1 |
I've already done some searching on these, to no avail. I have several |
2 |
years experience with Linux, but only about a week, part-time with SELinux. |
3 |
|
4 |
1: Probably most severe... I'm used to syslog-ng, but for some reason |
5 |
decided to do my SELinux install with metalog. After using it a little, |
6 |
I decided to remove it and install syslog-ng. That appeared to work at |
7 |
first. But as far as I can tell, nothing has been logged since the first |
8 |
time I put the systeminto enforcing mode. At shutdown I still get a |
9 |
little piece of hatemail about metalog, and I suspect I should have shut |
10 |
down metalog during the emerge -C - I suspect there are some droppings |
11 |
of it left over in /var. But I don't see why syslog-ng wouldn't work, |
12 |
when ps shows it's in there and running. |
13 |
|
14 |
2: Can't ssh in when the system is enforcing. I've checked the sestatus |
15 |
-v results, and everything looks ok. I've never seen a bogus console or |
16 |
log message, but then again, see (1). Here's what I get: |
17 |
user1@here ~ $ ssh -v user2@there |
18 |
OpenSSH_4.2p1, OpenSSL 0.9.7e 25 Oct 2004 |
19 |
debug1: Reading configuration data /etc/ssh/ssh_config |
20 |
debug1: Connecting to there [192.168.154.38] port 22. |
21 |
debug1: Connection established. |
22 |
debug1: identity file /home/user1/.ssh/identity type -1 |
23 |
debug1: identity file /home/user1/.ssh/id_rsa type -1 |
24 |
debug1: identity file /home/user1/.ssh/id_dsa type -1 |
25 |
ssh_exchange_identification: Connection closed by remote host |
26 |
user1@here ~ $ |
27 |
|
28 |
3: There isn't much about "standard practice". |
29 |
What kinds of admin tasks can I perform while the system is enforcing? |
30 |
What kinds of admin tasks do I have to drop out of enforcing for? |
31 |
I presume emerging a new policy requres "make load". What requires "make |
32 |
relabel"? |
33 |
What about things that don't have a policy? Like dovecot, leafnode, etc? |
34 |
On my old system I ran things chroot'ed. Can I still, under SELinux? |
35 |
|
36 |
Thanks, |
37 |
Dale Pontius |
38 |
-- |
39 |
gentoo-hardened@g.o mailing list |