[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

converting between strict and targeted



When I install FC4T2 and convert it to strict policy I get a huge number of 
AVC messages related to setfiles running in domain initrc_t.

It seems that the solution to this problem when converting from targeted to 
strict is to have the following in setfiles.te:

ifdef(`distro_redhat', `
domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
')

We already have can_setenforce(initrc_t) in initrc.te so this isn't really 
granting any extra access.

In the targeted policy we need to have definitions of all the types that are 
used before /.autorelabel is checked.  I have attached an archive of the 
policy necessary in targeted to make the conversion to strict run smoothly.  
Note that it only adds 9 aliases and 46 lines of file context so it won't 
have any noticable overhead when using targeted policy, but it will make 
things quite a bit nicer when converting from targeted to strict.

While the AVC messages don't really do any harm, it will give less annoyance 
and confusion for users to have them gone.  Incidentally for my testing I've 
relabeled the system in enforcing mode and had it work fine.  We can't do 
this in production because in some situations a relabel operation will be 
because of the configuration of the machine being badly messed up, enough so 
that it may not be possible to relabel in enforcing mode.


Incidentally I've just filed a bugzilla requesting that there be a 
"autorelabel" option for the kernel command line to give the same results as 
a /.autorelabel file.  That saves booting a messed up machine in permissive 
mode for the purpose of creating the file.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154496

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Attachment: t.tgz
Description: application/tgz


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]