Page 2 of 3
Results 11 to 20 of 21

Thread: SELinux

  1. #11

    Default Re: SELinux

    AHA! Yes, 'sestatus' gave me the same thing.

  2. #12
    Join Date
    Jan 2009
    Location
    Somewhere in Fictionland
    Posts
    1,477

    Smile Re: SELinux

    Sorry but I simply LOVED the Aha thing......

  3. #13

    Default Re: SELinux

    rofl...thanks

  4. #14
    Join Date
    Jan 2009
    Location
    Somewhere in Fictionland
    Posts
    1,477

    Question Re: SELinux

    Looked through all the log messages but see no hint of the start or failure of SELinux. Does anybody know if SELinux is compatible with the PAE kernel?
    If yes, where can I see (log files) when SELinux should be loaded?

    /bin/mount /root/proc
    What am I telling in boot-sh exactly?
    I am "moving a device node". But what does this actually mean in this context?
    Thanks for sharing your knowledge.

    and actually at the end I do
    cd /root
    umount /proc

    So why do I first mount and then umount /root/proc???

  5. #15

    Default Re: SELinux

    idk if this helps at all, but through the power of Google I found an interesting tidbit from the changelog of the 2.6.29.5 kernel (http://www.kernel.org/pub/linux/kern...geLog-2.6.29.5):

    " SELinux: BUG in SELinux compat_net code

    This patch is not applicable to Linus's tree as the code in question has
    been removed for 2.6.30. I'm sending in case any of the stable
    maintainers would like to push to their branches (which I think anything
    pre 2.6.30 would like to do).

    Ubuntu users were experiencing a kernel panic when they enabled SELinux
    due to an old bug in our handling of the compatibility mode network
    controls, introduced Jan 1 2008 effad8df44261031a882e1a895415f7186a5098e
    Most distros have not used the compat_net code since the new code was
    introduced and so no one has hit this problem before. Ubuntu is the only
    distro I know that enabled that legacy cruft by default. But, I was asked
    to look at it and found that the above patch changed a call to
    avc_has_perm from if(send_perm) to if(!send_perm) in
    selinux_ip_postroute_iptables_compat(). The result is that users who
    turn on SELinux and have compat_net set can (and often will) BUG() in
    avc_has_perm_noaudit since they are requesting 0 permissions."

    I'm using kernel 2.6.27, so this patch wouldn't affect (or would it?) openSUSE 11.1 (what I'm using).

  6. #16
    Join Date
    Jan 2009
    Location
    Somewhere in Fictionland
    Posts
    1,477

    Default Re: SELinux

    Noop. As it says: "Ubuntu is the only
    distro I know that enabled that legacy cruft by default."


    I do not think this is the issue. Maybe the config step (when we just paste what should be the content) is the problem. Maybe config "should" be already ok and no copy and paste should be necessary?

    In any case, given the low participation I would think that openSUSE users have no big interest in security, or if they have, like us, only little preparation. I have tried for 6 months now to make the howto for encrypted root work for my notebook (with /boot on usb-key). Not possible, not even a bit. And the participation in the thread was nil. 30000 very (in)active members.....I would say.

  7. #17
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,683
    Blog Entries
    4

    Default Re: SELinux

    SELinux is quite a difficult subsystem to configure, even on distros where it's native, like Fedora and RHEL. It's useful for increasing security for servers, but it does little for desktop users. Desktop users would spend their time better making sure their packages are up-to-date, particularly for Mozilla products, and acroread. And of course, not much can be done in software about PEBKAC.

  8. #18
    Join Date
    Jan 2009
    Location
    Somewhere in Fictionland
    Posts
    1,477

    Default Re: SELinux

    Quote Originally Posted by ken_yap View Post
    SELinux is quite a difficult subsystem to configure, It's useful for increasing security for servers, but it does little for desktop users. Desktop users would spend their time better making sure their packages are up-to-date, particularly for Mozilla products, and acroread. .
    You are correct, it IS difficult to configure. Guess what, that is why I am here. Surprised? I would rather write IMHO when you make such statements. And then, I am a desktop user. So if we want our desktop users to acquire the skills to get their server one day (in safety) maybe we had better not think in this "classy" way, right? It's all about knowledge and the will of sharing IMHO. Am I wrong?


    Quote Originally Posted by ken_yap View Post
    And of course, not much can be done in software about PEBKAC.
    I guess you do speak here about yourself?

  9. #19
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,683
    Blog Entries
    4

    Default Re: SELinux

    I'm only pointing out that most of the users here are desktop users, which is why there is little interest in SELinux, or AppArmor for that matter. People here are more likely to ask questions about getting wireless or sound or media playing working.

    If you want to learn to configure a server with SELinux, there are forums for that. Since SELinux is a feature of the kernel, it doesn't matter what distro you are using. So look further afield for the information you need, there is even a SELinux mailing list I'm sure. And of course nothing is stopping you from experimenting with your own machine.

    Sorry, but if you are frustrated that you don't know how to find the information you need, no need to be rude, don't take it out on me.

  10. #20

    Default Re: SELinux

    You will need to enable SELinux in the kernel & recompile it, since SUSE kernels, IIRC, have SELinux disabled.
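
A way to check the claim in the last post, and the earlier question about how to tell whether SELinux was loaded, without reading boot logs. This is an added example, not code from any poster: the function name, state labels and sample files are constructed, and it assumes the kernel's `CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE` option as found in the 2.6-era kernels discussed in the thread.

```shell
#!/bin/sh
# Added example; the state labels are this example's own names.
# Args: kernel .config, kernel command line, filesystem list. On a live system:
# /boot/config-$(uname -r), /proc/cmdline, /proc/filesystems.
selinux_kernel_state() {
    config=$1; cmdline=$2; filesystems=$3

    # 1. Is the SELinux LSM compiled into this kernel at all?
    if ! grep -q '^CONFIG_SECURITY_SELINUX=y' "$config"; then
        echo "not-built"; return 0
    fi

    # 2. Boot-time default. Assumption: selinux= on the command line is only
    #    honoured when the BOOTPARAM option (and so its _VALUE) is configured.
    enabled=1
    default=$(sed -n 's/^CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=//p' "$config")
    if [ -n "$default" ]; then
        enabled=$default
        override=$(tr -s ' \t' '\n' < "$cmdline" |
                   sed -n 's/^selinux=\([01]\)$/\1/p' | tail -n 1)
        if [ -n "$override" ]; then enabled=$override; fi
    fi
    if [ "$enabled" -eq 0 ]; then
        echo "built-but-disabled-at-boot"; return 0
    fi

    # 3. selinuxfs shows up as a filesystem type once SELinux has initialised.
    if grep -qw selinuxfs "$filesystems"; then
        echo "active"
    else
        echo "enabled-but-not-initialised"
    fi
}

# Constructed sample inputs (not taken from any real system).
SAMPLE=$(mktemp -d)
printf '# CONFIG_SECURITY_SELINUX is not set\n' > "$SAMPLE/config-off"
printf '%s\n' CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_SELINUX_BOOTPARAM=y \
    CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0 > "$SAMPLE/config-on"
printf 'root=/dev/sda2 splash=silent\n' > "$SAMPLE/cmdline-plain"
printf 'root=/dev/sda2 selinux=1 enforcing=0\n' > "$SAMPLE/cmdline-selinux"
printf 'nodev\tproc\n\text3\n' > "$SAMPLE/fs-without"
printf 'nodev\tproc\nnodev\tselinuxfs\n\text3\n' > "$SAMPLE/fs-with"

selinux_kernel_state "$SAMPLE/config-off" "$SAMPLE/cmdline-selinux" "$SAMPLE/fs-without"
selinux_kernel_state "$SAMPLE/config-on" "$SAMPLE/cmdline-plain" "$SAMPLE/fs-without"
selinux_kernel_state "$SAMPLE/config-on" "$SAMPLE/cmdline-selinux" "$SAMPLE/fs-with"
```

A result of `not-built` means a kernel rebuild is needed, as the last post says; `built-but-disabled-at-boot` only needs `selinux=1` on the boot line.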
