f10 vs selinux again.

Dominick Grift domg472 at gmail.com
Sat Feb 28 19:45:00 UTC 2009


On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
> On Saturday 28 February 2009, Dominick Grift wrote:
> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
> >> Greetings all;
> >>
> >> I have just upgraded then updated as much as possible, an F8 install to
> >> F10. selinux is now denying ConsoleKit and friends, and awstats. F10 will
> >> run without console-kit-daemon I find, but I went so far as to touch
> >> /.autorelabel & reboot & leave it to contemplate its sins for an hour or
> >> so as there is nearly 2TB of drives here.  Didn't help.
> >>
> >> So Now I have selinux disabled, and everything is working.  Can this be
> >> addressed?
> >
> >Can you show us the avc denials related to your issues? avc denials are
> >sent to /var/log/audit/audit.log and can be retrieved with the ausearch
> >command. For example use: ausearch -m avc -ts today, to retrieve today's
> >avc denials.
> >
> None today, I turned it off, yesterday's is attached.
> 
> >You state that you updated as much as possible. What did you not update?
> 
> About 70 packages are left, all the java stuff cuz I've installed from Sun,
> I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix that up by
> hand and some of the menus are still fubar) and anytime I do a -devel, it
> barfs over strigi.  What the heck does that thing do anywho?
> 
> I also am not running the F10 kernel cuz I have to set stakes and call a
> surveyor to measure screen scrolling speed, so I'm running 2.6.28.7 and am
> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees.  Now glxgears says
> 275-300 fps and I can tolerate it.  Anyway, from the yumex screen:
> 
> 14:05:14 : Error in Dependency Resolution
> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed by package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386 (rpmfusion-free-updates)
> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is needed by package kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686 (rpmfusion-nonfree-updates)
> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package strigi-devel-0.5.11-1.fc10.i386 (fedora)
> 
> I might be able to get a list of updates (if you need them) not done from yum.
> I use yumex most of the time.
> 
> Thanks Dominick
> 

No, that is fine, thanks. Which version of selinux-policy is currently
installed?

I picked a few of the denials out of there and both were allowed in the
rawhide policy.

This leads me to think that either you are running an old version of the
selinux-policy or that the fixes in rawhide policy have not been pushed
to Fedora 10 policy yet.

In either case you can create custom policies to allow these denials.

A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M
mydenials; /usr/sbin/semodule -i mydenials.pp"

Caution: I did not review all denials in your list, however most look
like they should be allowed.

You should not let issues like these persuade you to disable SELinux.
You can also run SELinux in permissive mode which will act as an
intrusion detection system but will not prevent policy violations.

hth, Dominick
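
A module built from a whole list of denials allows every access in that list, so it helps to see the distinct accesses before loading it. The following is an added example, not part of the original post: a shell function that collapses AVC records into unique source type, target type, class and permission tuples with a count. The log lines in `SAMPLE_AVC` are constructed for illustration.

```shell
#!/bin/sh
# Summarise AVC denials read from stdin as:
#   <count> <source type> <target type> <class> <permissions>
# Typical use (on a host with auditd):
#   ausearch -m avc -ts today | summarize_avc
# After reviewing the summary, "audit2allow -m mydenials" prints the module
# source for reading; "-M", as in the post, also builds mydenials.pp.
summarize_avc() {
    awk '
    /avc: +denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""; inbrace = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inbrace = 1; continue }
            if ($i == "}") { inbrace = 0; continue }
            if (inbrace) {
                # Collect the permission list found between the braces
                if (perms != "") perms = perms ","
                perms = perms $i
                continue
            }
            # Contexts are user:role:type:level; the type is field 3
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != "" && tgt != "" && cls != "")
            count[src " " tgt " " cls " " perms]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k2
}

# Constructed sample records (not taken from the attachment in this thread)
SAMPLE_AVC='type=AVC msg=audit(1235760000.101:41): avc:  denied  { read write } for  pid=2101 comm="console-kit-dae" name="tty0" dev=tmpfs ino=1301 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1235760000.101:41): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1235760060.202:57): avc:  denied  { read write } for  pid=2190 comm="console-kit-dae" name="tty0" dev=tmpfs ino=1301 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1235760120.303:63): avc:  denied  { read } for  pid=3012 comm="awstats.pl" name="access_log" dev=sda1 ino=4402 scontext=system_u:system_r:awstats_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file'

printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

Any tuple in the summary that looks wrong for the domain involved can be filtered out of the denial list before it is fed to audit2allow.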







More information about the fedora-selinux-list mailing list