f10 vs selinux again.

Dominick Grift domg472 at gmail.com
Sat Feb 28 21:15:43 UTC 2009


On Sat, 2009-02-28 at 16:09 -0500, Gene Heskett wrote:
> On Saturday 28 February 2009, Dominick Grift wrote:
> >On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
> >> On Saturday 28 February 2009, Dominick Grift wrote:
> >> >On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
> >> >> On Saturday 28 February 2009, Dominick Grift wrote:
> >> >> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
> >> >> >> Greetings all;
> >> >> >>
> >> >> >> I have just upgraded then updated as much as possible, an F8 install to
> >> >> >> F10. selinux is now denying ConsoleKit and friends, and awstats. F10 will
> >> >> >> run without console-kit-daemon I find, but I went so far as to touch
> >> >> >> /.autorelabel & reboot & leave it to contemplate its sins for an hour or
> >> >> >> so as there is nearly 2TB of drives here.  Didn't help.
> >> >> >>
> >> >> >> So now I have selinux disabled, and everything is working.  Can this be
> >> >> >> addressed?
> >> >> >
> >> >> >Can you show us the avc denials related to your issues? avc denials are
> >> >> >sent to /var/log/audit/audit.log and can be retrieved with the ausearch
> >> >> >command. For example use: ausearch -m avc -ts today, to retrieve today's
> >> >> >avc denials.
> >> >>
> >> >> None today, I turned it off, yesterday's is attached.
> >> >>
> >> >> >You state that you updated as much as possible. What did you not update?
> >> >>
> >> >> About 70 packages are left, all the java stuff cuz I've installed from Sun,
> >> >> I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix that up by
> >> >> hand and some of the menus are still fubar) and anytime I do a -devel, it
> >> >> barfs over strigi.  What the heck does that thing do anywho?
> >> >>
> >> >> I also am not running the F10 kernel cuz I have to set stakes and call a
> >> >> surveyor to measure screen scrolling speed, so I'm running 2.6.28.7 and am
> >> >> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees.  Now glxgears says
> >> >> 275-300 fps and I can tolerate it.  Anyway, from the yumex screen:
> >> >>
> >> >> 14:05:14 : Error in Dependency Resolution
> >> >> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed by
> >> >> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386 (rpmfusion-free-updates)
> >> >> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is needed by
> >> >> package kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686
> >> >> (rpmfusion-nonfree-updates)
> >> >> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package
> >> >> strigi-devel-0.5.11-1.fc10.i386 (fedora)
> >> >>
> >> >> I might be able to get a list of updates (if you need them) not done from yum.
> >> >> I use yumex most of the time.
> >> >>
> >> >> Thanks Dominick
> >> >
> >> >No that is fine, thanks. Which version of selinux-policy is currently
> >> >installed?
> >> >
> >> >I picked a few of the denials out of there and both were allowed in the
> >> >rawhide policy.
> >> >
> >> >This leads me to think that either you are running a old version of the
> >> >selinux-policy or that the fixes in rawhide policy have not been pushed
> >> >to Fedora 10 policy yet.
> >>
> >> I'll go for the latter as there isn't an update available.
> >> [root@coyote Documents]# rpm -qa|grep policy
> >> checkpolicy-2.0.16-3.fc10.i386
> >> selinux-policy-3.5.13-18.fc10.noarch
> >> policycoreutils-2.0.57-11.fc10.i386
> >> policycoreutils-gui-2.0.57-11.fc10.i386
> >> selinux-policy-targeted-3.5.13-18.fc10.noarch
> >>
> >> >In either case you can create custom policies to allow these denials.
> >> >
> >> >A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M
> >> >mydenials; /usr/sbin/semodule -i mydenials.pp"
> >>
> >> And that upchucks.  It generates mydenials.pp, then:
> >> [root@coyote Documents]# /usr/sbin/semodule -i mydenials.pp
> >> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
> >> libsemanage.semanage_link_sandbox: Link packages failed
> >> /usr/sbin/semodule:  Failed!
> >>
> >> Looks like I may be missing something?
> >
> >Can you give me the output of sestatus?
> >
> >you could try /usr/sbin/semodule -s targeted -i mydenials.pp
> 
> Fails exactly the same.  Does selinux=disabled screw with that?

Well, you should have SELinux enabled when you install the module.
Enable it first.

> >
> >You might also consider /usr/sbin/semodule -b base.pp (this should
> >replace the base module)
> 
> Are you sure I want to do that?

Not totally sure. No. First enable SELinux. Then try to install the
policy module again. If that does not work consider replacing base.pp.

The error suggests that base.pp is for MLS policy. This should not be
the case.

> >man semodule
> >
> >This looks like something that could have gone wrong during the upgrade.
> 
> It won't be the first time.  When I went from f6 to f8, lots of stuff was 
> busted, stuff the gurus said could not happen, but did to me.  One whole 
> section of the install was skipped & I had to go pull in about 200 packages by 
> hand.
> 
> >It claims that a MLS base module is installed but you have installed
> >selinux-policy-targeted
> 
> And that is how I'm normally configured.
> 
> >you should really c.c. fedora-selinux-list so that knowledgeable people
> >like dwalsh can give suggestions as well.
> 
> Duh, sorry.  Your reply showed up in the list folder so I didn't hit reply-
> all, added now.
> 
> >> >caution: i did not review all denials in your list, however most look
> >> >like they should be allowed.
> >> >
> >> >You should not let issues like these persuade you to disable SELinux.
> >> >You can also run SELinux in permissive mode which will act as an
> >> >intrusion detection system but will not prevent policy violations.
> >>
> >> I am not terribly paranoid about running selinux, Dominick, I have all my
> >> local network behind an x86 version of dd-wrt & it's locked up pretty
> >> tight. selinux is last ditch.  In 2 years, no one has gotten past dd-wrt
> >> that I didn't first give them the password to it.  I see my running it as
> >> more of the playing of a role, that of the canary in the coal mine if you
> >> will.
> >>
> >> >hth, Dominick
> 
> 

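The thread's "quick (and dirty)" route is to pipe every denial straight into audit2allow, which Dominick himself qualifies with "i did not review all denials in your list". The script below is an added example, not code from the thread or from the SELinux tools: it groups AVC records the way a reviewer reads them (source domain, target type, object class, permission) and flags target types that should be read before anything is allowed. The audit records and the watchlist in it are constructed for illustration; the domains and types are not the poster's real denials, which were only ever in an attachment.

```shell
#!/bin/sh
# Added example, not code from the thread: triage AVC denials before
# handing them to audit2allow. Groups records by source domain, target
# type, object class and permission, then flags target types that
# deserve a manual read. Sample records below are constructed; the
# domains/types in them are illustrative, not the poster's real denials.

SAMPLE_AVC='type=AVC msg=audit(1235857200.101:1): avc:  denied  { read } for  pid=1001 comm="console-kit-dae" name="shadow" dev=sda1 ino=11 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1235857200.102:2): avc:  denied  { read } for  pid=1001 comm="console-kit-dae" name="shadow" dev=sda1 ino=11 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1235857200.103:3): avc:  denied  { write } for  pid=2002 comm="awstats.pl" name="awstats.log" dev=sda1 ino=22 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1235857200.103:3): arch=40000003 syscall=5 success=no exit=-13 comm="awstats.pl"'

# Constructed watchlist: target types whose denials warrant reading the
# record rather than allowing it (shadow_t holds password hashes).
REVIEW_TYPES="shadow_t security_t"

# summarize_avc: audit records on stdin -> "count source_domain target_type class perms",
# sorted by count, descending. Non-AVC records (SYSCALL etc.) are ignored.
summarize_avc() {
  awk '
    $1 == "type=AVC" && /avc: +denied/ {
      perm = ""; src = ""; tgt = ""; cls = ""
      # the permission set sits between "{ " and " }"
      if (match($0, /[{] [^}]* [}]/))
        perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        # contexts are user:role:type:level; the type is the third field
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      count[src " " tgt " " cls " " perm]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# needs_review: summary lines on stdin -> only those whose target type
# (field 3) is on REVIEW_TYPES.
needs_review() {
  awk -v list="$REVIEW_TYPES" '
    BEGIN { n = split(list, t, " "); for (i = 1; i <= n; i++) watch[t[i]] = 1 }
    ($3 in watch) { print }
  '
}

# Stand-alone run over the constructed sample. On a live box replace the
# printf with the command from the thread: ausearch -m avc -ts today | summarize_avc
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
echo "--- read these before allowing them ---"
printf '%s\n' "$SAMPLE_AVC" | summarize_avc | needs_review
```

Over the sample, the summary collapses the two identical ConsoleKit records into one line with a count of 2, and the review filter keeps only that line because its target type is shadow_t. Anything that survives the review is what you then feed to audit2allow -M; a denial on a sensitive type is usually a sign that the file is mislabelled or the daemon is misconfigured, not that the policy needs a new allow rule.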



More information about the fedora-selinux-list mailing list