SELinux userland utilities update
On Fri, Feb 24, 2012 at 04:58:00PM -0500, Alain Toussaint wrote:
> I'm running MCS on my server but it is still in permissive mode because I
> need to iron out a few things and haven't had the time but I'm preparing
> another server this week-end so I can try a new MCS install and report back
> problems and bugs.
I have each of my dual-active services (bind, openldap, mail, apache, ...)
running with MCS (one in strict, one in mcs) so I don't expect much
troubles. After all, as long as the application doesn't really known it is
in SELinux (and starts using categories) there is no difference in policy,
just some additional cruft that's added to labels and contexts.
> Regarding bugs, the documentation on page
> Recommend the installation of selinux modules before configuring the policy.
> I don't recommend that because all the policies get installed into the
> strict directory (/etc/selinux/strict) on a default installation and the
> /etc/selinux/mcs directory is empty. That's an easy fix but I can do a bug
> report if needed.
I'll keep it in mind, but I'll probably have users rebuild all from
sec-policy/ when they alter their supported policies ("strict" -> "strict
mcs"), then reset type, relabel system (+ those hidden beneith other mount
points), reboot, test and then - if they want - remove the older policy type
(so "strict mcs" -> "mcs").
I don't think I'll deprecate strict/targeted just yet. I like the simplicity
of strict. But I think it is better to start users with MCS. After all, much
of the online documentation already deals with categories & levels.