Humpty Dumpty

Richard Hally rhally at mindspring.com
Tue May 4 20:58:04 UTC 2004


Bob Gustafson wrote:
> I have newly arrived at the dangerous stage of SELinux testing - and have a
> few questions.
<snip>
> 
> I was able to get the apol application up and running (but I think I
> need glasses - font size is a bit small) [- rich, thin, big enough screen]
> 
There is a .apol file in your /home (or /root) that controls the font size.
> The application 'seuser' did not seem to be able to find the policy.conf
> file. I found the .tcl file and hacked a bit on that, but tcl is not a
> native language for me. (Today I found the /usr/share/setools/seuser.conf
> file with the missing 'policy' in the policy.conf path)
> 
I believe this has been fixed in the most recent setools update.

<snip>

> ------
> 
> Then I found an application 'System Settings -> Security Level'  With
> this tool, I could turn my firewall on and also turn on something in
> SELinux.  The SELinux button said 'Active'.  I clicked on it and
> saw options 'Warn' and 'Disabled'.  Then I went back to the Firewall
> settings and decided not to do anything there. Clicking the OK button at
> the bottom gave me a dialog box - something about 'do you want security
> to be on'.
> Since I thought security was already on, I clicked on yes...
> 
This SELinux feature of system-config-securitylevel has been taken out
for the FC2 release. IMHO, it needs some work to differentiate between
setting the current state of enforcing and setting the state for the
next boot of the system.
The init will still use /etc/sysconfig/selinux.
<snip>


> Fortunately, I had printed out some of the SELinux documentation
> (printed out, not read as yet).  I noticed an email message from Hannes
> Mayer saying to pass 'selinux=0' to grub at boot time.
Careful here, kernel-2.6.5-1.349 has the selinux bootparam turned off
(I think they will reenable it), so be sure your /etc/sysconfig/selinux
is set correctly when using that kernel.
> 
> This I did, and wonderfully my system booted up. It did not even have
> the pesky extra error messages which I had noticed for awhile when
> booting my running system - 'avc denied', etc.
> 

<snip>
> 
> A lesser goal would be to dynamically set and (hopefully) unset the
> enforcing parameter as mentioned later in Tom Mitchell's timely and very
> helpful email message - and then see what problems develop -  in a
> (hopefully) controlled environment.
> 
The getenforce and setenforce commands allow for dynamic changes of mode.

> (I would like to creep up on the concept of SecurityEnabled with lots of
> log messages, but not too many.. :-) )

Not quite "creep up on"; looks like you jumped right in. Welcome.

It looks like Stephen Smalley has answered your major questions in his 
reply.

> The human path/process is important for newbie testers though.  Too many
> rocks and the extra eyeballs get discouraged.
There are several HOWTOs and FAQs around but you probably already knew that.
Richard Hally
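
Added example (not part of the original message): a small shell check for the distinction drawn above between the running mode reported by getenforce and the mode /etc/sysconfig/selinux sets for the next boot. The function names are hypothetical, and it assumes the file carries the usual SELINUX=enforcing|permissive|disabled line.

```shell
#!/bin/sh
# Added example: compare the running SELinux mode with the mode configured
# for the next boot. Function names are hypothetical, not from setools.

# Print the SELINUX= value from a config file (lower-cased); last assignment wins.
# Comment lines and SELINUXTYPE= are ignored. Prints "unknown" if unreadable/invalid.
configured_mode() {
    conf=${1:-/etc/sysconfig/selinux}
    [ -r "$conf" ] || { echo unknown; return 0; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$conf" \
        | tail -n 1 | tr '[:upper:]' '[:lower:]')
    case "$mode" in
        enforcing|permissive|disabled) echo "$mode" ;;
        *) echo unknown ;;
    esac
}

# Print the running mode from getenforce (lower-cased), or "unknown"
# when the command is missing or prints nothing.
running_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        mode=$(getenforce 2>/dev/null | tr '[:upper:]' '[:lower:]')
        echo "${mode:-unknown}"
    else
        echo unknown
    fi
}

# Compare a running mode ($1) with a configured mode ($2).
# "mismatch" means a setenforce change (or a config edit) will not survive,
# or will only take effect at, the next boot.
compare_modes() {
    if [ "$1" = unknown ] || [ "$2" = unknown ]; then
        echo unknown
    elif [ "$1" = "$2" ]; then
        echo match
    else
        echo mismatch
    fi
}

run=$(running_mode)
cfg=$(configured_mode)
echo "running=$run next-boot=$cfg verdict=$(compare_modes "$run" "$cfg")"
```

Pass a different path to configured_mode to check a copy of the file before installing it.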