setroubleshoot problem

Steve zephod at
Thu Jul 17 20:40:18 UTC 2008

---- max <maximilianbianco at> wrote: 
> > Where do I go from here?
> 0 - Well one option, that I don't generally encourage unless you're in a 
> hurry, is to do a fresh install of F9. You won't learn anything and 
> you've expressed interest in SELinux so I would encourage you to take 
> advantage of the learning opportunity, especially if you're dual booting 
> and it's a very minor inconvenience to reboot a desktop/laptop machine, 
> at least as far as I am concerned.

I think I may have to re-install in the end because I'm seeing some really weird things but until I totally destroy the emachine I might as well experiment.

I ran:
# restorecon -n -v -r
to see if any file would need to be relabelled. It showed that all my shared library files were of type lib_t when the default was shlib_t so I went ahead and relabelled them. It didn't solve the setroubleshoot problem though and now root does not appear to have access to init.

> 1 - Check for bugs against preupgrade that relate to SELinux and check 
> for bugs against SETroubleshoot. I'm pretty sure SEtroubleshoot is a 
> symptom not a cause of your problem but it doesn't hurt to check.

There are a couple of bugs that might be related but are not quite the same. 439299 and 449176.

> 2 - The only other sane thing I could advise you to do is bounce your 
> question off the fedora-selinux list. I would include a reference to 
> this thread and all the relevant details. The kernel you're running, the 
> policy version (rpm -qa | grep selinux...setrouble) , setroubleshoot 
> version, the error messages below , and that you run in permissive and 
> used preupgrade to go from f8 to f9.
> This will ensure that the right people see your message, this list is 
> also monitored but I think when they get busy fedora-selinux is likely 
> to still get checked more often than fedora-list.

I was trying to avoid this. I already get several hundred e-mails per day and I would guess that the selinux list is pretty busy too. Oh well, I'll just have to deal with it for a while.

> I don't have any other sane suggestions left. I feel like the answer is 
> right there but I can't quite put my finger on it. If you feel like 
> being a guinea pig and are willing to absolve me of all responsibility 
> then let me know:^)  My curiosity is piqued so I will try to dig up what 
> I can and I'll let you know if I feel like I have found a good answer.
> Take it easy,
> Max
> P.S. - this line from the output below :
> > SELinux: policy loaded with handle_unknown=deny
> Something about this is bugging me, I am checking with google but so far 
> I haven't found what I am looking for, try searching for this and see 
> what you come up with... I think it should be set to allow on fedora but 
> I am not sure of the circumstances under which it would be set to 
> allow/deny so I could be has to do, IIRC, with other 
> security checks in the kernel? I am not finding the same info I did 
> before on this and my memory isn't playing ball.

Yes, this doesn't seem right. From what I've read, the strict policy would have a default of deny but a targeted policy should be allow.

Thanks for the suggestions
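
The following is an added example, not part of the original message: a way to summarize a `restorecon -n -v -r` dry run by type change (such as the lib_t to shlib_t case described above) before relabelling anything. The function name, the sample paths and the two output formats it parses ("Would relabel ... from ... to ..." and the older "restorecon reset ... context OLD->NEW") are assumptions about the installed policycoreutils version.

```shell
#!/bin/sh
# Added example: group restorecon dry-run output by SELinux type change,
# so a mass relabel can be reviewed before it is applied.

# summarize_relabels (hypothetical helper): reads restorecon -n -v output on
# stdin, prints "<count> <old_type> -> <new_type>", most frequent first.
summarize_relabels() {
    awk '
    # The type is the third field of user:role:type[:level].
    function ctx_type(ctx,   f) { split(ctx, f, ":"); return f[3] }

    # Assumed newer format: "Would relabel PATH from OLD to NEW".
    # Fields are counted from the end so paths containing spaces still parse.
    /^(Would relabel|Relabeled) / {
        if ($(NF-3) == "from" && $(NF-1) == "to")
            count[ctx_type($(NF-2)) " -> " ctx_type($NF)]++
        next
    }

    # Assumed older format: "restorecon reset PATH context OLD->NEW".
    /^restorecon reset / {
        if (split($NF, pair, "->") == 2)
            count[ctx_type(pair[1]) " -> " ctx_type(pair[2])]++
        next
    }

    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample output (not captured from a real system).
sample_output() {
cat <<'EOF'
Would relabel /lib/libc-2.8.so from system_u:object_r:lib_t:s0 to system_u:object_r:shlib_t:s0
Would relabel /usr/lib/libz.so.1.2.3 from system_u:object_r:lib_t:s0 to system_u:object_r:shlib_t:s0
restorecon reset /lib/libm-2.8.so context system_u:object_r:lib_t:s0->system_u:object_r:shlib_t:s0
Would relabel /home/user/my notes.txt from system_u:object_r:default_t:s0 to unconfined_u:object_r:user_home_t:s0
EOF
}

# Demo on the sample; on a real system pipe the dry run in instead:
#   restorecon -n -v -r <path> 2>&1 | summarize_relabels
sample_output | summarize_relabels
```

A single dominant transition across many files, as in the sample, points at a policy or file-context change rather than scattered mislabelling.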
