SELinux Mailing List
Re: Successful install
From: Stephen Smalley <sds_at_tislabs.com>
Date: Thu, 30 Aug 2001 09:08:28 -0400 (EDT)
On Wed, 29 Aug 2001, Conan Callen wrote:
> I finished the install this morning, selinux is up and running.

Good. Be sure to verify that none of your daemons were left in the initrc_t domain by checking the ps -e --context output. If so, then you'll need to define domains for those daemons or disable them if you don't want to use them. Also check your /var/log/messages file for 'avc: denied' messages to see if you need to add any permissions to the example policy for your particular system. When you think the policy is ready, you can toggle the system into enforcing mode with avc_toggle (or rebuild the kernel with CONFIG_FLASK_DEVELOP undefined).

> I read earlier that selinux had no support for x windows, is this still

In the example policy released with the new prototype, I commented out some of the permissions needed by the X server because they are very dangerous. See the lines preceded by 'Commented out by default' in policy/domains/program/xserver.te. You can uncomment those permissions if you want, but the consequence is that a bug in the X server can be catastrophic to the security of your system. Also, this only allows you to run X via startx after a normal login - it doesn't deal with running an X display manager. Mark Westerman has made some modifications to gdm for this purpose and put them on the sourceforge site. The X server really needs to be partitioned up more, so that only a small section of code needs to be granted these highly sensitive permissions.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com

Received on Thu 30 Aug 2001 - 09:16:51 EDT
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |