How the heck do you modify selinux policy f7

2nd June 2007, 08:12 AM
Okay where is the advanced policy where you can disable selinux against individual services like ntpd, http, etc.

Now if you simply just want to disable selinux on say ntpd, you have to go to permissive rather than enforcing and change one item.

Now that is what I call an oversight, and missing a major item!

2nd June 2007, 08:19 AM
Menu on Gnome: System, Admin, SELinux Management
A new tool.


# another tool

# getsebool -a
allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> off
allow_daemons_use_tty --> off
allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> on
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_gssd_read_tmp --> on
allow_httpd_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
allow_java_execstack --> off
allow_kerberos --> on
allow_mount_anyfile --> off
allow_mounton_anydir --> on
allow_nfsd_anon_write --> off
allow_polyinstantiation --> off
allow_ptrace --> off
allow_rsync_anon_write --> off
allow_saslauthd_read_shadow --> off
allow_smbd_anon_write --> off
allow_ssh_keysign --> off
allow_unconfined_execmem_dyntrans --> off
allow_unlabeled_packets --> on
allow_user_mysql_connect --> off
allow_ypbind --> off
allow_zebra_write_config --> on
cron_can_relabel --> off
fcron_crond --> off
ftp_home_dir --> off
global_ssp --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_ssi_exec --> off
httpd_tty_comm --> off
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off
mail_read_content --> off
named_write_master_zones --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
pppd_can_insmod --> off
read_default_t --> on
read_untrusted_content --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> on
samba_share_nfs --> off
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
spamassassin_can_network --> off
spamd_enable_home_dirs --> on
squid_connect_any --> off
ssh_sysadm_login --> off
use_lpd_server --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
user_direct_mouse --> off
user_dmesg --> off
user_rw_noexattrfile --> off
user_tcp_server --> off
user_ttyfile_stat --> off
write_untrusted_content --> off
xdm_sysadm_login --> off

2nd June 2007, 08:32 AM
I can't find it apart from the firewall/selinux in administration :(

I even looked at editing the menus, I don't have SELinux Management

2nd June 2007, 08:51 AM
What is the output of

rpm -qa se*


2nd June 2007, 08:55 AM
[root@~]# rpm -qa se*

Can you let me know the system command, I can always add it to my menu :)

I also note that the getsebool -a on an f7 server compared to an fc6 server is missing a LOT. Especially for my situation: it's a network time server using gpsd to sync ntpd. On FC6 there is a:
ntpd_disable_trans --> on

But not in f7 :(

Do you know if I can somehow just modify the policy on the ntpd file to just disable selinux on it?
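
Added example (not from the thread or any of its posters): a Python script that parses `getsebool -a` output, diffs two snapshots the way the poster compared FC6 and F7 by hand, and flags booleans that weaken confinement when on. A `*_disable_trans` boolean set to on keeps that daemon out of its confined domain, which is the per-service off switch this post is asking about. The two snapshots and the list of loosening booleans are constructed for the example.

```python
import re

# Constructed sample of `getsebool -a` output. The FC6 snapshot includes the
# ntpd_disable_trans boolean the poster mentions; the F7 snapshot is a subset
# of the output quoted earlier in this thread with one value flipped.
FC6_OUTPUT = """\
allow_execmem --> on
allow_execstack --> on
httpd_can_network_connect --> off
ntpd_disable_trans --> on
samba_run_unconfined --> off
"""

F7_OUTPUT = """\
allow_execmem --> on
allow_execstack --> on
httpd_can_network_connect --> off
httpd_enable_cgi --> on
samba_run_unconfined --> on
"""

# Assumed list of booleans that widen what a domain may do when on; the
# *_disable_trans and *_run_unconfined families are matched by name suffix.
LOOSENING = {"allow_execmem", "allow_execstack", "httpd_can_network_connect",
             "nfs_export_all_rw"}
LOOSENING_SUFFIXES = ("_disable_trans", "_run_unconfined")

LINE_RE = re.compile(r"^(\S+)\s+-->\s+(on|off)$")

def parse_getsebool(text):
    """Parse `name --> on|off` lines into {name: bool}; ignore other lines."""
    state = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            state[m.group(1)] = (m.group(2) == "on")
    return state

def diff_booleans(old, new):
    """Booleans removed, added, and flipped between two snapshots."""
    return {
        "removed": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }

def loosening_on(state):
    """Names of confinement-weakening booleans that are currently on."""
    return sorted(n for n, on in state.items()
                  if on and (n in LOOSENING or n.endswith(LOOSENING_SUFFIXES)))

if __name__ == "__main__":
    old, new = parse_getsebool(FC6_OUTPUT), parse_getsebool(F7_OUTPUT)
    print(diff_booleans(old, new))
    print("weakening booleans on in F7:", loosening_on(new))
```

Run it against real snapshots by piping `getsebool -a` from each host into a file and reading those files in place of the constructed strings.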

2nd June 2007, 09:03 AM
Install setroubleshoot and see if the menus for setroubleshoot and SELinux Management show up.
Make sure you have audit installed also. (/var/log/audit/audit.log)

There is a new selinux-policy in updates-testing but it has an error, and also a new policycoreutils which didn't show up, so that should be out in a week or so.


2nd June 2007, 09:17 AM
Damn, did nothing (for the selinux missing menu)! Can I force a reinstall so it will redo the menus?

Also the damn f7 i386 kernel does not have 1PPS in it :( All the fc6 kernels had 1pps support so your time is accurate. I filled out a bug for that.

2nd June 2007, 09:58 AM
Did you reboot? The daemons need to start before the gui tools work and they need to hook into audit.

But before that open services and make sure that audit and setroubleshoot servers are checked to start up on boot.

Use the control center to open the Alacarte menu editor and see if they can be added (after rebooting, if still not there.)

Next would be to use the commands that allow you to do it on the cli.
man selinux
man getsebool
man setsebool
man togglesebool

Finally, download the dvd with bittorrent and install the default desktop.


"Looks like I may have to do everything."

Lizzy Borden :)

2nd June 2007, 10:04 AM
I saw the new menu immediately. I will try a reboot

2nd June 2007, 10:11 AM
Nope :( Can you tell me the properties? I will just recreate the menu.

It's an FC6 upgrade, it's all perfect except for the missing selinux control from gnome. Maybe there is a gnome extra package needed?

2nd June 2007, 11:01 AM
System, Administration

SELinux Management
Configure SELinux in a graphical setting

SELinux Troubleshooter
/usr/bin/sealert -b
Troubleshoot SELinux access denials

System, Preferences

Control Center

Make sure the services are checked for bootup time.


2nd June 2007, 11:05 AM
I can't find system-config-selinux anywhere :(
Can you tell me what package it belongs to? I bet I am missing the package...

Okay, this has to be a major bug. I looked in package manager, ALL, and there is no package anything like system-config-selinux

I searched and found the answer in add remove software, by searching for selinux...

It's missing this package...
policycoreutils-gui: selinux configuration gui