Message-ID: <3F8E9D94.5080909@redhat.com>
Date: Thu, 16 Oct 2003 09:31:00 -0400
From: Daniel J Walsh <dwalsh@redhat.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20030927
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Kerry Thompson <kerry@crypt.gen.nz>
Subject: Re: avc_toggle and avc_enforcing
References: <3F8BE8E5.9050006@ipen.br>    <1066145242.5054.213.camel@moss-spartans.epoch.ncsc.mil> <2544.202.27.185.71.1066166508.squirrel@www.crypt.gen.nz>
In-Reply-To: <2544.202.27.185.71.1066166508.squirrel@www.crypt.gen.nz>
Content-Type: multipart/alternative;
 boundary="------------000105070903010202000504"

This is a multi-part message in MIME format.
--------------000105070903010202000504
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit

Kerry Thompson wrote:

>Speaking of which, I'd like to assemble a quick list of userland ( or more
>accurately, adminland ) changes between the current release and the
>previous non-/selinux release to update the documentation I've got, like
>the U-FAQ. The ones I've noticed so far :
>
>- avc_enforcing, avc_toggle replaced by /selinux/enforcing
>- id command requires -c to display context
>  
>
This has been converted to -Z in latest patches, for consistency.

>- ps command uses -Z to display context
>- initrd now mandatory
>  
>
We are working to remove this requirement.

>- selinux kernel boot option
>- multiple changes to installation procedure
>  
>
>- SRPMs added to installation image
>- new tools added ( Tresys tools, star )
>- binary RPMs available ( thanks Daniel )
>
>  
>
You're welcome.

>I've looked into the ChangeLog files, but there really isn't much info
>there, so I'd like to hear of any other changes that have been made which
>need to be documented.
>
>  
>
We are working to eliminate root assumptions in the OS and replace them
with ones based on security contexts.  So config tools should be
prompting for your password instead of root password.

One goal of userland changes is that the average user should not have to
know that he is running on a SELinux machine.  A system administrator
should be able to manage the machine with limited knowledge of the way
policy works.

>I'm still working on getting my test system up to the new 2.4 and 2.6,
>unfortunately I rendered it unbootable last night so it will take a little
>longer than expected ( note to self : make sure kernel can build an initrd
>before removing /boot/initrd* ).
>
>Kerry
>
>
>Stephen Smalley said:
>  
>
>>On Tue, 2003-10-14 at 08:15, Carlos Anísio Monteiro wrote:
>>    
>>
>>>Please, where can I find the commands avc_toggle and avc_enforcing?
>>>Which packages are they in?
>>>      
>>>
>>They no longer exist as programs.  With the new SELinux API, you can
>>simply 'cat /selinux/enforce' to see the current enforcing value,
>>'echo 1 > /selinux/enforce' to switch into enforcing mode, and
>>'echo 0 > /selinux/enforce' to switch into permissive mode (if permitted
>>by the policy).
>>
>>--
>>Stephen Smalley <sds@epoch.ncsc.mil>
>>National Security Agency
>>    
>>

--------------000105070903010202000504--
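
Added example (not part of the original message and not SELinux project code): a read-only shell stand-in for the retired avc_enforcing program, built on the /selinux/enforce node described in the thread. The function names, the SELINUXFS variable and the exit-status convention are assumptions made for this illustration.

```shell
#!/bin/sh
# Read-only check of the SELinux enforcing mode through the selinuxfs
# "enforce" node. The mount point defaults to /selinux, as in the thread;
# set SELINUXFS or pass a directory if selinuxfs is mounted elsewhere.

# selinux_mode [DIR]
#   prints: enforcing | permissive | absent | unknown
#   status: 0 enforcing, 1 permissive,
#           2 no enforce node (SELinux off or selinuxfs not mounted at DIR),
#           3 node unreadable or holding an unexpected value
selinux_mode() {
    dir=${1:-${SELINUXFS:-/selinux}}
    node=$dir/enforce
    if [ ! -e "$node" ]; then
        echo absent
        return 2
    fi
    if [ ! -r "$node" ]; then
        echo unknown
        return 3
    fi
    # The node may hold the digit with no trailing newline, in which case
    # read returns non-zero even though it filled $value; the case decides.
    value=
    read -r value < "$node" || :
    case $value in
        1) echo enforcing;  return 0 ;;
        0) echo permissive; return 1 ;;
        *) echo unknown;    return 3 ;;
    esac
}

# require_enforcing [DIR]
#   Guard for admin scripts that must only run on an enforcing host:
#   returns 0 when enforcing, otherwise reports the mode on stderr and fails.
require_enforcing() {
    mode=$(selinux_mode "$@") && return 0
    echo "refusing to continue: SELinux mode is $mode" >&2
    return 1
}

# Typical use in a script:  require_enforcing || exit 1
```

Old scripts that called avc_enforcing can source this file and test the exit status of selinux_mode instead.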

