On Tue, 2006-10-24 at 14:17 -0400, David Nedrow wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Has anyone successfully switched from targeted to strict policies
> under either FC5 or FC6?
>
> Under FC6, I switched policies and relabeled on a boot. I also booted
> into permissive mode. From there, I did an audit2allow to generate a
> list of items I would need to add to my running policy.
>
> After creating the module and loading it, all of the AVC messages
> disappear even after a reboot. So, to my way of thinking, everything
> should be working. However, if I enable enforcement, root can log in
> but not do anything beyond that. Only a reboot with enforcing set to
> permissive at the grub prompt gets root's login working again. Even
> after that, there are no new AVC messages.
>
> Does anyone have an idea as to what I'm missing?
>
> Prior to FC5, I had no problems with the strict policy.

A few observations:

- root is not necessarily all-powerful under SELinux; it depends on what
  role/domain he has. What does id show? root often has to first
  newrole -r sysadm_r in order to assume administrative privileges under
  strict policy. To enable other users to assume admin privileges, you
  will need to map them to staff_u using semanage so that they can
  newrole to sysadm_r and then run su or sudo as appropriate.

- Some AVC denials may not be audited due to dontaudit rules in the
  policy. These rules are there to avoid flooding the audit logs with
  noise from extraneous access attempts by libraries and applications
  that are not truly required for operation. In the past (before FC5),
  one could re-enable all such auditing by rebuilding the policy sources
  with 'make clean enableaudit load'. With the introduction of modular
  policy in FC5, you no longer have the full policy sources sitting
  around (unless you grab the .src.rpm), so the policy package instead
  prebuilds an enableaudit.pp file under
  /usr/share/selinux/(targeted|strict) that you can install via
  semodule -b to re-enable auditing, at least in the base module. But I
  don't believe this addresses non-base modules, which is an issue in a
  highly modularized policy like strict.

- FC5 strict policy was broken for other reasons (broken
  optionals-in-base support in that libsepol and checkpolicy). That may
  get sorted if Dan updates FC5 policy and rebuilds it with the latest
  libsepol and checkpolicy.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
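The checks Stephen's reply walks through (confirm root's current role with id, newrole to sysadm_r, map a login to staff_u with semanage, install the prebuilt enableaudit.pp with semodule -b), collected into a small POSIX shell script as an added example; this is not code from the thread or from the Fedora policy package. The `id -Z` context strings and the /etc/selinux/config text are constructed samples, the login name is an assumed placeholder, and the privileged commands are only printed in dry-run mode so the script runs on a box without SELinux.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): helper functions for
# the strict-policy checks discussed above. Sample inputs are constructed.

# Extract the role field from a context such as "root:staff_r:staff_t"
# (the form `id -Z` prints; MLS systems append a fourth field, e.g. ":s0").
role_of_context() {
    printf '%s\n' "$1" | cut -d: -f2
}

# Under strict policy root is only administrative in sysadm_r, so decide
# from the context whether a newrole is still needed.
admin_step_for() {
    case "$(role_of_context "$1")" in
        sysadm_r) echo "already in sysadm_r" ;;
        *)        echo "newrole -r sysadm_r" ;;
    esac
}

# Read SELINUXTYPE (targeted or strict) from config text on stdin; this is
# the directory name under /usr/share/selinux where enableaudit.pp lives.
policy_type_from_config() {
    grep '^SELINUXTYPE=' | head -n 1 | cut -d= -f2
}

# Command that maps a Linux login to the staff_u SELinux user so that the
# account can later newrole to sysadm_r (semanage login -a -s SEUSER NAME).
staff_mapping_cmd() {
    echo "semanage login -a -s staff_u $1"
}

# Command that installs the prebuilt enableaudit base module for the given
# policy type, turning dontaudit rules off in the base module only.
enableaudit_cmd() {
    echo "semodule -b /usr/share/selinux/$1/enableaudit.pp"
}

# Execute a command line, or only print it when DRYRUN is set.
run_or_show() {
    if [ -n "${DRYRUN:-}" ]; then
        echo "[dry-run] $*"
    else
        "$@"
    fi
}

# Demonstration on constructed input (not real output from any host).
main() {
    sample_ctx="root:staff_r:staff_t"        # constructed `id -Z` output
    sample_cfg="SELINUX=enforcing
SELINUXTYPE=strict"                          # constructed /etc/selinux/config
    ptype=$(printf '%s\n' "$sample_cfg" | policy_type_from_config)

    echo "current role : $(role_of_context "$sample_ctx")"
    echo "next step    : $(admin_step_for "$sample_ctx")"
    echo "policy type  : $ptype"
    DRYRUN=1 run_or_show $(staff_mapping_cmd dnedrow)   # assumed login name
    DRYRUN=1 run_or_show $(enableaudit_cmd "$ptype")
}

main
```

On a real strict-policy host, run `id -Z` as root first; if the role is not sysadm_r, the "root can log in but do nothing" symptom is expected and `newrole -r sysadm_r` is the fix, not more audit2allow rules. Unset DRYRUN only when you actually intend to change the login mapping or base module.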