zephod at cfl.rr.com
Thu Jul 17 20:40:18 UTC 2008
---- max <maximilianbianco at gmail.com> wrote:
> > Where do I go from here?
> 0 - Well one option, that I don't generally encourage unless you're in a
> hurry, is to do a fresh install of F9. You won't learn anything and
> you've expressed interest in SELinux so I would encourage you to take
> advantage of the learning opportunity, especially if you're dual booting
> and it's a very minor inconvenience to reboot a desktop/laptop machine,
> at least as far as I am concerned.
I think I may have to re-install in the end because I'm seeing some really weird things but until I totally destroy the emachine I might as well experiment.
# restorecon -n -v -r
to see if any file would need to be relabelled. It showed that all my shared library files were of type lib_t when the default was shlib_t so I went ahead and relabelled them. It didn't solve the setroubleshoot problem though and now root does not appear to have access to init.
> 1 - Check for bugs against preupgrade that relate to SELinux and check
> for bugs against SETroubleshoot. I'm pretty sure SEtroubleshoot is a
> symptom not a cause of your problem but it doesn't hurt to check.
There are a couple of bugs that might be related but are not quite the same. 439299 and 449176.
> 2 - The only other sane thing I could advise you to do is bounce your
> question off the fedora-selinux list. I would include a reference to
> this thread and all the relevant details. The kernel you're running, the
> policy version (rpm -qa | grep selinux...setrouble) , setroubleshoot
> version, the error messages below , and that you run in permissive and
> used preupgrade to go from f8 to f9.
> This will ensure that the right people see your message, this list is
> also monitored but I think when they get busy fedora-selinux is likely
> to still get checked more often than fedora-list.
I was trying to avoid this. I already get several hundred e-mails per day and I would guess that the selinux list is pretty busy too. Oh well, I'll just have to deal with it for a while.
> I don't have any other sane suggestions left. I feel like the answer is
> right there but I can't quite put my finger on it. If you feel like
> being a guinea pig and are willing to absolve me of all responsibility
> then let me know:^) My curiosity is piqued so I will try to dig up what
> I can and I'll let you know if I feel like I have found a good answer.
> Take it easy,
> P.S. - this line from the output below :
> > SELinux: policy loaded with handle_unknown=deny
> Something about this is bugging me, I am checking with google but so far
> I haven't found what I am looking for, try searching for this and see
> what you come up with... I think it should be set to allow on fedora but
> I am not sure of the circumstances under which it would be set to
> allow/deny so I could be wrong....it has to do, IIRC, with other
> security checks in the kernel? I am not finding the same info I did
> before on this and my memory isn't playing ball.
Yes, this doesn't seem right. From what I've read, the strict policy would have a default of deny but a targeted policy should be allow.
Thanks for the suggestions