setroubleshoot problem

max maximilianbianco at
Thu Jul 17 17:29:56 UTC 2008

Steve wrote:
> Max,
> To answer your question from yesterday, I had been getting the same errors even before I installed the policies yesterday which is strange because the messages indicate that a policy was loaded. 

> Is there a built-in default policy?

Yes, there is a default policy that comes with Fedora. You did however 
set SELinux in permissive so it's going to be hard to tell when exactly 
the problem began, whether it started before or after the upgrade. You 
used preupgrade so it's possible this screwed the pooch somehow. I used 
preupgrade on a box but all went smoothly, at least it appeared that 
way. I had other qualms with preupgrade so I blew that upgrade away and 
did a fresh install. However I don't run SELinux in permissive and this 
may be the deciding factor, I just don't know.

> Where do I go from here?

0 - Well, one option, that I don't generally encourage unless you're in 
a hurry, is to do a fresh install of F9. You won't learn anything and 
you've expressed interest in SELinux so I would encourage you to take 
advantage of the learning opportunity, especially if you're dual booting 
and it's a very minor inconvenience to reboot a desktop/laptop machine, 
at least as far as I am concerned.

1 - Check for bugs against preupgrade that relate to SELinux and check 
for bugs against SETroubleshoot. I'm pretty sure SEtroubleshoot is a 
symptom not a cause of your problem but it doesn't hurt to check.

2 - The only other sane thing I could advise you to do is bounce your 
question off the fedora-selinux list. I would include a reference to 
this thread and all the relevant details: the kernel you're running, the 
policy version (rpm -qa | grep selinux...setrouble), setroubleshoot 
version, the error messages below, and that you run in permissive and 
used preupgrade to go from f8 to f9.
This will ensure that the right people see your message. This list is 
also monitored but I think when they get busy fedora-selinux is likely 
to still get checked more often than fedora-list.

I don't have any other sane suggestions left. I feel like the answer is 
right there but I can't quite put my finger on it. If you feel like 
being a guinea pig and are willing to absolve me of all responsibility 
then let me know :^)  My curiosity is piqued so I will try to dig up what 
I can and I'll let you know if I feel like I have found a good answer.

Take it easy,


P.S. - this line from the output below :

> SELinux: policy loaded with handle_unknown=deny

Something about this is bugging me, I am checking with google but so far 
I haven't found what I am looking for, try searching for this and see 
what you come up with... I think it should be set to allow on fedora but 
I am not sure of the circumstances under which it would be set to 
allow/deny so I could be has to do, IIRC, with other 
security checks in the kernel? I am not finding the same info I did 
before on this and my memory isn't playing ball.

Fortune favors the BOLD
