F10 SElinux issues

Steve zephod at cfl.rr.com
Tue Aug 4 15:11:50 UTC 2009


Daniel,

---- Daniel J Walsh <dwalsh at redhat.com> wrote: 
> On 08/03/2009 10:50 AM, Steve Blackwell wrote:
> > Ever since I upgraded from F9 to F10 when F9 went EOL I've been having
> > lots of SElinux warnings. Here's one I get at seemingly random times,
> > i.e. not when I log in.
> > 
> > Aug  3 09:06:50 steve setroubleshoot: SELinux is preventing
> > polkit-read-aut (polkit_auth_t) "write" to /var/log/gdm/:0-greeter.log
> > (xserver_log_t). For complete SELinux messages. run sealert -l
> > a4a0ec72-1ae8-46af-a27c-441b4a5f1cdb
> > 
> This looks like a redirection of stdout to the log file.  You can add this rule using 
> 
> # grep polkit-read-aut /var/log/audit/audit.log | audit2allow -M mypolkit
> # semodule -i mypolkit.pp
>  
> I believe this is actually a bug in xdm, in that it should be passing append privs for its log versus write.

I can, and will, try this but it seems to me I have a more fundamental problem. 
As I said, this is just one of many alerts. They come in bunches every half hour or so. The latest group were all "SElinux is preventing certwatch from....". 7 of them. Before that it was system-config-s and polkit, about 25 different ones of those, some with multiple instances. In F9, I would only occasionally get an alert. Also, if this is really a bug in xdm, can I really be the first one to find it? F10 has been out for 7 or 8 months.

> If a relabel caused you to lose labels, then you need to add the labels via semanage fcontext instead of just executing a chcon.
> 
> For example, if I had web content under /myweb
> 
> # semanage fcontext -a -t httpd_sys_content_t '/myweb(/.*)?'
> # restorecon -R -v /myweb
> 
> Would tell the SELinux system about my alternative labeling.

I don't really have alternative labelling. I just fixed a few of the things that got flagged. I guess a relabel put everything back to the default. IIUC what you are suggesting is to make those changes permanent. Would an rpm update to policy override that?

Thanks,
Steve
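As an added example that is not part of this thread, the shell/awk script below groups raw AVC denials from an audit.log by source type, target type, class and permission, and separately lists "write" denials on *_log_t files, which (per Dan's append-versus-write remark) are worth a second look before feeding everything to audit2allow. The audit records are constructed to resemble the greeter-log denial; the pids, inodes, timestamps and the certwatch target type are assumptions.

```shell
#!/bin/sh
# Constructed sample audit.log (not a real capture): two write denials on the
# gdm greeter log and one multi-permission denial from certwatch.
SAMPLE_AUDIT_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_AUDIT_LOG"' EXIT
cat > "$SAMPLE_AUDIT_LOG" <<'EOF'
type=AVC msg=audit(1249290410.123:101): avc:  denied  { write } for  pid=2345 comm="polkit-read-aut" path="/var/log/gdm/:0-greeter.log" dev=dm-0 ino=12345 scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file
type=AVC msg=audit(1249290411.456:102): avc:  denied  { write } for  pid=2346 comm="polkit-read-aut" path="/var/log/gdm/:0-greeter.log" dev=dm-0 ino=12345 scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file
type=AVC msg=audit(1249290500.789:103): avc:  denied  { read open } for  pid=2400 comm="certwatch" name="cert.pem" dev=dm-0 ino=22222 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1249290500.789:103): arch=c000003e syscall=2 success=no exit=-13
EOF

# avc_summary FILE
# One line per distinct "source_type target_type class permission" tuple,
# prefixed by its count, highest count first. Only type=AVC denial records
# are read; SYSCALL and other record types are skipped.
avc_summary() {
    awk '
        /^type=AVC / && /avc: *denied/ {
            # permissions sit inside the braces: { write } or { read open }
            match($0, /\{[^}]*\}/)
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            sub(/^ +/, "", perms); sub(/ +$/, "", perms)
            src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                # contexts are user:role:type:level; the type is field 3
                if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
                else if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
                else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++) count[src " " tgt " " cls " " p[j]]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' "$1" | sort -rn
}

# log_write_denials FILE
# Denials asking for "write" on a *_log_t file. A logger normally only needs
# "append", so these deserve review rather than a blanket allow rule.
log_write_denials() {
    avc_summary "$1" | awk '$3 ~ /_log_t$/ && $5 == "write"'
}

avc_summary "$SAMPLE_AUDIT_LOG"
log_write_denials "$SAMPLE_AUDIT_LOG"
```

Run it against the real file with `avc_summary /var/log/audit/audit.log` to see which few (source, target, permission) tuples account for a burst of alerts.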