Re: F20 System Wide Change: Enable SELinux Labeled NFS Support
On 7/26/2013 6:55 AM, Daniel J Walsh wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 07/25/2013 06:45 PM, James Hogarth wrote: On 25 Jul 2013 19:55, Daniel J Walsh dwa...@redhat.com mailto:dwa...@redhat.com wrote: snip The only provisos/additions I could suggest on the above then is to make it clear in the release notes that server and client should be matching for any additional fcontext rules to eliminate any server/client relabel discrepancies. In addition rather than defaulting to the file_t context might I suggest using the current/standard nfs_t context for unknown labels (unless overridden by mount options of course)? I am not sure we can do this. Eric do you know of a way to do something like this? I don't believe this is possible with our current implementation. I'd need to look again. The caveat for this operating mode in the IETF specification we wrote is the the policies are homogenous in this environment. The server is not really label aware. Its mostly supposed to be simple attribute storage. In our case here it is aware however because we don't currently have any policy translation infrastructure it is supposed to be a homogenous environment. Dave -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: F20 System Wide Change: Enable SELinux Labeled NFS Support
On 7/28/2013 1:40 AM, Dave Quigley wrote: On 7/26/2013 6:55 AM, Daniel J Walsh wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 07/25/2013 06:45 PM, James Hogarth wrote: On 25 Jul 2013 19:55, Daniel J Walsh dwa...@redhat.com mailto:dwa...@redhat.com wrote: snip The only provisos/additions I could suggest on the above then is to make it clear in the release notes that server and client should be matching for any additional fcontext rules to eliminate any server/client relabel discrepancies. In addition rather than defaulting to the file_t context might I suggest using the current/standard nfs_t context for unknown labels (unless overridden by mount options of course)? I am not sure we can do this. Eric do you know of a way to do something like this? I don't believe this is possible with our current implementation. I'd need to look again. The caveat for this operating mode in the IETF specification we wrote is the the policies are homogenous in this environment. The server is not really label aware. Its mostly supposed to be simple attribute storage. In our case here it is aware however because we don't currently have any policy translation infrastructure it is supposed to be a homogenous environment. Dave Also another tidbit of information. Currently the server has no idea what the security context of the process making the filesystem call to an NFS mount. The next phase of Labeled NFS is to work on implementing RPCSECGSSv3 which among other useful features allows us to assert the security context of the calling process from the client. So its not possible for the server to make truely informed decisions about NFS calls. Dave -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: /etc/default in Fedora
On 3/17/2012 7:17 AM, Daniel J Walsh wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/17/2012 05:38 AM, Matej Cepl wrote: On 17.3.2012 10:18, Daniel J Walsh wrote: Here is the current httpd man page. http://people.fedoraproject.org/~dwalsh/SELinux/httpd_selinux.html OK, in the end it IS a wiki ... http://wiki.apache.org/httpd/DistrosDefaultLayout?action=diffrev1=46rev2=47 Suggestions for further edits are welcome. Matěj I would also suggest they use setroubleshoot. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk9kctwACgkQrlYvE4MpobODGwCfaKgUBvbEBLALem3FnMo/yDJN lDYAn17aIAUIAvSmt8LD2tY4N33An+tF =uzJb -END PGP SIGNATURE- Suggesting setroubleshoot is fine but you need to also tell them how to set it up when they are running without X. One guy told me that setroubleshoot is fine and all but all his machines are headless so he doesn't have X and the nice little applet to notify him. I had to correct him and send him a reference to your page on how to set up setroubleshoot on headless machines so that the messages are sent to another box or to an email account. Dave -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: /etc/default in Fedora
On 3/6/2012 11:27 AM, Paul Wouters wrote: On Tue, 6 Mar 2012, Daniel J Walsh wrote: Why /etc/default dir is used instead of /etc/sysconfig? To be honest - it's not really user friendly from long time RH Linux user POV. Just disable SELinux in /etc/selinux/config. Or the more obvious place for people with /etc/sysconfig hardcoded in their brain, /etc/sysconfig/selinux :) Though to be honest, F17 is the first version where I have been working with selinux enabled for more then two days. In fact, I have left it enabled since I installed F17 weeks ago. I think the only somewhat valid reason to disabled selinux is if people are using special directories they made up, eg /vol or /opt or anything. (or when copying/dealing with /var/lib/libvirtd/images content in other locations :) Paul Alternatively you could look at Dan Walsh's 4 things SELinux is trying to tell you talk and in about 30 minutes figure out how to make those special directories work and not disable the security on your system. Dave -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel