SElinux on upgraded machines

[Mike Cloaked]

I would like to raise an issue concerning the use of SElinux that has meant
that my decision to leave SElinux enabled and forcing in F9 and 10 for the
first time has taken up a significant amount of time to get things working.
It is very good to have the additional security that SElinux gives but it is
important to pland and manage the transition from non-SElinux systems to a
newer setup where the machines are all running with SElinux enabled.

For a machine that has a totally fresh install of F10 with all partitions
being created by the new system, and not needing to use nfs or analogous
links to other machines for everyday operation, seems to largely be free of
problems related to SElinux, except for a few minor tweaks that may be
necessary.

So complete novices to linux (apart from current problems with
dbus/PackageKit etc that are now resolved or being resolved) installing on a
new machine should have a relatively good experience with Fedora 10 for
most.

However for the older hacks (including myself) who have machines where the
root partition takes the new fresh install but in which other partitions are
not touched during install, and contain a myriad of programs, mail areas,
and other files that have been there since time immemorial and developed and
configured to work consistently across many Fedora upgrades, there are
likely to be wrong contexts littering those old partitions that have to be
manually set correctly even after a "restorecon -R" on those old partitions. 
Additionally when someone installs F10 on a laptop or desktop that gets some
of its files from an nfs server that is not running SElinux then there may
be significant issues to resolve unless the nfs server is also upgraded to
run SElinux.

I have not seen any complete guidance in a single place on how to make the
transition from all non-SElinux to a system where SElinux is enabled,
particularly where multiple machines are involved. Does anyone know of a
link to such guidance?  It would certainly be of value to a lot of people
who currently simply get frustrated and end up either turning SElinux to
permissive or simply disabling it.

I decided when I did my first F9 install to leave SElinux enabled and
enforcing... and it took me some time to go through the files and change
contexts whenever I got avc denials popping up, and in some cases I got help
from the lists, largely through Dan Walsh's help, and slowly got things
sorted out until the machine ran without avc denials. One example is that in
many cases using symlinks gave serious problems and I had to switch over to
using bind mounts instead.

However there is a residual issue in that with special configurations on
some partitions eg to store mail spools away from the root partition, then
the use of "semanage fcontext..." to create rules that will survive a
"restorecon -R" will be fine on the machine until it is next upgraded....
after a clean install of a newer Fedora then presumably a restorecon will
not remember the rules painstakingly created on the previous system?  Or is
there a way to copy those rules from a backup of the previous system?

I wonder if anyone else on this list may have had thoughts about these and
similar issues?
-- 
View this message in context: http://www.nabble.com/SElinux-on-upgraded-machines-tp20973024p20973024.html
Sent from the Fedora Test List mailing list archive at Nabble.com.