I would like to raise an issue concerning the use of SELinux that has meant that my decision to leave SELinux enabled and enforcing in F9 and 10 for the first time has taken up a significant amount of time to get things working. It is very good to have the additional security that SELinux gives, but it is important to plan and manage the transition from non-SELinux systems to a newer setup where the machines are all running with SELinux enabled.

A machine that has a totally fresh install of F10, with all partitions being created by the new system, and not needing to use NFS or analogous links to other machines for everyday operation, seems to be largely free of problems related to SELinux, except for a few minor tweaks that may be necessary. So complete novices to Linux (apart from current problems with dbus/PackageKit etc. that are now resolved or being resolved) installing on a new machine should have a relatively good experience with Fedora 10 for most.

However, for the older hacks (including myself) who have machines where the root partition takes the new fresh install but in which other partitions are not touched during install, and contain a myriad of programs, mail areas, and other files that have been there since time immemorial and developed and configured to work consistently across many Fedora upgrades, there are likely to be wrong contexts littering those old partitions that have to be manually set correctly even after a "restorecon -R" on those old partitions. Additionally, when someone installs F10 on a laptop or desktop that gets some of its files from an NFS server that is not running SELinux, then there may be significant issues to resolve unless the NFS server is also upgraded to run SELinux.

I have not seen any complete guidance in a single place on how to make the transition from all non-SELinux to a system where SELinux is enabled, particularly where multiple machines are involved. Does anyone know of a link to such guidance?
It would certainly be of value to a lot of people who currently simply get frustrated and end up either turning SELinux to permissive or simply disabling it.

I decided when I did my first F9 install to leave SELinux enabled and enforcing... and it took me some time to go through the files and change contexts whenever I got AVC denials popping up, and in some cases I got help from the lists, largely through Dan Walsh's help, and slowly got things sorted out until the machine ran without AVC denials. One example is that in many cases using symlinks gave serious problems and I had to switch over to using bind mounts instead.

However, there is a residual issue in that with special configurations on some partitions, e.g. to store mail spools away from the root partition, the use of "semanage fcontext..." to create rules that will survive a "restorecon -R" will be fine on the machine until it is next upgraded.... After a clean install of a newer Fedora, presumably a restorecon will not remember the rules painstakingly created on the previous system? Or is there a way to copy those rules from a backup of the previous system?

I wonder if anyone else on this list may have had thoughts about these and similar issues?
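One way to carry "semanage fcontext" rules across a clean install, as an added example that is not part of the original post: semanage keeps local rules in `/etc/selinux/<policy>/contexts/files/file_contexts.local`, so a backed-up copy of that file can be turned back into `semanage fcontext -a` commands to review and replay before running "restorecon -R". Assumptions: the function name, sample paths and rules are constructed for illustration, only the type field of each context is carried over, and the `-f` letters follow the single-letter form of current policycoreutils (other releases may expect a different `-f` argument).

```shell
#!/bin/sh
# Added example (not from the original post): rebuild "semanage fcontext -a"
# commands from a backed-up file_contexts.local.
# Line format: <path regex> [<file type flag>] <user:role:type[:range]>

# fcontext_cmds FILE: print one semanage command per local rule in FILE.
fcontext_cmds() {
    while read -r spec a b _rest; do
        case "$spec" in ''|'#'*) continue ;; esac      # skip blanks and comments
        if [ -n "$b" ]; then ftype=$a; ctx=$b; else ftype=''; ctx=$a; fi
        # Map the file_contexts flag to the letter semanage expects (assumed form).
        case "$ftype" in
            '') f=a ;; --) f=f ;; -d) f=d ;; -c) f=c ;;
            -b) f=b ;; -s) f=s ;; -l) f=l ;; -p) f=p ;;
            *)  echo "skipping unparsable rule: $spec" >&2; continue ;;
        esac
        type=$(printf '%s' "$ctx" | cut -d: -f3)       # third field is the SELinux type
        printf "semanage fcontext -a -f %s -t '%s' '%s'\n" "$f" "$type" "$spec"
    done < "$1"
}

# Constructed sample standing in for a backup of the old system's local rules.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# This file is auto-generated by libsemanage
/data/mail(/.*)?        system_u:object_r:mail_spool_t:s0
/data/www       -d      system_u:object_r:httpd_sys_content_t:s0
/data/www/.*\.html      --      system_u:object_r:httpd_sys_content_t:s0
EOF

# Print the commands for review; run them as root on the new install,
# then relabel the old partitions with "restorecon -R".
fcontext_cmds "$sample"
```

The output is meant to be read before it is executed, since a rule written for an old policy may name a type the new policy no longer has.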