setroubleshoot problem [SOLVED]

Steve zephod at cfl.rr.com
Sun Jul 20 02:14:58 UTC 2008


---- max <maximilianbianco at gmail.com> wrote: 
> max wrote:
> > Steve wrote:
> >>
> >>> ---- max <maximilianbianco at gmail.com> wrote: 
> >>
> >>>> 2 - The only other sane thing I could advise you to do is bounce 
> >>>> your question off the fedora-selinux list. I would include a 
> >>>> reference to this thread and all the relevant details. The kernel 
> >>>> you're running, the policy version (rpm -qa | grep 
> >>>> selinux...setrouble) , setroubleshoot version, the error messages 
> >>>> below , and that you run in permissive and used preupgrade to go 
> >>>> from f8 to f9.
> >>>> This will ensure that the right people see your message, this list 
> >>>> is also monitored but I think when they get busy fedora-selinux is 
> >>>> likely to still get checked more often than fedora-list.
> >>> I was trying to avoid this. I already get several hundred e-mails per 
> >>> day and I would guess that the selinux list is pretty busy too. Oh 
> >>> well, I'll just have to deal with it for a while.
> >>
> >> I found this in the SELinux list archives:
> >>
> >> http://www.nsa.gov/SELinux/list-archive/0801/thread_body36.cfm
> >>
> >> which appears to say there was a problem but it was fixed in a patch. 
> >> I wonder if it has not made it to F9 yet?
> >>
> >> Steve
> > It could be related but they seem to have been running mls policy which 
> > is not the default policy in f9. I think the patch would have made it 
> > into F9 by now, the thread dates back to January and F9 released in May 
> > if memory serves. I think in the end you will have to rebuild the 
> > policy. The only way that I know of to change the handle_unknown=deny to 
> > allow is at policy build time. This is set to allow in F8 and F9. Why 
> > yours is not this way is something I don't understand, unless mine is 
> > screwed up somehow but I doubt it. I have looked at two f9 boxes and an 
> > f8 box. All of them have the handle_unknown=allow. Maybe a third party 
> > could confirm this :
> > 
> > dmesg | grep -i selinux
> > 
> > 
> > Use the Force,
> > 
> > Max
> Steve,
> 
> Try semodule -B. It had completely slipped past me. It will force a 
> rebuild and reload of policy.
> Check out man semodule.

Well, I tried that and it didn't appear to do anything. It immediately returned me to the prompt.

However, there was an update to the policy made available yesterday afternoon. I installed it (I can't tell you exactly what it was because I'm on a different machine right now) and then ran the changes from the July 10th entry of Dan Walsh's blog (http://danwalsh.livejournal.com/), and my problem has gone away. Yea! I can now start up setroubleshootd. I wonder if that problem I noted above just made it to F9?

Now on to my next selinux problem on a different machine. I'll start a different thread for that.

Thanks for the help, Max.

Steve



