Re: [luv-main] SELinux

Thanks for the advice. It turns out that the Red Hat documentation itself wasn't too bad, and our teacher was pretty good, for the limited scope of SELinux things we were required to know for the exam. I've got a question though: I installed Adobe's Flash plugin, and the file now looks like this:
-rwxr-xr-x. root root unconfined_u:object_r:lib_t:s0 libflashplayer.so
object_r and lib_t both match other libraries in the same directory, so I think those are right. Everything else says 'system_u' in that directory, which I think means that system users are meant to be able to access it. And I think I've got unconfined_u in there because I created the file as root. Is there a semanage command to set which users can access this file? I can't figure it out from the man page.

Sorry to reply to myself, but perhaps this is relevant: I notice that /etc/selinux/targeted/modules/active/file_contexts.local contains the line:
/usr/lib64/mozilla/plugins/libflashplayer.so system_u:object_r:lib_t:s0
and yet restorecon does not change unconfined_u to system_u.

Hi Andrew,
In targeted mode (the default), SELinux does not stop users from accessing any file. Only daemons are affected by SELinux. Your user could be in a special SELinux user, I suppose... check the default user is unconfined by running the following.
sudo semanage login -l
Login Name    SELinux User    MLS/MCS Range
__default__   unconfined_u    s0-s0:c0.c1023
root          unconfined_u    s0-s0:c0.c1023
system_u      system_u        s0-s0:c0.c1023
Notice the __default__ is the same as root. However I don't have your original question as I only just joined the list (not much lurking and now first post?) and can't find a list archive. Do you have an issue with flash in some way?
Cheers, Jamie
On 20 September 2011 22:29, Andrew Spiers <7andrew@gmail.com> wrote:
Sorry to reply to myself, but perhaps this is relevant: I notice that /etc/selinux/targeted/modules/active/file_contexts.local contains the line:
/usr/lib64/mozilla/plugins/libflashplayer.so system_u:object_r:lib_t:s0
and yet restorecon does not change unconfined_u to system_u.
_______________________________________________
luv-main mailing list luv-main@lists.luv.asn.au http://lists.luv.asn.au/listinfo/luv-main

Hi Jamie and Russell, thanks for your advice. Russell, the page you linked explains the relationship between users, roles, and domains/types better than anything I'd read elsewhere. Flash works fine! I was just asking about how to learn about Selinux, because a few weeks ago I had absolutely no idea. I've pasted my original question below. The server the mailing list sits on broke down a couple of weeks ago, and so
The list archives are not yet available on the new system, but rest assured these archives were backed up properly and are not lost. You'll be notified when they come back online. Regards, Andrew.
Hi, I've got the RHCSA coming up and I'm a bit nervous about SELinux as I really don't know much about it. I need to be able to:
1/ Set enforcing and permissive modes for SELinux
2/ List and identify SELinux file and process context
3/ Restore default file contexts
4/ Use boolean settings to modify system SELinux settings
5/ Diagnose and address routine SELinux policy violations
I can kind of manage the first couple of items, although I'm very vague about the contexts. Can anyone recommend a good resource for learning this stuff? I'm not terribly satisfied with the textbook I've got, as far as SELinux is concerned.

On Tue, 20 Sep 2011, Andrew Spiers <7andrew@gmail.com> wrote:
Is there a semanage command to set which users can access this file? I can't figure it out from the man page.
You don't "set which users can access a file". You set the context of the file which then determines (according to the policy database) whether a process of a given context is permitted to access it.
http://doc.coker.com.au/computers/se-linux-terminology/
The context of a process for the user shell is determined by the SE Linux "identity" assigned to their account and the "role" assigned to that identity. See the above URL for some background.
On Tue, 20 Sep 2011, Andrew Spiers <7andrew@gmail.com> wrote:
and yet restorecon does not change unconfined_u to system_u.
Try with the -F option.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
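Russell's point about the -F option, as an added example that is not from the thread: plain restorecon resets only the type part of a label, while restorecon -F also resets the user, role and range. The helper below takes a file's current context and the policy default as strings (so it runs on a machine without SELinux; the `matchpathcon` reference in the comments is how you would obtain the default on a real system) and reports which command would actually fix the mismatch Andrew saw.

```shell
# Added example, not from the thread: given a file's current context (as shown
# by `ls -Z`) and the policy default (as listed in file_contexts), report which
# parts differ and whether plain `restorecon` is enough. Plain restorecon only
# resets the type; `restorecon -F` also resets the user, role and range.
# Contexts are passed as strings, so this runs on a machine without SELinux.

# ctx_field CONTEXT N -> the Nth colon-separated field ("4-" = the range,
# which may itself contain ':' as in s0-s0:c0.c1023, or be absent entirely)
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# restorecon_needed ACTUAL DEFAULT -> prints ok | restorecon | restorecon-F
restorecon_needed() {
    actual=$1
    default=$2
    needs_force=0
    needs_type=0
    # user (1), role (2) and range (4-) are only reset by restorecon -F
    for f in 1 2 4-; do
        [ "$(ctx_field "$actual" "$f")" = "$(ctx_field "$default" "$f")" ] || needs_force=1
    done
    # the type (3) is what plain restorecon fixes
    [ "$(ctx_field "$actual" 3)" = "$(ctx_field "$default" 3)" ] || needs_type=1

    if [ "$needs_force" -eq 1 ]; then
        echo restorecon-F
    elif [ "$needs_type" -eq 1 ]; then
        echo restorecon
    else
        echo ok
    fi
}

# Constructed sample matching the thread: the plugin was created from an
# unconfined_u shell, but file_contexts.local says it should be system_u.
file=/usr/lib64/mozilla/plugins/libflashplayer.so
actual=unconfined_u:object_r:lib_t:s0     # what `ls -Z "$file"` showed
default=system_u:object_r:lib_t:s0        # what `matchpathcon "$file"` would print
echo "$file: $(restorecon_needed "$actual" "$default")"   # restorecon-F
```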
participants (3)
- Andrew Spiers
- Jamie Moore
- Russell Coker