[K12OSN] SELinux boot error issue

Eric Harrison eharrison at mail.mesd.k12.or.us
Mon Jun 20 06:47:29 UTC 2005


On Mon, 20 Jun 2005, Gavin Chester wrote:

> On Sun, 2005-06-19 at 20:10 -0700, Eric Harrison wrote:
<snip>
>> I'm thinking about having K12LTSP 4.4.0 default to "permissive" mode.
>
> Looking more closely in my /var/log/messages it reports that is how
> SELinux is starting:
>
> etc
> etc
> Jun 19 21:49:56 local kernel: SELinux:  Initializing.
> Jun 19 21:49:56 local kernel: SELinux:  Starting in permissive mode
> Jun 19 21:49:56 local irqbalance: irqbalance startup succeeded
> Jun 19 21:49:56 local kernel: selinux_register_security:  Registering
> secondary module capability
> etc
> etc
> etc
> 	... however, the config file would have it otherwise:
>
> [root at local ~]# gedit /etc/selinux/config
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> #	enforcing - SELinux security policy is enforced.
> #	permissive - SELinux prints warnings instead of enforcing.
> #	disabled - SELinux is fully disabled.
> SELINUX=enforcing
> # SELINUXTYPE= type of policy in use. Possible values are:
> #	targeted - Only targeted network daemons are protected.
> #	strict - Full SELinux protection.
> SELINUXTYPE=targeted
>
>
>> Otherwise, I'm going to turn off SELinux for dhcpd, portmap, and mysql,
>> which is where I see the most trouble.
>>
>> All of these settings can be changed by running system-config-securitylevel
>> "System Settings" -> "Security Level" -> click on the SELinux tab.
>>
>
> 	... where the settings matched the config file that was set to
> "enforce" and "targeted".
>
> At a bit of a loss here :-\

Okay, I hope this is a simple explanation ;-)

SELinux uses policy files that define what different programs and
users can/cannot do. Fedora ships with two different policy configurations,
strict and targeted.

The strict policy is exactly that. Every user and every program is covered
by the strict policy.

The targeted policy covers specific (i.e. targeted) programs and users,
such as ftp, httpd, and samba. Everything that is not specifically included
in the targeted policy is not secured by SELinux. Targeted policy is
the default for Fedora.

This is the "SELINUXTYPE=targeted" entry in /etc/selinux/config


Independent of the policy, SELinux can be set in three different
states: disabled, permissive, and enforcing.

Disabled turns SELinux off completely.

Permissive turns on the selected SELinux policy (targeted or strict),
but only logs warnings when a security violation occurs (i.e. if the
policy says you can't run /bin/foo, it will let you run /bin/foo but
will log that you shouldn't be allowed to do that).

Enforcing turns on the selected SELinux policy (targeted or strict),
and enforces that policy (i.e. if the policy says you can't run
/bin/foo, you will not be able to run /bin/foo).

This is the "SELINUX=enforcing" entry in /etc/selinux/config


I hope that helps. This stuff gets real deep real fast once you
get beyond the basics.

-Eric
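As an added illustration (not part of the original thread), the following script reads the SELINUX= and SELINUXTYPE= values from an /etc/selinux/config-style file and the mode the kernel reported in a syslog line, then flags the kind of disagreement Gavin saw; the sample config and log lines are constructed to mirror the ones quoted above, and the function names are my own.

```shell
#!/bin/sh
# selinux_config_value FILE KEY: print the value of KEY=... from an
# /etc/selinux/config-style file, ignoring comment lines (last assignment wins).
selinux_config_value() {
    grep -v '^[[:space:]]*#' "$1" |
        sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]]*\).*/\1/p" |
        tail -n 1
}

# selinux_boot_mode LOGFILE: print the mode from the kernel's
# "SELinux:  Starting in <mode> mode" line (last occurrence).
selinux_boot_mode() {
    sed -n 's/.*SELinux:[[:space:]]*Starting in \([a-z]*\) mode.*/\1/p' "$1" |
        tail -n 1
}

# check_selinux_mode CONFIG LOGFILE: compare configured and booted mode.
# Returns 0 on match, 1 on mismatch, 2 if no startup line was found.
check_selinux_mode() {
    cfg=$(selinux_config_value "$1" SELINUX)
    boot=$(selinux_boot_mode "$2")
    if [ -z "$boot" ]; then
        echo "no SELinux startup line found in $2"
        return 2
    fi
    if [ "$cfg" = "$boot" ]; then
        echo "match: config=$cfg boot=$boot"
        return 0
    fi
    echo "MISMATCH: config=$cfg boot=$boot (policy=$(selinux_config_value "$1" SELINUXTYPE))"
    return 1
}

# Constructed sample inputs (hypothetical files, not read from the live system).
TMPD=$(mktemp -d)
cat > "$TMPD/config" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
cat > "$TMPD/messages" <<'EOF'
Jun 19 21:49:56 local kernel: SELinux:  Initializing.
Jun 19 21:49:56 local kernel: SELinux:  Starting in permissive mode
Jun 19 21:49:56 local irqbalance: irqbalance startup succeeded
EOF

check_selinux_mode "$TMPD/config" "$TMPD/messages" || :
```

Run against the real /etc/selinux/config and /var/log/messages to see whether what init was told matches what the kernel actually reported.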



