
Enabling SELinux (was Re: How to make SELinux in Fedora work?)



I decided to give this a try on a FC2 machine that was installed with 'everything' but without enabling 'selinux' on the install. It had policy-1.11.3-3 (and policy-sources) installed.

Following the attached advice, here's what I did:
  1. Modified /etc/sysconfig/selinux to have 'SELINUX=permissive'
  2. Rebooted single-user and ran 'fixfiles relabel'
  3. Rebooted multi-user

The machine booted up in permissive mode fine, with only a few 'avc' messages to examine.

There were a couple of quickly noticed issues:
1. The 'swapon' command in the boot sequence failed:
swapon: /dev/hda3: Invalid argument
(entry from /var/log/messages: May 27 10:15:54 fedora kernel: Unable to find swap-space signature)
I ran 'mkswap /dev/hda3; swapon -a' and all worked:
May 27 10:17:47 fedora kernel: Adding 1502068k swap on /dev/hda3. Priority:-1 extents:1


2. Sound no longer worked, but I could find no obvious avc or other messages.
(No sound from gain, xine, ...)
I ran 'System Settings->Soundcard Detection', clicked OK in the popup, but nothing appeared to happen (also, no messages in /var/log/messages). BUT, sound started working, at least I can now hear music from 'xine'.


After fixing the above, I set 'setenforce 1' and all appeared working well.

I then edited /etc/sysconfig/selinux, changing 'SELINUX=permissive' to 'SELINUX=enforcing', and rebooted. Swap now got added correctly, and the system came up as expected. Even mozilla, including the added plugins, worked! (This is quite impressive!!!!!)

Sound didn't work again. I tried as normal user:
1. cd /usr/share/sounds
aplay warning.wav
Playing WAVE 'warning.wav' : Signed 16 bit Little Endian, Rate 44100 Hz, Mono
But no sound.
2. play warning.wav
Got sound!
3. aplay warning.wav
Playing WAVE 'warning.wav' : Signed 16 bit Little Endian, Rate 44100 Hz, Mono
Got Sound!


I see nothing in /var/log/messages about this...

Anyway, this exercise got me to convert this machine to SELinux/enforcing ( :-D )

Any thoughts on what happened to swap?   Something I did?
   tom

------------------------------------------------------------------------

   * /From/: Stephen Smalley <sds epoch ncsc mil>
   * /To/: "Fedora SELinux support list for users & developers."
     <fedora-selinux-list redhat com>
   * /Subject/: Re: How to make SELinux in Fedora work?
   * /Date/: Thu, 27 May 2004 08:16:03 -0400

------------------------------------------------------------------------

On Thu, 2004-05-27 at 02:44, park lee wrote:
> I've downloaded Fedora Core 2 from http://fedora.redhat.com/download/,
> and have installed it successfully.

As noted in the release notes for FC2 (http://fedora.redhat.com/docs/release-notes/), you have to pass "selinux" to the installer to enable SELinux at install time.

> Then, I want to ask how to run SELinux which is integrated into
> Fedora Core? Are there any resources about what to do and how to do it?

If you didn't enable SELinux at install time, then you'll need to install a policy (yum install policy policy-sources), create or edit /etc/sysconfig/selinux and set SELINUX=permissive in it, and relabel your filesystems (via fixfiles relabel). Once you get your filesystems labeled and have verified that you can boot without avc denials in your logs, you can set SELINUX=enforcing in /etc/sysconfig/selinux.

> And is there any difference between it and the SELinux from
> http://www.nsa.gov/selinux/code/download5.cfm? As I know, when we want
> to run the SELinux from
> http://www.nsa.gov/selinux/code/download5.cfm, we should first recompile
> the kernel with certain options, then install some applications (such
> as checkpolicy, libselinux) from the SELinux Full Userland Archive to
> the system. Then, if we want to run the SELinux that is integrated
> into Fedora Core, should we do the same steps?

Fedora Core 2 already includes the SELinux code in the kernel and applications, so you don't have to recompile anything. You just need to enable the SELinux support that is already there.

--
Stephen Smalley <sds epoch ncsc mil>
National Security Agency
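
The check described in the reply above (boot in permissive mode, confirm the logs hold no avc denials, then set SELINUX=enforcing) can be scripted; the following is an added example, not part of either message. The function names, the sample log lines with their type names, and the assumed `audit(...): avc:  denied` line layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: names and sample data below are constructed for illustration.

# Print "count source_type -> target_type:class { perms }" per distinct denial.
avc_summary() {   # $1 = log file
    awk '/avc: +denied/ {
        perms = ""; s = ""; t = ""; c = ""
        if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART, RLENGTH)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        n[s " -> " t ":" c " " perms]++
    }
    END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Read the SELINUX= mode from a file in /etc/sysconfig/selinux format.
configured_mode() {   # $1 = config file
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed only if the config is permissive and the log holds no denials.
ready_for_enforcing() {   # $1 = config file, $2 = log file
    [ "$(configured_mode "$1")" = permissive ] || return 1
    [ -z "$(avc_summary "$2")" ]
}

# Constructed sample: permissive config plus a boot log with three denials.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'SELINUX=permissive\n' > "$demo/selinux"
cat > "$demo/messages" <<'EOF'
May 27 10:15:54 fedora kernel: Unable to find swap-space signature
May 27 10:16:02 fedora kernel: audit(1085667362.101:0): avc:  denied  { read } for  pid=812 exe=/sbin/example name=example.conf dev=hda2 ino=4711 scontext=system_u:system_r:example_t tcontext=system_u:object_r:etc_t tclass=file
May 27 10:16:03 fedora kernel: audit(1085667363.007:0): avc:  denied  { read } for  pid=813 exe=/sbin/example name=example.conf dev=hda2 ino=4711 scontext=system_u:system_r:example_t tcontext=system_u:object_r:etc_t tclass=file
May 27 10:16:09 fedora kernel: audit(1085667369.442:0): avc:  denied  { search } for  pid=990 exe=/usr/bin/example2 name=example dev=hda2 ino=9001 scontext=user_u:user_r:user_t tcontext=system_u:object_r:example_var_t tclass=dir
EOF

avc_summary "$demo/messages"
if ready_for_enforcing "$demo/selinux" "$demo/messages"; then
    echo "no denials logged: SELINUX=enforcing is a reasonable next step"
else
    echo "stay permissive: review the denials listed above first"
fi
```

On a real system the two inputs would be /etc/sysconfig/selinux and /var/log/messages, the paths used in the thread.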


