installation of selinux on non-selinux system

Jim Cornette jim-cornette at insight.rr.com
Mon Nov 22 01:26:26 UTC 2004


Daniel J Walsh wrote:

>>
>> Selinux gives sort of a working system when using 
>> system-config-securitylevel to enable selinux via the gui (without 
>> policycoreutils being installed). I am not too sure if this would 
>> introduce "dep hell" if having policycoreutils pulled in when 
>> selinux-policy for targeted or strict is pulled from a repo.
>>
> I have changed selinux-policy-targeted to require policycoreutils so 
> it will be pulled in in the future.  Secondly from the looks of it you 
> are running strict policy.  Please either run 
> system-config-securitylevel and select targeted policy and reboot.  
> (/.autorelabel) should be created and
> or you can edit /etc/selinux/config and change SELINUXTYPE=strict to 
> SELINUXTYPE=targeted and touch /.autorelabel then reboot.
>
> The init scripts will take care of relabeling.

Thanks for pulling in this package when installing 
selinux-policy-targeted. This sounds like it will help reduce the 
problem with httpd and system logs not being written when installing the 
policy and activating selinux.
I changed to targeted using system-config-securitylevel and I liked the 
warning that the system would relabel on next boot. Also, on the system 
when rebooted, I liked the warning that relabeling might take some time. 
Checking the log for avc errors after the system was relabeled shows no 
avc errors.

I'll keep in mind that strict policy is more current within rawhide. I 
was not aware that the strict policy within FC3 would not be current. 
Since FC3 was set up for targeted policy as default, I'll stay clear of 
strict policy for a while.

>> After relabeling my filesystem again in runlevel 1, I seem to get the 
>> same type of errors as experienced before. .mozilla related files 
>> seemed to be the major files that content was tried to be changed, 
>> when  relabeling for strict. See attached avc for today.
>> In order to bring up X, running setenforce 0 at a root shell was 
>> needed, in order to launch X successfully. If there is  some 
>> lingering config file, either systemwide or hanging out in the per 
>> user directory that is blocking X, I don't know.
>>
> The strict policy you are running 1.17.30 is way out of date.  If you 
> want to run strict policy you need to grab the one off of Rawhide or 
> my people page and update and relabel.  Upgrades from not SELinux 
> boxes are not supported for SELinux for the simple reason that 
> relabeling is required.  So your machine ended up in a rather strange 
> state.
>
I have another computer with rawhide repositories. I'll try strict on 
this system later on down the road. Rawhide was a little bit mongrelized 
on the day after FC3 came out. In a week, it might be a little more in 
tune. Regarding the need for relabeling being a roadblock for 
non-selinux systems: it might allow the system to choose this at either 
anaconda for install, but not activate selinux until either questions at 
firstboot or when selecting policy from s-c-securitylevel.

Thanks for the helpful information.

Jim

>> Dan
>>

-- 
A prohibitionist is the sort of man one wouldn't care to drink with
-- even if he drank.
		-- H.L. Mencken
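
The manual switch quoted above (change SELINUXTYPE in /etc/selinux/config, touch /.autorelabel, reboot) and the AVC check after relabeling, as an added example that is not part of the original message or of any Fedora tool. The ROOT prefix, the function names and the scratch tree are hypothetical, so the steps can be rehearsed away from the live system.

```shell
#!/bin/sh
# Added example. ROOT prefix and function names are hypothetical; they let the
# switch be rehearsed on a scratch tree before touching the live system.

# switch_selinux_type ROOT TYPE: set SELINUXTYPE and request a relabel.
switch_selinux_type() {
    root=$1 ptype=$2
    cfg="$root/etc/selinux/config"
    case $ptype in ''|*[!A-Za-z0-9_-]*) echo "bad policy name" >&2; return 2;; esac
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    # Policy files live under /etc/selinux/<type>; refuse a type whose
    # policy is not installed.
    [ -d "$root/etc/selinux/$ptype" ] || { echo "$ptype not installed" >&2; return 2; }
    current=$(sed -n 's/^SELINUXTYPE=//p' "$cfg" | tail -n 1)
    [ "$current" = "$ptype" ] && return 0   # already set: no edit, no relabel
    tmp="$cfg.new.$$"
    if [ -n "$current" ]; then
        sed "s/^SELINUXTYPE=.*/SELINUXTYPE=$ptype/" "$cfg" > "$tmp"
    else
        { cat "$cfg"; echo "SELINUXTYPE=$ptype"; } > "$tmp"
    fi
    # Write back in place so the config keeps its mode, owner and label.
    cat "$tmp" > "$cfg" || return 1
    rm -f "$tmp"
    touch "$root/.autorelabel"              # init scripts relabel on next boot
}

# count_avc_denials LOGFILE: print the number of AVC denial records.
count_avc_denials() {
    grep -c 'avc:[[:space:]]*denied' "$1" || true
}

# Rehearsal on a constructed scratch tree (not the live /etc).
demo=$(mktemp -d)
mkdir -p "$demo/etc/selinux/targeted" "$demo/etc/selinux/strict"
printf 'SELINUX=enforcing\nSELINUXTYPE=strict\n' > "$demo/etc/selinux/config"
switch_selinux_type "$demo" targeted && cat "$demo/etc/selinux/config"
rm -rf "$demo"
```

On a real system the call is `switch_selinux_type "" targeted` as root, followed by a reboot, and `count_avc_denials` is pointed at the system log once the relabel has finished.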



