
Re: Humpty Dumpty

Bob Gustafson wrote:
I have newly arrived at the dangerous stage of SELinux testing - and have a
few questions.

I was able to get the apol application up and running (but I think I need glasses - font size is a bit small) [- rich, thin, big enough screen]

There is a .apol file in your /home (or /root) that controls the font size.

The application 'seuser' did not seem to be able to find the policy.conf
file. I found the .tcl file and hacked a bit on that, but tcl is not a
native language for me. (Today I found the /usr/share/setools/seuser.conf
file with the missing 'policy' in the policy.conf path)

I believe this has been fixed in the most recent setools update.



Then I found an application 'System Settings -> Security Level'  With
this tool, I could turn my firewall on and also turn on something in
SELinux.  The SELinux button said 'Active'.  I clicked on it and
saw options 'Warn' and 'Disabled'.  Then I went back to the Firewall
settings and decided not to do anything there. Clicking the OK button at
the bottom gave me a dialog box - something about 'do you want security to be on'.
Since I thought security was already on, I clicked on yes...

This SELinux feature of system-config-securitylevel has been taken out for the FC2 release. IMHO, it needs some work to differentiate between setting the current state of enforcing and setting the state for the next boot of the system.
The init will still use /etc/sysconfig/selinux.

Fortunately, I had printed out some of the SELinux documentation
(printed out, not read as yet).  I noticed an email message from Hannes
Mayer saying to pass 'selinux=0' to grub at boot time.

Careful here, kernel-2.6.5-1.349 has the selinux bootparam turned off
(I think they will reenable it), so be sure your /etc/sysconfig/selinux is set correctly when using that kernel.

This I did, and wonderfully my system booted up. It did not even have the pesky extra error messages which I had noticed for a while when booting my running system - 'avc denied', etc.


A lesser goal would be to dynamically set and (hopefully) unset the enforcing parameter as mentioned later in Tom Mitchell's timely and very helpful email message - and then see what problems develop - in a (hopefully) controlled environment.

getenforce and setenforce commands allow for dynamic changes of mode.

(I would like to creep up on the concept of SecurityEnabled with lots of
log messages, but not too many.. :-) )

Not quite "creep up on"; looks like you jumped right in. Welcome.

It looks like Stephen Smalley has answered your major questions in his reply.

The human path/process is important for newbie testers though.  Too many
rocks and the extra eyeballs get discouraged.

There are several HOWTOs and FAQs around, but you probably already knew that.
Richard Hally
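
Added example, not part of the original message: the thread distinguishes the current enforcing state (getenforce/setenforce) from the state configured for the next boot (/etc/sysconfig/selinux and the selinux=/enforcing= boot parameters), and this sketch reports when the two disagree. The function names are hypothetical, and it assumes the file uses a `SELINUX=` line and that boot parameters override it, which depends on the kernel and init in use.

```shell
#!/bin/sh
# Added example: compare the running SELinux mode with the mode configured
# for the next boot. Function names are hypothetical.

# Print the SELINUX= value from a config file (default /etc/sysconfig/selinux).
configured_mode() {
    conf="${1:-/etc/sysconfig/selinux}"
    [ -r "$conf" ] || { echo unknown; return; }
    # Last uncommented SELINUX= line wins; SELINUXTYPE= does not match.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$conf" \
        | tail -n 1 | tr 'A-Z' 'a-z')
    echo "${mode:-unknown}"
}

# Apply selinux=/enforcing= boot parameters to a configured mode.
# Assumption: the kernel honours them. The thread notes a kernel build with
# the selinux parameter turned off, where only the config file would count.
boot_mode() {
    mode="$1"; cmdline="$2"
    for arg in $cmdline; do
        case "$arg" in
            selinux=0)   mode=disabled ;;
            enforcing=0) if [ "$mode" = enforcing ]; then mode=permissive; fi ;;
            enforcing=1) if [ "$mode" = permissive ]; then mode=enforcing; fi ;;
        esac
    done
    echo "$mode"
}

# Report whether the running mode matches what the next boot will bring up.
# $1 is getenforce output (Enforcing/Permissive/Disabled), $2 the next-boot mode.
check_drift() {
    running=$(echo "$1" | tr 'A-Z' 'a-z'); next="$2"
    if [ "$running" = "$next" ]; then
        echo "consistent: $running"
    else
        echo "drift: running=$running next-boot=$next"
    fi
}

# Live usage on an SELinux host:
#   check_drift "$(getenforce)" \
#       "$(boot_mode "$(configured_mode)" "$(cat /proc/cmdline)")"
```

A "drift" result after running setenforce is expected: setenforce changes only the running mode, so the next reboot returns to whatever the file and boot parameters say.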
