Selinux question

Daniel J Walsh dwalsh at redhat.com
Thu Jul 14 14:46:26 UTC 2005


Mathew Pullar wrote:

>No, I am not using the strict policy because the X server will not start
>after applying the policy and rebooting for relabelling. I am
>currently enforcing the targeted policy.
>
>
>On 7/13/05, Daniel J Walsh <dwalsh at redhat.com> wrote:
>  
>
>>Mathew Pullar wrote:
>>
>>    
>>
>>>Hi,
>>>I have just started to experiment with SELinux and noticed the "User
>>>Privs" section in system-config-securitylevel-gui and unticked "allow
>>>users to ping" and "allow users to read default system files". I then
>>>created a new normal user account to test the changes I had made.
>>>The new user was able to ping and to read default system files such
>>>as /etc/inittab.
>>>I then thought perhaps relabelling was required so rebooted and
>>>relabeled. This however still allowed normal users to ping.
>>>My current selinux config is set to enabled and enforcing.
>>>Any help would be greatly appreciated.
>>>      
>>>
>
>  
>
Users are not transitioning to the ping domain, so they are staying in
the unconfined domain. So this boolean would have no effect and should
not be present in targeted policy. I will remove it to prevent confusion.
Similarly, the default boolean should not be in targeted policy.

In targeted policy we are protecting the user space from "targeted"
system processes, usually daemons. We allow users to run in the same way
they would run without SELinux.

Thanks for pointing out this problem.

Dan

>>Are you running strict policy?
>>
>>default system files are files that are marked with file context
>>default_t.  You should not
>>have many of them on the system.
>>Dan
>>    
>>
>
>  
>


More information about the fedora-list mailing list
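The point Dan makes above is that a boolean only matters if the process actually runs in the domain the boolean governs. The following is an added example (not code from the thread or from Fedora) showing how to check that from the shell: the comments list the real commands to run on an SELinux system, and the helper functions parse `ps -eZ`-style output to report which domain a command runs in. The domain, type and boolean names (`ping_t`, `ping_exec_t`, `user_ping`) and the `sesearch` syntax (setools 4) are assumptions; the sample `ps` output is constructed, so the script runs on any box.

```shell
#!/bin/sh
# Added example, not from the original thread: check whether a user actually
# transitions into a confined SELinux domain when running ping.
#
# Commands to run on a real SELinux system (assumed names: ping_t, ping_exec_t,
# user_ping; sesearch syntax as in setools 4):
#   id -Z                                 # e.g. unconfined_u:unconfined_r:unconfined_t:s0
#   ls -Z "$(command -v ping)"            # file type of the binary, e.g. ping_exec_t
#   getsebool user_ping                   # the boolean behind the GUI tick box
#   sesearch -T -s unconfined_t -t ping_exec_t   # any type_transition out of unconfined_t?
# If the last command prints nothing, ping keeps running as unconfined_t, so a
# boolean that restricts ping_t cannot affect it.

# Extract the type field (third colon-separated field) from a security context.
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if the context is in the expected domain, 1 otherwise.
in_domain() {
    [ "$(selinux_type_of "$1")" = "$2" ]
}

# Given "ps -eZ"-style output ($1) and a command name ($2), print the type
# (domain) of the first matching process; prints nothing if not found.
domain_of_cmd() {
    printf '%s\n' "$1" | awk -v cmd="$2" '$NF == cmd { print $1; exit }' | cut -d: -f3
}

# Constructed sample of "ps -eZ" output (not captured from a real system).
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t:s0      812 ?        00:00:01 httpd
unconfined_u:unconfined_r:unconfined_t:s0 1342 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0 1401 pts/0 00:00:00 ping'

main() {
    for cmd in httpd ping; do
        d=$(domain_of_cmd "$SAMPLE_PS" "$cmd")
        if [ "$d" = unconfined_t ]; then
            echo "$cmd: runs as $d (no domain transition); ping_t booleans do not apply"
        else
            echo "$cmd: confined in $d"
        fi
    done
}
main
```

On a system where the strict policy is loaded, `id -Z` for an ordinary login shows a type such as `user_t` rather than `unconfined_t`, and the same `sesearch` query would then be run with that source type; in the targeted policy the user shell stays in `unconfined_t`, which is why the sample above reports ping as unconfined.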