Pretty unbelievable !!

Bob Gustafson bobgus at rcn.com
Thu May 6 19:51:37 UTC 2004


On Thu, 06 May 2004 14:05:21 -0400 Stephen Smalley wrote:
>On Thu, 2004-05-06 at 10:14, Bob Gustafson wrote:
>> I was just able to upgrade 'yum update \*' my whole system (kernel 351smp)
>> and reboot and startx and Soundcard Detection (with sound).
>>
>> This was all with boot params 'selinux=1 enforcing=1'
>>
>> Congratulations on a pretty smooth transition.
>
>Not to be paranoid, but could you run /usr/sbin/sestatus -v as root?
>
>--

  [root at hoho2 user1]# date
  Thu May  6 14:14:53 CDT 2004
  [root at hoho2 user1]# /usr/sbin/sestatus -v
  SELinux status:         enabled
  SELinuxfs mount:        /selinux
  Current mode:           enforcing
  Policy version:         17

  Policy booleans:
  user_ping               inactive

  Process contexts:
  Current context:        root:sysadm_r:sysadm_t
  Init context:           system_u:system_r:init_t
  /sbin/mingetty          system_u:system_r:getty_t
  /usr/sbin/sshd          system_u:system_r:sshd_t

  File contexts:
  Controlling term:       root:object_r:sysadm_devpts_t
  /etc/passwd             system_u:object_r:etc_t
  /etc/shadow             system_u:object_r:shadow_t
  /bin/bash               system_u:object_r:shell_exec_t
  /bin/login              system_u:object_r:login_exec_t
  /bin/sh                 system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
  /sbin/agetty            system_u:object_r:getty_exec_t
  /sbin/init              system_u:object_r:init_exec_t
  /sbin/mingetty          system_u:object_r:getty_exec_t
  /usr/sbin/sshd          system_u:object_r:sshd_exec_t
  /lib/libc.so.6          system_u:object_r:lib_t -> system_u:object_r:shlib_t
  /lib/ld-linux.so.2      system_u:object_r:lib_t -> system_u:object_r:ld_so_t

Do a copy and paste from the screen into a file:

  [root at hoho2 user1]# vim small.bug
  [root at hoho2 user1]# rsync small.bug hoho0:/home/bobg
  root at hoho0's password:
  Warning: No xauth data; using fake authentication data for X11 forwarding.

As expected (???), but see log lines at bottom of this message.
Target machine does not have rsync with selinux.

  Server is very old version of rsync, upgrade recommended.

Uptime on the target machine (lots of things have happened in 84 days):
  [root at hoho0 root]# uptime
  2:28pm  up 84 days, 4 min,  2 users,  load average: 0.00, 0.00, 0.00
  [root at hoho0 root]#

OK, now delicately step around the wall.

  [root at hoho2 user1]# setenforce 0
  [root at hoho2 user1]# rsync small.bug hoho0:/home/bobg
  root at hoho0's password:
  Server is very old version of rsync, upgrade recommended.

And lock the door afterwards.

  [root at hoho2 user1]# setenforce 1
  [root at hoho2 user1]#

=====================

So, is it bullet-proof?

What doc would help to interpret the output of sestatus?

[I was reading this morning - I have about an inch of paper to go]

----
Some added info

Last night, I downloaded the upgraded setools. When I installed it/them, I
noticed that the policy files were recompiled as part of the 'make install'.

Since the policy files had been recompiled, I figured that it would not
hurt to do another 'fixfiles relabel', which was done before this morning's
success with yum.

BobG

Also, I noticed that when I have a gnome terminal window open and do 'su',
the following lines appear in /var/log/messages.

Is this an unneeded artifact coming from the X window system? The fact that
it was denied does not seem to affect the rootness of tasks after doing the
'su'.

May  6 14:37:31 hoho2 su(pam_unix)[3755]: session opened for user root by user1(uid=500)
May  6 14:37:31 hoho2 kernel: audit(1083872251.894:0): avc:  denied  { add_name } for  pid=3755 exe=/bin/su name=.xautholimVP scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t tclass=dir
May  6 14:37:31 hoho2 kernel: audit(1083872251.894:0): avc:  denied  { create } for  pid=3755 exe=/bin/su name=.xautholimVP scontext=user_u:user_r:user_su_t tcontext=user_u:object_r:staff_home_dir_t tclass=file
May  6 14:37:31 hoho2 kernel: audit(1083872251.895:0): avc:  denied  { setattr } for  pid=3755 exe=/bin/su name=.xautholimVP dev=sda2 ino=7290886 scontext=user_u:user_r:user_su_t tcontext=user_u:object_r:staff_home_dir_t tclass=file
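As an added example (not part of Bob's message or of the fedora-selinux-list thread), here is a small Python parser for the syslog-style AVC denial lines quoted above. The sample input is the three denials from the message with the mail-client line wrapping undone; the function names, the field-splitting regexes and the grouping by (source type, target type, object class) are this example's own assumptions, not anything from the list or from the SELinux tools of the time.

```python
"""Parse 2004-era SELinux AVC denials as they appear in /var/log/messages.

Added example, not code from the mailing-list message. The three AVC lines
in SAMPLE_LOG are the ones quoted in the message (re-joined where the mail
client wrapped them); the parsing and grouping logic is an assumption of
this example, not part of any SELinux tool.
"""
import re
from collections import defaultdict

# Sample input: the lines quoted in the message, re-joined into single lines.
SAMPLE_LOG = """\
May  6 14:37:31 hoho2 su(pam_unix)[3755]: session opened for user root by user1(uid=500)
May  6 14:37:31 hoho2 kernel: audit(1083872251.894:0): avc:  denied  { add_name } for  pid=3755 exe=/bin/su name=.xautholimVP scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t tclass=dir
May  6 14:37:31 hoho2 kernel: audit(1083872251.894:0): avc:  denied  { create } for  pid=3755 exe=/bin/su name=.xautholimVP scontext=user_u:user_r:user_su_t tcontext=user_u:object_r:staff_home_dir_t tclass=file
May  6 14:37:31 hoho2 kernel: audit(1083872251.895:0): avc:  denied  { setattr } for  pid=3755 exe=/bin/su name=.xautholimVP dev=sda2 ino=7290886 scontext=user_u:user_r:user_su_t tcontext=user_u:object_r:staff_home_dir_t tclass=file
"""

# Shape of one record: audit(<secs>.<ms>:<serial>): avc:  denied  { perm ... } for  key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    # pid=, exe=, name=, dev=, ino=, scontext=, tcontext=, tclass= (whichever are present)
    rec.update(dict(FIELD_RE.findall(m.group("fields"))))
    # A context is user:role:type; keep the type separately, since that is what
    # an allow rule is written against.
    for key in ("scontext", "tcontext"):
        if key in rec:
            rec[key + "_type"] = rec[key].split(":")[2]
    return rec


def parse_log(text):
    """Parse every AVC line in a block of syslog text, skipping everything else."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def summarize(records):
    """Group denied permissions by (source type, target type, object class).

    Each key corresponds to one 'src tgt:class { perms }' access vector that the
    policy does not currently allow; the value lists the permissions denied.
    """
    groups = defaultdict(set)
    for r in records:
        if r["result"] != "denied":
            continue
        groups[(r["scontext_type"], r["tcontext_type"], r["tclass"])].update(r["perms"])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["result"], r["perms"], r.get("exe"), r.get("name"), r["tclass"])
    for (src, tgt, cls), perms in summarize(recs).items():
        print(f"{src} -> {tgt}:{cls}  {{ {' '.join(perms)} }}")
```

Run against the sample, the summary collapses the three denials into two access vectors: user_su_t was refused add_name on a staff_home_dir_t directory and create plus setattr on a staff_home_dir_t file, i.e. su (in the user_su_t domain) trying to write its .xauth* file into the home directory. That view makes it easier to decide whether a denial is harmless noise, as in the message, or something the policy should be changed to permit; the parser itself takes no position on that.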
