setroubleshoot problem

max maximilianbianco at gmail.com
Fri Jul 18 14:10:11 UTC 2008


Steve wrote:
> 
>> ---- max <maximilianbianco at gmail.com> wrote: 
> 
>>> 2 - The only other sane thing I could advise you to do is bounce your 
>>> question off the fedora-selinux list. I would include a reference to 
>>> this thread and all the relevant details. The kernel you're running, the 
>>> policy version (rpm -qa | grep selinux...setrouble), setroubleshoot 
>>> version, the error messages below, and that you run in permissive and 
>>> used preupgrade to go from f8 to f9.
>>> This will ensure that the right people see your message, this list is 
>>> also monitored but I think when they get busy fedora-selinux is likely 
>>> to still get checked more often than fedora-list.
>> I was trying to avoid this. I already get several hundred e-mails per day and I would guess that the selinux list is pretty busy too. Oh well, I'll just have to deal with it for a while.
> 
> I found this in the SELinux list archives:
> 
> http://www.nsa.gov/SELinux/list-archive/0801/thread_body36.cfm
> 
> which appears to say there was a problem but it was fixed in a patch. I wonder if it has not made it to F9 yet?
> 
> Steve
It could be related but they seem to have been running mls policy which 
is not the default policy in f9. I think the patch would have made it 
into F9 by now, the thread dates back to January and F9 released in May 
if memory serves. I think in the end you will have to rebuild the 
policy. The only way that I know of to change the handle_unknown=deny to 
allow is at policy build time. This is set to allow in F8 and F9. Why 
yours is not this way is something I don't understand, unless mine is 
screwed up somehow but I doubt it. I have looked at two f9 boxes and an 
f8 box. All of them have the handle_unknown=allow. Maybe a third party 
could confirm this:

dmesg | grep -i selinux


Use the Force,

Max