On Tue, 2009-07-07 at 13:48 +0100, Marko Vojinovic wrote: > Hello folks! > > On this freshly installed F11 machine (from the KDE Live CD) I often > get selinux alerts similar to the one below. It's not just openvpn, > but also mv (dhcpc_t) and ifconfig (ifconfig_t). I don't feel anything > to be non-functional (aside from openvpn, but that's a different > problem), but these alerts are confusing to me. I did a yum list > selinux* and it replied with: > > Installed Packages > selinux-policy.noarch > selinux-policy-targeted.noarch > Available Packages > selinux-doc.noarch > selinux-policy-doc.noarch > selinux-policy-minimum.noarch > selinux-policy-mls.noarch > > Here I can see that selinux-policy-mls is not installed, while all the > alerts are related to mls. yum info selinux-policy-mls gives the > description "SELinux Reference policy mls base module" which is not > very informative (for me). > > So, five questions: > 1) what is mls? > 2) is installing selinux-policy-mls going to help with these alerts? > 3) if yes, why wasn't it installed automatically? > 4) is any of this actually related to the alerts I get? > 5) are the alerts important, or is it safe to ignore them? You can ignore, and I think they are silenced by a policy update. A libselinux constructor probes for /selinux/mls to initialize internal state used later by the library functions, and unfortunately all of the net-tools are getting linked against libselinux now just because of netstat -Z support. No, you don't need selinux-policy-mls. There is a patch pending for libselinux that will make such probing happen lazily and thus avoid such denials. -- Stephen Smalley National Security Agency -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
