12-08-2007, 12:47 PM
"Shintaro Fujiwara"

How enforcing and permissive differ on start-up

Hi, I have a question on differences between permissive and enforcing.

I installed courier-imap from source (as always), and configured
courier.te, courier.fc just to apply installation-path to source installation.

There are two say, daemons, courier_$1_t, i.e. courier_authdaemon_t,
and I had to declare
domain_auto_trans(initrc_t, courier_exec_t, courier_t)
(courier_t was not declared in courier.te, so I did)
as I declared starting script in /etc/rc.d/rc.local.

I set selinux enforcing and found that courier_authdaemon_t started all right,
but courier_t not.
When I set selinux permissive, it started all right.

How should I fix this problem ?

Thanks in advance !



--
Shintaro Fujiwara
segatex project (SELinux policy tool)
http://sourceforge.net/projects/segatex/
Home page
http://intrajp.no-ip.com/
Blog
http://intrajp.no-ip.com/nucleus/
CMS
http://intrajp.no-ip.com/xoops/
Wiki
http://intrajp.no-ip.com/pukiwiki/

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
12-09-2007, 03:04 PM
"Shintaro Fujiwara"

How enforcing and permissive differ on start-up

I looked at courier.fc again and found type courier_..._exec_t.
I set proper type courier_pop_exec_t, and others,
eliminated my own definitions.

And courier started up all right in enforcing.

Thanks !

--
Shintaro Fujiwara
 
12-10-2007, 01:31 PM
Stephen Smalley

How enforcing and permissive differ on start-up

On Sat, 2007-12-08 at 22:47 +0900, Shintaro Fujiwara wrote:
> Hi, I have a question on differences between permissive and enforcing.
>
> I installed courier-imap from source (as always), and configured
> courier.te, courier.fc just to apply installation-path to source installation.
>
> There are two say, daemons, courier_$1_t, i.e. courier_authdaemon_t,
> and I had to declare
> domain_auto_trans(initrc_t, courier_exec_t, courier_t)
> (courier_t was not declared in courier.te, so I did)
> as I declared starting script in /etc/rc.d/rc.local.
>
> I set selinux enforcing and found that courier_authdaemon_t started all right,
> but courier_t not.
> When I set selinux permissive, it started all right.
>
> How should I fix this problem ?

Just to clarify, there is a difference between permissive and enforcing
with regard to type transitions. In permissive, if the type transition
would yield an invalid context (e.g. role is not authorized for the new
type), it nonetheless is allowed to proceed, whereas in enforcing mode,
it fails.

--
Stephen Smalley
National Security Agency
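
Added example, not part of the original thread: a simplified Python model of the behaviour described in the reply above, where an exec-time type transition produces a context whose role is not authorized for the new type. The policy tables, the `courier_authdaemon_exec_t` label and all function names are assumptions constructed for illustration; real SELinux also validates the user/role pairing and MLS range, which this model omits.

```python
# Toy model (constructed for illustration) of an exec-time type transition
# whose resulting context may be invalid. Not SELinux code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str

# Constructed sample policy; type names mirror the thread, the rules are assumed.
TYPE_TRANSITIONS = {  # (source domain, label of executable) -> new domain
    ("initrc_t", "courier_exec_t"): "courier_t",
    ("initrc_t", "courier_authdaemon_exec_t"): "courier_authdaemon_t",
}
ROLE_TYPES = {  # role -> types it is authorized for ("role R types T;")
    "system_r": {"initrc_t", "courier_authdaemon_t"},  # courier_t is missing
}

def is_valid(ctx, role_types):
    """A context is valid here only if its role is authorized for its type."""
    return ctx.type in role_types.get(ctx.role, set())

def exec_transition(ctx, exec_type, enforcing, role_types=ROLE_TYPES):
    """Return (resulting context or None, message) for one execve()."""
    new_type = TYPE_TRANSITIONS.get((ctx.type, exec_type), ctx.type)
    new_ctx = Context(ctx.user, ctx.role, new_type)
    if is_valid(new_ctx, role_types):
        return new_ctx, "ok"
    msg = f"invalid context {new_ctx.user}:{new_ctx.role}:{new_ctx.type}"
    if enforcing:
        return None, msg + " -> exec fails"            # enforcing: denied
    return new_ctx, msg + " -> proceeds (permissive)"  # permissive: allowed

if __name__ == "__main__":
    init = Context("system_u", "system_r", "initrc_t")
    fixed = {"system_r": ROLE_TYPES["system_r"] | {"courier_t"}}
    for label in ("courier_authdaemon_exec_t", "courier_exec_t"):
        for enforcing in (False, True):
            mode = "enforcing" if enforcing else "permissive"
            print(label, mode, exec_transition(init, label, enforcing))
    # With the role authorized for courier_t, enforcing mode succeeds too.
    print("fixed", exec_transition(init, "courier_exec_t", True, fixed))
```

In the model, only the daemon whose domain is missing from the role's type set behaves differently between the two modes, which matches the symptom of one daemon starting and the other not.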

12-10-2007, 03:51 PM
"Shintaro Fujiwara"

How enforcing and permissive differ on start-up

2007/12/10, Stephen Smalley <sds@tycho.nsa.gov>:
> On Sat, 2007-12-08 at 22:47 +0900, Shintaro Fujiwara wrote:
> > Hi, I have a question on differences between permissive and enforcing.
> >
> > I installed courier-imap from source (as always), and configured
> > courier.te, courier.fc just to apply installation-path to source installation.
> >
> > There are two say, daemons, courier_$1_t, i.e. courier_authdaemon_t,
> > and I had to declare
> > domain_auto_trans(initrc_t, courier_exec_t, courier_t)
> > (courier_t was not declared in courier.te, so I did)
> > as I declared starting script in /etc/rc.d/rc.local.
> >
> > I set selinux enforcing and found that courier_authdaemon_t started all right,
> > but courier_t not.
> > When I set selinux permissive, it started all right.
> >
> > How should I fix this problem ?
>
> Just to clarify, there is a difference between permissive and enforcing
> with regard to type transitions. In permissive, if the type transition
> would yield an invalid context (e.g. role is not authorized for the new
> type), it nonetheless is allowed to proceed, whereas in enforcing mode,
> it fails.

I had the same kind of problem on cron in F6.
I solved it somehow at the time, though.
Now I'm trying to configure bind and it does not start up even in permissive.
I think something is wrong with the application itself?
I will ask again if I have a question on SELinux related matters.
Thanks !

> --
> Stephen Smalley
> National Security Agency
>
>


--
Shintaro Fujiwara