f10 vs selinux again.

Dominick Grift domg472 at gmail.com
Sat Feb 28 20:47:42 UTC 2009


On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
> On Saturday 28 February 2009, Dominick Grift wrote:
> >On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
> >> On Saturday 28 February 2009, Dominick Grift wrote:
> >> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
> >> >> Greetings all;
> >> >>
> >> >> I have just upgraded then updated as much as possible, an F8 install to
> >> >> F10. selinux is now denying ConsoleKit and friends, and awstats. F10 will
> >> >> run without console-kit-daemon I find, but I went so far as to touch
> >> >> /.autorelabel & reboot & leave it to contemplate its sins for an hour or
> >> >> so as there is nearly 2TB of drives here.  Didn't help.
> >> >>
> >> >> So now I have selinux disabled, and everything is working.  Can this be
> >> >> addressed?
> >> >
> >> >Can you show us the avc denials related to your issues? avc denials are
> >> >sent to /var/log/audit/audit.log and can be retrieved with the ausearch
> >> >command. For example use: ausearch -m avc -ts today, to retrieve today's
> >> >avc denials.
> >>
> >> None today, I turned it off, yesterday's is attached.
> >>
> >> >You state that you updated as much as possible. What did you not update?
> >>
> >> About 70 packages are left, all the java stuff cuz I've installed from Sun,
> >> I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix that up by
> >> hand and some of the menus are still fubar) and anytime I do a -devel, it
> >> barfs over strigi.  What the heck does that thing do anywho?
> >>
> >> I also am not running the F10 kernel cuz I have to set stakes and call a
> >> surveyor to measure screen scrolling speed, so I'm running 2.6.28.7 and am
> >> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees.  Now glxgears says
> >> 275-300 fps and I can tolerate it.  Anyway, from the yumex screen:
> >>
> >> 14:05:14 : Error in Dependency Resolution
> >> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed by
> >> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386 (rpmfusion-free-updates)
> >> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is needed by
> >> package kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686 (rpmfusion-nonfree-updates)
> >> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package
> >> strigi-devel-0.5.11-1.fc10.i386 (fedora)
> >>
> >> I might be able to get a list of updates (if you need them) not done from yum.
> >> I use yumex most of the time.
> >>
> >> Thanks Dominick
> >
> >No that is fine, thanks. Which version of selinux-policy is currently
> >installed?
> >
> >I picked a few of the denials out of there and both were allowed in the
> >rawhide policy.
> >
> >This leads me to think that either you are running a old version of the
> >selinux-policy or that the fixes in rawhide policy have not been pushed
> >to Fedora 10 policy yet.
> >
> I'll go for the latter as there isn't an update available.
> [root at coyote Documents]# rpm -qa|grep policy
> checkpolicy-2.0.16-3.fc10.i386
> selinux-policy-3.5.13-18.fc10.noarch
> policycoreutils-2.0.57-11.fc10.i386
> policycoreutils-gui-2.0.57-11.fc10.i386
> selinux-policy-targeted-3.5.13-18.fc10.noarch
> 
> >In either case you can create custom policies to allow these denials.
> >
> >A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M
> >mydenials; /usr/sbin/semodule -i mydenials.pp"
> 
> And that upchucks.  It generates mydenials.pp, then:
> [root at coyote Documents]# /usr/sbin/semodule -i mydenials.pp
> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
> libsemanage.semanage_link_sandbox: Link packages failed
> /usr/sbin/semodule:  Failed!
> 
> Looks like I may be missing something?

Can you give me the output of sestatus?

You could try /usr/sbin/semodule -s targeted -i mydenials.pp

You might also consider /usr/sbin/semodule -b base.pp (this should
replace the base module)

man semodule

This looks like something that could have gone wrong during the upgrade.

It claims that an MLS base module is installed but you have installed
selinux-policy-targeted.

You should really c.c. fedora-selinux-list so that knowledgeable people
like dwalsh can give suggestions as well.


> >Caution: I did not review all denials in your list, however most look
> >like they should be allowed.
> >
> >You should not let issues like these persuade you to disable SELinux.
> >You can also run SELinux in permissive mode which will act as an
> >intrusion detection system but will not prevent policy violations.
> 
> I am not terribly paranoid about running selinux, Dominick, I have all my
> local network behind an x86 version of dd-wrt & it's locked up pretty tight.
> selinux is last ditch.  In 2 years, no one has gotten past dd-wrt that I
> didn't first give them the password to it.  I see my running it as more of the
> playing of a role, that of the canary in the coal mine if you will.
> 
> >hth , Dominick
> 
> 
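Added example (not from the thread or from either poster): a POSIX shell sketch of the review-before-allow workflow Dominick describes, so the denials pulled with ausearch are condensed and read before audit2allow turns them into allow rules, and the module is installed into the store that sestatus reports. The AVC records and the sestatus output below are constructed; summarize_avc, policy_name and install_from_denials are names chosen here.

```shell
#!/bin/sh
# Constructed AVC records in audit.log format (not the attachment from the
# thread); they stand in for what "ausearch -m avc -ts today" returns.
SAMPLE_AVC='type=AVC msg=audit(1235851200.123:45): avc:  denied  { read } for  pid=2345 comm="console-kit-dae" name="utmp" dev=sda3 ino=1234 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1235851201.456:46): avc:  denied  { read write } for  pid=2345 comm="console-kit-dae" name="utmp" dev=sda3 ino=1234 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1235851300.789:47): avc:  denied  { getattr } for  pid=3456 comm="awstats.pl" path="/var/log/httpd/access_log" dev=sda3 ino=5678 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file'

# Constructed sestatus output for a Fedora 10 box running the targeted policy.
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 23
Policy from config file:        targeted'

# Reduce raw AVC lines (stdin) to "source_type target_type class perm count",
# one line per distinct denial, so each rule can be judged before it is
# allowed; audit2allow would otherwise turn every line into an allow rule.
summarize_avc() {
  sed -n 's/.*avc: *denied *{ \([^}]*\)}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' |
  awk '{ for (i = 4; i <= NF; i++) c[$1 " " $2 " " $3 " " $i]++ }
       END { for (k in c) print k, c[k] }' | sort
}

# Pull the policy store name out of sestatus output (stdin); the module has
# to go into that store, which is what "semodule -s targeted" selects.
policy_name() {
  awk -F': *' '/^(Policy from config file|Loaded policy name)/ { print $2 }'
}

# The workflow from the thread on a real host. Not called here: it needs
# root and the SELinux tools, so it is only defined for reference.
install_from_denials() {
  store=$(sestatus | policy_name)
  ausearch -m avc -ts today > avc-denials.txt
  summarize_avc < avc-denials.txt        # review this list first
  audit2allow -M mydenials < avc-denials.txt
  cat mydenials.te                        # read the generated allow rules
  semodule -s "$store" -i mydenials.pp
}

printf '%s\n' "$SAMPLE_AVC" | summarize_avc
printf '%s\n' "$SAMPLE_SESTATUS" | policy_name
```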

More information about the fedora-selinux-list mailing list