FW: selinux enforcing

Gene Czarcinski gene at czarc.net
Fri Mar 26 16:25:50 UTC 2004


On Friday 26 March 2004 02:43, Richard Hally wrote:
> In reply to Gene C. on this list (his posting is on my other box),
> This message is being sent from Mozilla running on the current
> /development tree (at runlevel 5) in "enforcing mode". Below are the
> three avc denied messages from when I booted in enforcing mode.
> This is with the "as provided" policy with one change in the "users"
> file to add my username as an "admin".
> Once you have installed the policy and policy-sources and done
> "make reload" in /etc/security/selinux/src/policy you must also do
> "make relabel" (it can take a while) to label all the files correctly.

OK, now we are cooking.

1.  I found that there are RELEASE-NOTES under development/i386 (I am using 
development/x86_64).  This provides much of the info I was lacking.

2. Your info above was just great.  After doing "make reload" and "make 
relabel", most of the error messages disappeared and most services started 
... also gdm now works.  Now I can start playing with things to see how they 
work.

A comment:  I had done a fresh nfs everything install using a development 
snapshot which is fairly current (Tuesday 24 March).  I believe that things 
should have worked the way they do now without my needing to run "make 
reload" (and possibly "make relabel").  I did originally come up in 
permissive mode so maybe that was my problem and everything would have worked 
if I came up in enforcing mode from the start ... I don't know.  I am going 
to play with this a bit more to see if I can just install and come up with 
nothing extra being done (except disabling kudzu until that problem is 
fixed).

Thanks to all who provided info.  I can already see that the selinux 
functionality as being delivered in FC2 is just a start ... there will need 
to be lots of experimenting to see just what to lock down to make this a more 
secure environment.

Gene



