Not good
Daniel J Walsh
dwalsh at redhat.com
Sat Apr 3 13:29:58 UTC 2004
Gene Czarcinski wrote:
>On Saturday 03 April 2004 00:46, Daniel J Walsh wrote:
>
>
>>First off you should never have to do a relabel, or only under extreme
>>circumstances.
>>The problem here was the movement of the .Xauthority file out to /tmp.
>>The new policy should fix your problem.
>>
>>
>
>When we get to the end point (FC2 gold) this system is going to be very stable
>and secure. However, the transition with its large number of daily updates
>sure makes things "interesting" ... I have managed to screw things up on one
>system so that I am on my third install.
>
>Unfortunately, discovering all of the different nuances necessary in a
>security policy supporting real people, real systems, and real situations is
>a lot more difficult than having a policy in a controlled experiment. Well,
>we are all here trying to pound this into something that works and I believe
>it will work pretty well when FC2 gold comes out but a whole lot better in FC2
>gold. This is going to take time.
>
>One big gripe I do have is up2date:
>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=119538
>
>When rpm fails to (properly) install a package because of some selinux policy
>thing, this is not handled well by up2date. In fact, up2date reports that
>the package was installed properly when it was not installed. My latest
>experience with that is when I tried updating gdm ... old package removed but
>new package not installed. I only found this because I am manually querying
>rpm after every update. When I tried to manually install the package, I saw
>the errors. I then did "setenforce 0", manually installed the old package,
>manually installed the new package, and "setenforce 1". Update now complete.
>
>This rpm/up2date problem needs to be addressed. Unfortunately, it is not
>clear that my bugzilla report is being addressed.
>
>
I have written the steps in the bug report on how to get up2date fixed.
The final fix for the up2date package has not been released yet.
Fixing up2date is a multi-step process:

1. Update to latest policy.
2. restorecon /usr/sbin/up2date
3. Update to latest usermode.
4. Add
       ROLE=sysadm_r
       TYPE=rpm_t
   to /etc/security/console.apps/up2date.

>Gene