1. Install Squid in the normal fashion using yum or System -> Administration -> Add/Remove Software.
2. Open the Squid configuration file by executing the following command:

   sudo gedit /etc/squid/squid.conf

3. Change the value of the error_directory property so that it points to an actual directory. For example:

   error_directory /usr/share/squid/errors/English

   As opposed to

   error_directory /usr/share/squid/errors/en

   which didn’t exist on my system after the install had completed.

4. If your current SELinux enforcing mode is set to "Enforcing" you’ll also need to perform the following steps.
5. Create the following Type Enforcement file (the remaining steps assume the file name local.te):

   module local 1.0;
   
   require {
   	type var_run_t;
   	type unconfined_t;
   	type squid_t;
   	class file {open read getattr};
   	class process signal;
   }
   
   #============= squid_t ==============
   allow squid_t var_run_t:file {open read getattr};
   allow squid_t unconfined_t:process signal;

   N.B. The following steps will overwrite any existing module with the same name. To check if you already have a policy module called local go to System -> Administration -> SELinux Management, select "Policy Module" from the left-hand menu and enter "local" into the filter field. If you’ve already got a module called local simply edit the Type Enforcement file accordingly. For example:

   module mysquid 1.0;

6. Edit accordingly, then execute the following script:

   dir=<your-dir-path>;
   sudo checkmodule -M -m -o $dir/local.mod $dir/local.te;
   sudo semodule_package -o $dir/local.pp -m $dir/local.mod;
   sudo semodule -i $dir/local.pp;

   N.B. The checkmodule command takes the Type Enforcement file, local.te, created in step 5 as its input.

7. Got to System -> Administration -> Services. Start Squid.
8. Cleanup any unwanted files created in steps 5 and 6.

Nice, the epruption over Microsoft’’s “Black Screen of Death” seems to be that NO its not related to any Security Updates but YES, “we do know that ‘black screen’ behavior is associated with some malware families such as Daonol.” My mate Aiden had already reported that of the hundreds of Microsoft PC’s that have passed through the company he works for (poor lad) they have NEVER had the “Black Screen of Death” issue, unless caused by faulty graphics drivers.

Microsoft’s MSRC reveals there take on it.

So 1] PREVX when you dislike “proprietary” software as much as us please give us well researched facts,  ie; discuss Windows problems with MS first.
     2] Everyone Else Use a strong operating system in the first place and keep it updated, any version of SELinux should do.

Malware suspected of “Black Screen” issue

‘Black screen of death’ for some Windows users – Security- msnbc.com

Technorati Tags: Black Screen of Death, Microsoft, Security, Updates,

EnGarde Secure Linux

The Community Edition of EnGarde Secure Linux was designed to support features suitable for individuals, students, security enthusiasts, and those wishing to evaluate the level of security and ease of management available in Guardian Digital enterprise products. Its development is very much driven by not only the requests from the community, but also their continued participation.

The Community Edition is a dynamic, rapidly-evolving product that serves to exhibit the best-of-breed applications currently under development. Guardian Digital enterprise products provide greater levels of support, support for more advanced hardware, more sophisticated upgrade path, and features more suitable for enterprises, including support for our other enterprise applications.

* Simple & Secure Remote Administration
* Powerful Host Intrusion Detection
* Secure Network Services
* Built-in Support and Alerts
* Robust Network Intrusion Detection
* Quick and Secure Web, DNS email, FTP
* Network Gateway Firewall
* Monitor System Access
* Protect Against Data Loss
* Security Control Center
* Engineered to be Secure
* Significantly Reduces Support Costs

http://www.engardelinux.org

Bruce Schneier wrote today about a paper that describes something it calls laissez-faire security: the idea that tight role-based security (RBAC) will lead to situations where the security prevents people from doing what they need to do for their jobs, which subsequently leads to normal people finding ways to circumvent (and weaken) security.

The proposal presented in the paper Laissez-faire Security (by two researchers from Columbia University and two from Microsoft) suggests that rather than tightening things down, one should audit strongly instead. One of the authors, Steven M. Bellovin, is a luminary steeped in the history of the Internet, in the security arena, and one of the founders of Usenet.

The results of RBAC can be seen by every administrator sooner or later – many times, experienced personally. SELinux is a perfect example: despite its acknowledged security benefits, it is commonly disabled or left in an “advisory” state only because of the problems in implementing such a restrictive policy.

From a user perspective, there are numerous examples of people bypassing security in efforts to share data or to utilize tools to get work done.

Laissez-faire Security is about letting users select the appropriate security rules within a framework of policies – which they can ignore (after notification and auditing) – at their own peril. The policy violations can then be handled outside of the computing environment in other ways if needed.

The paper compares computer security to an economy and to the workings of the free-market economy in particular. This paper is very interesting reading and would be worth reading for any security-minded administrator.

I’ve been using Fedora since Fedora Core 6 back in 2006 when I was in my first year. I’ve wandered a lot in distroland, and since have stuck to Fedora since Fedora 9. I get kicks out of using the latest and greatest software available, so I downloaded the nightly build for Fedora 12 beta last weekend from http://alt.fedoraproject.org/pub/alt/nightly-composes/desktop/ and then installed it on my desktop last Sunday. The first thing that surprised me was the speed at which the live system loaded onto my desktop. I tried out the live system just for fun, and it was speedier than the previous versions and also Karmic Koala’s release candidate live CD. (It is faster than the Ubuntu 9.10 Final Live CD too!)

This excited me a lot, so I went ahead and installed the system onto my hard disk. Installation went really smooth, and there was not a single problem. So, I rebooted and went into my shiny new system. And God, I do love the default wallpaper! Light Blue and Light Green are my favorite colors, and this one has Light Blue as default!

Now, I wanted to do some work on this new machine. So I installed jdk, netbeans and eclipse to see if a few programs ran well. Then I installed gcc and all the other development tools. I’ve installed the multimedia codecs and many other essential software that could not be accomodated on the 653MB CD image.

GNOME 2.28 seems very stable and Empathy rocks! The Google Talk call feature is the real talking point of this GNOME IM client. I installed my own Eclipse from the IBM site, and had to change SELinux mode to permissive and execute

$ su -c 'chcon -t execmem_exec_t '/usr/local/eclipse/eclipse' '


to let SELinux allow eclipse to run.

I’ve copied over my Drupal installation on my laptop to this one, and the LAMP stack runs well, no issues at all. (The site is on localhost!)

I’ll upload the screenshots for the installation on my VM and other details in subsequent posts. The way this beauty seems to run, it makes me think twice of delaying the installation on my laptop till the final release!

Introduction to SELinux

Security-Enhanced Linux (SELinux) is a security architecture integrated into the 2.6.x kernel using the Linux Security Modules (LSM). It is a project of the United States National Security Agency (NSA) and the SELinux community. SELinux integration into Red Hat Enterprise Linux was a joint effort between the NSA and Red Hat.

SELinux Overview

SELinux provides a flexible Mandatory Access Control (MAC) system built into the Linux kernel. Under standard Linux Discretionary Access Control (DAC), an application or process running as a user (UID or SUID) has the user’s permissions to objects such as files, sockets, and other processes. Running a MAC kernel protects the system from malicious or flawed applications that can damage or destroy the system.

SELinux defines the access and transition rights of every user, application, process, and file on the system. SELinux then governs the interactions of these entities using a security policy that specifies how strict or lenient a given Red Hat Enterprise Linux installation should be.

On a day-to-day basis, system users will be largely unaware of SELinux. Only system administrators need to consider how strict a policy to implement for their server environment. The policy can be as strict or as lenient as needed, and is very finely detailed. This detail gives the SELinux kernel complete, granular control over the entire system.

The SELinux Decision Making Process

When a subject, (for example, an application), attempts to access an object (for example, a file), the policy enforcement server in the kernel checks an access vector cache (AVC), where subject and object permissions are cached. If a decision cannot be made based on data in the AVC, the request continues to the security server, which looks up the security context of the application and the file in a matrix. Permission is then granted or denied, with an avc: denied message detailed in /var/log/messages if permission is denied. The security context of subjects and objects is applied from the installed policy, which also provides the information to populate the security server’s matrix.

The full title of this blog should really be ‘SELinux is preventing mysqld (mysqld_t) “search” to ./tmp (public_content_rw_t)’ as that is the problem I’ve been having with CentOS recently (and hence my searches on the web for a solution).

The cause of the problem

I use SugarCRM for customer and project management data – and very good it is too! (Gratuitous plug – I can help your company install and use this fine software ). Except that recently, when listing my Accounts within Sugar, I would not see all of the account context. Only the account data itself would be displayed and none of the subpanels/links. The query to retrieve more data was failing, with this error message displayed in the browser window:

mysqld: Can't create/write to file '/tmp/#08y2jw' (Errcode: 13)

In my system log (/var/log/messages), I also got multiple SELinux errors like this:

Oct 13 09:07:50 server setroubleshoot: SELinux is preventing mysqld (mysqld_t) "read" to ./tmp (public_content_rw_t). For complete SELinux messages. run sealert -l 1762c478-f3a2-4eeb-be09-bd3dc037d945

Clearly, the reason for “Errcode: 13″ was due to SELinux.

Incidentally. if you have seen a similar error on your web site, but with (Errcode: 28) instead, this is likely due to shortage of disk space. A great way of determining operating system errors like this, is to use ‘PError’, thus:

# perror 28
OS error code 28: No space left on device

# perror 13
OS error code 13: Permission denied

So there we are – two distinct and different issues.

With SELinux, resolving the permission issue can be difficult. By issuing # sealert -l 1762c478-f3a2-4eeb-be09-bd3dc037d945, as suggested above, I got the following output (trimmed and highlighted for clarity):

Summary:

SELinux is preventing mysqld (mysqld_t) “search” to ./tmp (public_content_rw_t).

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./tmp,

restorecon -v ‘./tmp’

Additional Information:

Source Context root:system_r:mysqld_t
Target Context system_u:object_r:public_content_rw_t

First things first: issuing # restorecon -v './tmp' didn’t fix it for me. I was also surprised to see that the path to /tmp was relative to the current working directory, so I tried a slightly modified # restorecon -v '/tmp', but to no avail. After restarting mysqld, the problem persisted: MySQL was simply being refused access to /tmp. Somewhere, a policy is disallowing this.

It’s a mistake to assume the the source context and target context should be the same; they don’t have to be, as it’s entirely policy-driven.  I made bold those aspects (the file Type) above to highlight this incorrect assumption (that I previously held).

Find and fix a policy?

Although finding the troublesome policy and analysing it is a Good Thing, it’s also time-consuming and requires significant knowledge of SELinux, chiefly to avoid creating security holes. A better way, I found, was simply to relocate where mysqld tries to store temporary data.

Thanks to Surachart Opun’s blog, I learned that you can specify a new location for temporary files. In /etc/my.cnf, add or edit the following:

[mysqld]
tmpdir=/tmp # <--- change this to a location that SELinux allows mysqld to write data.
# e.g.
tmpdir=/var/lib/mysql/tmp


Now do the legwork to set up the directory properly:

First, create directory with appropriate permissions
# cd /var/lib/mysql
# mkdir tmp
# chown mysql:mysql tmp
# chmod 1750 tmp

Now set the SELinux context up:
# chcon --reference /var/lib/mysql tmp

and make the SELinuiux context permanent:
# semanage fcontext -a -t mysql_db_t "/var/lib/mysql/tmp(/.*)?"

Finally, restart mysql:

SugarCRM - Open Source CRM system

# service mysqld restart

Closing thoughts: optimisation
The methods above fixed the particular problem I was having. They didn’t, however, actually pinpoint the cause. This is one of the good things about Linux and SELinux in particular: you are forced to rethink what the system is doing and work out a solution that sits within the predefined security context – or learn how to write SELinux policies. Personally, I prefer the former

There is an additional benefit to the solution above – namely, optimisation. Because we have specified the security context with semanage, we are free to mount an external file system and use that instead for MySQL’s temporary files. In other words, we can maintain the security but increase the performance.  One such filesystem could be tmpfs. tmpfs is actually a RAM Disk, uses a fixed amount of RAM to provide file storage. It is much quicker than an on-disk filesystem and thus perfectly optimised for storing temporary, caching data. There are many resources about tmpfs on the web. A good introduction to tmpfs can be at Planet Admon.

Following are the high level languages that have been investigated in past and present and they should serve as lessons learned from other efforts. These other efforts are “Experiances with higher levels” [1] from Tresys team. Then we have the Hitachi efforts on SEEDIT [2] for generating simple, non reference policy [13], selinux policies. Lately in SELinux 2008 summit we came across Shrimp and Lobster [3] followed by some policy management upgrades expected in [4] based on [5]. [4, 5] are yet to be presented so we are not clear exactly what to expect apart from an intermediate language on top of modular “Reference Policy” [13].

Next some of us want to be able to write SELinux policies and we are also expecting some workshops so I am pointing out the material that is expected to be prepared for the workshops. Some of you might want to look at it before time. [6] are the training modules that are definitely an attractive material for learning how to write policy and understand the working, design and implementation of policy infrastructure [13, 14, 15]. Then we have the “SELinux by Example” book for a solid reference. Another policy wrting tutorial that I liked was [7].

Updates on package management of SELinux policies is [8, 9, 10, 11]. I am not sure how this approach will be used with existing Policy Management Infra [12, 14, 15]?

Other works to be aware of for SELinux are work in progress on Labeled NFS [16], SEPostgre [17], SE-PHP [18], SE-Apache [19], and other object managers like Dbus [20] and Gconf [21]. Lately I came across MAC and Virtualization [23], which I have not read in detail to comment upon.

I will cover on more tools and literature as I remember and come across and will update.

[1] http://www.tresys.com/pdf/Experiences-With-Higher-Level.pdf
[2] http://seedit.sourceforge.net/
[3] http://selinuxproject.org/files/2008_selinux_developer_summit/2008_summit_white.pdf
[4] http://selinuxproject.org/page/Developer_Summit_2009/Abstracts/Brindle_Policy_1
[5] http://linuxplumbersconf.org/ocw/proposals/56
[6] Lost the link so I can email it to you on request. These are part of opensource material from Tresys Inc. educational team.
[7] http://www.lurking-grue.org/writingselinuxpolicyHOWTO.html
[8] http://selinuxproject.org/page/Developer_Summit_2009/Abstracts/Brindle_Policy_2
[9] https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
[10] http://linuxplumbersconf.org/ocw/proposals/58
[11] http://fedoraproject.org/wiki/PackagingDrafts/SELinux
[12] http://www.tresys.com/pdf/Design-And-Implementation-of-PMS.pdf
[13] http://oss.tresys.com/projects/refpolicy
[14] http://oss.tresys.com/projects/policy-server/wiki/PolicyModules
[15] http://userspace.selinuxproject.org/trac/
[16] http://selinuxproject.org/page/Labeled_NFS
[17] http://wiki.postgresql.org/wiki/SEPostgreSQL
[18] http://pecl.php.net/package/selinux
[19] http://code.google.com/p/sepgsql/wiki/Apache_SELinux_plus
[20] http://www.redhat.com/magazine/003jan05/features/dbus/
[21] http://dbus.freedesktop.org/doc/dbus-daemon.1.html#lbAG
[22] http://docs.huihoo.com/selinux/gconf07.pdf
[23] http://www.tresys.com/pdf/Tresys_RethinkSecurity.pdf

Google Earth, like many Google products, is also available for Linux platform. In many cases installation is very simple:

wget http://dl.google.com/earth/client/current/GoogleEarthLinux.bin

sudo sh GoogleEarthLinux.bin

There are, however, at least two ‘catches’, which are worth mentioning. First of all depending on how you run the bin file (root or non-root privileges) you’ll have different install locations available (obviously). Running the above example will install Google Earth for all users.

There’s also a problem with the (lack of) security polices on SELinux enabled distributions (like Fedora). Some guides gives a hint how to resolve this issue, but they fail to provide flexible algorithm, which takes into account changes made by Google Earth developers (i.e. included *.so libraries). The easiest way to make Google Earth work with SELinux is to simply run Google Earth and check SELinux Troubleshooter (Applications -> System Tools in Fedora 11) for possible solution (Allowing access section).

Example SELinux Troubleshooter log

Remember to type both commands provided in Allowing access section (it’s generally safe to do so for Google Earth) to avoid problems in the future. Repeat until Google Earth launches successfully .

Further reading

• Fedora 11 SELinux user guide
• Anatomy of Security-Enhanced Linux (SELinux)

GRRAS – An apex center for promotion and development of Linux operating system operating for imparting education on Linux, open source and open source-based value-added applications. We are the partner of Rajasthan Knowledge Corporation limited. We strive to spread awareness in people about computer with this program and promote IT in every area in Rajasthan.

GRRAS has been training the corporate houses and students Linux technologies like RHCE, RHCSS, System & network administration, SELINUX, Firewall security, Shell Scripting. For a very long time we have been engaged in offering foremost Linux related training courses which is tremendously lucrative for the IT organizations & Students involved in Software Development, System & Network Administration, SELinux & Firewall security.

contact detail–

219, Himmat Nagar,Behind Kiran Sweets,
Gopalpura Turn, Tonk Road, Jaipur(Raj.)
Tel: +91-141-3136868, +91- 9887789124, +91-9352767438
Email: info@grras.com
RHCE Certification

Red Hat Certified Security Specialist (RHCSS) is a security certification that proves advanced skills in using Red Hat Enterprise Linux, SELinux, and Red Hat Directory Server to meet the security requirements of today’s enterprise environment.

join GRRAS institute for Red Hat Certified Security Specialist (RHCSS) and Red Hat Certified Engineer (RHCE).

* GRRAS is the only institute in jaipur(India) which has first network and security specialists.
* It’s an admiration to be a part of an institute which has best Linux professionals.
* All the GRRAS faculties are technocrats and have much experience of Linux teaching.
* GRRAS provides doubt solving sessions which tend to effective training.
* We became the renowned leader and did set the benchmark for the IT market in training of Linux since the very beginning of our foundation.
* We empower our Linux trainees with unique core competencies for exploiting the untouched jobs in Linux field.

Administering Linux 2.6.x (particularly Red Hat). Installation, initial configuration, using the bash command shell, managing files, managing software, and granting rights to users. DNS, FTP, Apache, send mail, Samba, and other services are covered with live training and full dedication.

Advantage of the COURSE

The Linux Networking & System Administration course provides knowledge and skills for Linux- and/or UNIX- systems administrators who want to build proficiency at configuring common network services and security administration using Linux. This course is updated for building skills on Linux Administration.

you can contact for Red Hat Certified Security Specialist (RHCSS) and Red Hat Certified Engineer (RHCE) batches.

contact detail–
219, Himmat Nagar,Behind Kiran Sweets,
Gopalpura Turn, Tonk Road, Jaipur(Raj.)
Tel: +91-141-3136868, +91- 9887789124, +91-9352767438
Email: info@grras.com

Website Source

На сегодняшний день в основную ветку ядра Linux коммитят несколько тысяч разработчиков. При этом, очень большой вклад в развитие ядра вносят такие компании, как IBM, Novell, RedHat.

Существуют различные методы повышения безопасности ОС, одним из таких методов является создание системы безопасности уровня ядра. Именно такой системой является SELinux, о котором я уже упоминал.

Как все в ядре задумывалось изначально? Были созданы некоторые системы безопасности уровня ядра, такие, как AppArmor, SELinux. Они использовали так называемые hook-функции в ядре, которые внедрялись повсюду. hook-функция, грубо говоря — указатель на некоторую функцию, в которой происходит решение относительно исполнения тех или иных действий ядром. Как правило, реализуется множество таких функций, принимающих решения на основании заранее определенной политики безопасности. Позднее был создан Linux Security Modules Framework, который предоставлял набор хуков для подобных систем безопасности. При этом такие СБ можно (и нужно) реализовывать в виде модулей ядра, реализующих некоторый набор хуков, реализующих некоторую логику принятия решений.

Как все есть на сегодняшний день? SELinux собирается непосредственно в ядро, при этом, собирается по умолчанию.  LSM собирается и работает также по умолчанию. SELinux в своей логике работы полностью отвергает возможность компрометации ядра. Это значит, что от руткитов защиты нет.  А теперь представим, каким инструментом в руках создателя руткита является набор разнообразных хуков в ядре, просто реализовав которые, он может делать, что ему вздумается. Теперь при разработке своих руткитов, люди могут “закладываться” на заранее определенные и экспортируемые из ядра функции-хуки! Благодать.

SELinux & co защитят? Нет, как это было недавно продемонстрировано разработчиком GRSecurity.

Является ли система LSM и построенные на ней СБ “серебряной пулей”? Нет.

В мире Linux словом обладают не академики ( в отличие от FreeBSD), а те, кто платит денежку. В итоге, в ядро попадает тот код, который туда попадать не должен, и обсуждать те или иные проблемы с этим связанные сообщество не особо желает. Все чаще начинает казаться, что Linux именно пишут, но не разрабатывают. Кроме этого, что касатеся /linux/security я не вижу никакого планирования развития безопасности в ядре, мне не ясны дальнейшие цели, будут ли появляться новые подходы (если все будет продолжаться как и сейчас, очевидно, — нет) и смогут ли они войти в ядро (глядя текущее положение дел с GRSecurity, очевидно, что нет, опять-же, если ничего не изменится).

Складывается ощущение, что тысячи людей что-то коммитят в ядро, а те, кто во главе всего этого процесса, с каждой новой версией просто судорожно пытаюся понять, как же все это вместе работает. Работает да и ладно.

Finish setting up SELinux on my production server. I only add to make some small changes to the policy to get things working. However I am getting the below warnings in my logs:

SELinux: WARNING: inside open_file_mask_to_av with unknown mode:

I am still researching the problem.

UPDATE:

Found the bug report and kernel needs to be patched but it look like Ubuntu is not going to release an update anytime soon so I just patched the latest kernel today.

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/357041

+ Installing selinux on debian lenney
+ ———————–
apt-get install selinux-basics selinux-policy-default
apt-get install selinux-policy-src
apt-get install libsepol*

+ Compiling the policy
+———————

cd /usr/src
setenforce 0
make conf
make policy
make install
make load
make relabel
make checklabels
make restorelabels

+ addind a new user
+ ——————-
semanage login -a -s staff_u setest

+ Resources
+ ———————————

http://wiki.debian.org/SELinux/Setup

1. Because the installer uses text relocations you’ll need to relax your SELinux settings. Go to System -> Administration -> SELinux Management -> Status and set the Current Enforcing Mode to Permissive.
2. Launch the installer and follow the wizard to completion (the remaining steps assume you accepted the default installation and workspace locations).
3. Rational Software Modeller also uses text relocations at runtime so you need to run the following command before setting your Current Enforcing Mode back to Enforcing:

   sudo chcon -R -t textrel_shlib_t /opt/IBM

4. If you try and launch the application at this point eclipse will crash and display an error dialog telling you to check <HOME>/IBM/rationalsdp/workspace/.metadata/.log. This bug is the result of a change in the xulrunner SDK which is required to display the eclipse welcome screen.
5. To disable the welcome screen run the following command:

   echo "org.eclipse.ui/showIntro=false" > /tmp/noWelcomeScreen.ini

   Now append the following option to the launch command:

   -pluginCustomization /tmp/noWelcomeScreen.ini

   For example:

   opt/IBM/SDP/eclipse -product com.ibm.rational.rsm.product.v75.ide -pluginCustomization /tmp/noWelcomeScreen.ini

6. Go to Application -> IBM Software Delivery Platform -> IBM Software Modeller
7. Happy modelling!

Selinux ( Security-Enhance Linux ) is a Linux mandatory access controls, through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a linux distribution, but it was build to provide variety of security policy.

SE Linux causes alot of headaches for me because I don’t truly understand how it works. But instead of disabling it at the first sign of trouble this week, I got some more info on troubleshooting and tweaking the policy.

I had compiled my own Bind RPMs to address the latest DoS issue. I’m running version 9.5 since it supports the “allow-query-cache” option and RHEL 5 only provides version 9.3. So after I installed my own RPM, of course SE Linux was preventing named from starting. This is how I fixed it:

Check the audit.log for AVC messages:

# cat /var/log/audit/audit.log |grep 'avc:' > /tmp/se.txt

edit the text file to include only the SE issues you want to address:

# vi /tmp/se.txt

create a policy module:

# cat /tmp/se.txt | audit2allow -M local

load the module:

# semodule -i local.pp

That’s all it took to get Bind working for me.

I’m not all that conversant with SELinux, and for the most part, disable it on systems that I configure simply because these days 99% of the systems I configure are within a lab and already heavily firewalled. When NetWorker 7.5 came out and the release notes explicitly stated that SELinux was not supported, it seemed inevitable that my involvement with SELinux would continue to decrease.

When SELinux was recently discussed on the NetWorker mailing list, I responded citing the release notes indicating it wasn’t supported. I was therefore surprised to discover there was a workaround. Responding to the thread, Rich Graves posted the following SELinux adjustments that are necessary to get NetWorker and SELinux working together. I present them unaltered, but can attest to having confirmed they do indeed work. Here’s what Rich had to say:

This has worked for me for about a year, on both client and server. The textrel_shlib change is fairly common for proprietary binaries.

semanage fcontext -a -t textrel_shlib_t “/usr/lib/nsr(/.*)?”
semanage fcontext -a -t var_log_t “/nsr/logs(/.*)?”
restorecon -R /usr/lib/nsr
restorecon -R /nsr/logs

Another approach for the logs is to edit syslog.conf and drop them in /var/log instead of /nsr/logs.

If you’re needing to work with NetWorker and SELinux, hopefully the above tips will help.

I started using Fedora back in the Fedora 8 days.  I’ve always tried to run SELinux in enforcing mode and back in the Fedora 8-9 days that seemed to mean I’d have some SELinux issue every few days.  It wasn’t a big deal, but it was annoying and very tempting to turn it off completely.

Starting with Fedora 10, at least for me, the SELinux hiccups seemed to only happen every few weeks and I was very impressed with the improvement.

I’ve now been running Fedora 11 for three weeks and haven’t had a single SELinux issue at all.  Maybe I am unique, but from what I can tell SELinux with Fedora 11 no longer has any annoying issues while running in enforcing mode.

Thanks a lot SELinux team!  I now feel a great degree of security without a hint of discomfort.