Gentoo Archives: gentoo-hardened

From: Dale Pontius <DEPontius@××××××.net>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] SELinux n00b questions
Date: Mon, 24 Oct 2005 06:47:54
Message-Id: 435BCE52.2060503@edgehp.net
In Reply to: Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod? by solar
I've already done some searching on these, to no avail. I have several
years experience with Linux, but only about a week, part-time with SELinux.

1: Probably most severe... I'm used to syslog-ng, but for some reason
decided to do my SELinux install with metalog. After using it a little,
I decided to remove it and install syslog-ng. That appeared to work at
first. But as far as I can tell, nothing has been logged since the first
time I put the system into enforcing mode. At shutdown I still get a
little piece of hatemail about metalog, and I suspect I should have shut
down metalog during the emerge -C - I suspect there are some droppings
of it left over in /var. But I don't see why syslog-ng wouldn't work,
when ps shows it's in there and running.

2: Can't ssh in when the system is enforcing. I've checked the sestatus
-v results, and everything looks ok. I've never seen a bogus console or
log message, but then again, see (1). Here's what I get:
user1@here ~ $ ssh -v user2@there
OpenSSH_4.2p1, OpenSSL 0.9.7e 25 Oct 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to there [192.168.154.38] port 22.
debug1: Connection established.
debug1: identity file /home/user1/.ssh/identity type -1
debug1: identity file /home/user1/.ssh/id_rsa type -1
debug1: identity file /home/user1/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host
user1@here ~ $

3: There isn't much about "standard practice".
What kinds of admin tasks can I perform while the system is enforcing?
What kinds of admin tasks do I have to drop out of enforcing for?
I presume emerging a new policy requires "make load". What requires "make
relabel"?
What about things that don't have a policy? Like dovecot, leafnode, etc?
On my old system I ran things chroot'ed. Can I still, under SELinux?

Thanks,
Dale Pontius
--
gentoo-hardened@g.o mailing list
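Questions 1 and 2 above (no log output, and sshd closing the connection only while enforcing) are usually separated by looking at the kernel's own AVC messages rather than at what the syslog daemon did or did not write. The script below is an added example, not part of the original mail or of Gentoo's policy tooling: it takes kernel-log text on stdin (in practice `dmesg | avc_summary`), keeps only `avc:  denied` records, and groups them by command, source context, target class and permission so a failing daemon shows up as a handful of lines. The sample log, its pids, inodes and timestamps are constructed for this example in the 2.6-era AVC format; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original mail or the Gentoo project): summarise
# SELinux AVC denials from kernel-log lines so that "nothing was logged" and
# "policy denied it" can be told apart when a daemon such as sshd fails under
# enforcing mode. Needs only POSIX sh, grep, awk and sort.

# Constructed sample lines in the 2.6-era kernel AVC format. The pids, inodes,
# timestamps and contexts are made up for this example.
SAMPLE_LOG='audit(1130132874.101:12): avc:  denied  { read } for  pid=1234 comm="sshd" name="sshd_config" dev=hda3 ino=5678 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:etc_t tclass=file
audit(1130132874.102:13): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t tclass=security
audit(1130132874.205:14): avc:  denied  { name_bind } for  pid=1234 comm="sshd" src=22 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:ssh_port_t tclass=tcp_socket
audit(1130132874.300:15): avc:  denied  { write } for  pid=987 comm="syslog-ng" name="messages" dev=hda3 ino=4321 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_log_t tclass=file'

# avc_denials: pass through only the denial records from stdin.
# "granted" records (such as the setenforce line) are dropped.
avc_denials() {
    grep 'avc:  denied'
}

# avc_summary: one line per (comm, scontext, tclass, permission) with a count,
# sorted so that repeated runs can be compared.
avc_summary() {
    avc_denials | awk '
    {
        perm = $0; sub(/.*denied  [{] /, "", perm); sub(/ [}].*/, "", perm)
        comm = $0; sub(/.*comm="/, "", comm);       sub(/".*/, "", comm)
        sc   = $0; sub(/.*scontext=/, "", sc);      sub(/ .*/, "", sc)
        tc   = $0; sub(/.*tclass=/, "", tc);        sub(/ .*/, "", tc)
        n[comm " " sc " " tc " {" perm "}"]++
    }
    END { for (k in n) print n[k], k }' | sort
}

# denials_for: number of denial records for one command name, e.g. sshd.
denials_for() {
    avc_denials | grep -c "comm=\"$1\""
}

# Stand-alone usage: ./avc_summary.sh --demo   (or: dmesg | avc_summary
# after sourcing this file on the enforcing machine).
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | avc_summary
fi
```

On the constructed sample the summary shows two sshd denials (reading its config as `etc_t`, and binding port 22 as `ssh_port_t`) and one for syslog-ng writing under `var_log_t`; on a real host, a summary that is empty while sshd still fails points away from policy and back at the daemon or logger setup, while a non-empty one names the domain and class that the policy (or the file labels, hence `make relabel`) needs fixing for.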

Replies

Subject: Re: [gentoo-hardened] SELinux n00b questions
Author: Chris PeBenito <pebenito@g.o>