I have been running FC6T3 plus updates and an even more recent install from FC6 development (selinux targeted and enforcing) and everything is looking very good. Since I follow the LSPP list and know that a lot of work has been done with the mls policy for RHEL 5 (and FC6), I thought I would give it a try.
Before I spend time putting in bugzilla reports, since it is going to take time to gather the documentation, I am hoping some of this is known. This testing was done with clean installs on hardware and using vmware.
1. install selinux-policy-mls and switch to it using the system-config-security tool ... then reboot and do the relabeling (enforcing=0). Then reboot again (enforcing=1) ... oops, an almost immediate kernel panic!
2. OK, get the system back up in targeted mode. I then thought I would try strict ... install selinux-policy-strict ... then reboot and do the relabeling (enforcing=0). Then reboot again (enforcing=1) ... better ... no kernel panic ... but not much better since some services fail starting and, when I logon as root, I cannot do anything.
This is NOT GOOD!!!
3. While doing the above tests, I tried using the system-config-security gui tool to change the policy. I booted up with enforcing=0 and then tried the tool to change back to targeted. Since I run targeted with enforcing, I left the tool specification as enforcing. Unfortunately, the tool sets enforcing for the runtime system BEFORE it changes /etc/sysconfig/selinux file.
Folks, this does not look ready for prime time as close as we are to final! While I do not expect everything to work, I do expect a bit more than what I got. From what I saw, this should be easily repeatable by developers.
As I said, it is going to take me a bit of time to gather documentation for bugzilla reports. I hope that someone out there can give these policies a try to see if they can duplicate what I experienced.
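The procedure in steps 1 and 2 above, written out as a shell script. This is an added example, not code from the thread or from the system-config-securitylevel tool: it stages the switch by writing the config file (SELINUX=permissive plus the new SELINUXTYPE) and requesting a relabel for the next boot, and it only turns the config back to enforcing when the relabeled boot has left no AVC denials in the audit log. The config and audit log paths are parameters so the functions can be exercised on copies rather than on /etc/sysconfig/selinux itself; nothing here touches runtime enforcing state, so the ordering problem in item 3 does not arise.

```shell
#!/bin/sh
# Added example, not code from the thread or from the system-config tool:
# stage a policy-type switch in the order the thread argues for, i.e. write
# the sysconfig file with SELINUX=permissive and the new SELINUXTYPE, request
# a relabel on the next boot, and only set enforcing back in the config once
# the relabeled boot has produced no AVC denials.  Paths are parameters so
# the functions can be run against a copy of the real file.

# Set KEY=VALUE in a sysconfig-style file, replacing an existing line or appending one.
selinux_config_set() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file" 2>/dev/null; then
        # sed -i is not POSIX, so rewrite through a temporary file
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Print the current value of KEY (empty if the key is absent).
selinux_config_get() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# Stage a switch to policy type PTYPE (targeted, strict or mls):
# permissive first, full relabel on the next boot.  ROOT defaults to /.
prepare_policy_switch() {
    file=$1; ptype=$2; root=${3:-}
    case "$ptype" in
        targeted|strict|mls) ;;
        *) echo "unknown policy type: $ptype" >&2; return 1 ;;
    esac
    selinux_config_set "$file" SELINUX permissive
    selinux_config_set "$file" SELINUXTYPE "$ptype"
    : > "$root/.autorelabel"
    echo "staged SELINUXTYPE=$ptype with SELINUX=permissive; reboot to relabel"
}

# After the relabeled boot: set the config to enforcing only when the audit
# log holds no denials.  Returns 1 and leaves permissive otherwise.
finish_policy_switch() {
    file=$1; auditlog=${2:-/var/log/audit/audit.log}
    if grep -q 'avc:  denied' "$auditlog" 2>/dev/null; then
        echo "denials present in $auditlog; staying permissive" >&2
        return 1
    fi
    selinux_config_set "$file" SELINUX enforcing
    echo "config set to enforcing; reboot (or run setenforce 1) to apply"
}
```

On a real system the sequence is `prepare_policy_switch /etc/sysconfig/selinux mls`, reboot and let the relabel run in permissive mode, then `finish_policy_switch /etc/sysconfig/selinux` once the denials that the permissive boot logged have been reported and dealt with.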
On Wednesday 04 October 2006 17:09, Gene Czarcinski wrote:
Before I spend time putting in bugzilla reports, since it is going to take time to gather the documentation, I am hoping some of this is known. This testing was done with clean installs on hardware and using vmware.
- install selinux-policy-mls and switch to it using the
system-config-security tool ... then reboot and do the relabeling (enforcing=0). Then reboot again (enforcing=1) ... oops, an almost immediate kernel panic!
- OK, get the system back up in targeted mode. I then thought I would
try strict ... install selinux-policy-strict ... then reboot and do the relabeling (enforcing=0). Then reboot again (enforcing=1) ... better ... no kernel panic ... but not much better since some services fail starting and, when I logon as root, I cannot do anything.
Grumble, grumble. Naturally, what did not work at work now works (sort of) when I try to reproduce it at home. I do believe that there are some problems but I need to "better" reproduce them.
I would still like to know if someone has installed something like fc6test3 and then installed and switched to the mls policy ... did it work? ... did it not work?
Gene
On Oct 4, 2006, at 5:27 PM, Gene Czarcinski wrote:
I would still like to know if someone has installed something like fc6test3 and then installed and switched to the mls policy ... did it work? ... did it not work?
Yes, in permissive mode. X and friends don't work in enforcing mode yet. I'm running fc6t2 fully updated, with Eric Paris's kernel and Dan Walsh's latest MLS policy on several machines.
joe
On Wednesday 04 October 2006 18:27, Gene Czarcinski wrote:
On Wednesday 04 October 2006 17:09, Gene Czarcinski wrote:
Before I spend time putting in bugzilla reports, since it is going to take time to gather the documentation, I am hoping some of this is known. This testing was done with clean installs on hardware and using vmware.
- install selinux-policy-mls and switch to it using the
system-config-security tool ... then reboot and do the relabeling (enforcing=0). Then reboot again (enforcing=1) ... oops, an almost immediate kernel panic!
- OK, get the system back up in targeted mode. I then thought I would
try strict ... install selinux-policy-strict ... then reboot and do the relabeling (enforcing=0). Then reboot again (enforcing=1) ... better ... no kernel panic ... but not much better since some services fail starting and, when I logon as root, I cannot do anything.
Grumble, grumble. Naturally, what did not work at work now works (sort of) when I try to reproduce it at home. I do believe that there are some problems but I need to "better" reproduce them.
I would still like to know if someone has installed something like fc6test3 and then installed and switched to the mls policy ... did it work? ... did it not work?
Well, at least one of the problems (kernel panic) appears to be hardware related ... does not work on old dual P4 (Dell 350 workstation) but does work on AMD X2 4400+ processor system. There are still some services that are not working but that will take a lot more work to track down.
Gene
Gene Czarcinski wrote:
On Wednesday 04 October 2006 18:27, Gene Czarcinski wrote:
On Wednesday 04 October 2006 17:09, Gene Czarcinski wrote:
Before I spend time putting in bugzilla reports, since it is going to take time to gather the documentation, I am hoping some of this is known. This testing was done with clean installs on hardware and using vmware.
- install selinux-policy-mls and switch to it using the
system-config-security tool ... then reboot and do the relabeling (enforcing=0). Then reboot again (enforcing=1) ... oops, an almost immediate kernel panic!
- OK, get the system back up in targeted mode. I then thought I would
try strict ... install selinux-policy-strict ... then reboot and do the relabeling (enforcing=0). Then reboot again (enforcing=1) ... better ... no kernel panic ... but not much better since some services fail starting and, when I logon as root, I cannot do anything.
Grumble, grumble. Naturally, what did not work at work now works (sort of) when I try to reproduce it at home. I do believe that there are some problems but I need to "better" reproduce them.
I would still like to know if someone has installed something like fc6test3 and then installed and switched to the mls policy ... did it work? ... did it not work?
Well, at least one of the problems (kernel panic) appears to be hardware related ... does not work on old dual P4 (Dell 350 workstation) but does work on AMD X2 4400+ processor system. There are still some services that are not working but that will take a lot more work to track down.
Gene
MLS Policy is a server only policy, i.e. we do not support X-Windows. So if you want to change to MLS you need to remove all X-Windows software and relabel. Then it should work, but you need to understand how an MLS environment works.
Strict policy is not heavily tested in Fedora. Most people run targeted. We will look at any problems that you have with it, though.
There is not that much difference between strict and targeted policy at this point on the system space side and I want to work on adding Userspace confinement via targeted policy and booleans in the future. So people can begin to confine userspace if they so choose.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Thursday 05 October 2006 10:29, Daniel J Walsh wrote:
MLS Policy is a server only policy, i.e. we do not support X-Windows. So if you want to change to MLS you need to remove all X-Windows software and relabel. Then it should work, but you need to understand how an MLS environment works.
OK, I can understand that. However, the release notes (or some other release documentation) should point this out. Given this situation and vmware, I will create some server-only guests to try things out.
Strict policy is not heavily tested in Fedora. Most people run targeted. We will look at any problems that you have with it, though.
Ditto on documentation. When I first tried SELinux in FC2, "strict" was it but everything more or less worked.
At this point, I have no idea as to the kernel panic cause on the Dell 350 and may not be able to address that given other circumstances. However, I did notice that a number of services did have startup and/or shutdown problems ... this occurred on both strict and mls although at this point I do not know if they are the same services.
There is not that much difference between strict and targeted policy at this point on the system space side and I want to work on adding Userspace confinement via targeted policy and booleans in the future. So people can begin to confine userspace if they so choose.
Given the same services, some do not work properly under strict but function just fine under targeted.
Gene Czarcinski wrote:
On Thursday 05 October 2006 10:29, Daniel J Walsh wrote:
MLS Policy is a server only policy, i.e. we do not support X-Windows. So if you want to change to MLS you need to remove all X-Windows software and relabel. Then it should work, but you need to understand how an MLS environment works.
OK, I can understand that. However, the release notes (or some other release documentation) should point this out. Given this situation and vmware, I will create some server-only guests to try things out.
Strict policy is not heavily tested in Fedora. Most people run targeted. We will look at any problems that you have with it, though.
Ditto on documentation. When I first tried SELinux in FC2, "strict" was it but everything more or less worked.
A lot has changed since FC2 :^)
At this point, I have no idea as to the kernel panic cause on the Dell 350 and may not be able to address that given other circumstances. However, I did notice that a number of services did have startup and/or shutdown problems ... this occurred on both strict and mls although at this point I do not know if they are the same services.
There is not that much difference between strict and targeted policy at this point on the system space side and I want to work on adding Userspace confinement via targeted policy and booleans in the future. So people can begin to confine userspace if they so choose.
Given the same services, some do not work properly under strict but function just fine under targeted.
Please get avc messages for any case where this happens.
On Thursday 05 October 2006 15:28, Daniel J Walsh wrote:
Given the same services, some do not work properly under strict but function just fine under targeted.
Please get avc messages for any case where this happens.
Will do. As soon as I set up things so I can get good documentation, I will bugzilla a report ... do you want one report for all of the avc messages or a separate report for each?
I am assuming you want bugzilla reports but I can also just send you the errors I find. Your call.
Gene Czarcinski wrote:
On Thursday 05 October 2006 15:28, Daniel J Walsh wrote:
Given the same services, some do not work properly under strict but function just fine under targeted.
Please get avc messages for any case where this happens.
Will do. As soon as I set up things so I can get good documentation, I will bugzilla a report ... do you want one report for all of the avc messages or a separate report for each?
One per daemon is easier to handle, but either way is fine.
I am assuming you want bugzilla reports but I can also just send you the errors I find. Your call.
Bugzillas do not get lost, emails do. :^(
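Sorting the denials so that each report covers one daemon, as asked for above, is mechanical once the audit log is at hand. The following is an added example and not code from the thread; it assumes the layout of the kernel's AVC records in /var/log/audit/audit.log (`avc:  denied  { perms } for ... comm="..." ... scontext=... tclass=...`) and the sample records it embeds are constructed for the demonstration, not output from any system in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: bucket AVC denial records from an
# audit log by source domain so each bugzilla covers a single daemon.
# Assumes the kernel's avc message layout, with comm= before scontext= and
# scontext= before tclass=, as written to /var/log/audit/audit.log.

# One line per distinct denial: "count domain comm tclass {perms}", most frequent first.
summarize_avc() {
    grep 'avc:  denied' "$1" \
    | sed -n 's/.*avc:  denied  { \(.*\) } for .*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^: ]*\)[^ ]* .*tclass=\([^ ]*\).*/\3 \2 \4 {\1}/p' \
    | sort | uniq -c | sort -rn
}

# Distinct source domains that were denied something: one report per entry.
avc_domains() {
    grep 'avc:  denied' "$1" \
    | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p' \
    | sort -u
}

# The raw records for one source domain, ready to paste into a report.
avc_for_domain() {
    grep 'avc:  denied' "$1" | grep -E "scontext=[^ ]*:$2(:| )"
}

# Constructed sample records (not real output from the thread's systems).
# The ntpd record carries an MLS range to show the domain is still found.
write_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1160000000.101:11): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev=sda2 ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1160000000.102:12): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev=sda2 ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1160000000.103:13): avc:  denied  { name_bind } for  pid=1300 comm="ntpd" src=123 scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ntp_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1160000000.103:13): arch=40000003 syscall=102 success=no exit=-13 comm="ntpd"
EOF
}

# Stand-alone run on the constructed sample: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && write_sample_log "$tmp" && summarize_avc "$tmp" && rm -f "$tmp"
fi
```

For the real log, `avc_domains /var/log/audit/audit.log` gives the list of reports to file and `avc_for_domain /var/log/audit/audit.log ntpd_t` the records to attach to one of them; `summarize_avc` is the quick view of which daemon is being denied what, counted.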
On Thursday 05 October 2006 10:29, Daniel J Walsh wrote:
MLS Policy is a server only policy, i.e. we do not support X-Windows. So if you want to change to MLS you need to remove all X-Windows software and relabel. Then it should work, but you need to understand how an MLS environment works.
OK, I have set up something I consider to be server oriented (no X). I get a bunch of avc denied messages (permissive mode).
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209950
Strict policy is not heavily tested in Fedora. Most people run targeted. We will look at any problems that you have with it, though.
Most of the problems in mls mode seem to be the same in strict mode.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209949
I assume that strict mode should be capable of running X ... true or false?
On Sun, 2006-10-08 at 15:32 -0400, Gene Czarcinski wrote:
On Thursday 05 October 2006 10:29, Daniel J Walsh wrote:
Strict policy is not heavily tested in Fedora. Most people run targeted. We will look at any problems that you have with it, though.
Most of the problems in mls mode seem to be the same in strict mode.
That is not surprising since the mls policy is a subset of the strict policy with MLS policy enabled.
I assume that strict mode should be capable of running X ... true or false?
Strictly speaking (no pun intended) yes, since it does have the xserver module. In reality, it probably still has issues since very few desktop users want a strict policy, so it is untested.
On Monday 09 October 2006 10:05, Christopher J. PeBenito wrote:
I assume that strict mode should be capable of running X ... true or false?
Strictly speaking (no pun intended) yes, since it does have the xserver module. In reality, it probably still has issues since very few desktop users want a strict policy, so it is untested.
While a server may not have a good display directly attached, it would be useful to run X remotely since some of the system configuration tools are gui only ... for example, selinux.
Gene Czarcinski wrote:
On Monday 09 October 2006 10:05, Christopher J. PeBenito wrote:
I assume that strict mode should be capable of running X ... true or false?
Strictly speaking (no pun intended) yes, since it does have the xserver module. In reality, it probably still has issues since very few desktop users want a strict policy, so it is untested.
While a server may not have a good display directly attached, it would be useful to run X remotely since some of the system configuration tools are gui only ... for example, selinux.
Running X apps that are exported to a remote machine isn't the same thing as running an Xserver on the local machine.
On Monday 09 October 2006 21:22, Joshua Brindle wrote:
Gene Czarcinski wrote:
On Monday 09 October 2006 10:05, Christopher J. PeBenito wrote:
I assume that strict mode should be capable of running X ... true or false?
Strictly speaking (no pun intended) yes, since it does have the xserver module. In reality, it probably still has issues since very few desktop users want a strict policy, so it is untested.
While a server may not have a good display directly attached, it would be useful to run X remotely since some of the system configuration tools are gui only ... for example, selinux.
Running X apps that are exported to a remote machine isn't the same thing as running an Xserver on the local machine.
Yes, but I was told not to install X (it was not supported). If it is "only" the running of Xserver that is not supported with strict or mls policies, then I can live with that. However, running Xserver will need to be supported to be competitive with TSOL.
On Mon, 2006-10-09 at 21:57 -0400, Gene Czarcinski wrote:
On Monday 09 October 2006 21:22, Joshua Brindle wrote:
Gene Czarcinski wrote:
On Monday 09 October 2006 10:05, Christopher J. PeBenito wrote:
I assume that strict mode should be capable of running X ... true or false?
Strictly speaking (no pun intended) yes, since it does have the xserver module. In reality, it probably still has issues since very few desktop users want a strict policy, so it is untested.
While a server may not have a good display directly attached, it would be useful to run X remotely since some of the system configuration tools are gui only ... for example, selinux.
Running X apps that are exported to a remote machine isn't the same thing as running an Xserver on the local machine.
Yes, but I was told not to install X (it was not supported). If it is "only" the running of Xserver that is not supported with strict or mls policies, then I can live with that. However, running Xserver will need to be supported to be competitive with TSOL.
I believe that you are confusing "supported" w.r.t. Red Hat and "supported" w.r.t. SELinux itself. I believe Red Hat only supports the strict policy on RHEL and only with a support contract. I'm guessing it will probably be same for the MLS/LSPP policy.
As for SELinux in general, X servers can work on the strict policy, it just hasn't had much testing with the 2.* (reference policy-based) policies.
Gene Czarcinski wrote:
On Thursday 05 October 2006 10:29, Daniel J Walsh wrote:
MLS Policy is a server only policy, i.e. we do not support X-Windows. So if you want to change to MLS you need to remove all X-Windows software and relabel. Then it should work, but you need to understand how an MLS environment works.
OK, I have set up something I consider to be server oriented (no X). I get a bunch of avc denied messages (permissive mode).
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209950
Strict policy is not heavily tested in Fedora. Most people run targeted. We will look at any problems that you have with it, though.
Most of the problems in mls mode seem to be the same in strict mode.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209949
I assume that strict mode should be capable of running X ... true or false?
Yes it should be allowed to run X.