Re: user guide drafts: "Working with SELinux" sections

On Tue, 23 Sep 2008 16:16:00 +1000, Murray McAllister said:

> * selinux-policy-[policy]: provides SELinux policies. For targeted 
> policy, install selinux-policy-targeted. For MLS, install 
> selinux-policy-mls. The strict policy was merged in Fedora 9, allowing 
> confined and unconfined users to co-exist on the same system.

Strict was merged with what, exactly? (This threw me for a loop when
strict evaporated out of rawhide, before I figured out that MLS was what
I needed as the replacement - for most of my boxes, I don't actually *need*
the MLS/MCS stuff, I just need to not have an 'unconfined' on the box.  For
a *few* others, the MCS stuff is handy.  And actual MLS is barely on the
radar here...)

> denied if running in enforcing mode. When using disabled mode, SELinux 
> is disabled (the SELinux module is not registered with the Linux 
> kernel), and only DAC rules are used.

Might want to note that operating in disabled mode probably means you want
to do a relabel if you re-enable SELinux, because any files created/modified
while running disabled are probably unlabeled.

> SELINUXTYPE=targeted: The SELINUXTYPE option sets the SELinux policy to 
> use. Targeted policy is the default policy used. Only change this option 
> if you want to use the MLS policy. To use the MLS policy, install the 
> selinux-policy-mls package; configure SELINUXTYPE=mls in 
> /etc/selinux/config; and reboot your system.

Someplace, you want to discuss why one might want to use MLS (whether as the
replacement for the old 'strict' policy where everything ran confined as
opposed to 'targeted', or if you have an actual use case for the MLS/MCS
features).

> 4. In permissive mode, SELinux policy is not enforced, but denials are 
> still logged for actions that would have been denied if running in 
> enforcing mode. Before changing to enforcing mode, as the Linux root 
> user, run the grep "SELinux is preventing" /var/log/messages command to 

Erm. What *exactly* produces that entry in /var/log/messages?  All my
AVC stuff ends up in auditd.  Or is this just because the setroubleshoot
RPMs aren't *quite* as mandatory as you noted above, and I don't see those
messages because I don't have them installed *and enabled*? (Gotta watch
out for those pesky 'chkconfig off' ;)

> # should users run something like "> /var/log/messages" before rebooting?

This is a good way to lose potentially important log entries.  Also,
note that if the box is running syslog-ng, the file might be called
/var/log/messages.YYMMDD or similar (very handy, that - no need to worry
about cronjobs rolling the files).

> 5. If there were no denial messages in /var/log/messages, configure 
> SELINUX=enforcing in /etc/selinux/config:

You need to discuss the very possible case that there *were* denial messages.
How do you fix them?  audit2allow is *one* option, as is correctly labelling
files (if you have them in a non-standard place, you probably want to be doing
an 'semanage fcontext -a').  But blindly doing either of those is a good way to
hose yourself gloriously.

> 7. As the Linux root user, run the semanage login -l command to confirm 
> that the mapping between SELinux and Linux users is correct. The output 
> should be as follows:

Also handy at this point - explain how to add additional SELinux userids
and map login IDs to them (you can't really do anything with the MLS/MCS
support if everybody is either user_u or staff_u).

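As an added example (not from this thread or the Fedora guide): the reply points out that AVC denials land in auditd, not /var/log/messages, and that step 5 needs a way to look at the denials that *did* happen before flipping to enforcing. This small Python script parses raw AVC records (the embedded sample is constructed, standing in for /var/log/audit/audit.log) and groups denials by source type, target type, object class and permission, which is the view you want before choosing between a relabel, a `semanage fcontext -a` rule, or an audit2allow module.

```python
import re
from collections import Counter

# Constructed sample records in auditd's raw format (not from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1222145760.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1222145760.456:46): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/srv/www/index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1222145760.456:46): arch=c000003e syscall=4 success=no exit=-13
type=AVC msg=audit(1222145800.001:47): avc:  denied  { name_bind } for  pid=2222 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1222145760.123:48): avc:  denied  { read } for  pid=1235 comm="httpd" name="logo.png" dev=sda1 ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Only "denied" records matter here; auditallow "granted" records are skipped.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type (third colon-separated field) of user:role:type:range."""
    return context.split(':')[2]

def parse_avc(line):
    """Parse one raw audit record; return a dict for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': tuple(m.group('perms').split()),   # a record may list several
        'source': selinux_type(m.group('scontext')),
        'target': selinux_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }

def summarize_denials(log_text):
    """Count denials per (source type, target type, object class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            counts[(rec['source'], rec['target'], rec['tclass'], perm)] += 1
    return counts

def report(counts):
    """Render the summary, most frequent denial first."""
    rows = sorted(counts.items(), key=lambda kv: -kv[1])
    return "\n".join(f"{n:4d}  {src} -> {tgt} ({cls}) {perm}"
                     for (src, tgt, cls, perm), n in rows)

if __name__ == '__main__':
    print(report(summarize_denials(SAMPLE_AUDIT_LOG)))
```

On a real box, feed it the output of `ausearch -m avc --raw` instead of the sample; a cluster like httpd_t -> user_home_t usually means content sitting in a non-standard place that needs relabelling, not a policy change.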

