Fedora Core 2 Test 2 - delayed

John Ellson ellson at research.att.com
Fri Feb 27 21:56:15 UTC 2004


Stephen Smalley wrote:

>On Fri, 2004-02-27 at 15:34, John Ellson wrote:
>
>>Do I do that before or after rebooting with selinux enabled?
>
>It should work even with selinux=0, as the xattr handlers will still be
>present in the kernel.  The only issue is that a file might get left
>unlabeled if it is created after the 'make relabel' would have touched
>it but before you've rebooted with selinux enabled, e.g. files that get
>created on shutdown.  I think that Dan may have plans to catch common
>cases of that situation using restorecon in init scripts, but I'm not
>sure.

OK. A progress indicator and/or a warning that "make relabel" takes
a long long time would be nice! Also a warning that nothing else
works while it is running would be good. (I tried to fire up another
gnome-terminal, but nothing happened.)

>>If after, do I log in as a conventional root user, or do I need a 
>>different login procedure?
>
>You'll also need to be in the sysadm_r role.  Login should prompt you
>for a context, and you can also login as a regular user and then su as
>usual (su should also prompt for a context).

So I ran "make relabel" with selinux=0, and then immediately rebooted
with selinux=1.

There are thousands of "avc denied" messages in /var/log/message.
Should I be worried?

gdm didn't prompt me for any role information for my regular userid.

Running "su -" in a gnome terminal got me to root also without any request
for role information. Is this right for the default Fedora config, or is
something not working?

Logging in as root from a text console did offer an opportunity to
select a different role, but it allowed me to accept a default.

John
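
For triaging a flood of "avc denied" messages like the one reported above, this added example (not part of the thread) collapses denials into distinct source/target/class/permission tuples and lists objects whose target type suggests the relabel missed them. The log lines are constructed, and treating `file_t` and `unlabeled_t` as "no valid label" is an assumption about the policy in use.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread), in the style of 2.6-era AVC messages.
SAMPLE_LOG = """\
Feb 27 16:40:01 host kernel: audit(1077918001.101:0): avc:  denied  { read } for  pid=812 exe=/usr/bin/gdm-binary name=.gdm dev=hda2 ino=4211 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:file_t tclass=file
Feb 27 16:40:02 host kernel: audit(1077918002.330:0): avc:  denied  { read } for  pid=812 exe=/usr/bin/gdm-binary name=.gdm dev=hda2 ino=4211 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:file_t tclass=file
Feb 27 16:40:03 host kernel: audit(1077918003.007:0): avc:  denied  { read write } for  pid=640 exe=/bin/bash name=random-seed dev=hda2 ino=9920 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file
Feb 27 16:40:04 host kernel: audit(1077918004.512:0): avc:  denied  { getattr } for  pid=901 exe=/bin/ls name=shadow dev=hda2 ino=3307 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
Feb 27 16:40:05 host kernel: eth0: link up
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumption: a target with one of these types carries no valid label,
# e.g. a file created after the relabel pass but before the enabled reboot.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize(log_text):
    """Count denials per (source type, target type, class, permission) and
    count object names whose target type is in UNLABELED_TYPES."""
    rules, unlabeled = Counter(), Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial
        src, tgt = context_type(m["scontext"]), context_type(m["tcontext"])
        for perm in m["perms"].split():
            rules[(src, tgt, m["tclass"], perm)] += 1
        if tgt in UNLABELED_TYPES:
            name = re.search(r"\bname=(\S+)", line)
            unlabeled[name.group(1) if name else "?"] += 1
    return rules, unlabeled


if __name__ == "__main__":
    rules, unlabeled = summarize(SAMPLE_LOG)
    for (src, tgt, cls, perm), n in rules.most_common():
        print(f"{n:5d}  {src} -> {tgt}:{cls} {{ {perm} }}")
    print("objects with no valid label:", dict(unlabeled))
```

Denials against unlabeled objects point at files to relabel (for instance with restorecon, as mentioned in the quoted reply); the remaining tuples are the ones to review against policy.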




