Still SELinux-Boot-errors after today's update
Roger Grosswiler
roger at gwch.net
Fri Jan 27 17:58:14 UTC 2006
On Friday, 27.01.2006, at 12:32 -0500, Stephen Smalley wrote:
> On Fri, 2006-01-27 at 15:18 +0100, Roger Grosswiler wrote:
> > Thanks, look this:
> >
> > [roger at niobe ~]$ sudo rpm -qa | grep selinux-policy-targeted
> > [roger at niobe ~]$ sudo rpm -qa | grep selinux-policy
> > [roger at niobe ~]$
> >
> > ...seems I did not have ANY policy installed??????
>
> Seems unlikely, given that you are getting AVC denials.
> Just do a rpm -q selinux-policy-targeted; you don't have to be root to
> query. If you were running strict policy, I'd have guessed that your
> sudo command was failing due to a SELinux denial (possibly just on the
> output stream to the pipe, thereby silencing it) but if targeted, sudo
> shouldn't be in its own domain at all.
>
> > btw. can somebody explain to me the difference between
> >
> > -targeted
> > -mls
> > -strict
>
> -targeted vs. -strict is explained in the Fedora Core SELinux FAQ:
> http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2764488
> Note that since the time of that FAQ (which was for FC3), the targeted
> policy has expanded to cover many more system programs/processes and
> certain user programs, but still leaves users unconfined by SELinux.
> Targeted policy is the default in Fedora and RHEL.
>
> The -mls policy is for Multi-Level Security. See:
> http://james-morris.livejournal.com/5020.html
> MLS policy is specifically for LSPP certification.
>
> In Fedora and the -targeted policy, the same infrastructure being
> developed for the MLS policy is being used for what Red Hat is calling
> Multi-Category Security, described in:
> http://james-morris.livejournal.com/5583.html
> and
> http://james-morris.livejournal.com/8228.html
>
> MCS is enabled in the FC5 devel -targeted policy already.
>
> --
> Stephen Smalley
> National Security Agency
>
Stephen,
Thanks for this information!
Roger