* selinux-policy-mls is now available for your testing pleasure.
@ 2005-04-15 21:04 Daniel J Walsh
  2005-04-19 21:25 ` Paul Moore
  2005-04-21 20:33 ` Paul Moore
From: Daniel J Walsh @ 2005-04-15 21:04 UTC
  To: SELinux

Based off STRICT policy.

ftp://people.redhat.com/dwalsh/SELinux/Fedora/selinux-policy-mls-*

It is not in Rawhide, yet but I will provide it via my people page.

This has not been tested. 

I have not got an MLS machine up and running yet.

Dan

-- 



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: selinux-policy-mls is now available for your testing pleasure.
@ 2005-04-20 12:54 Paul Moore
From: Paul Moore @ 2005-04-20 12:54 UTC
  To: SELinux

James Morris wrote:
> On Tue, 19 Apr 2005, Paul Moore wrote:
> 
> 
>>  5 Enabled the MLS policy via the Fedora GUI tool and ensured that the
>>    relabel option was selected
>>  6 Rebooted with the new MLS policy only to have the machine lock,
>>    it wasn't able to execute something related to init (I should have
>>    taken better notes here - sorry)
> 
> 
> You still need to perform the manual mountpoint relabeling per the MLS 
> readme.
> 

Yup, figured that one out the hard way ... ;) ... just figured I would
mention it here since Dan's original post didn't make any reference to
having to do any manual relabel operations.

>>10 Rebooted with 'single' and noticed lots of permission denied
>>    messages pertaining to '/dev/.udevdb/*' files
>  
> Odd, I haven't seen that.

Taking a bit of a closer look, the files with a permission denied error
seem to be missing a SELinux context as well as any permission flags as
well as an owner and group (ls -Z fills the fields in with a '?').

I'll try fixing them manually (or maybe just deleting them since it
looks like udev recreates them on boot anyway) and see what happens.

> Did you update to all of the new SELinux packages in Dan's FTP directory?

Not originally, no, but looking at them this morning all the versions I
have installed are the same versions as Dan's or newer.  I also noticed
that Dan set up that directory as a YUM repository so I added it to my
list and did a yum update - no new/updated packages.

>>12 Rebooted normally, i.e. 'rhgb quiet 5', and X failed to start
> 
> 
> Haven't tried X yet, not sure it's supposed to work.
> 
> 
> - James

-- 
. paul moore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. paul.moore@hp.com                                      hewlett packard
. (603) 884-5056                                          linux security


* Re: selinux-policy-mls is now available for your testing pleasure.
@ 2005-04-20 18:12 jrdesai18-tech
  2005-04-20 18:44 ` Paul Moore
From: jrdesai18-tech @ 2005-04-20 18:12 UTC
  To: Paul Moore, Stephen Smalley; +Cc: James Morris, SELinux, Daniel J Walsh


--- Paul Moore <paul.moore@hp.com> wrote:
> Paul Moore wrote:
> > Stephen Smalley wrote:
> > 
> >> On Tue, 2005-04-19 at 18:29 -0400, James Morris wrote:
> >>
> >>>> 12 Rebooted normally, i.e. 'rhgb quiet 5', and X failed to start
> >>>
> >>>
> >>> Haven't tried X yet, not sure it's supposed to work.
> >>
> >>
> >> Works for me.  Of course, you do need to have the allow_execmem=1
> >> boolean enabled for X to run, but that is independent of
> >> MLS.  /usr/sbin/setsebool -P allow_execmem=1.  Did the RPM include a
> >> booleans file?
> >>
> > 
> > Yes it did, however, the allow_execmem entry was missing.  I added it
> > via setsebool and verified that it was in the booleans.local file and
> > rebooted to see gdm start up this time but I could not login - according
> > to the xsession-errors file Xlib failed to connect to the display, which
> > was running on ":0.0".
> > 
> 
> I was playing with this some more and a regular user was allowed to 
> login via gdm - just not root.
> 

Hi Paul,

I saw a similar problem. In my case /tmp/gconfd-root had a type
other than tmp_t (I think it was sysadm_tmp or something like
that). It is possible that it was there from a previous login
of root when MLS was not active. Try removing that directory 
and see if you can login as root.

-Janak




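An added example, not code from the thread or from any of the posters, tying together Paul's observation that `ls -Z` prints `?` for entries with no SELinux context, Janak's suggestion to check the type on `/tmp/gconfd-root`, and Stephen's point about the `allow_execmem` boolean: a POSIX shell script that scans `ls -Z` output for unlabeled entries and for entries whose type is not the one expected for the directory, and checks a `booleans.local`-style file for a required boolean. The listing and the booleans file are constructed samples embedded in the script, and the `ls -Z` column layout it parses (mode, owner, group, context, name) is an assumption about the old-style output.

```shell
#!/bin/sh
# Added example (not from the thread): audit `ls -Z` output for entries that
# have no SELinux context ('?') or an unexpected type, and check that a
# required boolean is enabled in a booleans file.

# Constructed sample in the assumed old-style `ls -Z` column layout:
#   mode  owner  group  context  name
SAMPLE_LS_Z='-rw-r--r--  root root system_u:object_r:tmp_t        gconfd-user
drwx------  root root system_u:object_r:sysadm_tmp_t gconfd-root
?---------  ?    ?    ?                              .udevdb-entry
-rw-r--r--  root root system_u:object_r:tmp_t        orbit-user'

# Print the names of entries whose context field is '?' (no label at all),
# the symptom Paul saw under /dev/.udevdb.
# Usage: printf '%s\n' "$listing" | find_unlabeled
find_unlabeled() {
    awk '$4 == "?" { print $5 }'
}

# Print "name type" for labelled entries whose SELinux type (third field of
# user:role:type) differs from the expected one, e.g. a stale sysadm_tmp_t
# directory left in /tmp from before MLS was enabled.
# Usage: printf '%s\n' "$listing" | find_wrong_type tmp_t
find_wrong_type() {
    awk -v want="$1" '
        $4 != "?" {
            n = split($4, parts, ":")
            if (n >= 3 && parts[3] != want) print $5, parts[3]
        }'
}

# Constructed booleans file content (name=value, one per line); note that
# allow_execmem is absent, as in Paul's RPM.
SAMPLE_BOOLEANS='allow_ypbind=0
user_ping=1'

# Exit 0 if boolean $1 is set to 1 in the file read on stdin, else 1.
# Usage: printf '%s\n' "$booleans" | boolean_enabled allow_execmem
boolean_enabled() {
    grep -q "^$1=1\$"
}

# Stand-alone demonstration over the constructed samples.
echo "Entries with no SELinux context:"
printf '%s\n' "$SAMPLE_LS_Z" | find_unlabeled
echo "Entries whose type is not tmp_t:"
printf '%s\n' "$SAMPLE_LS_Z" | find_wrong_type tmp_t
if printf '%s\n' "$SAMPLE_BOOLEANS" | boolean_enabled allow_execmem; then
    echo "allow_execmem is enabled"
else
    echo "allow_execmem is missing or disabled (setsebool -P allow_execmem=1 sets it)"
fi
```

On a live system the same functions can be fed with `ls -Z /tmp` and `/etc/selinux/<policy>/booleans.local`; the column positions may differ between coreutils versions, so check the layout before relying on the field numbers.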


end of thread, other threads:[~2005-04-21 21:41 UTC | newest]

Thread overview: 14+ messages
2005-04-15 21:04 selinux-policy-mls is now available for your testing pleasure Daniel J Walsh
2005-04-19 21:25 ` Paul Moore
2005-04-19 22:29   ` James Morris
2005-04-20 12:07     ` Stephen Smalley
2005-04-20 13:11       ` Paul Moore
2005-04-20 17:04         ` Paul Moore
2005-04-20 17:50           ` Stephen Smalley
2005-04-20 14:29   ` Daniel J Walsh
2005-04-20 17:47     ` Paul Moore
2005-04-21 20:33 ` Paul Moore
2005-04-21 21:41   ` Paul Moore
  -- strict thread matches above, loose matches on Subject: below --
2005-04-20 12:54 Paul Moore
2005-04-20 18:12 jrdesai18-tech
2005-04-20 18:44 ` Paul Moore
