SELinux Mailing List

Re: selinux-policy-mls is now available for your testing pleasure.

From: Daniel J Walsh <dwalsh_at_redhat.com>
Date: Wed, 20 Apr 2005 10:29:14 -0400


Paul Moore wrote:

> Daniel J Walsh wrote:
>
>> Based off STRICT policy.
>>
>> ftp://people.redhat.com/dwalsh/SELinux/Fedora/selinux-policy-mls-*
>>
>> It is not in Rawhide yet, but I will provide it via my people page.
>>
>> This has not been tested.
>> I have not got an MLS machine up and running yet.
>
>
> Since I have been looking into this lately I figured I would give it a
> whirl and report back my experiences, here they are:
>
> 1 Installed FC4T2 via the 'Workstation' option using two partitions,
> one for '/' and one for swap
> 2 Applied all of the related updates via YUM (done on April 19th)
> 3 Installed the MLS policy (version 1.23-11-2) but continued to use
> the default targeted policy
> 4 Rebooted into kernel 2.6.11-1.1240_FC4smp to verify everything was
> OK (it was)
> 5 Enabled the MLS policy via the Fedora GUI tool and ensured that the
> relabel option was selected
> 6 Rebooted with the new MLS policy only to have the machine lock,
> it wasn't able to execute something related to init (I should have
> taken better notes here - sorry)
> 7 Rebooted (the hard way, Ctrl-Alt-Del only resulted in more AVC
> denial messages) with 'selinux=0 single'
> 8 Unmounted '/proc' and '/sys' then relabeled them to
> 'system_u:object_r:file_t:s0' and 'user_u:object_r:file_t:s0'
> respectively; also relabeled '/var/lib/nfs/rpc_pipefs' to
> 'user_u:object_r:var_lib_nfs_t:s0'
> 9 Rebooted with 'enforcing=0 single' and this time the FS-wide
> relabel happened as part of the boot process
> 10 Rebooted with 'single' and noticed lots of permission denied
> messages pertaining to '/dev/.udevdb/*' files

udevdb/* files should be labeled udev_tbl_t according to policy.

> 11 Switched to runlevel 3 and saw a variety of AVC denial messages but
> things went mostly to plan and I had a login prompt which appeared
> to work as expected
> 12 Rebooted normally, i.e. 'rhgb quiet 5', and X failed to start
>
> I'm going to keep playing with this system, but I thought some people
> here might want to see a quick little report on how the MLS policy RPM
> worked.
>

Could you clear your /var/log/messages or /var/log/audit/audit.log file? Reboot and then send the AVC messages.

Dan

Received on Wed 20 Apr 2005 - 10:40:42 EDT
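
The reply above asks for the AVC messages from a clean boot. As an added example (not part of the original message and not an SELinux project tool), this Python sketch groups AVC denials from such a log by source type, target type, class and permission. The log lines are constructed samples, and treating a `file_t` or `unlabeled_t` target as a sign of a labeling problem is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample in the syslog AVC format of that era; not taken from the thread.
SAMPLE_LOG = """\
Apr 20 10:01:02 host kernel: audit(1114005662.100:0): avc:  denied  { read } for  pid=412 exe=/sbin/udev name=entry1 dev=tmpfs ino=1201 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Apr 20 10:01:02 host kernel: audit(1114005662.140:0): avc:  denied  { read write } for  pid=412 exe=/sbin/udev name=entry2 dev=tmpfs ino=1202 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Apr 20 10:01:09 host kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Apr 20 10:02:30 host kernel: audit(1114005750.020:0): avc:  denied  { search } for  pid=2210 exe=/usr/bin/gdm name=tmp dev=hda1 ino=77 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("rest")))
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated or malformed record
    rec["perms"] = m.group("perms").split()
    return rec

def type_of(context):
    """Extract the type from user:role:type[:mls-level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(log_text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        for perm in rec["perms"]:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm)
            counts[key] += 1
    return counts

def unlabeled_targets(log_text, suspect_types=("file_t", "unlabeled_t")):
    """Names of denied objects whose target type suggests a labeling problem (assumption)."""
    recs = filter(None, map(parse_avc, log_text.splitlines()))
    return sorted({r.get("name", "?") for r in recs if type_of(r["tcontext"]) in suspect_types})

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
    print("check labels on:", unlabeled_targets(SAMPLE_LOG))
```
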
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 