; out what 'types' are available 'in this OS' so that I issue the 'appropriate
> commands'.
>
> How can I find out what 'types' are available'?
seinfo -t
--
Stephen Smalley
National Security Agency
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
or by rc scripts that
would fork+exec short-lived restorecon processes to fix up labels.
Ways to improve the situation for systemd would include:
- Only load a subset of file_contexts entries, similar to udev.
- Only load the file contexts entries temporarily, using selabel_open +
selabel_close to bracket entire blocks where files are created or
relabeled.
--
Stephen Smalley
National Security Agency
can bracket the usage of the mapping with a
selabel_open();...;selabel_close();, then you'll only be consuming the
memory when using the file contexts mapping. You don't want to do that
around every file creation / relabel, of course.
--
Stephen Smalley
National Security Agency
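Both of the points above (loading only a subset of file_contexts entries, and bracketing the mapping's lifetime with selabel_open();...;selabel_close();) are about what libselinux actually holds in memory for the file contexts mapping. The following is an added toy model of that mapping, written for this thread and not libselinux code: it parses file_contexts(5)-format entries (anchored regex, optional file-type flag, a context or <<none>>), applies the last-matching-entry-wins rule, filters to a path prefix the way a udev-style subset load would, and confines the table's lifetime to a `with` block. The sample entries are constructed and are not Fedora's policy; the subset filter is a simplification of libselinux's SELABEL_OPT_SUBSET option and is marked as such.

```python
"""Toy model of the file_contexts mapping that selabel_open() loads.

Added illustration for this thread, not libselinux code.  It follows the
file_contexts(5) format (anchored regex, optional file-type flag, a
security context or <<none>>) and libselinux's rule that the last matching
entry wins.  The sample entries are constructed, not Fedora's policy; the
subset filter approximates SELABEL_OPT_SUBSET and is a simplification."""
import re

# Constructed sample in file_contexts(5) format (not a real policy file).
SAMPLE_FILE_CONTEXTS = """\
# regex              [type]  context
/.*                          system_u:object_r:default_t:s0
/dev(/.*)?                   system_u:object_r:device_t:s0
/dev/null            -c      system_u:object_r:null_device_t:s0
/dev/pts(/.*)?               <<none>>
/home                -d      system_u:object_r:home_root_t:s0
/home/[^/]+          -d      system_u:object_r:user_home_dir_t:s0
/home/[^/]+/.+               system_u:object_r:user_home_t:s0
/tmp/.*                      <<none>>
"""

# File-type flags from file_contexts(5) -> the stat(2) type they select.
TYPE_FLAGS = {"--": "file", "-d": "dir", "-c": "chr", "-b": "blk",
              "-s": "sock", "-l": "lnk", "-p": "fifo"}
META_CHARS = set(".^$?*+|[](){}\\")


def literal_stem(regex):
    """Longest literal prefix before the first regex metacharacter."""
    for i, ch in enumerate(regex):
        if ch in META_CHARS:
            return regex[:i]
    return regex


class FileContexts:
    """Compiled mapping; the regex table is the memory selabel_open() holds."""

    def __init__(self, text, subset=None):
        self.specs = []  # (compiled regex, required type or None, context or None)
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            fields = line.split()
            if len(fields) == 3:
                regex, flag, ctx = fields
                if flag not in TYPE_FLAGS:
                    raise ValueError(f"line {lineno}: unknown type flag {flag!r}")
                ftype = TYPE_FLAGS[flag]
            elif len(fields) == 2:
                regex, ctx = fields
                ftype = None
            else:
                raise ValueError(f"line {lineno}: expected 2 or 3 fields")
            # Subset loading (udev-style): keep only entries that can match
            # under the prefix.  Simplified stand-in for SELABEL_OPT_SUBSET.
            stem = literal_stem(regex)
            if subset and not (stem.startswith(subset) or subset.startswith(stem)):
                continue
            context = None if ctx == "<<none>>" else ctx
            self.specs.append((re.compile(regex), ftype, context))

    def lookup(self, path, ftype="file"):
        """Return the context for path, or None if unlabeled / no match.

        Like libselinux, scan from the end so the last matching entry wins.
        """
        for rx, spec_type, context in reversed(self.specs):
            if spec_type is not None and spec_type != ftype:
                continue
            if rx.fullmatch(path):
                return context
        return None

    # Model selabel_open()/selabel_close() bracketing: the table only
    # exists inside the with-block, so memory is held only while in use.
    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.specs.clear()
        return False


def demo():
    with FileContexts(SAMPLE_FILE_CONTEXTS) as fc:
        full = len(fc.specs)
        home = fc.lookup("/home/alice/notes.txt")
        homedir = fc.lookup("/home/alice", "dir")
    with FileContexts(SAMPLE_FILE_CONTEXTS, subset="/dev") as dev_only:
        dev = dev_only.lookup("/dev/null", "chr")
        loaded = len(dev_only.specs)
    return {"full_entries": full, "dev_entries": loaded,
            "home_file": home, "home_dir": homedir, "dev_null": dev}


if __name__ == "__main__":
    print(demo())
```

The `len(specs)` difference between the full load and the `/dev` subset is the memory the first bullet is about; the `with` block is the second bullet, and as the post says you would not wrap every single file creation in it, only a whole block of creations or relabels.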
ined by Dan.
Yes, agreed. This does require updating various scripts that directly
reference /selinux though, including anaconda, dracut, puppet, etc. I'm
guessing that some of these direct references are due to scripts that
need to be able to run before /usr is mounted, so if we moved
XMNT in
libselinux/src/policy.h, used by selinux_init_load_policy() to mount
selinuxfs for initial policy load. And it may break rc scripts and
other scripts/programs that have become accustomed to /selinux.
--
Stephen Smalley
National Security Agency
On Thu, 2011-01-13 at 18:21 -0200, Paulo Cavalcanti wrote:
>
>
> On Thu, Jan 13, 2011 at 12:47 PM, Stephen Smalley
> wrote:
> On Thu, 2011-01-13 at 09:12 -0500, Stephen Smalley wrote:
> > On Thu, 2011-01-13 at 11:51 -0200, Paulo Cavalcanti wrote:
>
On Thu, 2011-01-13 at 09:12 -0500, Stephen Smalley wrote:
> On Thu, 2011-01-13 at 11:51 -0200, Paulo Cavalcanti wrote:
>
> > Here it goes:
>
> >
> > type=SYSCALL msg=audit(01/13/2011 07:31:09.287:39) : arch=x86_64
> > syscall=lstat success=no exit=-13(P
On Thu, 2011-01-13 at 11:51 -0200, Paulo Cavalcanti wrote:
>
>
> On Thu, Jan 13, 2011 at 11:28 AM, Stephen Smalley
> wrote:
>
> On Thu, 2011-01-13 at 08:14 -0500, Stephen Smalley wrote:
> > On Wed, 2011-01-12 at 21:03 +, Paul Howarth wrote:
ext=
mount option? What does 'mount' show for /home and/or /home/packages
(if a separate mount)?
--
Stephen Smalley
National Security Agency
On Thu, 2011-01-13 at 08:14 -0500, Stephen Smalley wrote:
> On Wed, 2011-01-12 at 21:03 +, Paul Howarth wrote:
> > On Wed, 12 Jan 2011 13:02:21 -0500
> > Daniel J Walsh wrote:
> > > On 01/12/2011 06:29 AM, Paulo Cavalcanti wrote:
> > > > Hi,
> > >
pd to read user content on rhel5 (files
> labelled user_home_t, I guess),
> I still get some warnings from selinux troubleshooter. Does this flag
> really work on rhel5?
Can you show the actual messages from setroubleshoot or from the output
of /sbin/ausearch -m AVC -ts today -i?
> Does anyone think that using nfs_t (and setsebool -P use_nfs_home_dirs
> 1) would make any difference?
> Also, does anyone know whether rhel6 will be more "Fedora like", from
> an selinux point of view?
RHEL-6 includes a version of SELinux that is far more modern than
RHEL-5, naturally, and thus will look more like a modern Fedora (circa
Fedora 12/13, I think). RHEL-5 was forked from Fedora 6 IIRC.
--
Stephen Smalley
National Security Agency
; setsebool -P use_nfs_home_dirs 1
>
> What happens with newly-created files whilst booted in RHEL-5 in this
> case? What will Fedora 14 see them as?
Not sure what the RHEL-5 kernel does; in modern kernels, it won't set a
context on disk when creating new files in a filesystem mounted with
context= and thus they will show up as unlabeled if mounted without a
context= mount option in Fedora-14. You could mount it with a context=
option in both, or run restorecon on it when booting Fedora-14.
--
Stephen Smalley
National Security Agency
possible? Is there a better solution for not having tons of
> denials in rhel5?
When mounting /home under rhel5, add the context= option to your list of
mount options, e.g.
context=user_u:object_r:user_home_t:s0
Then your rhel5 system will treat all inodes under /home as if they were
labeled w
led is usually the first
> thing I kill when I install Fedora on my desktop too ...)
You don't need setroubleshoot to see SELinux denials.
/sbin/ausearch -m AVC -ts today -i (if running auditd) or
grep avc /var/log/messages (if not).
--
Stephen Smalley
National Security Agency
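The two pieces of advice in this thread about seeing denials (`/sbin/ausearch -m AVC -ts today -i` with auditd, `grep avc /var/log/messages` without it) both produce AVC records of the same shape. The following is an added example, not part of any post here, that parses such records and summarizes them by source type, target type, class and permission, which is the view you want before deciding between a boolean, a relabel or a context= mount. The sample lines are constructed for this example in the two forms a box produces (raw audit.log records and kernel messages in /var/log/messages); the thread's own denials are not reproduced. The `unlabeled_targets()` helper picks out the case Stephen describes above, files that show up as unlabeled after a context= mount is dropped.

```python
"""Summarize SELinux AVC denials from audit/syslog lines.

Added illustration for this thread, not part of any post.  The sample
lines are constructed in the two shapes a Fedora/RHEL box produces: raw
/var/log/audit/audit.log records and kernel messages as they appear in
/var/log/messages when auditd is not running."""
import re
from collections import Counter

# Constructed sample lines (not the thread reporter's real output).
SAMPLE_LOG = """\
type=AVC msg=audit(1294918269.287:39): avc:  denied  { getattr } for  pid=2087 comm="httpd" path="/home/packages/repodata" dev=sda3 ino=787493 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
Jan 13 07:31:10 host kernel: type=1400 audit(1294918270.102:40): avc:  denied  { read open } for  pid=2087 comm="httpd" name="repomd.xml" dev=sda3 ino=787501 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
Jan 13 07:31:11 host kernel: type=1400 audit(1294918271.500:41): avc:  denied  { read } for  pid=2087 comm="httpd" name="other.rpm" dev=sda3 ino=787600 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Jan 13 07:31:12 host kernel: eth0: link is up
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict for an AVC record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        rec[key] = bare if bare else quoted
    return rec


def type_of(context):
    """The SELinux type is the third field of user:role:type[:range]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize(lines):
    """Count denials by (comm, source type, permission, target type, class)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec.get("comm", "?"), type_of(rec.get("scontext", "")), perm,
                    type_of(rec.get("tcontext", "")), rec.get("tclass", "?"))] += 1
    return counts


def unlabeled_targets(lines):
    """Objects denied because they carry unlabeled_t, e.g. files created on a
    filesystem mounted with context= and later mounted without it; these are
    fixed by restorecon or a context= mount rather than by a policy change."""
    hits = set()
    for line in lines:
        rec = parse_avc(line)
        if rec and type_of(rec.get("tcontext", "")) == "unlabeled_t":
            hits.add(rec.get("path") or rec.get("name") or "?")
    return hits


def report(log_text):
    lines = log_text.splitlines()
    for key, n in sorted(summarize(lines).items()):
        comm, stype, perm, ttype, tclass = key
        print(f"{n:3d}  {comm:<8} {stype} -> {ttype} ({tclass}: {perm})")
    for name in sorted(unlabeled_targets(lines)):
        print(f"unlabeled target: {name}")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Feed it `ausearch -m AVC -ts today` (without `-i`, so contexts stay in raw form) or the `grep avc /var/log/messages` output; the summary groups the thread's httpd_t -> user_home_t denials into a handful of lines instead of one message per file.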