On Fri, Feb 24, 2012 at 04:58:00PM -0500, Alain Toussaint wrote:
> I'm running MCS on my server but it is still in permissive mode because I
> need to iron out a few things and haven't had the time but I'm preparing
> another server this week-end so I can try a new MCS install and report back
> problems and bugs.
|
I have each of my dual-active services (bind, openldap, mail, apache, ...)
running with MCS (one in strict, one in mcs) so I don't expect much
trouble. After all, as long as the application doesn't really know it is
in SELinux (and starts using categories) there is no difference in policy,
just some additional cruft that's added to labels and contexts.
|
> Regarding bugs, the documentation on page
>
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=1
>
> recommends the installation of selinux modules before configuring the policy.
> I don't recommend that because all the policies get installed into the
> strict directory (/etc/selinux/strict) on a default installation and the
> /etc/selinux/mcs directory is empty. That's an easy fix but I can do a bug
> report if needed.
|
I'll keep it in mind, but I'll probably have users rebuild all from
sec-policy/ when they alter their supported policies ("strict" -> "strict
mcs"), then reset type, relabel system (+ those hidden beneath other mount
points), reboot, test and then - if they want - remove the older policy type
(so "strict mcs" -> "mcs").
|
I don't think I'll deprecate strict/targeted just yet. I like the simplicity
of strict. But I think it is better to start users with MCS. After all, much
of the online documentation already deals with categories & levels.
|
Wkr,
Sven Vermeulen
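
The gap reported in this thread (policy modules installed only into /etc/selinux/strict while /etc/selinux/mcs stays empty) can be checked before the policy type is changed. The script below is an added example, not part of the original messages; it assumes the usual store layout etc/selinux/<type>/policy/policy.<version> and the SELINUXTYPE= key in etc/selinux/config, and its demo runs against a constructed sample tree.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout:
#   <root>/etc/selinux/<type>/policy/policy.<version>   compiled policy
#   <root>/etc/selinux/config                           SELINUXTYPE=<type>

# store_state ROOT TYPE: prints ok, empty or missing for that policy store.
store_state() {
    dir="$1/etc/selinux/$2"
    [ -d "$dir" ] || { echo missing; return 0; }
    # A usable store holds at least one non-empty compiled policy file.
    for f in "$dir"/policy/policy.*; do
        [ -s "$f" ] && { echo ok; return 0; }
    done
    echo empty
}

# active_type ROOT: prints the SELINUXTYPE value from the config file.
active_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' \
        "$1/etc/selinux/config" 2>/dev/null | tail -n 1
}

# check_switch ROOT TARGET: succeeds only if TARGET's store is populated,
# i.e. setting SELINUXTYPE=TARGET would not point at an empty directory.
check_switch() {
    state=$(store_state "$1" "$2")
    echo "active=$(active_type "$1") target=$2 store=$state"
    [ "$state" = ok ]
}

# make_sample_root: constructed tree reproducing the reported situation
# (strict populated, mcs directory present but empty). File content and
# the policy version number are placeholders.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/selinux/strict/policy" "$root/etc/selinux/mcs"
    printf 'constructed placeholder\n' > "$root/etc/selinux/strict/policy/policy.24"
    printf 'SELINUX=permissive\nSELINUXTYPE=strict\n' > "$root/etc/selinux/config"
    echo "$root"
}

# Demo on the constructed tree.
root=$(make_sample_root)
for t in strict mcs; do
    check_switch "$root" "$t" || echo "  -> rebuild sec-policy/ for '$t' before switching"
done
rm -rf "$root"
```

On a live system, `check_switch / mcs` performs the same check against the real /etc/selinux tree.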