<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40"> <head> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <meta name=ProgId content=Word.Document> <meta name=Generator content="Microsoft Word 9"> <meta name=Originator content="Microsoft Word 9"> <link rel=File-List href="cid:filelist.xml@01C44E11.2BC86360">  <style>  </style> </head> <body lang=EN-US style='tab-interval:.5in'> <div class=Section1> His guys,<o:p></o:p> <![if !supportEmptyParas]> <![endif]><o:p></o:p> First let me start off by saying that I’ve been running Fedora Core 2 with SELinux in permissive mode since a few days after it was released officially with no real system problems.<o:p></o:p> <![if !supportEmptyParas]> <![endif]><o:p></o:p> That being said, I’m trying to understand how to do things properly to maintain the integrity of the system and perform the auditing I desire. Is there a good place to look which documents the SELinux relevant commands? The Fedora Core 2 SELinux FAQ has some interesting info, but relatively few commands. A Gentoo related site gave me some command ideas. Perhaps this is on the documentation CD for Fedora Core 2, which I have yet to download? I expected to be able to hunt through the man pages starting with man selinux, but that didn’t pan out. I found some other references online called the Getting Started with SE Linux HOWTO and Gentoo SE Linux HOWTO, but these offered some commands not available in the Fedora Core 2 implementation. To be more specific, I have been able to type “id” and “newrole”, but not able to type “rlpkg” and “run_init”. Re-labeling a file system is something they do with “cd /etc/security/selinux/src/plicy; make relabel”, but I was unable to find the equivalent.<o:p></o:p> <![if !supportEmptyParas]> <![endif]><o:p></o:p> I have a very specific issue that I’m trying to figure out. For some reason, when a role violation (perhaps there’s a better phrase) occurs and a log message is produced in /var/log/messages, I would like see a user id and the context. For example in “Getting Started with SE Linux HOWTO (7. Explanation of log file messages) the example show the following scontext:<o:p></o:p> <![if !supportEmptyParas]> <![endif]><o:p></o:p> scontext: faye:user_r:user_t<o:p></o:p> <![if !supportEmptyParas]> <![endif]><o:p></o:p> This is great, as I would know to contact the user faye and ask about the situation. But on my Fedora Core 2 machine, my /var/log/messages produces:<o:p></o:p> <![if !supportEmptyParas]> <![endif]><o:p></o:p> scontext: user_u:user_r:user_t<o:p></o:p> <![if !supportEmptyParas]> <![endif]><o:p></o:p> This is not so useful. As I have no idea who user_u is. I am using NIS for this system. Typing “id” on my system produces:<o:p></o:p> <![if !supportEmptyParas]> <![endif]><o:p></o:p> uid=706(dan) gid=20(games) groups=20(games),501(test) context=user_u:user_r:user_t<o:p></o:p> <![if !supportEmptyParas]> <![endif]><o:p></o:p> So I guess everything is consistent with the log entry as far as the system is concerned. I just don’t want a generic user_u to get filled in for violations. I want the specific user id and name. Perhaps I need to configure some more stuff for use with NIS?<o:p></o:p> <![if !supportEmptyParas]> <![endif]><o:p></o:p> Daniel J. Levine<o:p></o:p> Section Supervisor<o:p></o:p> Johns Hopkins University<o:p></o:p> Applied Physics Laboratory<o:p></o:p> 443-778-3952 240-228-3952<o:p></o:p> <![if !supportEmptyParas]> <![endif]><o:p></o:p> </div> </body> </html>