enabling selinux

Daniel J Walsh dwalsh at redhat.com
Fri Dec 10 18:26:37 UTC 2004


David Hollis wrote:

>On Thu, 2004-12-09 at 18:10 -0500, David Hollis wrote:
>
>>Doesn't drop in cleanly with the targeted policy.  It also wants the
>>ifconfig, which wants proc_net_t and run_init_t stuff that isn't in the
>>targeted policy.  I've wrapped the call to ifconfig_exec_t in an if
>>('ifconfig.te....') call so that it builds properly with the targeted
>>policy.  It builds, and labels the files, so that's a start!  Next
>>question is if it actually works :)
>
>A quick test turns up that I need to change the line for self:capability
>to:
>
>allow openvpn_t self:capability { net_admin setgid setuid };
>
>To allow the daemon to switch to the nobody user.
I added this to the Rawhide policy.  If you are going to be
experimenting with targeted policy, you might want to grab the one in
rawhide, since this would have the proc_net stuff in it.  Basically FC3
is somewhat frozen for stability purposes.  The new experimental stuff
is in rawhide (Rewrite of can_network patches, additional proc_*_t ...)

Dan
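For readers following the thread, here is what the pieces David and Dan discuss look like assembled into one policy file. This is an added illustrative fragment, not the openvpn.te David posted and not the Rawhide policy Dan refers to. It is written in the FC3-era m4 macro style that predates refpolicy; the macros daemon_domain, r_dir_file, can_network, domain_auto_trans and rw_file_perms, the attributes file_type and sysadmfile, and the types tun_tap_device_t, ifconfig_exec_t and ifconfig_t are assumed to exist in the policy tree you build against, and the openvpn_etc_t type and its file_contexts entry are this example's own.

```m4
# openvpn.te -- added example; assumes the FC3-era m4 policy macros and
# types named in the lead-in. openvpn_etc_t is defined here, not taken
# from any shipped policy.

# Declares openvpn_t and openvpn_exec_t (for /usr/sbin/openvpn) and lets
# initrc_t transition into openvpn_t when the init script starts the daemon.
daemon_domain(openvpn)

# Config and key material under /etc/openvpn: the daemon only reads them.
# (file_contexts would carry: /etc/openvpn(/.*)?  system_u:object_r:openvpn_etc_t)
type openvpn_etc_t, file_type, sysadmfile;
r_dir_file(openvpn_t, openvpn_etc_t)

# The tun/tap character device the VPN packets are pushed through.
allow openvpn_t tun_tap_device_t:chr_file rw_file_perms;

# Network sockets; this is the can_network macro Dan says is being
# rewritten in Rawhide.
can_network(openvpn_t)

# The line from the thread. net_admin is for configuring the interface;
# setuid and setgid are what the daemon needs when it drops from root to
# "user nobody" / "group nobody" after setup. Without them the switch is
# refused and logged as an AVC denial with tclass=capability naming the
# missing permission (e.g. { setuid }).
allow openvpn_t self:capability { net_admin setgid setuid };

# ifconfig_t only exists where ifconfig.te is part of the build (strict
# policy), so guard the transition with ifdef, as David describes, and the
# same file also builds under the targeted policy where the domain is absent.
ifdef(`ifconfig.te', `
domain_auto_trans(openvpn_t, ifconfig_exec_t, ifconfig_t)
')
```

After loading the rebuilt policy (on FC3 the sources come from the selinux-policy-targeted-sources package and are built and loaded from /etc/selinux/targeted/src/policy) and relabelling the openvpn files, confirm the daemon really lands in the domain with `ps -eZ | grep openvpn`; if it shows up in unconfined_t or initrc_t instead, the exec label or the transition is wrong, not the capability set. Any remaining denials appear in dmesg as `avc: denied { ... }` lines; the ones with tclass=capability map directly onto the braces of the self:capability rule above, which is how the setgid and setuid permissions were found in the first place.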
More information about the fedora-devel-list mailing list