setroub;eshoot problem
max
maximilianbianco at gmail.com
Fri Jul 18 14:24:56 UTC 2008
max wrote:
> Steve wrote:
>>
>>> ---- max <maximilianbianco at gmail.com> wrote:
>>
>>>> 2 - The only other sane thing I could advise you too do is bounce
>>>> your question off the fedora-selinux list. I would include a
>>>> reference to this thread and all the relevant details. The kernel
>>>> your running, the policy version (rpm -qa | grep
>>>> selinux...setrouble) , setroubleshoot version, the error messages
>>>> below , and that you run in permissive and used preupgrade to go
>>>> from f8 to f9.
>>>> This will ensure that the right people see your message, this list
>>>> is also monitored but I think when they get busy fedora-selinux is
>>>> likely to still get checked more often than fedora-list.
>>> I was trying to avoid this. I already get several hundred e-mails per
>>> day and I would guess that the selinux list is pretty busy too. Oh
>>> well, I'll just have to deal with it for a while.
>>
>> I found this in the SELinux list archives:
>>
>> http://www.nsa.gov/SELinux/list-archive/0801/thread_body36.cfm
>>
>> which appears to say there was a problem but it was fixed in a patch.
>> I wonder if it has not made it to F9 yet?
>>
>> Steve
> It could be related but they seem to have been running mls policy which
> is not the default policy in f9. I think the patch would have made it
> into F9 by now, the thread dates back to January and F9 released in May
> if memory serves. I think in the end you will have to rebuild the
> policy. The only way that I know of to change the handle_unknown=deny to
> allow is at policy build time. This is set to allow in F8 and F9. Why
> yours is not this way is something I don't understand, unless mine is
> screwed up somehow but I doubt it. I have looked at two f9 boxes and an
> f8 box. All of them have the handle_unknown=allow. Maybe a third party
> could confirm this :
>
> dmesg | grep -i selinux
>
>
> Use the Force,
>
> Max
Steve,
Try semodule -B . It had completely slipped past me. It will force a
rebuild and reload of policy.
Checkout man semodule.
Max
--
Fortune favors the BOLD
More information about the fedora-list
mailing list