I have never really supported strict policy and the move to a merge, I felt gave us the best bang for the buck.

Mt. Everest, standing mightily at 8848m. Are the World’s highest peak and the ultimate Himalayan dream for many trekkers. Everest trek (with more time for acclimatization) enables you not only to witness Mount Everest but also the 4th & 5th highest peaks. Lhote at 8516m., Makalu 8467m., as well as numerous other giant peaks. This region is truly the roof of the World.
Besides, trek goes through the heartland of the Sherpa (Mountain peoples) who are of Tibet origin and passes numerous charming villages, many with picturesque gompas that are spectacularly set amidst its mountainous surrounding. Before reaching the Everest Base camp, the trail follows the Khumbu Glacier with huge ice pinnacles soaring to unbelievable height.
Fly to Lukla and following the Dhuda Koshi river valley through beautiful pine and rhododendron trees. The jagged, Icy & snow capped peaks of Thamseku 6623m. & Kushum Kanguru 6369m, tower above the trail. A steep climb then leads us to Namche Bazaar 3345m. Were we taking our first stop for rest (Acclimatization). Get way of Everest Base camp or Everest region for adventure trekking or climbing any peaks.
On the trail to Thyanboche, those with a keen eye will be rewarded with sightings of musk deer, thar (Mountain goat) Impeyan Pheasant. Thyangboche monastery is set in a beautiful location with chortens adorned with player flags and mani walls a constant remainder of the local Buddhist cultural. Views of Mt. Everest 8848m., Lhotse 8516m.,Ama Dablam 6856m, Thamserku 6623m., Kangtenga 6779m., as well as many tiny mountain in this region.

Ganesh Neupane
Monterosa Treks and Expedition
mail: monte@mos.com.np
http://www.monterosa-nepal.com

“So in Fedora 8 you can setup login users to be user_t, staff_t and they can reach sysadm_t, just like in strict policy. The default user account will remain unconfined. If you want to remove the ability to run unconfined processes you can just remove the unconfined module. “semodule -r unconfined”.”

I didn’t get the memo that it is no longer kosher in Fedora 9.

The fact is, it’s very hard to scrap together consistent knowledge about changes in SELinux in consecutive Fedora releases.

It’s extremely difficult to track all those changes that break backward compatibility with my custom SELinux modules. I have to gather it from all around the web (your LJ blog, interviews and Red Hat magazine articles, the mailing list and so on). The object permission macros are changing (e.g. r_file_perms -> read file perms), domains come and go, tools change in behaviour, and there’s no single place to track those - only by trial and error (when something breaks).

Ideally it should be in the release notes for Fedora, but the SELinux section usually contains some canned information that comprises only links to trivial, incomplete or outdated information, e.g.:

http://docs.fedoraproject.org/release-notes/f8/en_US/sn-Security.html#SELinux

http://docs.fedoraproject.org/release-notes/f9/en_US/sn-Security.html#SELinux

Note that these release notes sections are identical; the last link leads to documentation that has stopped being updated in the FC5 era.

I tried running screen from sysadm_r:sysadm_t on Fedora 9 and it seems to work.

# screen
-bash: /usr/bin/screen: Permission denied

What’s funny, nothing is logged even when I disable dontaudit globally using “semodule -DB”. When I “setenforce 0″, screen launches fine.

What’s even funnier, I were able to get screen working for unprivileged users after mapping them to user_u using _default_.

So now, although I have the most privileged context of root:system_r:sysadm_t, I cannot launch screen like the unprivileged users can.

# semanage login -m -s user_u -r s0 __default__

__default__ currently has an MCS/MLS range of s0-s0:c0.c1023
but the user_u SELinux user is only allowed to use s0.

Any idea why it fails?