SELinux Troubleshooter messages from upgrade from F7->F8

Andy Green andy at warmcat.com
Mon Nov 12 12:37:49 UTC 2007 

Somebody in the thread at some point said:

> Things seem to be working OK but there are a couple of glitches that I
> am trying to track down yet.
> 
> So here are the setroubleshoot errors that appeared in my logs for the
> complete yum upgrade:
> 
> Nov  9 02:39:19 localhost setroubleshoot:      SELinux is preventing
> /sbin/ldconfig (ldconfig_t) "write" to ldconfig (var_t).      For
> complete SELinux messages. run sealert -l
> 1594b6a8-1f16-44c9-b7ee-f5ef4621257f

I think this is a mislabelled /var/cache/ldconfig.  Check if yours is
like this

# ll /var/cache/ldconfig -Zd
drwx------  root root system_u:object_r:ldconfig_cache_t /var/cache/ldconfig

If not:

# fixfiles relabel /var/cache/ldconfig

After that

# ldconfig

will find any new libs.

> Nov  9 02:41:56 localhost setroubleshoot:      SELinux is preventing
> /sbin/restorecon (restorecon_t) "write" to pipe:[50470] (rpm_t).
> For complete SELinux messages. run sealert -l
> 6caaa2ac-84bb-4962-a78e-b10e24f8fef0
> Nov  9 02:51:46 localhost setroubleshoot:      SELinux is preventing
> /usr/sbin/nscd (nscd_t) "write" to pipe:[50470] (rpm_t).      For
> complete SELinux messages. run sealert -l
> e7ace06a-0a4b-4832-bdac-1f538535f5a3
> Nov  9 02:51:46 localhost setroubleshoot:      SELinux is preventing
> semanage (semanage_t) "write" to pipe:[50470] (rpm_t).      For
> complete SELinux messages. run sealert -l
> e2c86088-44f8-4e9b-b71c-d1ea72a2b3d3
> Nov  9 02:52:14 localhost setroubleshoot:      SELinux is preventing
> /usr/sbin/useradd (useradd_t) "read write" to faillog (var_log_t).
>  For complete SELinux messages. run sealert -l
> de30be19-d51b-482e-b112-6fa9954a70e9
> Nov  9 03:04:27 localhost setroubleshoot:      SELinux is preventing
> /usr/sbin/semodule (semanage_t) "write" to pipe:[50470] (rpm_t).
> For complete SELinux messages. run sealert -l
> e2c86088-44f8-4e9b-b71c-d1ea72a2b3d3

Dunno.

> Nov  9 03:09:36 localhost setroubleshoot:      SELinux prevented
> /sbin/setfiles from using the terminal 0.      For complete SELinux
> messages. run sealert -l 74507fc1-6b02-4285-92d9-d0123f0cea60

Dunno.

> Nov  9 03:09:42 localhost setroubleshoot: [rpc.ERROR] exception
> DBusException: org.freedesktop.DBus.Error.NoServer: Failed to connect
> to socket /var/run/dbus/system_bus_socket: Connection refused

Is dbus running?

service messagebus status

> There were multiple repetitons of each of them (particularly the
> ldconfig_t one).
> 
> My questions:
> 1) Should SELinux stay out of the way for a yum upgrade in
> enforcing/targetted mode?

Yep.

> 2) Is there a straightforward way to go back and reinstall all the
> currently installed rpms (while not in enforcing mode) so that some of
> these blocked pre-post script activities are allowed to do their
> thing? There are just too many affected packages to do this manually.

ldconfig can be straightened out just be re-running it.  The libs from
the packages were already installed okay.

> 3) Are these bugzilla-worthy?

Up to you...

You might want to force a whole filesystem relabel...

touch /.autorelabel

and reboot.  But if there are no more funnies after fixing ldconfig I
probably wouldn't bother.

-Andy

More information about the fedora-devel-list mailing list