preparing for selinux in FC3?

Nifty Hat Mitch mitch48 at sbcglobal.net
Wed Sep 22 02:42:13 UTC 2004


On Mon, Sep 20, 2004 at 02:38:56PM -0500, john bray wrote:
> 
> i noted the following in the FC3t3 announcement:

 Should be FC3t2 I think (test 2 of 3)

>     - SELinux enablement
> 
> it brings me to a fantasy about being locked out of my box and some
> other horror stories about not being able to or knowing how to fix
> things.
> 
> i wonder if we, as a community, should be doing a bit of thinking about
> how the enabling of selinux will affect us as we move from FC2 to FC3?

I just installed FC3T2 having saved /home as an untouched partition.
I had to run fixfiles to relabel /home so my old user could login.
Files in the old /home were not correctly labeled.

I will be inspecting my log files for more info.

Remember that at the grub command line you 
can turn off enforcing.

My /etc/sysconfig/selinux currently looks like this:

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - SELinux is fully disabled.
    SELINUX=enforcing
    # SELINUXTYPE= type of policy in use. Possible values are:
    #       targeted - Only targeted network daemons are protected.
    #       strict - Full SELinux protection.
    SELINUXTYPE=targeted

So at any time it is possible to boot in rescue mode, single user mode
(init 1) and change "enforcing" to "permissive" if you think you have
locked yourself out.

Note that there is also a policy type.
That permits additional control.

In the install process the SELinux prompt was clear and well
described.  It is easy to pick permissive if you wish to.


So no worries as best I can tell.



-- 
	T o m  M i t c h e l l 
	Me, I would "Rather Not".
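
The recovery step described in the message above (changing SELINUX= from "enforcing" to "permissive"), as an added shell example that is not part of the original post. The function names are hypothetical, and the demo works on a constructed temporary copy of the config rather than on /etc/sysconfig/selinux.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not from any SELinux tool.

# Print the active value of key $2 (SELINUX or SELINUXTYPE) in config file $1.
# Comment lines never match; if a key is assigned twice, the last one wins.
selinux_get() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([A-Za-z]*\).*$/\1/p" "$1" | tail -n 1
}

# Set SELINUX= to mode $2 in file $1, leaving the previous version in $1.bak.
# Rejects unknown modes and files that have no SELINUX= line to change.
selinux_set_mode() {
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $2" >&2; return 2 ;;
    esac
    grep -q '^[[:space:]]*SELINUX=' "$1" || {
        echo "no SELINUX= line in $1" >&2; return 3; }
    cp -p "$1" "$1.bak" || return 1
    # Written back in place (no rename), so the file keeps its inode,
    # ownership, mode and security label.
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/" "$1.bak" > "$1"
}

# Constructed sample input, modelled on the file quoted in the message.
make_sample_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
EOF
}

# Demo on a temporary copy only.
demo_cfg=$(mktemp)
make_sample_config "$demo_cfg"
echo "before: $(selinux_get "$demo_cfg" SELINUX)/$(selinux_get "$demo_cfg" SELINUXTYPE)"
selinux_set_mode "$demo_cfg" permissive
echo "after:  $(selinux_get "$demo_cfg" SELINUX)/$(selinux_get "$demo_cfg" SELINUXTYPE)"
rm -f "$demo_cfg" "$demo_cfg.bak"
```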
 




