From: "Justin P. Mattock" <justinmattock@gmail.com>
To: erahul29@yahoo.com
Cc: selinux@tycho.nsa.gov, sds@tycho.nsa.gov, dwalsh@redhat.com
Subject: Re: Problem Setting Policy To Enforcing Mode
Date: Sat, 22 Nov 2008 09:18:47 -0800
Message-ID: <1227374327.3205.14.camel@LiNuX>
In-Reply-To: <674101.15460.qm@web50212.mail.re2.yahoo.com>
On Sat, 2008-11-22 at 03:09 -0800, Rahul Jain wrote:
> Thank you all for your kind help.
>
> Finally I was able to boot my policy. As suggested, I removed
> dontaudit rules from my policy by doing "make enableaudit". Then I did
> some quick fixes and was finally able to boot the policy. However I am
> still facing some issues:
> Firstly - My syslog daemon takes too long to start, almost 10 min.
> Please note my test systems are high end multiprocessor express
> servers with 8 GB of RAM.
> Secondly: I am not able to come back to permissive mode, not even
> by logging in as sysadm_r role. My file system is read only and so I am not
> able to edit the /etc/selinux/config file. "setenforce" command
> temporarily puts the policy in permissive mode but still config file
> could not be edited. I even tried it in Linux single user mode,
> but the problem persists. Is it the property of the Tresys reference
> policy or my policy is still not behaving properly?
> I really appreciate your kind help
>
> Thanks
> Rahul
>
Cool, glad to hear you're up and running.
Like what Stephen had mentioned, you should check and
make sure the files are labeled correctly before doing a
make enableaudit (this way you don't strip down your policy).
With the syslog, either you have it installed incorrectly, or
there are still denials showing up causing syslog to partially
work. E.g. I usually do a "rm /var/log/syslog, touch /var/log/syslog,
reboot, audit2allow -i /var/log/syslog", to see any dbus avc's
(that is, if dbus is running correctly); most likely if
you are booting into permissive and syslog starts right up, as opposed
to enforcing, then there's a denial floating around that needs to be
allowed. As for setting permissive mode,
what is your initial context?
(e.g. id -Z once you've started up.)
regards;
--
Justin P. Mattock <justinmattock@gmail.com>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
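The denial check described in the reply above, as an added example that is not part of the original message or of any SELinux tool: a Python script that groups AVC denials found in a syslog file by source type, target type and class, and flags targets typed `file_t` or `unlabeled_t`, which usually point to a labeling problem rather than a missing allow rule. The sample log lines are constructed, the function names are hypothetical, and treating those two types as labeling hints is an assumption about reference policy naming.

```python
import re
from collections import defaultdict

# Constructed sample syslog content (not taken from the thread).
SAMPLE_LOG = '''\
Nov 22 09:01:12 host kernel: type=1400 audit(1227373272.101:5): avc:  denied  { write } for  pid=1901 comm="syslogd" name="log" dev=sda1 ino=4411 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=sock_file
Nov 22 09:01:12 host kernel: type=1400 audit(1227373272.104:6): avc:  denied  { create setattr } for  pid=1901 comm="syslogd" name="log" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=sock_file
Nov 22 09:01:14 host kernel: type=1400 audit(1227373274.220:7): avc:  denied  { search } for  pid=1950 comm="dbus-daemon" name="dbus" dev=sda1 ino=5120 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
Nov 22 09:01:15 host syslogd 1.5.0: restart.
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
LABEL_SUSPECTS = {'file_t', 'unlabeled_t'}  # assumption: types hinting at a missing label

def context_type(context):  # type field of user:role:type[:mls], or None
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one log line; return a dict for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    source = context_type(fields.get('scontext', ''))
    target = context_type(fields.get('tcontext', ''))
    if not (source and target and 'tclass' in fields):
        return None
    return {'perms': set(m.group('perms').split()), 'key': (source, target, fields['tclass'])}

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {'perms': set(), 'count': 0})
    for line in log_text.splitlines():
        denial = parse_avc(line)
        if denial:
            group = groups[denial['key']]
            group['perms'] |= denial['perms']
            group['count'] += 1
    return dict(groups)

def labeling_suspects(summary):
    """Keys whose target type suggests relabeling before adding allow rules."""
    return sorted(key for key in summary if key[1] in LABEL_SUSPECTS)

if __name__ == '__main__':
    for key, group in sorted(summarize(SAMPLE_LOG).items()):
        print(key, sorted(group['perms']), group['count'])
```

Denials returned by `labeling_suspects` are the ones to resolve by checking file labels first, before turning the rest into allow rules.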