setroubleshoot: Import error....

Daniel J Walsh dwalsh at redhat.com
Tue Aug 8 18:48:42 UTC 2006


Tom London wrote:
> On 8/8/06, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> Tom London wrote:
>> > I tried relabeling everything in /usr/share/setroubleshoot to lib_t
>> > and restarting setroubleshoot service. Now get:
>> >
>> > type=AVC msg=audit(1155049018.305:33): avc:  denied  { write } for
>> > pid=4347 comm="python" name="auditd_sock" dev=dm-0 ino=2785383
>> > scontext=user_u:system_r:setroubleshootd_t:s0
>> > tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
>> > type=SYSCALL msg=audit(1155049018.305:33): arch=40000003 syscall=102
>> > success=no exit=-13 a0=3 a1=bf9ce780 a2=2db118 a3=0 items=0 ppid=1
>> > pid=4347 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> > fsgid=0 tty=(none) comm="python" exe="/usr/bin/python"
>> > subj=user_u:system_r:setroubleshootd_t:s0 key=(null)
>> >
>> > tom
>> >
>> Could you try to update to the policy available on
>> ftp://people.redhat.com:dwalsh/SELinux/Fedora
>>
> No joy.  Get this on the update:
>
> (1/2): selinux-policy-2.3 100% |=========================| 291 kB    00:00
> (2/2): selinux-policy-tar 100% |=========================| 648 kB    00:02
> Running Transaction Test
> Finished Transaction Test
> Transaction Test Succeeded
> Running Transaction
>  Updating  : selinux-policy               ######################### [1/4]
>  Updating  : selinux-policy-targeted      ######################### [2/4]
> libsemanage.semanage_install_active: Could not copy
> /etc/selinux/targeted/modules/active/netfilter_contexts to
> /etc/selinux/targeted/contexts/netfilter_contexts.
> libsemanage.semanage_install_active: Could not copy
> /etc/selinux/targeted/modules/active/netfilter_contexts to
> /etc/selinux/targeted/contexts/netfilter_contexts.
> semodule:  Failed!
>  Cleanup   : selinux-policy               ######################### [3/4]
>  Cleanup   : selinux-policy-targeted      ######################### [4/4]
>
> Updated: selinux-policy.noarch 0:2.3.5-1
> selinux-policy-targeted.noarch 0:2.3.5-1
> Complete!
>
Try to run the update in permissive mode.

setenforce 0
semodule -b /usr/share/selinux/targeted/base.pp
setenforce 1

There is a chicken-and-egg situation with the netfilter_contexts problem
above, which is not allowing the policy rules to be updated with the
proper allows to eliminate this problem.

> And get this on 'service setroubleshoot start':
>
> type=AVC msg=audit(1155053599.312:40): avc:  denied  { getattr } for
> pid=3687 comm="python" name="__init__.py" dev=dm-0 ino=8589037
> scontext=user_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
> type=SYSCALL msg=audit(1155053599.312:40): arch=40000003 syscall=195
> success=no exit=-13 a0=bf899217 a1=bf898d04 a2=8e4ff4 a3=21 items=0
> ppid=3686 pid=3687 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python"
> subj=user_u:system_r:setroubleshootd_t:s0 key=(null)
> type=AVC_PATH msg=audit(1155053599.312:40):
> path="/usr/share/setroubleshoot/plugins/__init__.py"
> type=AVC msg=audit(1155053599.312:41): avc:  denied  { getattr } for
> pid=3687 comm="python" name="__init__.pyc" dev=dm-0 ino=8587951
> scontext=user_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
> type=SYSCALL msg=audit(1155053599.312:41): arch=40000003 syscall=195
> success=no exit=-13 a0=bf899217 a1=bf898d04 a2=8e4ff4 a3=21 items=0
> ppid=3686 pid=3687 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python"
> subj=user_u:system_r:setroubleshootd_t:s0 key=(null)
> type=AVC_PATH msg=audit(1155053599.312:41):
> path="/usr/share/setroubleshoot/plugins/__init__.pyc"
>
> 'chcon -t lib_t /usr/share/setroubleshoot/plugin/*'  followed by
> 'service setroubleshoot start' results in the same:
>
> type=AVC msg=audit(1155053762.417:42): avc:  denied  { write } for
> pid=3760 comm="python" name="auditd_sock" dev=dm-0 ino=2785383
> scontext=user_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
> type=SYSCALL msg=audit(1155053762.417:42): arch=40000003 syscall=102
> success=no exit=-13 a0=3 a1=bfab15f0 a2=26a118 a3=0 items=0 ppid=3759
> pid=3760 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) comm="python" exe="/usr/bin/python"
> subj=user_u:system_r:setroubleshootd_t:s0 key=(null)
>
>
> tom
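
Added example, not part of the original thread: a small Python parser that takes AVC records as they appear in a quoted, line-wrapped mail like this one and groups the denials into audit2allow-style rules, so the missing permissions can be read at a glance and reviewed. The function names are hypothetical and the sample is built from two of the denials quoted above.

```python
import re
from collections import defaultdict

SAMPLE = """\
> type=AVC msg=audit(1155053599.312:40): avc:  denied  { getattr } for
> pid=3687 comm="python" name="__init__.py" dev=dm-0 ino=8589037
> scontext=user_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
> type=AVC msg=audit(1155053762.417:42): avc:  denied  { write } for
> pid=3760 comm="python" name="auditd_sock" dev=dm-0 ino=2785383
> scontext=user_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
>
> tom
"""  # constructed sample: two denials from the thread, still quoted and wrapped

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+"
                    r"\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Strip mail quote markers and rejoin records wrapped across lines."""
    records, in_record = [], False
    for line in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", line).strip()
        if line.startswith("type="):
            records.append(line)
            in_record = True
        elif line and in_record:
            records[-1] += " " + line
        else:
            in_record = False  # a blank line ends the audit excerpt
    return records

def parse_denials(text):
    """Return (source type, target type, class, perms) for each AVC denial."""
    out = []
    for m in filter(None, map(AVC_RE.match, unwrap(text))):  # skips SYSCALL etc.
        f = dict(KV_RE.findall(m.group(2)))
        out.append((f["scontext"].split(":")[2], f["tcontext"].split(":")[2],
                    f["tclass"], m.group(1).split()))
    return out

def missing_rules(text):
    """Group denials into audit2allow-style allow rules, for review only."""
    grouped = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        grouped[(src, tgt, cls)].update(perms)
    return sorted("allow %s %s:%s { %s };" % (*k, " ".join(sorted(p)))
                  for k, p in grouped.items())
```
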



