Hi List,
I read in a previous posting that upgrading to T2 through yum will not enforce the SELinux policies. Does this apply to upgrading through the iso's as well ? Do I have to do a clean install to use SELinux ?
Thanx
On Monday 29 March 2004 17:53, Efthym wrote:
I read in a previous posting that upgrading to T2 through yum will not enforce the SELinux policies. Does this apply to upgrading through the iso's as well ? Do I have to do a clean install to use SELinux ?
I would recommend a clean install. The differences (especially relating to selinux) between Test1 and Test2 are significant and very easily screwed up. In addition, there is the whole business of Xfree86 -> xorg-x11, which adds more complexity.
I've got FC2 test1 with all updates installed (including xorg). I'm doing a backup now (just in case) and I think I'll try the upgrade just for kicks. I'll post the results later.
On Mon, 29 Mar 2004 18:21:30 -0500, Gene C. czar@czarc.net wrote:
On Monday 29 March 2004 17:53, Efthym wrote:
I read in a previous posting that upgrading to T2 through yum will not enforce the SELinux policies. Does this apply to upgrading through the iso's as well ? Do I have to do a clean install to use SELinux ?
I would recommend a clean install. The differences (especially relating to selinux) between Test1 and Test2 are significant and very easily screwed up. In addition, there is the whole business of Xfree86 -> xorg-x11, which adds more complexity.
Just finished the upgrade. Unfortunately the installation process didn't do anything with SELinux (since it wasn't previously installed). I'm not sure if this is how it should be since FC2T2 is supposed to test SELinux. And by the way no problems from the CDs (downloaded with torrent) on an IBM T21.
I installed it manually afterwards following directions from another post :
checkpolicy, policy, policy-sources, policycoreutils
reboot (lots of denied msgs)
fixfiles relabel
reboot
dmesg shows :
Linux version 2.6.3-2.1.253.2.1 (bhcompile@tweety.devel.redhat.com) (gcc version 3.3.3 20040216 (Red Hat Linux 3.3.3-2.1)) #1 Fri Mar 12 14:01:55 EST 2004
<snip>
Security Scaffold v1.0.0 initialized
SELinux: Initializing.
SELinux: Starting in permissive mode
There is already a security framework initialized, register_security failed.
Failure registering capabilities with the kernel
selinux_register_security: Registering secondary module capability
Capability LSM initialized
<snip>
Freeing unused kernel memory: 148k freed
security: 3 users, 5 roles, 1166 types
security: 30 classes, 261889 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev , type selinuxfs), uses genfs_contexts
SELinux: initialized (dev hda2, type ext3), uses xattr
SELinux: initialized (dev ram0, type ext2), uses xattr
SELinux: initialized (dev , type hugetlbfs), not configured for labeling
SELinux: initialized (dev , type devpts), uses transition SIDs
SELinux: initialized (dev , type eventpollfs), uses genfs_contexts
SELinux: initialized (dev , type pipefs), uses task SIDs
SELinux: initialized (dev , type tmpfs), uses transition SIDs
SELinux: initialized (dev , type futexfs), uses genfs_contexts
SELinux: initialized (dev , type sockfs), uses task SIDs
SELinux: initialized (dev , type proc), uses genfs_contexts
SELinux: initialized (dev , type bdev), uses genfs_contexts
SELinux: initialized (dev , type rootfs), uses genfs_contexts
SELinux: initialized (dev , type sysfs), uses genfs_contexts
Shouldn't the system start in enforcing mode now ? Or do I have to set SELINUX=enforcing in /etc/sysconfig/selinux first? I guess it's time to start reading up on SELinux ...
On Mon, 29 Mar 2004 19:05:33 -0500, Efthym efthym@gmx.net wrote:
I've got FC2 test1 with all updates installed (including xorg). I'm doing a backup now (just in case) and I think I'll try the upgrade just for kicks. I'll post the results later.
On Mon, 29 Mar 2004 18:21:30 -0500, Gene C. czar@czarc.net wrote:
On Monday 29 March 2004 17:53, Efthym wrote:
I read in a previous posting that upgrading to T2 through yum will not enforce the SELinux policies. Does this apply to upgrading through the iso's as well ? Do I have to do a clean install to use SELinux ?
I would recommend a clean install. The differences (especially relating to selinux) between Test1 and Test2 are significant and very easily screwed up. In addition, there is the whole business of Xfree86 -> xorg-x11, which adds more complexity.
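Added example, not part of the original thread: a shell helper that pulls the announced boot mode and the xattr-labelled filesystems out of dmesg text like the output quoted in the message above, and reads the SELINUX= value from a config file such as the /etc/sysconfig/selinux that message mentions. The function names, the sample input and the sample config file are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: a subset of the dmesg lines quoted in the message above.
SAMPLE_DMESG='SELinux: Initializing.
SELinux: Starting in permissive mode
security: 3 users, 5 roles, 1166 types
SELinux: initialized (dev hda2, type ext3), uses xattr
SELinux: initialized (dev ram0, type ext2), uses xattr
SELinux: initialized (dev , type hugetlbfs), not configured for labeling
SELinux: initialized (dev , type tmpfs), uses transition SIDs'

# boot_mode TEXT: print the mode the kernel announced at boot, or "unknown"
# when no "Starting in ... mode" line is present.
boot_mode() {
    m=$(printf '%s\n' "$1" |
        sed -n 's/^SELinux: *Starting in \([a-z]*\) mode.*/\1/p' | tail -n 1)
    echo "${m:-unknown}"
}

# xattr_filesystems TEXT: print "device:fstype" for every filesystem whose
# labels are stored in extended attributes (the per-file labels a relabel sets).
xattr_filesystems() {
    printf '%s\n' "$1" |
        sed -n 's/^SELinux: initialized (dev \([^,]*\), type \([^)]*\)), uses xattr$/\1:\2/p'
}

# configured_mode FILE: print the SELINUX= value from FILE, skipping
# commented-out lines; "missing" if unreadable, "unset" if no such key.
configured_mode() {
    [ -r "$1" ] || { echo "missing"; return 0; }
    v=$(sed -n 's/^[[:space:]]*SELINUX=\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    echo "${v:-unset}"
}

# report TEXT FILE: one-screen summary of boot-time and configured state.
report() {
    echo "boot mode:       $(boot_mode "$1")"
    echo "configured mode: $(configured_mode "$2")"
    echo "xattr-labelled:  $(xattr_filesystems "$1" | tr '\n' ' ')"
}

# Demo on the constructed dmesg sample and a constructed config file.
demo_cfg=$(mktemp)
printf '#SELINUX=enforcing\nSELINUX=permissive\n' > "$demo_cfg"
report "$SAMPLE_DMESG" "$demo_cfg"
rm -f "$demo_cfg"
```

On a live system, pass "$(dmesg)" and the real config path to report instead of the samples.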
On Mon, Mar 29, 2004 at 05:53:18PM -0500, Efthym wrote:
Hi List,
I read in a previous posting that upgrading to T2 through yum will not enforce the SELinux policies. Does this apply to upgrading through the iso's as well ? Do I have to do a clean install to use SELinux ?
Yes. This will be the case for the final FC2, also, I'm told. Upgrading to SELinux is too hard.
cra@WPI.EDU ("Charles R. Anderson") writes:
Upgrading to SELinux is too hard.
No it's not. You install both policy and checkpolicy rpms, you reboot. You run "fixfiles relabel", you reboot one more time and you're done. And it's all in the FAQ whose url was given prior and in the release notes...
On Tue, 29 Mar 2004 netopml@newview.com wrote:
cra@WPI.EDU ("Charles R. Anderson") writes:
Upgrading to SELinux is too hard.
No it's not. You install both policy and checkpolicy rpms, you reboot. You run "fixfiles relabel", you reboot one more time and you're done. And it's all in the FAQ whose url was given prior and in the release notes...
install reboot, change setting reboot, sounds more like windows every f'in day
res@ausics.net (Res) writes:
No it's not. You install both policy and checkpolicy rpms, you reboot. You run "fixfiles relabel", you reboot one more time and you're done. And it's all in the FAQ whose url was given prior and in the release notes...
install reboot, change setting reboot, sounds more like windows every f'in day
To be frank, the last one is optional, it's just recommended (as per FAQ). I'm not even sure the first one is needed, it's just that I haven't looked if there's a way to start selinux on any running system...
On Mon, Mar 29, 2004 at 06:25:06PM -0500, netopml@newview.com wrote:
cra@WPI.EDU ("Charles R. Anderson") writes:
Upgrading to SELinux is too hard.
No it's not. You install both policy and checkpolicy rpms, you reboot. You run "fixfiles relabel", you reboot one more time and you're done. And it's all in the FAQ whose url was given prior and in the release notes...
I was referring to doing this from within Anaconda. This is what I heard a while back.
netopml@newview.com wrote, On 03/29/2004 06:25 PM:
cra@WPI.EDU ("Charles R. Anderson") writes:
Upgrading to SELinux is too hard.
No it's not. You install both policy and checkpolicy rpms, you reboot. You run "fixfiles relabel", you reboot one more time and you're done. And it's all in the FAQ whose url was given prior and in the release notes...
From a clean install using the FC2 Test1 4-CD's I have kept updated with yum, including the xorg upgrade. When I boot, I see that I am at version 1.91. Are you saying I do not need to create 4 more FC2 T2 CD's and do another clean install to reach true FC2 T2? I can just obtain the "policy" rpms and install them per the FAQ? (I understand that testing the installer from scratch is beneficial, but right now I would rather not go that route if possible.)
Tkx,
-gene
p/s: Only problem I am seeing is X lock-ups and running glxinfo crashes X as described in a previous post and bugzilla.
netopml@newview.com wrote:
No it's not.
You install both policy ... and checkpolicy rpms, you reboot. You run "fixfiles relabel", you reboot one more time
No offense, but I'm hardly a newbie user and the only steps I understood above were "reboot". What's the difference between a policy and a checkpolicy? Why are the files broken? What's a label, and what was it set to before that was wrong?
Seriously, this is a major paradigm change being pushed with this release, and the documentation is awfully sparse. What's the rationale? What do we stand to gain? What old habits are we going to have to break? As it stands, it seems like Red Hat is feeding us something and telling us it's good for us without, as it were, providing a nutrition analysis label.
Andy
On Monday 29 March 2004 23:20, Andy Ross wrote:
Seriously, this is a major paradigm change being pushed with this release, and the documentation is awfully sparse. What's the rationale? What do we stand to gain? What old habits are we going to have to break? As it stands, it seems like Red Hat is feeding us something and telling us it's good for us without, as it were, providing a nutrition analysis label.
Did you read the SELinux FAQ posted earlier?
http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/
Jesse Keating wrote:
Andy Ross wrote:
Seriously, this is a major paradigm change being pushed with this release, and the documentation is awfully sparse. What's the rationale? What do we stand to gain? What old habits are we going to have to break?
Did you read the SELinux FAQ posted earlier?
Yes, and I tried to limit my sample questions to ones I felt were not covered well by the FAQ.
Previous releases have added software or changed default configurations. But this is a new kind of feature addition. Administering a FC2 machine, it seems, is *different*. How? And why? I honestly don't know yet, and I fear what I do not understand. :)
Andy
andy@plausible.org (Andy Ross) writes:
No offense, but I'm hardly a newbie user and the only steps I understood above were "reboot".
Well, if you're hardly a newbie RTFM...
What's the difference between a policy and a checkpolicy?
These are 2 different rpms:
Name        : policy    Relocations: /usr
Version     : 1.9    Vendor: Red Hat, Inc.
Release     : 15    Build Date: Wed 24 Mar 2004 11:28:55 AM EST
Install Date: Mon 29 Mar 2004 11:55:29 AM EST    Build Host: porky.devel.redhat.com
Group       : System Environment/Base    Source RPM: policy-1.9-15.src.rpm
Size        : 6473774    License: GPL
Signature   : DSA/SHA1, Wed 24 Mar 2004 11:47:55 AM EST, Key ID da84cbd430c9ecf8
Packager    : Red Hat, Inc. http://bugzilla.redhat.com/bugzilla
Summary     : SELinux example policy configuration
Description :
Security-enhanced Linux is a patch of the Linux® kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve the security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement®, Role-based Access Control, and Multi-level Security.
This package contains the SELinux example policy configuration along with the Flask configuration information and the application configuration files.
Name        : checkpolicy    Relocations: /usr
Version     : 1.8    Vendor: Red Hat, Inc.
Release     : 1    Build Date: Mon 15 Mar 2004 08:58:10 AM EST
Install Date: Mon 29 Mar 2004 11:55:27 AM EST    Build Host: tweety.devel.redhat.com
Group       : Development/System    Source RPM: checkpolicy-1.8-1.src.rpm
Size        : 105574    License: GPL
Signature   : DSA/SHA1, Wed 17 Mar 2004 01:25:42 PM EST, Key ID da84cbd430c9ecf8
Packager    : Red Hat, Inc. http://bugzilla.redhat.com/bugzilla
Summary     : SELinux policy compiler
Description :
Security-enhanced Linux is a patch of the Linux® kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve the security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement®, Role-based Access Control, and Multi-level Security.
This package contains checkpolicy, the SELinux policy compiler. Only required for building policies.
Why are the files broken? What's a label, and what was it set to before that was wrong?
The files are not broken but they don't have any roles associated with them (see a role as a kind of userid, it grants you rights). And for selinux to be working correctly, you need to set the roles on the filesystem, so when these files get loaded the os knows which role to use (you see them by using the -Z option of ls).
Seriously, I just had to read the FAQ to deduce this, it's far from covering the whole selinux thing but it's a good beginning...
On Mon, 2004-03-29 at 18:25, netopml@newview.com wrote:
cra@WPI.EDU ("Charles R. Anderson") writes:
Upgrading to SELinux is too hard.
No it's not. You install both policy and checkpolicy rpms, you reboot. You run "fixfiles relabel", you reboot one more time and you're done. And it's all in the FAQ whose url was given prior and in the release notes...
You forgot one step. After typing 'fixfiles relabel' and hitting Enter should be "Wait a long time and don't hit reset".
:-)
(I didn't, but I was a little worried about how long it was taking.)