Still SELinux-Boot-errors after todays update
Stephen Smalley
sds at tycho.nsa.gov
Fri Jan 27 17:32:27 UTC 2006
On Fri, 2006-01-27 at 15:18 +0100, Roger Grosswiler wrote:
> Thanks, look this:
>
> [roger at niobe ~]$ sudo rpm -qa | grep selinux-policy-targeted
> [roger at niobe ~]$ sudo rpm -qa | grep selinux-policy
> [roger at niobe ~]$
>
> ...seems i did not have ANY policy installed??????
Seems unlikely, given that you are getting AVC denials.
Just do a rpm -q selinux-policy-targeted; you don't have to be root to
query. If you were running strict policy, I'd have guessed that your
sudo command was failing due to a SELinux denial (possibly just on the
output stream to the pipe, thereby silencing it) but if targeted, sudo
shouldn't be in its own domain at all.
> btw. can somebody explain me the difference between
>
> -targeted
> -mls
> -strict
-targeted vs. -strict is explained in the Fedora Core SELinux FAQ:
http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2764488
Note that since the time of that FAQ (which was for FC3), the targeted
policy has expanded to cover many more system programs/processes and
certain user programs, but still leaves users unconfined by SELinux.
Targeted policy is the default in Fedora and RHEL.
The -mls policy is for Multi-Level Security. See:
http://james-morris.livejournal.com/5020.html
MLS policy is specifically for LSPP certification.
In Fedora and the -targeted policy, the same infrastructure being
developed for the MLS policy is being used for what Red Hat is calling
Multi-Category Security, described in:
http://james-morris.livejournal.com/5583.html
and
http://james-morris.livejournal.com/8228.html
MCS is enabled in the FC5 devel -targeted policy already.
--
Stephen Smalley
National Security Agency
More information about the fedora-test-list
mailing list