setroubleshoot problem [SOLVED]
zephod at cfl.rr.com
Sun Jul 20 02:14:58 UTC 2008
---- max <maximilianbianco at gmail.com> wrote:
> max wrote:
> > Steve wrote:
> >>> ---- max <maximilianbianco at gmail.com> wrote:
> >>>> 2 - The only other sane thing I could advise you to do is bounce
> >>>> your question off the fedora-selinux list. I would include a
> >>>> reference to this thread and all the relevant details. The kernel
> >>>> you're running, the policy version (rpm -qa | grep
> >>>> selinux...setrouble) , setroubleshoot version, the error messages
> >>>> below , and that you run in permissive and used preupgrade to go
> >>>> from f8 to f9.
> >>>> This will ensure that the right people see your message, this list
> >>>> is also monitored but I think when they get busy fedora-selinux is
> >>>> likely to still get checked more often than fedora-list.
> >>> I was trying to avoid this. I already get several hundred e-mails per
> >>> day and I would guess that the selinux list is pretty busy too. Oh
> >>> well, I'll just have to deal with it for a while.
> >> I found this in the SELinux list archives:
> >> http://www.nsa.gov/SELinux/list-archive/0801/thread_body36.cfm
> >> which appears to say there was a problem but it was fixed in a patch.
> >> I wonder if it has not made it to F9 yet?
> >> Steve
> > It could be related but they seem to have been running mls policy which
> > is not the default policy in f9. I think the patch would have made it
> > into F9 by now, the thread dates back to January and F9 released in May
> > if memory serves. I think in the end you will have to rebuild the
> > policy. The only way that I know of to change the handle_unknown=deny to
> > allow is at policy build time. This is set to allow in F8 and F9. Why
> > yours is not this way is something I don't understand, unless mine is
> > screwed up somehow but I doubt it. I have looked at two f9 boxes and an
> > f8 box. All of them have the handle_unknown=allow. Maybe a third party
> > could confirm this :
> > dmesg | grep -i selinux
> > Use the Force,
> > Max
> Try semodule -B . It had completely slipped past me. It will force a
> rebuild and reload of policy.
> Check out man semodule.
Well, I tried that and it didn't appear to do anything. It immediately returned me to the prompt.
However, there was an update to the policy made available yesterday afternoon. I installed it (I can't tell you exactly what it was because I'm on a different machine right now) and then ran the changes from the July 10th entry of Dan Walsh's blog, (http://danwalsh.livejournal.com/) and my problem has gone away. Yea! I can now start up setroubleshootd. I wonder if that problem I noted above just made it to F9?
Now on to my next selinux problem on a different machine. I'll start a different thread for that.
Thanks for the help, Max.