Not good

Daniel J Walsh dwalsh at redhat.com
Sat Apr 3 13:29:58 UTC 2004


Gene Czarcinski wrote:

>On Saturday 03 April 2004 00:46, Daniel J Walsh wrote:
>  
>
>>First off, you should never have to do a relabel, or only under extreme
>>circumstances.
>>The problem here was the movement of the .Xauthority file out to /tmp.
>>The new policy should fix your problem.
>>    
>>
>
>When we get to the end point (FC2 gold) this system is going to be very stable 
>and secure.  However, the transition with its large number of daily updates 
>sure makes things "interesting" ... I have managed to screw things up on one 
>system so that I am on my third install.  
>
>Unfortunately, discovering all of the different nuances necessary in a 
>security policy supporting real people, real systems, and real situations is 
>a lot more difficult than having a policy in a controlled experiment.  Well, 
>we are all here trying to pound this into something that works and I believe 
>it will work pretty well when FC2 gold comes out but a whole lot better in FC2 
>gold.  This is going to take time.
>
>One big gripe I do have is up2date: 
>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=119538
>
>When rpm fails to (properly) install a package because of some selinux policy 
>thing, this is not handled well by up2date.  In fact, up2date reports that 
>the package was installed properly when it was not installed.  My latest 
>experience with that is when I tried updating gdm ... old package removed but 
>new package not installed.  I only found this because I am manually querying 
>rpm after every update.  When I tried to manually install the package, I saw 
>the errors.  I then did "setenforce 0", manually installed the old package, 
>manually installed the new package, and "setenforce 1".  Update now complete.
>
>This rpm/up2date problem needs to be addressed.  Unfortunately, it is not 
>clear that my bugzilla report is being addressed.
>  
>
I have written the steps in the bug report on how to get up2date fixed.  
The final fix for the up2date package has not been released yet.

Fixing up2date is a multi-step process.

One, update to latest policy.
restorecon /usr/sbin/up2date

Update to latest usermode.

Add 
ROLE=sysadm_r
TYPE=rpm_t
to /etc/security/console.apps/up2date.


>Gene
>
>
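
An added example, not part of the original message or of up2date: a shell check that automates the "query rpm after every update" habit described in the quoted text, flagging packages the updater claimed to update that are now missing or unchanged. The snapshot file format (one name-version-release per line, as `rpm -qa` prints), the function names and all sample package data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Snapshot files hold one name-version-release per line,
# as printed by `rpm -qa`; all sample data below is constructed.

pkg_name() {            # strip "-version-release" from an NVR string
    nvr=${1%-*}                 # drop release
    printf '%s\n' "${nvr%-*}"   # drop version
}

nvr_of() {              # nvr_of SNAPSHOT NAME: print NAME's NVR, fail if absent
    while IFS= read -r line; do
        if [ "$(pkg_name "$line")" = "$2" ]; then
            printf '%s\n' "$line"
            return 0
        fi
    done < "$1"
    return 1
}

verify_update() {       # verify_update BEFORE AFTER CLAIMED
    rc=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        old=$(nvr_of "$1" "$name") || old="not installed"
        if ! new=$(nvr_of "$2" "$name"); then
            # old package removed, new one never installed
            echo "MISSING $name (was $old)"; rc=1
        elif [ "$new" = "$old" ]; then
            # updater reported success but the version did not change
            echo "UNCHANGED $name ($new)"; rc=1
        fi
    done < "$3"
    return "$rc"
}

write_sample() {        # constructed snapshots: gdm removed but not replaced
    printf '%s\n' gdm-1.0-1 usermode-1.0-1 policy-1.0-1 > "$1/before"
    printf '%s\n' usermode-1.0-2 policy-1.0-1 > "$1/after"
    printf '%s\n' gdm usermode policy > "$1/claimed"
}

dir=$(mktemp -d)
write_sample "$dir"
verify_update "$dir/before" "$dir/after" "$dir/claimed" || echo "update incomplete"
rm -rf "$dir"
```

On a real system the two snapshots would come from `rpm -qa` run before and after the update, and the claimed list from whatever the update tool reported as installed.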


