* Fedora Core 2 Test 2
From: Nick Gray @ 2004-04-08 21:27 UTC
To: SE Linux

What is the strategy with Fedora Core 2 Test 2? I loaded it on my test server in order to make a first stab at transitioning to a 2.6 Kernel.

My observations so far:

1: I was a little surprised to find that SELinux was installed by default and that there didn't seem to be a way to avoid it. This said, the kernel did come up properly and the system booted.

2: I was a little bit more than surprised to find that the policy src and policy tools (i.e. checkpolicy) were not on the system anywhere. They also seem to be missing from the DVD ISO that I downloaded.

3: Not to be daunted by this, I downloaded the New release and installed it. My first attempt has gone down in flames. I get a system which tries to load X and gives me a couple of warnings in the top left portion of the screen (which I can't read) and hangs.

I am going to make another stab at it and see if I can control the install a little bit better. Then I will guess making the system come up in permissive mode and then try re-installing SEL from source.

Another thing I find sort of odd is, I needed to add packages to the install of SELinux on Core1. I did this by modifying the comps.xml to create an SELinux group which included:

    <packagereq type="mandatory">sharutils</packagereq>
    <packagereq type="mandatory">linuxdoc-tools</packagereq>
    <packagereq type="mandatory">netpbm-progs</packagereq>
    <packagereq type="mandatory">tetex-latex</packagereq>
    <packagereq type="mandatory">autoconf213</packagereq>
    <packagereq type="mandatory">elfutils-devel</packagereq>
    <packagereq type="mandatory">libcroco-devel</packagereq>

On Core2, it looks as if elfutils and libcroco have been updated but the DVD ISO is missing the development RPMs. I guess these were not needed for the SELinux kernel install when the system was building, but they seem to still be needed for the after installation build of the system.

I am interested in hearing others' experience on this. In particular anyone who is running core 2 with added users/programs. I am attempting to setup JBOSS as a daemon. With Core1 at least I was able to get it running in permissive. I couldn't even do that with Core2.

Nix

--
Nick Gray
Senior Systems Engineer
Bruzenak Inc.
nagray@austin.rr.com
(512) 331-7998

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: Fedora Core 2 Test 2
From: Kerry Thompson @ 2004-04-09 0:11 UTC
To: SE Linux

Nick Gray said:
> What is the strategy with Fedora Core 2 Test 2? I loaded it on my test
> server in order to make a first stab at transitioning to a 2.6 Kernel.
>
> My observations so far:
>
> 1: I was a little surprised to find that SELinux was installed by
> default and that there didn't seem to be a way to avoid it. This said,
> the kernel did come up properly and the system booted.
>
[snip]

I haven't tried FC2t2 yet so I can't comment on the details, but the feedback and hits I'm seeing against the FAQ page indicate many people are having problems. By far the most common google query is "disable selinux", and the hit rate has quadrupled since FC2t2 came out. A few people have commented that the desktop doesn't come up similar to Nick's comments.

I'm advising people that if they're not interested in SELinux or are installing a desktop for their granny then disable with selinux=0. If they're interested in SELinux, then go with enforcing=0 and be prepared for some messages and maybe enable enforcing later.

I too would like to hear from the FC2 developers (Russell?) about what the install options will be (there really needs to be one), and if the policies will be clean enough for an install into enforcing mode.

I'm thinking of writing an introductory document for Fedora users new to SELinux about what to do during and after installation (a bit like Faye's HOWTO but shorter and at a more basic level) to help people when the FC2 release comes out. So the strategy for the release would be greatly appreciated.

Kerry

--
Kerry Thompson, CCNA CISSP
Information Systems Security Consultant
http://www.crypt.gen.nz kerry@crypt.gen.nz

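
Added example (not part of the original thread or of any poster's message): a small audit helper that reports which SELinux mode a kernel command line requests, using the `selinux=0` and `enforcing=0` boot parameters mentioned in the message above. The function name, the output labels and the sample command lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify the SELinux mode a kernel command line requests.
# selinux=0 turns SELinux off at boot; enforcing=0 boots it in permissive mode.
# Usage: selinux_boot_mode "<contents of /proc/cmdline>"
# Prints: disabled | permissive | enforcing | config-default

selinux_boot_mode() (
    # Body runs in a subshell so set -f and the variables stay local.
    set -f                      # no filename expansion while word-splitting
    enabled="" enforcing=""
    for arg in $1; do           # this example lets a later occurrence override an earlier one
        case "$arg" in
            selinux=*)   enabled=${arg#selinux=} ;;
            enforcing=*) enforcing=${arg#enforcing=} ;;
        esac
    done
    if [ "$enabled" = "0" ]; then
        echo disabled           # wins over any enforcing= setting
    elif [ "$enforcing" = "0" ]; then
        echo permissive
    elif [ "$enforcing" = "1" ]; then
        echo enforcing
    else
        echo config-default     # nothing requested; the installed config decides
    fi
)

# Constructed sample command lines (not taken from any real host).
while IFS= read -r line; do
    printf '%-16s %s\n' "$(selinux_boot_mode "$line")" "$line"
done <<'EOF'
ro root=LABEL=/ rhgb quiet
ro root=LABEL=/ selinux=0
ro root=LABEL=/ enforcing=0
ro root=LABEL=/ enforcing=0 selinux=0
EOF
```

On a live host, pass the contents of /proc/cmdline as the argument; a result of config-default means the mode comes from the installed SELinux configuration rather than from the boot loader.
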
* Re: Fedora Core 2 Test 2
From: John Reuning @ 2004-04-09 3:34 UTC
To: SE Linux

I'll offer my limited experience with fc2t2. I've done two installs, both onto clean systems with reformatted partitions. There was an option to disable selinux in the installer click-through choices.

The first install resulted in an almost unusable system. I think something hiccuped because the fs labeling was messed up. For example, I couldn't create user accounts as root because the root user didn't have access to write /etc/shadow or /etc/passwd. A manual relabeling of the file systems fixed the problem. After that, everything was fine.

The second install was smooth. No labeling or policy problems yet. Although, I haven't used the system except as a headless test server.

I haven't tried upgrading a fc1 system to fc2t2. Maybe that's a source of trouble?

Thanks,

-John R.

> > 1: I was a little surprised to find that SELinux was installed by
> > default and that there didn't seem to be a way to avoid it. This said,
> > the kernel did come up properly and the system booted.
> > [snip]

* Re: Fedora Core 2 Test 2
From: Daniel J Walsh @ 2004-04-09 15:25 UTC
To: John Reuning
Cc: SE Linux

John Reuning wrote:

>I'll offer my limited experience with fc2t2. I've done two installs,
>both onto clean systems with reformatted partitions. There was an
>option to disable selinux in the installer click-through choices.
>
>The first install resulted in an almost unusable system. I think
>something hiccuped because the fs labeling was messed up. For example,
>I couldn't create user accounts as root because the root user didn't
>have access to write /etc/shadow or /etc/passwd. A manual relabeling of
>the file systems fixed the problem. After that, everything was fine.
>
>The second install was smooth. No labeling or policy problems yet.
>Although, I haven't used the system except as a headless test server.
>
>I haven't tried upgrading a fc1 system to fc2t2. Maybe that's a source
>of trouble?
>
>Thanks,
>
>-John R.
>

First off there is a Mailing list for discussing Fedora SELinux issues.

http://www.redhat.com/mailman/listinfo/fedora-selinux-list

As well as fedora-test-list and fedora-devel-list (Discussions are going on all three lists).

1. Upgrading to Fedora Core 2/SELinux requires a relabel of the file system, so people who have done this have gotten into trouble.
2. We have had tons of fixes to policy over the past few weeks that have cleaned up a lot of problems. So if you install FC2, make sure you update to the latest policy off of rawhide.
3. Overall the number of bugs being reported has dropped dramatically, either we have fixed a lot of the problems or people have figured out how to turn off SELinux (Probably a combination of both.)
4. Red Hat will be announcing our strategy for SELinux support in FC2/Test3 and Final shortly.

>>>1: I was a little surprised to find that SELinux was installed by
>>>default and that there didn't seem to be a way to avoid it. This said,
>>>the kernel did come up properly and the system booted.
>>>[snip]

The installer has three options currently Enforcing (Default), Permissive, Disabled.

There is also a FAQ explaining how to use SELinux within FC2.

http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/

Comments welcome.

* Re: Fedora Core 2 Test 2
From: Russell Coker @ 2004-04-12 7:28 UTC
To: Kerry Thompson
Cc: SE Linux

On Fri, 9 Apr 2004 10:11, "Kerry Thompson" <kerry@crypt.gen.nz> wrote:
> I'm advising people that if they're not interested in SELinux or are
> installing a desktop for their granny then disable with selinux=0.

I think that a granny's desktop system is an ideal machine for SE Linux. Such machines often don't get upgraded as often as you might like and you want as many security options as possible!

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

* Re: Fedora Core 2 Test 2
From: Tom @ 2004-04-14 9:02 UTC
To: SE Linux

On Mon, Apr 12, 2004 at 05:28:59PM +1000, Russell Coker wrote:
> On Fri, 9 Apr 2004 10:11, "Kerry Thompson" <kerry@crypt.gen.nz> wrote:
> > I'm advising people that if they're not interested in SELinux or are
> > installing a desktop for their granny then disable with selinux=0.
>
> I think that a granny's desktop system is an ideal machine for SE Linux. Such
> machines often don't get upgraded as often as you might like and you want as
> many security options as possible!

Plus granny is unlikely to fool around and thus can comfortably live in a restricted environment.

I know that for me, my own machines are the ones with the most relaxed security settings, because I constantly install, tweak, tune, and generally mess with stuff.

--
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5

* Re: Fedora Core 2 Test 2
From: Wesley Parish @ 2004-04-15 11:05 UTC
To: selinux

On Wed, 14 Apr 2004 21:02, Tom wrote:
> On Mon, Apr 12, 2004 at 05:28:59PM +1000, Russell Coker wrote:
> > On Fri, 9 Apr 2004 10:11, "Kerry Thompson" <kerry@crypt.gen.nz> wrote:
> > > I'm advising people that if they're not interested in SELinux or are
> > > installing a desktop for their granny then disable with selinux=0.
> >
> > I think that a granny's desktop system is an ideal machine for SE Linux.
> > Such machines often don't get upgraded as often as you might like and you
> > want as many security options as possible!
>
> Plus granny is unlikely to fool around and thus can comfortably live in
> a restricted environment.

Precisely, someone should get on the blower to the Lindash (formerly known as Lindows) people and suggest it to them. It would be one of their strongest selling points, after all - give it to your granny and forget about the script-kiddies and digital intruders.

>
> I know that for me, my own machines are the ones with the most relaxed
> security settings, because I constantly install, tweak, tune, and
> generally mess with stuff.

--
Wesley Parish
* * *
Clinersterton beademung - in all of love. RIP James Blish
* * *
Mau e ki, "He aha te mea nui?"
You ask, "What is the most important thing?"
Maku e ki, "He tangata, he tangata, he tangata."
I reply, "It is people, it is people, it is people."

* Re: Fedora Core 2 Test 2
From: Stephen Smalley @ 2004-04-09 12:03 UTC
To: Nick Gray
Cc: SE Linux, Daniel J Walsh, Jeremy Katz

On Thu, 2004-04-08 at 17:27, Nick Gray wrote:
> 1: I was a little surprised to find that SELinux was installed by
> default and that there didn't seem to be a way to avoid it. This said,
> the kernel did come up properly and the system booted.

You can disable it on the firewall setup screen, but it is easy to miss the checkbox. I think that they plan on making it more distinctive, and they might end up disabling it by default for the final release, forcing people to explicitly enable it if they want SELinux, as things are still rather rough.

> 2: I was a little bit more than surprised to find that the policy src
> and policy tools (i.e. checkpolicy) were not on the system anywhere.
> They also seem to be missing from the DVD ISO that I downloaded.

I was also surprised by the initial absence of checkpolicy and policy-sources, but from a strict dependency perspective, it does make sense - you only need the binary policy and policycoreutils for basic operation of the system. RH wants to support minimal installs, where policy-sources and its dependencies may be excessive. However, I did mention to Dan that I thought that checkpolicy and policy-sources should be installed by default unless you explicitly select a minimal install. I installed them after the fact from the CD ISOs; you can always install the latest versions via yum.

> 3: Not to be daunted by this, I downloaded the New release and installed
> it. My first attempt has gone down in flames. I get a system which tries
> to load X and gives me a couple of warnings in the top left portion of
> the screen (which I can't read) and hangs.

Try fixfiles relabel from single-user mode.

--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency