SELinux Attack!
Karl Larsen
k5di at zianet.com
Sat Oct 13 15:42:21 UTC 2007
Matthew Saltzman wrote:
> On Sat, 2007-10-13 at 06:41 -0600, Karl Larsen wrote:
>
>> Vinayak Mahadevan wrote:
>>
>>> On 10/13/07, Karl Larsen <k5di at zianet.com> wrote:
>>>
>>>
>>>>>
>>>>>
>>>> I have had all those problems in the past years. But this problem
>>>> yesterday was in fact caused by SELinux. I say that because different
>>>> from your experience when I turned off SELinux all the problems went away.
>>>>
>>>>
>>> let the machine run for some days and then let us know your
>>> experience with the machine.
>>>
>>> Vinayak
>>>
>>>
>>>
>> So far so good. But I would like to know why SELinux did this. And
>> what do I need to do to to make SELinux work on this machine? There seem
>> to be others that use it and it works without a problem.
>>
>
> Karl-
>
> As I recall, you said earlier in the thread that you had disabled
> SELinux for a while when you were experimenting with spinning a custom
> distribution.
>
> SELinux checks the contexts of files (their SELinux security
> information) to see if programs are violating their restrictions, but it
> also updates the contexts when files are created and updated. If you
> turn SELinux off, file contexts stop getting updated. When you turn it
> back on, the files may suddenly not have contexts that allow their
> applications to access them. You'll see the things going wrong
> in /var/log/messages (grep for AVC and look for "denied" messages) or
> you'll get that star icon in your notification area when a program. And
> of course, the programs that use incorrectly labeled files will not
> work.
>
> You also said at some point that you followed instructions to relabel
> your filesystem and things started to work. That is exactly the
> solution to the problems introduced by turning SELinux off. So if you
> turn SELinux back on and relabel one more time, you should be OK after
> that (as long as you leave SELinux on).
>
> Most people don't see (too many) SELinux problems because most people
> don't ever turn it off. So it maintains itself.
>
>
>>
>>
Well I did get a whole lot of messages like this, every ten seconds
or so:
Oct 11 02:31:08 k5di dbus: Can't send to audit system: USER_AVC avc:
received policyload notice (seqno=2) : exe="/bin/dbus-daemon"
(sauid=500, hostname=?, addr=?, terminal=?)
I'm not sure what this means but it seems to mean that /bin/dbus-daemon
has a problem with my hostname ect.
I looked at man dbus-daemon and it is a library that any device can
access. It appears it doesn't have what SELinux wants. How do I fix this
I wonder?
--
Karl F. Larsen, AKA K5DI
Linux User
#450462 http://counter.li.org.
More information about the fedora-list
mailing list