avc_toggle and avc_enforcing

avc_toggle and avc_enforcing

[Carlos Anísio Monteiro]

[-- Attachment #1: Type: text/plain, Size: 123 bytes --]

Hi.

Please, where I find the commands: *avc_toggle* and *avc_enforcing*. 
What are it the packages where it are?

Thanks.

[-- Attachment #2: Type: text/html, Size: 279 bytes --]

Re: avc_toggle and avc_enforcing

[Stephen Smalley]

On Tue, 2003-10-14 at 08:15, Carlos Anísio Monteiro wrote:
> Please, where I find the commands: avc_toggle and avc_enforcing. What
> are it the packages where it are?

They no longer exist as programs.  With the new SELinux API, you can
simply 'cat /selinux/enforce' to see the current enforcing value,
'echo 1 > /selinux/enforce' to switch into enforcing mode, and
'echo 0 > /selinux/enforce' to switch into permissive mode (if permitted
by the policy).

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: avc_toggle and avc_enforcing

[Dale Amon]

On Tue, Oct 14, 2003 at 10:15:33AM -0200, Carlos An?sio Monteiro wrote:
> Please, where I find the commands: *avc_toggle* and *avc_enforcing*. 
> What are it the packages where it are?

Gone. You just echo 1 or 0 to /selinux/enforcing (I think that is
the right name, I haven't got my testbox onlne at the moment) to
set or clear it.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: avc_toggle and avc_enforcing

[Kerry Thompson]

Speaking of which, I'd like to assemble a quick list of userland ( or more
accurately, adminland ) changes between the current release and the
previous non-/selinux release to update the documentation I've got, like
the U-FAQ. The ones I've noticed so far :

- avc_enforcing, avc_toggle replaced by /selinux/enforcing
- id command requires -c to display context
- ps command uses -Z to display context
- initrd now mandatory
- selinux kernel boot option
- multiple changes to installation procedure
- SRPMs added to installation image
- new tools added ( Tresys tools, star )
- binary RPMs available ( thanks Daniel )

I've looked into the ChangeLog files, but there really isn't much info
there, so I'd like to hear of any other changes that have been made which
need to be documented.

I'm still working on getting my test system up to the new 2.4 and 2.6,
unfortunately I rendered it unbootable last night so it will take a little
longer than expected ( note to self : make sure kernel can build an initrd
before removing /boot/initrd* ).

Kerry


Stephen Smalley said:
> On Tue, 2003-10-14 at 08:15, Carlos Anísio Monteiro wrote:
>> Please, where I find the commands: avc_toggle and avc_enforcing. What
>> are it the packages where it are?
>
> They no longer exist as programs.  With the new SELinux API, you can
> simply 'cat /selinux/enforce' to see the current enforcing value,
> 'echo 1 > /selinux/enforce' to switch into enforcing mode, and
> 'echo  > /selinux/enforce' to switch into permissive mode (if permitted
> by the policy).
>
> --
> Stephen Smalley <sds@epoch.ncsc.mil>
> National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: avc_toggle and avc_enforcing

[Stephen Smalley]

On Tue, 2003-10-14 at 17:21, Kerry Thompson wrote:
> Speaking of which, I'd like to assemble a quick list of userland ( or more
> accurately, adminland ) changes between the current release and the
> previous non-/selinux release to update the documentation I've got, like
> the U-FAQ. The ones I've noticed so far :

There is a summary of changes at the beginning of the selinux-doc README
and there is a longer discussion of porting issues in the selinux-doc
PORTING file.

> - avc_enforcing, avc_toggle replaced by /selinux/enforcing
> - id command requires -c to display context

Not on my systems.  id should display the context after the uid, gid,
and groups information without any options.  id -c displays just the
context.  Perhaps this is a defect in the port of the coreutils selinux
patch to your distribution?

> - ps command uses -Z to display context

ps and ls still support the long options, but -Z was also taken as a
short option for consistency with TrustedBSD.  Also, ps already has -Z
reserved for MAC, so this is a reasonable use of it.  It appears that -z
(lowercase) is also already reserved by ps for MAC, so we should likely
support it as well.

> - initrd now mandatory

Preferred, but it is possible to replace or modify /sbin/init instead.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: avc_toggle and avc_enforcing

[Bastian Blank]

On Wed, Oct 15, 2003 at 10:21:48AM +1300, Kerry Thompson wrote:
> - initrd now mandatory

i hope you know, that initrd support is not available on some
architectures?
it may be better to rename /sbin/init to /sbin/init.real (yes, some
packaging system supports that) and use a script as /sbin/init. this
script loads the policy and executes the real init.

bastian

-- 
You can't evaluate a man by logic alone.
		-- McCoy, "I, Mudd", stardate 4513.3

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.