| 1 |
On Fri, Feb 24, 2012 at 04:58:00PM -0500, Alain Toussaint wrote: |
| 2 |
> I'm running MCS on my server but it is still in permissive mode because I |
| 3 |
> need to iron out a few things and haven't had the time but I'm preparing |
| 4 |
> another server this week-end so I can try a new MCS install and report back |
| 5 |
> problems and bugs. |
| 6 |
|
| 7 |
I have each of my dual-active services (bind, openldap, mail, apache, ...) |
| 8 |
running with MCS (one in strict, one in mcs) so I don't expect much |
| 9 |
troubles. After all, as long as the application doesn't really known it is |
| 10 |
in SELinux (and starts using categories) there is no difference in policy, |
| 11 |
just some additional cruft that's added to labels and contexts. |
| 12 |
|
| 13 |
> Regarding bugs, the documentation on page |
| 14 |
> |
| 15 |
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&c |
| 16 |
> hap=1 |
| 17 |
> |
| 18 |
> Recommend the installation of selinux modules before configuring the policy. |
| 19 |
> I don't recommend that because all the policies get installed into the |
| 20 |
> strict directory (/etc/selinux/strict) on a default installation and the |
| 21 |
> /etc/selinux/mcs directory is empty. That's an easy fix but I can do a bug |
| 22 |
> report if needed. |
| 23 |
|
| 24 |
I'll keep it in mind, but I'll probably have users rebuild all from |
| 25 |
sec-policy/ when they alter their supported policies ("strict" -> "strict |
| 26 |
mcs"), then reset type, relabel system (+ those hidden beneith other mount |
| 27 |
points), reboot, test and then - if they want - remove the older policy type |
| 28 |
(so "strict mcs" -> "mcs"). |
| 29 |
|
| 30 |
I don't think I'll deprecate strict/targeted just yet. I like the simplicity |
| 31 |
of strict. But I think it is better to start users with MCS. After all, much |
| 32 |
of the online documentation already deals with categories & levels. |
| 33 |
|
| 34 |
Wkr, |
| 35 |
Sven Vermeulen |
Archives