This time the adventure turned to SELinux: switching the system to SELinux MLS.
Let's test switching SELinux on Fedora 31 from the default targeted policy to mls.
First let's see the users:
[root@desk mythcat]# semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range         SELinux Roles
guest_u         user       s0         s0                guest_r
root            user       s0         s0-s0:c0.c1023    staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023    staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023    sysadm_r
system_u        user       s0         s0-s0:c0.c1023    system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023    system_r unconfined_r
user_u          user       s0         s0                user_r
xguest_u        user       s0         s0                xguest_r
To use MLS you need to change this file:
[root@desk mythcat]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
The changes are:
#SELINUX=enforcing
SELINUX=permissive
...
#SELINUXTYPE=targeted
SELINUXTYPE=mls
You need to install these packages:
[root@desk mythcat]# dnf search mls | grep selinux
Last metadata expiration check: 2:45:09 ago on Sun 02 Feb 2020 01:28:54 PM EET.
selinux-policy-mls.noarch : SELinux mls base policy
[root@desk mythcat]# dnf install selinux-policy-mls.noarch
...
Installed:
  mcstrans-2.9-2.fc31.x86_64 policycoreutils-newrole-2.9-5.fc31.x86_64 selinux-policy-mls-3.14.4-45.fc31.noarch
Complete!
These commands will relabel and start the MLS.
[mythcat@desk ~]$ setenforce 0
[mythcat@desk ~]$ getenforce
Permissive
...
[root@desk mythcat]# touch /.autorelabel
[root@desk mythcat]# reboot
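
A pre-reboot check for the steps above, as an added example that is not part of the original post: it confirms that /etc/selinux/config selects mls in permissive mode, that the mls policy is installed, and that /.autorelabel exists. The function names and the optional root-prefix argument (used to run the check against a constructed directory tree) are assumptions made for this example.

```shell
#!/bin/sh
# Pre-reboot check for a targeted -> mls switch (added example, not from the post).
# Assumption: an optional first argument prefixes every path so the check can be
# run against a constructed tree; with no argument it inspects the live system.

# Print the last uncommented value of KEY= found in an SELinux config file.
selinux_cfg_value() {
    # $1 = key (SELINUX or SELINUXTYPE), $2 = config file
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p" "$2" | tail -n 1
}

# Return 0 when the system is ready for the relabel reboot, 1 otherwise.
mls_preflight() {
    root="${1:-}"
    cfg="$root/etc/selinux/config"
    rc=0
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 1; }

    mode=$(selinux_cfg_value SELINUX "$cfg")
    ptype=$(selinux_cfg_value SELINUXTYPE "$cfg")

    if [ "$ptype" != "mls" ]; then
        echo "FAIL: SELINUXTYPE=$ptype (expected mls)"; rc=1
    fi
    # The first mls boot must be permissive: files still carry the targeted
    # labels until the relabel finishes, so enforcing can block the boot.
    if [ "$mode" != "permissive" ]; then
        echo "FAIL: SELINUX=$mode (expected permissive for the relabel boot)"; rc=1
    fi
    # selinux-policy-mls places its binary policy under /etc/selinux/mls/policy.
    if [ ! -d "$root/etc/selinux/mls/policy" ]; then
        echo "FAIL: $root/etc/selinux/mls/policy missing (install selinux-policy-mls)"; rc=1
    fi
    # Without this flag file the filesystem is not relabeled on the next boot.
    if [ ! -e "$root/.autorelabel" ]; then
        echo "FAIL: $root/.autorelabel missing (run: touch /.autorelabel)"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: ready to reboot into the mls relabel"
    fi
    return "$rc"
}
```

Source the file and call `mls_preflight` with no argument as root just before `reboot`; every FAIL line names the step that was skipped.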
If you have problems on boot, then add selinux=0 to the kernel boot parameters.
After I booted and relabeled all files, I got errors about Gtk-Messages.
I removed my old Cinnamon with this command:
[root@desk mythcat]# dnf groupremove -y "Cinnamon"
I listed all my groups with the dnf tool:
[root@desk mythcat]# dnf grouplist -v
I installed the MATE environment:
dnf groupinstall -y "MATE Desktop" --allowerasing
After that, the only way to start the environment is this command:
[mythcat@desk ~]$ sudo systemctl restart lightdm.service
Another issue comes from the SELinux Alert Browser, where I get multiple alerts, and these need to be fixed manually.
At first, there were more than 250 of these alerts.
After I fixed some of them, I now see only 50.
I think this problem with changing the SELinux type can be improved.