Humpty Dumpty - some successes
Bob Gustafson
bobgus at rcn.com
Wed May 5 06:12:45 UTC 2004
Thanks much for all your replies.
I did what you recommended and at the end of it all I rebooted with
grub parameters 'selinux=1 enforcing=1'
It does seem to be working and securely (I cannot telnet in from another
system and my sound does not work ..)
[I really shouldn't mention telnet on this list..]
----- I do have a few questions though - some may be OT -----
Yum must have a different header cache, as the command line below refetched
a lot of header files. The sources file for my up2date contains 'yum' lines
- why is it not the same cache?
[root at hoho2 user1]# yum install setools*
...
unarj-debuginfo-0-2.63a-5 100% |=========================| 1.5 kB 00:00
pidentd-debuginfo-0-3.0.1 100% |=========================| 4.6 kB 00:00
commons-modeler-debuginfo 100% |=========================| 2.3 kB 00:00
VFlib2-debuginfo-0-2.25.6 100% |=========================| 5.6 kB 00:00
radvd-debuginfo-0-0.7.2-7 100% |=========================| 3.6 kB 00:00
Cannot find a package matching setools-1.3-2.i386.rpm
Cannot find a package matching setools-gui-1.3-2.i386.rpm
No actions to take
[root at hoho2 user1]#
I did it again with the '-t' option - got fewer output lines, but the Cannot
find lines were still there.
[root at hoho2 user1]# yum -t install setools*
Gathering header information file(s) from server(s)
Server: Fedora Core 1.92 - Development Tree
Finding updated packages
Downloading needed headers
Cannot find a package matching setools-1.3-2.i386.rpm
Cannot find a package matching setools-gui-1.3-2.i386.rpm
No actions to take
[root at hoho2 user1]#
Setools is installed on my system though. (Maybe the yum default sources
file is not pointed correctly?)
[root at hoho2 user1]# rpm -q -i setools | more
Name : setools Relocations: /usr
Version : 1.3 Vendor: Red Hat, Inc.
Release : 2 Build Date: Mon 19 Apr 2004 07:50:44 PM CDT
Install Date: Mon 03 May 2004 01:50:24 PM CDT Build Host: tweety.devel.redhat.com
[root at hoho2 user1]# rpm -q -i setools-gui | more
Name : setools-gui Relocations: /usr
Version : 1.3 Vendor: Red Hat, Inc.
Release : 2 Build Date: Mon 19 Apr 2004 07:50:44 PM CDT
Install Date: Mon 03 May 2004 01:50:38 PM CDT Build Host: tweety.devel.redhat.com
Then I did:
fixfiles relabel
One supposes (me at least) that once 'fixfiles relabel' has been run, then
a second run of that program will not find any files to fix.
This was not the case for me. I actually did 'fixfiles relabel' three
times and even on the last one I got diagnostic output.
A typical bunch of diagnostics looked like this:
Cleaning out /tmp
/usr/sbin/setfiles: conflicting specifications for /lib/modules/2.6.3-2.1.253.2.1custom/modules.dep and /lib/modules/2.6.5-1.327/build/include/config/MARKER, using system_u:object_r:modules_dep_t.
/usr/sbin/setfiles: conflicting specifications for /usr/src/redhat/BUILD/ooo-build-1.1.53pre/build/OOO_1_1_1/setup2/unxlngi4.pro/bin/tplx64533.res and /var/tmp/openoffice.org-1.1.1-root/usr/lib/ooo-1.1/program/resource/tplx64533.res, using system_u:object_r:src_t.
/usr/sbin/setfiles: conflicting specifications for /usr/src/redhat/BUILD/ooo-build-1.1.53pre/build/OOO_1_1_1/setup2/unxlngi4.pro/bin/tplx64590.res and /var/tmp/openoffice.org-1.1.1-root/usr/lib/ooo-1.1/program/resource/tplx64590.res, using system_u:object_r:src_t.
There is a pattern here, but I can't express it in fixable terms.
------
This is my new virgin login after the fixfiles and with
grub parameters 'selinux=1 enforcing=0'
Fedora Core release 1.92 (FC2 Test 3)
Kernel 2.6.5-1.327custom on an i686
hoho2 login: user1
Password:
Your default context is user_u:user_r:user_t.
Do you want to choose a different one? [n]
Last login: Tue May 4 11:05:30 from TZ
[user1 at hoho2 user1]$ date
Tue May 4 16:45:14 CDT 2004
[user1 at hoho2 user1]$
System Tools -> Sound Card Detection -> play sound
May 4 19:43:51 hoho2 udev[3472]: creating device node '/udev/audio'
May 4 19:43:51 hoho2 udev[3479]: creating device node '/udev/adsp'
May 4 19:43:51 hoho2 kernel: audit(1083717831.232:0): avc: denied { relabelfrom } for pid=3485 exe=/sbin/restorecon name=mixer dev=sda2 ino=5374112 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=lnk_file
May 4 19:43:51 hoho2 kernel: audit(1083717831.232:0): avc: denied { relabelto } for pid=3485 exe=/sbin/restorecon name=mixer dev=sda2 ino=5374112 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:sound_device_t tclass=lnk_file
Seems to be a problem with the sound card stuff - even though it is not
enforcing at the moment. It worked before SELinux.
----- Now the acid test - reboot with grub parameters 'selinux=1 enforcing=1'
Fedora Core release 1.92 (FC2 Test 3)
Kernel 2.6.5-1.327custom on an i686
hoho2 login: audit(1083719173.508:0): avc: denied { getattr } for pid=2035 exe=/bin/bash path=/etc/hotplug dev=sda2 ino=1458282 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
audit(1083719173.508:0): avc: denied { search } for pid=2035 exe=/bin/bash name=hotplug dev=sda2 ino=1458282 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
audit(1083719173.508:0): avc: denied { search } for pid=2035 exe=/bin/bash name=hotplug dev=sda2 ino=1458282 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
audit(1083719173.512:0): avc: denied { search } for pid=2035 exe=/bin/bash name=hotplug dev=sda2 ino=1458282 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
audit(1083719173.513:0): avc: denied { search } for pid=2035 exe=/bin/bash name=log dev=sda2 ino=720918 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:var_log_t tclass=dir
audit(1083719173.514:0): avc: denied { search } for pid=2035 exe=/bin/bash name=log dev=sda2 ino=720918 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:var_log_t tclass=dir
user1
Password:
Your default context is user_u:user_r:user_t.
Do you want to choose a different one? [n]
Last login: Tue May 4 20:27:17 from TZ
[user1 at hoho2 user1]$
Lots of diagnostic messages between the login: and the 'user1' response!!
--- Note that it really is enforcing ---
[user1 at hoho2 user1]$ od -c /selinux/enforce
0000000 1
0000001
[user1 at hoho2 user1]$
--- However the /etc/sysconfig/selinux file still says 'disabled'
[root at hoho2 user1]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcinfg - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
[root at hoho2 user1]# date
Tue May 4 20:35:31 CDT 2004
[root at hoho2 user1]#
(Note typo in the enforcing line of this file)
Maybe the grub kernel line overrides whatever is in this file? Perhaps the
information in this file controls the boot situation when there is no
additional boot grub parameter?
Here is a try at rsync to a machine without SELinux
[root at hoho2 user1]# vim nextboot.bug
[root at hoho2 user1]# rsync nextboot.bug hoho0:/home/bobg
root at hoho0's password:
Warning: No xauth data; using fake authentication data for X11 forwarding.
Server is very old version of rsync, upgrade recommended.
[root at hoho2 user1]#
It seems to say that it has faked it, but no file was transferred.
up2date does not work with enforcing=1
I noticed that there were a bunch more update files available, so I
installed all (including the 349 kernel), and then rebooted with enforcing=1
It actually does boot - and I can also 'su'
bedtime
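The AVC denials quoted in this message are the raw material for deciding whether a file is mislabelled or a policy rule is missing. The following is an added example, not code from Bob's post or from Fedora: a small Python parser that reads `avc: denied { perm } for ... scontext=... tcontext=... tclass=...` records and groups them the way audit2allow does (source domain, target type, object class, union of permissions). The sample input is constructed from the denials quoted above, joined onto single lines, plus one made-up `granted` record to show that non-denials are skipped; the field names are those of the 2.6-era kernel AVC format shown on the page.

```python
import re
from collections import defaultdict

# Constructed sample: the denials quoted in the post (joined onto single lines)
# plus one made-up "granted" record, which the summary must ignore.
SAMPLE_LOG = """\
May 4 19:43:51 hoho2 kernel: audit(1083717831.232:0): avc: denied { relabelfrom } for pid=3485 exe=/sbin/restorecon name=mixer dev=sda2 ino=5374112 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=lnk_file
May 4 19:43:51 hoho2 kernel: audit(1083717831.232:0): avc: denied { relabelto } for pid=3485 exe=/sbin/restorecon name=mixer dev=sda2 ino=5374112 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:sound_device_t tclass=lnk_file
audit(1083719173.508:0): avc: denied { getattr } for pid=2035 exe=/bin/bash path=/etc/hotplug dev=sda2 ino=1458282 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
audit(1083719173.508:0): avc: denied { search } for pid=2035 exe=/bin/bash name=hotplug dev=sda2 ino=1458282 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
audit(1083719173.512:0): avc: denied { search } for pid=2035 exe=/bin/bash name=hotplug dev=sda2 ino=1458282 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
audit(1083719173.513:0): avc: denied { search } for pid=2035 exe=/bin/bash name=log dev=sda2 ino=720918 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:var_log_t tclass=dir
audit(1083719200.000:0): avc: granted { read } for pid=1 exe=/sbin/init path=/etc/passwd scontext=system_u:system_r:init_t tcontext=system_u:object_r:etc_t tclass=file
"""

# "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": set(m.group("perms").split())}
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def summarize_denials(text):
    """Group denials by (source domain, target type, object class) and union
    their permissions: the same grouping audit2allow uses for a proposed rule."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "exes": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        # A context is user:role:type; the type is what policy rules name.
        sdom = rec["scontext"].split(":")[2]
        ttype = rec["tcontext"].split(":")[2]
        g = groups[(sdom, ttype, rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["count"] += 1
        g["exes"].add(rec.get("exe", "?"))
    return dict(groups)


def format_rule(key, info):
    """Render one group as the allow rule a policy author would review."""
    sdom, ttype, tclass = key
    return f"allow {sdom} {ttype}:{tclass} {{ {' '.join(sorted(info['perms']))} }};"


if __name__ == "__main__":
    for key, info in summarize_denials(SAMPLE_LOG).items():
        exes = ", ".join(sorted(info["exes"]))
        print(f"{info['count']:3d}x  {format_rule(key, info)}  # exe: {exes}")
```

The grouped output is a triage aid, not a rule to paste into policy: the `udev_t` denials above were raised by `restorecon` trying to relabel `/dev/mixer`, which points at a labelling problem on the device nodes rather than a missing permission, so checking the affected paths with `ls -Z` (and the file_contexts entries they should match) comes before any allow rule.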
More information about the fedora-selinux-list mailing list