Hi - I've experienced something weird with SELinux. When I first installed FC3 I chose targeted & noticed loads of different options under the SELinux tab in system-config-securitylevel, basically a twisty-tie list of different apps that are targeted. But I think when I reinstalled FC3 the other day I chose to disable SELinux, and now none of those options appear. When I choose to enable, those options I first saw don't reappear. Have tried reinstalling the relevant RPMs with no luck. Anyone have any idea what might have happened, or at least some idea on how I can reconfigure it?
Having had a read of the SELinux FAQ for FC3, I should see a whole range of policies in "/etc/selinux/targeted/policy/", but when I go there I see only one policy.
Any ideas?
cheers Daryn
Daryn Hanright wrote:
> Hi - I've experienced something weird with SELinux. When I first installed FC3 I chose targeted & noticed loads of different options under the SELinux tab in system-config-securitylevel, basically a twisty-tie list of different apps that are targeted. But I think when I reinstalled FC3 the other day I chose to disable SELinux, and now none of those options appear. When I choose to enable, those options I first saw don't reappear. Have tried reinstalling the relevant RPMs with no luck. Anyone have any idea what might have happened, or at least some idea on how I can reconfigure it?
> Having had a read of the SELinux FAQ for FC3, I should see a whole range of policies in "/etc/selinux/targeted/policy/", but when I go there I see only one policy.
> Any ideas?
Not sure what you are asking. By default in FC3 with SELinux enabled, you get the following:

rpm -q -l selinux-policy-targeted
/etc/selinux/
/etc/selinux/targeted/
/etc/selinux/targeted/booleans # Booleans file containing list of overrides to policy booleans
/etc/selinux/targeted/contexts/ # Contains the context files that tell different apps how to transition to different contexts
/etc/selinux/targeted/contexts/dbus_contexts
/etc/selinux/targeted/contexts/default_contexts
/etc/selinux/targeted/contexts/default_type
/etc/selinux/targeted/contexts/failsafe_context
/etc/selinux/targeted/contexts/files/
/etc/selinux/targeted/contexts/files/file_contexts # Regular expression file contexts used by restorecon, setfilescon, fixfiles to determine each file's context.
/etc/selinux/targeted/contexts/files/media # File contexts for special device files
/etc/selinux/targeted/contexts/initrc_context
/etc/selinux/targeted/contexts/removable_context
/etc/selinux/targeted/contexts/userhelper_context
/etc/selinux/targeted/contexts/users/ # Directory contains override values for roles, i.e. if the root user logs in locally, give him this role.
/etc/selinux/targeted/contexts/users/root
/etc/selinux/targeted/policy
/etc/selinux/targeted/policy/policy.18 # The actual compiled context.
If you install selinux-policy-targeted-sources you get an additional directory tree under /etc/selinux/targeted/src/

If you install selinux-policy-strict you get a similar tree under /etc/selinux/strict/
system-config-securitylevel examines /etc/selinux/config to determine which policy is running (targeted, strict or other future ones) and whether SELinux is enabled, permissive or disabled (/usr/sbin/getenforce tells you this).
system-config-securitylevel then lists all subdirectories of /etc/selinux/ as possible policy choices.
In order to put up the Modify SELinux Policy listbox, the tool lists all booleans using the tool getsebool -a and, if the selinux-policy-*-sources directory is installed, it examines the /etc/selinux/SELINUXTYPE/src/policy/tunables/ directory for all tunable entries. It then uses the /usr/share/system-config-securitylevel/selinux.tbl to translate the booleans/tunables into a more descriptive representation.
So depending on which policy is loaded and which policy and policy-sources are installed, the display of system-config-securitylevel will change.
I hope this helps.
Dan
> cheers Daryn
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
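
The checks Dan describes can be repeated from a shell to see which inputs the tool is missing. This is an added example, not part of the original thread and not system-config-securitylevel's own code; the function names and the optional root-directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added diagnostic sketch (hypothetical helper names). ROOT is normally
# /etc/selinux; a different directory can be passed for testing.

# Print the value of KEY (SELINUX or SELINUXTYPE) from ROOT/config.
selinux_config_value() {
    [ -r "$1/config" ] || return 1
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1/config" | tail -n 1
}

# List every subdirectory of ROOT: these are offered as policy choices.
selinux_policy_choices() {
    for d in "$1"/*/; do
        if [ -d "$d" ]; then basename "$d"; fi
    done
}

# True when the tunables directory shipped by the policy sources exists.
selinux_has_tunables() {
    [ -d "$1/$2/src/policy/tunables" ]
}

# Summarise each input that decides what the tool can display.
selinux_report() {
    root=${1:-/etc/selinux}
    mode=$(selinux_config_value "$root" SELINUX) || { echo "no $root/config"; return 1; }
    ptype=$(selinux_config_value "$root" SELINUXTYPE)
    echo "configured mode:   ${mode:-unset}"
    echo "configured policy: ${ptype:-unset}"
    echo "policy choices:    $(selinux_policy_choices "$root" | tr '\n' ' ')"
    if selinux_has_tunables "$root" "$ptype"; then
        echo "tunables:          present (policy sources installed)"
    else
        echo "tunables:          absent (policy sources not installed)"
    fi
    # getsebool reports booleans of the running system, not of the files on disk.
    if command -v getsebool >/dev/null 2>&1; then
        echo "booleans listed:   $(getsebool -a 2>/dev/null | wc -l)"
    else
        echo "booleans listed:   getsebool not found"
    fi
}
```

Source the file and run `selinux_report`; a count of zero booleans together with absent tunables leaves the tool with nothing to put in the listbox.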