On 30/08/16 20:26, Petr Lautrbach wrote:
>
> On RHEL and CentOS it should be sufficient to:
>
> 1. install selinux-policy-mls package
> 2. set SELinux to permissive and mls type
> 3. run fixfiles -F onboot
> 4. reboot
> 5. if everything went fine and the filesystem is correctly relabeled,
>    switch back to enforcing
>
> and if you want to login as root using ssh, you need to turn
> ssh_sysadm_login boolean on
>

Thanks for the suggestion. Unfortunately that is pretty much what I
originally did, which is why I thought I'd give the reference policy a
go, since getting the source is easier. The main difference with the
original vendor setup was that I touched /.autorelabel rather than run
fixfiles (which I think does the same thing).

The result is that at (5) I cannot log in as root, normal or staff_u on
the console, or as a normal user or a staff_u user over the net. I don't
want to allow root over the net.

I've just retested as you have mentioned and got the same results.

I'll have another look at the vendor-supplied mls setup tomorrow (this
one didn't have the /dev/log issue), but it does have other AVCs listed.

So, it looks like I have two challenges:

a. figure out why the vendor setup doesn't appear to work, and
b. understand the /dev/log, etc. changes from reference policy to vendor
   policy.

-- 
Paul
----
http://blog.m0noc.com/ | https://keybase.io/m0noc
4329 E4C5 71F3 58B2 2246 D04D 25DA 39C2 3876 FE3D
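One way to script step 2 and the "if everything went fine" check before step 5 of the quoted procedure, as an added example that is not part of either message. It assumes the SELINUX= and SELINUXTYPE= keys of /etc/selinux/config, that /.autorelabel is removed once the boot-time relabel has finished, and audit records in the usual `avc:  denied` form; the function names and the two audit records are constructed for illustration and are not taken from the poster's system.

```shell
#!/bin/sh
# Added example. File paths are parameters so it can be tried on copies.

# set_selinux_config FILE MODE TYPE: rewrite SELINUX= and SELINUXTYPE=.
# Writing back with cat keeps the file's existing owner, mode and label.
set_selinux_config() {
    tmp=$(mktemp) || return 1
    sed -E '/^[[:space:]]*(SELINUX|SELINUXTYPE)=/d' "$1" > "$tmp"
    printf 'SELINUX=%s\nSELINUXTYPE=%s\n' "$2" "$3" >> "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# config_value FILE KEY: print the last value assigned to KEY.
config_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# denial_summary AUDITLOG: one "count source_type target_type class" line
# per distinct AVC denial, so repeated denials collapse into one row.
denial_summary() {
    grep 'avc: *denied' "$1" |
    sed -E 's/.*scontext=[^:]*:[^:]*:([^:]*):.*tcontext=[^:]*:[^:]*:([^:]*):.*tclass=([^ ]*).*/\1 \2 \3/' |
    sort | uniq -c | sed -E 's/^ +//'
}

# ready_for_enforcing CONFIG AUDITLOG RELABEL_FLAG: succeed only if the
# policy type is mls, the relabel flag file is gone, and nothing was denied.
ready_for_enforcing() {
    [ "$(config_value "$1" SELINUXTYPE)" = mls ] || return 1
    [ ! -e "$3" ] || return 1
    [ -z "$(denial_summary "$2")" ]
}

# Constructed sample data: a targeted config and two audit records.
demo_dir=$(mktemp -d)
printf '# constructed\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo_dir/config"
cat > "$demo_dir/audit.log" <<'EOF'
type=AVC msg=audit(1472586360.101:51): avc:  denied  { write } for  pid=812 comm="sshd" name="log" dev="devtmpfs" ino=9001 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:devlog_t:s15:c0.c1023 tclass=sock_file permissive=1
type=AVC msg=audit(1472586361.207:52): avc:  denied  { write } for  pid=812 comm="sshd" name="log" dev="devtmpfs" ino=9001 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:devlog_t:s15:c0.c1023 tclass=sock_file permissive=1
EOF
set_selinux_config "$demo_dir/config" permissive mls   # step 2
denial_summary "$demo_dir/audit.log"                   # what step 5 must wait on
ready_for_enforcing "$demo_dir/config" "$demo_dir/audit.log" "$demo_dir/.autorelabel" ||
    echo "not ready: stay permissive and resolve the denials above"
```

On a real host the three arguments would be /etc/selinux/config, /var/log/audit/audit.log and /.autorelabel.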