name="var" dev=hda2 ino=210081 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
> > > hda2 here is /
> > Hmmm.../var should be labeled with system_u:object_r:var_t, not file_t.
> > Need to relabel?
> >
> > > It can't mount /var/spool/squid at boot time. dmesg is:
> > > audit(1142439059.662:212): avc:  denied  { mounton } for  pid=820 comm="mount" name="squid" dev=hda7 ino=261122 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:squid_cache_t:s0 tclass=dir
> > Might not be included in the current policy.
> >
> > > hda7 here is /var
> > > After booting I can mount it with: # mount /var/spool/squid (/etc/fstab uses default options):
> > > "kjournald starting.  Commit interval 5 seconds
> > >  EXT3 FS on hda5, internal journal
> > >  EXT3-fs: mounted filesystem with ordered data mode.
> > >  SELinux: initialized (dev hda5, type ext3), uses xattr"
> > >
> > > I can't switch to strict mode.
> > > I did it by editing /etc/selinux/config and touch /.autorelabel
> > Strict policy (i.e. SELINUXTYPE=strict) or enforcing mode (i.e.
> > SELINUX=enforcing)?  You want SELINUXTYPE=targeted, SELINUX=enforcing.
> > Boot with enforcing=0 if you need to temporarily boot permissive to
> > recover.  Boot with enforcing=0 autorelabel to force a relabel.
>
> I believe that the (highly modular) strict policy is known to be broken
> in fc5/rawhide because of the file contexts ordering issue, which
> requires further changes to libsemanage.  Right, Dan?  So only -targeted
> or -mls are in a working state.  Possibly that -strict policy shouldn't
> be included in fc5 since it is known to be broken?

Yes, strict is broken until we can update the tool chain, which can begin shortly after we ship FC5.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
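The two denials quoted in the thread illustrate the diagnostic Stephen applies by eye: a target context of file_t (the default label a file gets when no file_contexts entry or xattr applies) points to a mislabeled filesystem that a relabel fixes, while a target that already carries its proper type (squid_cache_t) points to a missing policy rule instead. The following script is an added example, not code from the thread or from the SELinux toolchain; it parses dmesg-style AVC lines into their fields, groups repeated denials by (comm, source type, permission, target type, class) so 210 near-identical lines collapse into one row, and applies that relabel-versus-policy heuristic. The sample lines are constructed from the two in the thread (with one duplicate pid added to show the grouping), and the set of "default label" types is an assumption kept in one place so it can be adjusted.

```python
import re
from collections import Counter

# Constructed sample: the two AVC lines from the thread, one of them repeated
# with a different pid, plus an unrelated kernel line that must be ignored.
SAMPLE_DMESG = """\
audit(1142439027.188:2): avc:  denied  { search } for  pid=349 comm="pam_console_app" name="var" dev=hda2 ino=210081 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1142439027.190:3): avc:  denied  { search } for  pid=350 comm="pam_console_app" name="var" dev=hda2 ino=210081 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1142439059.662:212): avc:  denied  { mounton } for  pid=820 comm="mount" name="squid" dev=hda7 ino=261122 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:squid_cache_t:s0 tclass=dir
kjournald starting.  Commit interval 5 seconds
"""

# Header of a kernel AVC message: audit(<secs>:<serial>): avc: denied|granted { perms } for <fields>
AVC_RE = re.compile(
    r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: types that mean "no real label was assigned", i.e. a relabel is needed.
DEFAULT_LABEL_TYPES = {'file_t', 'unlabeled_t'}


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC message."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms'),
    }
    rec.update({k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))})
    return rec


def context_type(ctx):
    """Extract the type from a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def diagnose(rec):
    """'relabel' if the target carries only a default label, else 'policy'."""
    if context_type(rec['tcontext']) in DEFAULT_LABEL_TYPES:
        return 'relabel'   # e.g. /var showing file_t instead of var_t: run a relabel
    return 'policy'        # labels look right; the policy lacks (or deliberately denies) the rule


def summarize(text):
    """Group denials so repeated pids collapse into one row with a count and a diagnosis."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (rec['comm'], context_type(rec['scontext']), rec['perms'],
               context_type(rec['tcontext']), rec['tclass'], diagnose(rec))
        counts[key] += 1
    return counts


if __name__ == '__main__':
    for (comm, stype, perms, ttype, tclass, verdict), n in summarize(SAMPLE_DMESG).items():
        print(f"{n:4d}x {comm:<16} {stype:<16} {{ {perms} }} -> {ttype:<16} {tclass:<6} {verdict}")
```

Running it against a real dmesg (`dmesg | python3 avc_summary.py` after swapping the sample for `sys.stdin.read()`) gives a compact view of what a noisy boot is actually complaining about; rows marked `relabel` are the ones a `touch /.autorelabel` (or `restorecon -R` on the path) should make disappear, and rows marked `policy` are the ones worth raising on the list or feeding to audit2allow for review.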
