Installing the new policy
Stephen Smalley
sds at epoch.ncsc.mil
Wed Jun 2 16:56:15 UTC 2004
On Sat, 2004-05-29 at 20:37, Tom London wrote:

> So here's the condensed version;
> 1. installing selinux-policy-strict-sources (and selinux-policy-strict)
> did not set up /etc/selinux/config, nor did it modify
> /etc/sysconfig/selinux. (I must admit that I was confused by the
> message thread. Did I need to remove /etc/sysconfig/selinux before doing
> the 'yum install selinux-policy-strict-sources'? I thought the install
> would add the 'SELINUXTYPE=strict' line to an existing file, but I may
> have read this wrong.)

I don't think that Dan has set up the spec file to do this yet in
%post. So you have to manually create /etc/selinux/config at present.
/etc/sysconfig/selinux is obsolete with the newer libselinux and
SysVinit. /usr/bin/selinuxconfig will show what libselinux thinks are
the active policy paths.

> 2. My system was 'setup' to boot by default into 'disabled' mode. This
> caused a lot of problems with unlabeled files, directories, etc.

I think that this will eventually be covered by changing the spec file
to create /etc/selinux/config if it does not already exist. Dan?

> 3. I had to 'yum remove setools'. Did this cause my booting or other
> problems?

No, I don't think it created any of the problems you experienced. But
setools will need to be updated to use the new libselinux functions, and
rebuilt.

> 4. I added both 'SELINUXTYPE=' and 'POLICYTYPE=' lines to
> /etc/sysconfig/selinux and to /etc/selinux/config. Are both
> needed/correct? /sbin/fixfiles seems to want 'SELINUXTYPE'...

SELINUXTYPE is correct. There was a bug in the spec file that was using
POLICYTYPE; that should be changed if it hasn't already.

> 5. I manually copied /etc/selinux/conf from /etc/sysconfig/selinux. Does
> that provide the correct info/format?

Yes, except that you need to add a SELINUXTYPE=strict (or targeted) to
it, and it is named /etc/selinux/config.

You also need to relabel after updating the policy to get /etc/selinux
into the right types. Odds of successfully making this transition in
enforcing mode are slim, I suspect.

--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
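
The configuration points raised in this message, as an added example that is not part of the original post or of any SELinux tooling: a shell function that lints a file in the /etc/selinux/config format for a missing SELINUXTYPE, a stray POLICYTYPE line, and SELINUX=disabled. The function names, finding messages and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: lint an SELinux config file.
# Function names and finding messages are this sketch's own.

# get_key FILE KEY: value of the last uncommented KEY= line (taking the last
# one is a choice made for this sketch), minus trailing comments/whitespace.
get_key() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# check_selinux_config FILE: prints findings; returns 0 clean, 1 findings, 2 no file.
check_selinux_config() {
    cfg=$1
    findings=0
    if [ ! -f "$cfg" ]; then
        echo "ERROR: $cfg not found; it has to be created manually"
        return 2
    fi
    mode=$(get_key "$cfg" SELINUX)
    ptype=$(get_key "$cfg" SELINUXTYPE)
    case $mode in
        enforcing|permissive) ;;
        disabled)
            echo "WARN: SELINUX=disabled; files created while disabled are unlabeled, relabel before enabling"
            findings=1 ;;
        *)
            echo "ERROR: SELINUX='$mode' is not enforcing, permissive or disabled"
            findings=1 ;;
    esac
    case $ptype in
        strict|targeted) ;;
        '')
            echo "ERROR: SELINUXTYPE is not set (expected strict or targeted)"
            findings=1 ;;
        *)
            echo "WARN: SELINUXTYPE='$ptype' is not one of the two types named in this thread"
            findings=1 ;;
    esac
    if grep -q '^[[:space:]]*POLICYTYPE=' "$cfg"; then
        echo "WARN: POLICYTYPE= is not the correct key; use SELINUXTYPE="
        findings=1
    fi
    return "$findings"
}

# Constructed sample: copied from the old file, POLICYTYPE added, no SELINUXTYPE.
demo=$(mktemp)
printf 'SELINUX=permissive\nPOLICYTYPE=strict\n' > "$demo"
check_selinux_config "$demo" || echo "findings reported (status $?)"
rm -f "$demo"
```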