On Thu, 2006-11-30 at 21:10 +0100, Jimmy wrote:
> Does the strict policy work at all?
> I've installed FC6 4 times on 2 different PCs, and after the default
> installation I've installed the strict policy package and enabled it,
> relabeled the disk and rebooted it.
> X boots up, but I can't log in. I get an error message, and looking
> deeper into it, it says:
> "Xlib: connection to ":0.0" refused by server
> Xlib: no protocol specified
>
> xrdb: Can´t open display ':0'
> ...
> ..."
>
> When I switch off enforced (setenforce 0), it works fine. I have tried
> this with the latest policy and updates as well, and am seriously
> starting to wonder if the policy really works "out of the box".
> The reason I want the strict policy is Fedora's own description of the
> strict policy:
>
> "Strict policy works best where you have a controlled userspace. For
> example, you can setup a security policy where your users are only
> allowed to use the Web browser to view files on the Internet and only
> allowed to download to certain directories. You could limit what
> applications the Web browser can launch to helper applications."
>
> This is exactly what I want to do, I want to be able to boot up a FC6
> on my Vmware machine, and start a firefox session and browse some
> stuff on the web in a secure way.
> Sooo... is the strict policy broken, or am I broken? ;)

Strict policy almost always requires some customization, and since it is
not the default, it has a much smaller user (and thus testing) base in
Fedora. Have you looked at the avc: denied messages in your
/var/log/messages file (before auditd starts) and in
/var/log/audit/audit.log (once auditd starts) to see the specific
denials? Have you tried using audit2allow(1)? Read the Fedora SELinux
FAQ?
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385

-- 
Stephen Smalley
National Security Agency
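
Added example, not part of the original message and not audit2allow's own code: a small Python parser that pulls the avc: denied records out of both log formats mentioned in the reply and groups them by source type, target type and class, so the specific denials can be read at a glance. The log lines and the type names in them are constructed for illustration and are not the denials from this report.

```python
import re
from collections import defaultdict

# Constructed sample lines (not the denials from this report): one kernel-format
# line as found in /var/log/messages, the rest as written by auditd.
SAMPLE_LOG = '''\
Nov 30 21:05:01 localhost kernel: audit(1164917101.456:12): avc:  denied  { connectto } for  pid=2301 comm="xrdb" path="/tmp/.X11-unix/X0" scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:xdm_xserver_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1164917400.123:45): avc:  denied  { read } for  pid=2345 comm="xrdb" name=".Xauthority" dev=dm-0 ino=123456 scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1164917400.130:46): avc:  denied  { getattr } for  pid=2345 comm="xrdb" name=".Xauthority" dev=dm-0 ino=123456 scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1164917401.001:47): avc:  granted  { setenforce } for  pid=2400 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=SYSCALL msg=audit(1164917400.123:45): arch=40000003 syscall=5 success=no exit=-13 comm="xrdb"
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(text):
    """Extract one record per 'avc: denied' line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated line, cannot be attributed to a type pair
        records.append({"perms": m.group(1).split(),
                        "comm": fields.get("comm", "?"),
                        "source": selinux_type(fields["scontext"]),
                        "target": selinux_type(fields["tcontext"]),
                        "tclass": fields["tclass"]})
    return records

def summarize(records):
    """Merge permissions per (source type, target type, class)."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["source"], r["target"], r["tclass"])].update(r["perms"])
    return merged

def to_rules(merged):
    """Render the merged denials in allow-rule syntax, for review."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    print("\n".join(to_rules(summarize(parse_denials(SAMPLE_LOG)))))
```

Read the grouped output before turning any of it into local policy; a denial can point at a mislabeled file rather than a missing rule.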