setsebool sandbox error on FC6

Daniel J Walsh dwalsh at redhat.com
Mon Nov 6 20:33:10 UTC 2006


Stephen Smalley wrote:
> (please disable html mail at least when posting to public lists)
>
> On Thu, 2006-11-02 at 03:02 -0800, Arthur M. Kang wrote:
>   
>> On a fresh install of FC6, I'm getting errors when trying to use the
>> setsebool command.
>>
>> # setsebool httpd_disable_trans 1
>> libsemanage.semanage_commit_sandbox: Error while
>> renaming /etc/selinux/targeted/modules/active
>> to /etc/selinux/targeted/modules/previous.
>> Could not change policy booleans
>>     
>
> This usually means that there is a labeling problem with /etc/selinux.
> Run /sbin/restorecon -R /etc/selinux/targeted/modules.  Then try again.
> Check for audit messages in /var/log/messages
> or /var/log/audit/audit.log (the latter if running auditd).
>
>> Has anyone else experienced similar problems?  Is there a problem on
>> my end?  Is there a fix?
>>
>> Although the error message is generated, the boolean does get set.
>> However, the -P switch doesn't work and the boolean won't stick across
>> reboots.
>>
>> Is there an alternate method to remotely configure booleans that stick
>> across reboots?
>>
>> Any help is appreciated.
>>     
>

I have seen this happen on a couple of machines.  We are missing a 
transition from initrc_t to semanage_t for targeted policy, which could 
result in an init script that calls setsebool (ypbind) or one of the 
other apps screwing up the file context.   Also, if you run in permissive 
mode and did not transition properly when updating rpms, this could 
happen.  Or if there is an application that uses libsemanage that is not 
labeled semanage_exec_t, or an unconfined_domain that runs semanage 
without the transition.

Not sure of any other situations that could cause this.

Dan
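As an added example, not code from the thread or from the Fedora project, a small POSIX shell script tying the advice above together: it dry-runs restorecon over the module store, checks that the setsebool binary is labeled semanage_exec_t (so the transition into semanage_t that Dan describes can happen), relabels and retries `setsebool -P`, then tails the logs Stephen points to. The paths, the sample dry-run output and the ls -Z field extraction (the context is assumed to be the only field containing object_r) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check/repair labeling of the libsemanage
# module store before retrying setsebool -P, and confirm setsebool is semanage_exec_t.
STORE=${STORE:-/etc/selinux/targeted/modules}
SETSEBOOL=${SETSEBOOL:-/usr/sbin/setsebool}

# Extract the type field from an SELinux context (user:role:type[:level]).
type_of_context() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Count the files a `restorecon -n -v` dry run would relabel (output on stdin).
count_resets() {
    grep -c '^restorecon reset ' || true
}

# Constructed sample of dry-run output for self-checking the parser; the
# wrong type (etc_t) is illustrative, not captured from a real system.
SAMPLE_DRYRUN='restorecon reset /etc/selinux/targeted/modules/active context system_u:object_r:etc_t:s0->system_u:object_r:semanage_store_t:s0
restorecon reset /etc/selinux/targeted/modules/active/base.pp context system_u:object_r:etc_t:s0->system_u:object_r:semanage_store_t:s0'

# 0 when the store is labeled as policy expects, 1 otherwise, 2 if unable to check.
check_store_labels() {
    command -v restorecon >/dev/null 2>&1 || { echo "restorecon not found"; return 2; }
    n=$(restorecon -n -v -R "$STORE" 2>/dev/null | count_resets)
    echo "files under $STORE needing relabel: $n"
    [ "$n" -eq 0 ]
}

# 0 when setsebool is labeled semanage_exec_t (required for the domain
# transition into semanage_t that Dan describes), 1 otherwise.
check_tool_label() {
    ctx=$(ls -Zd "$SETSEBOOL" 2>/dev/null | awk '{for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) print $i}')
    t=$(type_of_context "$ctx")
    echo "$SETSEBOOL is labeled ${t:-unknown}"
    [ "$t" = semanage_exec_t ]
}

# Relabel the store as Stephen suggests, retry the boolean persistently, then
# show recent log lines mentioning semanage so a denied transition is visible.
main() {
    check_tool_label || echo "warning: relabel with: restorecon -v $SETSEBOOL"
    check_store_labels || restorecon -R -v "$STORE"
    setsebool -P "$1" "$2" && echo "boolean $1=$2 persisted"
    grep -h semanage /var/log/audit/audit.log /var/log/messages 2>/dev/null | tail -n 5
}
if [ $# -eq 2 ]; then
    main "$@"   # usage: sh check-semanage-store.sh httpd_disable_trans 1
fi
```

Run it as root on the affected box; a non-zero count from the dry run before the relabel confirms the labeling cause rather than a policy bug.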
