(no subject)

[Richard Mayo]

It's obvious to me how to configure my computer to boot only to SELinux,
but how do I force the computer into Enforcing mode?

Also, when a user logs on the system asks if he or she would like to switch
user contexts.  Is there an easy way to suppress this?



Thanks,
R.



--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re:

[Russell Coker]

On Wed, 24 Jul 2002 15:37, Richard Mayo wrote:
> It's obvious to me how to configure my computer to boot only to SELinux,
> but how do I force the computer into Enforcing mode?

I am currently putting in a symlink from /usr/sbin/avc_toggle to 
/etc/rc.boot/avc_toggle, but I'll probably use an init script later on.

> Also, when a user logs on the system asks if he or she would like to switch
> user contexts.  Is there an easy way to suppress this?

It would be good to suppress the choice of role when the user is only 
authorised for one role though.  As for choice of domains, there is currently 
no way of automatically determining which domains might work (although in the 
current default policy only the main domain will work).


Russell Coker

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: your mail

[Stephen Smalley]

On Wed, 24 Jul 2002, Richard Mayo wrote:

> It's obvious to me how to configure my computer to boot only to SELinux,
> but how do I force the computer into Enforcing mode?

You need to specify enforcing=1 on the kernel command line, as noted in
selinux/README.  You can add an append="enforcing=1" line to the entry in
lilo.conf if using LILO or you can add enforcing=1 to the kernel line
in grub.conf if using GRUB.  If you want the kernel to always operate in
enforcing mode (i.e. never be able to toggle into permissive mode), you
can simply rebuild the kernel without the SELinux Development Module
option.  See step 20 of the README.

> Also, when a user logs on the system asks if he or she would like to switch
> user contexts.  Is there an easy way to suppress this?

You could change login.c to use get_default_user_sid rather than
get_user_sid if you want login to always use the default user SID.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com





--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE:

[Ed Street]

Hello,

One option is to pass the enforcing=1 (or 0) in lilo.conf

Ed

=> -----Original Message-----
=> From: owner-selinux@tycho.nsa.gov
[mailto:owner-selinux@tycho.nsa.gov] On
=> Behalf Of Richard Mayo
=> Sent: Wednesday, July 24, 2002 9:38 AM
=> To: SELinux@tycho.nsa.gov
=> Subject:
=> 
=> It's obvious to me how to configure my computer to boot only to
SELinux,
=> but how do I force the computer into Enforcing mode?
=> 
=> Also, when a user logs on the system asks if he or she would like to
=> switch
=> user contexts.  Is there an easy way to suppress this?
=> 
=> 
=> 
=> Thanks,
=> R.
=> 
=> 
=> 
=> --
=> You have received this message because you are subscribed to the
selinux
=> list.
=> If you no longer wish to subscribe, send mail to
majordomo@tycho.nsa.gov
=> with
=> the words "unsubscribe selinux" without quotes as the message.


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.