Re: Not good
- From: Daniel J Walsh <dwalsh redhat com>
- To: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
- Subject: Re: Not good
- Date: Sat, 03 Apr 2004 08:29:58 -0500
Gene Czarcinski wrote:
On Saturday 03 April 2004 00:46, Daniel J Walsh wrote:
First off, you should never have to do a relabel, or only under extreme
circumstances.
The problem here was the movement of the .Xauthority file out to /tmp.
The new policy should fix your problem.
When we get to the end point (FC2 gold) this system is going to be very stable
and secure. However, the transition with its large number of daily updates
sure makes things "interesting" ... I have managed to screw things up on one
system so that I am on my third install.
Unfortunately, discovering all of the different nuances necessary in a
security policy supporting real people, real systems, and real situations is
a lot more difficult than having a policy in a controlled experiment. Well,
we are all here trying to pound this into something that works and I believe
it will work pretty well when FC2 gold comes out but a whole lot better in FC2
gold. This is going to take time.
One big gripe I do have is up2date:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=119538
When rpm fails to (properly) install a package because of some selinux policy
thing, this is not handled well by up2date. In fact, up2date reports that
the package was installed properly when it was not installed. My latest
experience with that is when I tried updating gdm ... old package removed but
new package not installed. I only found this because I am manually querying
rpm after every update. When I tried to manually install the package, I saw
the errors. I then did "setenforce 0", manually installed the old package,
manually installed the new package, and "setenforce 1". Update now complete.
This rpm/up2date problem needs to be addressed. Unfortunately, it is not
clear that my bugzilla report is being addressed.
I have written the steps in the bug report on how to get up2date fixed.
The final fix for the up2date package has not been released yet.
Fixing up2date is a multi-step process:
1. Update to latest policy.
2. restorecon /usr/sbin/up2date
3. Update to latest usermode.
4. Add
   ROLE=sysadm_r
   TYPE=rpm_t
   to /etc/security/console.apps/up2date.
Gene