Issue with SELinux on FC3 - No policies

Daniel J Walsh dwalsh at redhat.com
Wed Nov 24 11:55:55 UTC 2004


Daryn Hanright wrote:

>Hi - I've experienced something weird with SELinux. When I first installed
>FC3 I chose targeted & noticed loads of different options under the SELinux tab
>in system-config-securitylevel, basically a twisty-tie list of different apps
>that are targeted. But I think when I reinstalled FC3 the other day
>I chose to disable SELinux, and now none of those options appear. When I choose
>to enable, those options I first saw don't reappear. Have tried reinstalling the
>relevant RPMs with no luck. Anyone have any idea what might have happened, or
>at least some idea on how I can reconfigure it?
>
>Having had a read of the SELinux FAQ for FC3, I should see a whole range of
>policies in "/etc/selinux/targeted/policy/", but when I go there I see only one
>policy
>
>Any ideas?
>
>  
>
Not sure what you are asking.   By default in FC3 with SELinux enabled, 
you get the following:
 rpm -q -l selinux-policy-targeted
/etc/selinux/
/etc/selinux/targeted/
/etc/selinux/targeted/booleans        # Booleans file containing list of overrides to policy booleans
/etc/selinux/targeted/contexts/        # Contains the context files that tell different apps how to transition to different contexts
/etc/selinux/targeted/contexts/dbus_contexts
/etc/selinux/targeted/contexts/default_contexts
/etc/selinux/targeted/contexts/default_type
/etc/selinux/targeted/contexts/failsafe_context
/etc/selinux/targeted/contexts/files/
/etc/selinux/targeted/contexts/files/file_contexts   # Regular expression file contexts used by restorecon, setfilescon, fixfiles to determine each file's context.
/etc/selinux/targeted/contexts/files/media  # File contexts for special device files
/etc/selinux/targeted/contexts/initrc_context
/etc/selinux/targeted/contexts/removable_context
/etc/selinux/targeted/contexts/userhelper_context
/etc/selinux/targeted/contexts/users/   # Directory contains override values for roles, i.e. if the root user logs in locally, give him this role.
/etc/selinux/targeted/contexts/users/root
/etc/selinux/targeted/policy
/etc/selinux/targeted/policy/policy.18   # The actual compiled context.

 >> If you install selinux-policy-targeted-sources you get an additional 
directory tree under

/etc/selinux/targeted/src/

 >> If you install selinux-policy-strict you get  a similar tree under

/etc/selinux/strict/

 >> system-config-securitylevel examines /etc/selinux/config to determine
which policy is running (targeted, strict or other future ones) and
whether SELinux is enabled, Permissive or disabled
(/usr/sbin/getenforce tells you this).

system-config-securitylevel then lists all subdirectories of 
/etc/selinux/ as possible policy choices.

In order to put up the Modify SELinux Policy listbox, the tool lists all 
booleans using the tool getsebool -a and if the selinux-policy-*-sources 
directory is installed, it examines the 
/etc/selinux/SELINUXTYPE/src/policy/tunables/  directory for all tunable 
entries.  It then uses the
/usr/share/system-config-securitylevel/selinux.tbl to translate the 
booleans/tunables into a more descriptive representation.

So depending on which policy is loaded and which policy and 
policy-sources are installed, the display of system-config-securitylevel 
will change.

I hope this helps.

Dan




>cheers
>Daryn
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>  
>
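The checks described in the reply above can be reproduced by hand when the policy list looks wrong. The script below is an added example, not part of the original thread or of system-config-securitylevel; the function names and the root-directory argument are hypothetical, and it inspects only the files named in the reply (it does not call getsebool, which needs a running SELinux kernel).

```shell
#!/bin/sh
# Added example (hypothetical helper names): inspect the files that
# system-config-securitylevel is described as reading, under root dir $1.

# Value of KEY ($2: SELINUX or SELINUXTYPE) in <root>/etc/selinux/config.
selinux_cfg() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" \
        "$1/etc/selinux/config" 2>/dev/null | tail -n 1
}

# Subdirectories of <root>/etc/selinux, i.e. the selectable policy types.
selinux_policies() {
    for d in "$1"/etc/selinux/*/; do
        [ -d "$d" ] && basename "$d"
    done
    return 0
}

# Summarise what the tool has to work with for the configured policy.
selinux_report() {
    ptype=$(selinux_cfg "$1" SELINUXTYPE)
    echo "mode=$(selinux_cfg "$1" SELINUX) type=${ptype:-unset}"
    echo "policies=$(selinux_policies "$1" | tr '\n' ' ' | sed 's/ $//')"
    if ls "$1/etc/selinux/$ptype/policy/"policy.* >/dev/null 2>&1; then
        echo "compiled_policy=present"
    else
        echo "compiled_policy=MISSING"
    fi
    # The tunables directory exists only with the -sources package installed.
    if [ -d "$1/etc/selinux/$ptype/src/policy/tunables" ]; then
        echo "tunables=present"
    else
        echo "tunables=absent (only booleans can be listed)"
    fi
}

# Build a constructed sample tree mirroring the rpm listing in the reply.
make_sample_root() {
    mkdir -p "$1/etc/selinux/targeted/policy"
    : > "$1/etc/selinux/targeted/policy/policy.18"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$1/etc/selinux/config"
}

# Demo on the constructed tree (not a real system).
demo=$(mktemp -d)
make_sample_root "$demo"
selinux_report "$demo"
rm -rf "$demo"
```

On a live system, run `selinux_report ""` to read the real /etc/selinux tree.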



