Humpty Dumpty

Karl MacMillan kmacmillan at tresys.com
Wed May 5 13:58:35 UTC 2004


> > The application 'seuser' did not seem to be able to find the policy.conf
> > file. I found the .tcl file and hacked a bit on that, but tcl is not a
> > native language for me. (Today I found the /usr/share/setools/seuser.conf
> > file with the missing 'policy' in the policy.conf path)
> >
> I believe this has been fixed in the most recent setools update.
> 

Yes - Dan Walsh incorporated the fix into setools-1.3-2. Also, we are going
to release 1.3.1 soon with this and another critical bug fixed.

Karl

Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134

> <snip>
> 
> > ------
> >
> > Then I found an application 'System Settings -> Security Level'  With
> > this tool, I could turn my firewall on and also turn on something in
> > SELinux.  The SELinux button said 'Active'.  I clicked on it and
> > saw options 'Warn' and 'Disabled'.  Then I went back to the Firewall
> > settings and decided not to do anything there. Clicking the OK button at
> > the bottom gave me a dialog box - something about 'do you want security
> > to be on'.
> > Since I thought security was already on, I clicked on yes...
> >
> This SELinux feature of system-config-securitylevel has been taken out
> for the FC2 release. IMHO, it needs some work to differentiate between
> setting the current state of enforcing and setting the state for the
> next boot of the system.
> The init will still use /etc/sysconfig/selinux.
> <snip>
> 
> 
> > Fortunately, I had printed out some of the SELinux documentation
> > (printed out, not read as yet).  I noticed an email message from Hannes
> > Mayer saying to pass 'selinux=0' to grub at boot time.
> Careful here, kernel-2.6.5-1.349 has the selinux bootparam turned off
> (I think they will re-enable it) so be sure your /etc/sysconfig/selinux
> is set correctly when using that kernel.
> >
> > This I did, and wonderfully my system booted up. It did not even have
> > the pesky extra error messages which I had noticed for a while when
> > booting my running system - 'avc denied', etc.
> >
> 
>   snip
> >
> > A lesser goal would be to dynamically set and (hopefully) unset the
> > enforcing parameter as mentioned later in Tom Mitchell's timely and very
> > helpful email message - and then see what problems develop -  in a
> > (hopefully) controlled environment.
> >
> getenforce and setenforce commands allow for dynamic changes of mode.
> 
> > (I would like to creep up on the concept of SecurityEnabled with lots of
> > log messages, but not too many.. :-) )
> 
> Not quite "creep up on"; looks like you jumped right in. Welcome.
> 
> It looks like Stephen Smalley has answered your major questions in his
> reply.
> 
> > The human path/process is important for newbie testers though.  Too many
> > rocks and the extra eyeballs get discouraged.
> There are several HOWTOs and FAQ around but you probably already knew
> that.
> Richard Hally
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
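
Added example, not part of the original thread: the quoted reply distinguishes the current enforcing state (getenforce/setenforce) from the state init reads from /etc/sysconfig/selinux for the next boot, and this sketch reports when the two disagree. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# boot_mode FILE: print the last SELINUX= value in FILE, lowercased.
# Comment lines are skipped; SELINUXTYPE= and other keys do not match.
boot_mode() {
    awk -F= '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == "SELINUX" { v = $2; sub(/#.*/, "", v); gsub(/[ \t\r"]/, "", v)
                         mode = tolower(v) }
        END { print (mode == "" ? "unset" : mode) }
    ' "$1"
}

# runtime_mode: lowercased getenforce output, or "unknown" if not installed.
runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr 'A-Z' 'a-z'
    else
        echo unknown
    fi
}

# rank MODE: order the modes by strictness; -1 for anything unrecognised.
rank() {
    case "$1" in
        enforcing) echo 2 ;; permissive) echo 1 ;; disabled) echo 0 ;;
        *) echo -1 ;;
    esac
}

# mode_drift RUNTIME BOOT: say whether a reboot would change the mode.
mode_drift() {
    r=$(rank "$1"); b=$(rank "$2")
    if [ "$r" -lt 0 ] || [ "$b" -lt 0 ]; then echo indeterminate
    elif [ "$r" -eq "$b" ]; then echo consistent
    elif [ "$b" -lt "$r" ]; then echo weaker-after-reboot
    else echo stronger-after-reboot
    fi
}

# Constructed sample standing in for /etc/sysconfig/selinux.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'SELINUX=permissive' \
    'SELINUXTYPE=targeted' > "$sample"
now=$(runtime_mode); boot=$(boot_mode "$sample")
echo "runtime=$now boot=$boot result=$(mode_drift "$now" "$boot")"
rm -f "$sample"
```

On a real system, pass /etc/sysconfig/selinux to boot_mode; a "weaker-after-reboot" result means a setenforce change will not survive the next boot.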



