f10 vs selinux again.

Gene Heskett gene.heskett at verizon.net
Sat Feb 28 21:09:05 UTC 2009


On Saturday 28 February 2009, Dominick Grift wrote:
>On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
>> On Saturday 28 February 2009, Dominick Grift wrote:
>> >On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
>> >> On Saturday 28 February 2009, Dominick Grift wrote:
>> >> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
>> >> >> Greetings all;
>> >> >>
>> >> >> I have just upgraded then updated as much as possible, an F8 install to
>> >> >> F10. selinux is now denying ConsoleKit and friends, and awstats. F10 will
>> >> >> run without console-kit-daemon I find, but I went so far as to touch
>> >> >> /.autorelabel & reboot & leave it to contemplate its sins for an hour or
>> >> >> so as there is nearly 2TB of drives here.  Didn't help.
>> >> >>
>> >> >> So now I have selinux disabled, and everything is working.  Can this be
>> >> >> addressed?
>> >> >
>> >> >Can you show us the avc denials related to your issues? avc denials are
>> >> >sent to /var/log/audit/audit.log and can be retrieved with the ausearch
>> >> >command. For example use: ausearch -m avc -ts today, to retrieve today's
>> >> >avc denials.
>> >>
>> >> None today, I turned it off, yesterday's is attached.
>> >>
>> >> >You state that you updated as much as possible. What did you not update?
>> >>
>> >> About 70 packages are left, all the java stuff cuz I've installed from Sun,
>> >> I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix that up by
>> >> hand and some of the menus are still fubar) and anytime I do a -devel, it
>> >> barfs over strigi.  What the heck does that thing do anywho?
>> >>
>> >> I also am not running the F10 kernel cuz I have to set stakes and call a
>> >> surveyor to measure screen scrolling speed, so I'm running 2.6.28.7 and am
>> >> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees.  Now glxgears says
>> >> 275-300 fps and I can tolerate it.  Anyway, from the yumex screen:
>> >>
>> >> 14:05:14 : Error in Dependency Resolution
>> >> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed by
>> >> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386 (rpmfusion-free-updates)
>> >> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is needed by
>> >> package kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686 (rpmfusion-nonfree-updates)
>> >> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package
>> >> strigi-devel-0.5.11-1.fc10.i386 (fedora)
>> >>
>> >> I might be able to get a list of updates (if you need them) not done from yum.
>> >> I use yumex most of the time.
>> >>
>> >> Thanks Dominick
>> >
>> >No that is fine, thanks. Which version of selinux-policy is currently
>> >installed?
>> >
>> >I picked a few of the denials out of there and both were allowed in the
>> >rawhide policy.
>> >
>> >This leads me to think that either you are running an old version of the
>> >selinux-policy or that the fixes in rawhide policy have not been pushed
>> >to Fedora 10 policy yet.
>>
>> I'll go for the latter as there isn't an update available.
>> [root at coyote Documents]# rpm -qa|grep policy
>> checkpolicy-2.0.16-3.fc10.i386
>> selinux-policy-3.5.13-18.fc10.noarch
>> policycoreutils-2.0.57-11.fc10.i386
>> policycoreutils-gui-2.0.57-11.fc10.i386
>> selinux-policy-targeted-3.5.13-18.fc10.noarch
>>
>> >In either case you can create custom policies to allow these denials.
>> >
>> >A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M
>> >mydenials; /usr/sbin/semodule -i mydenials.pp"
>>
>> And that upchucks.  It generates mydenials.pp, then:
>> [root at coyote Documents]# /usr/sbin/semodule -i mydenials.pp
>> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
>> libsemanage.semanage_link_sandbox: Link packages failed
>> /usr/sbin/semodule:  Failed!
>>
>> Looks like I may be missing something?
>
>Can you give me the output of sestatus?
>
>you could try /usr/sbin/semodule -s targeted -i mydenials.pp

Fails exactly the same.  Does selinux=disabled screw with that?
>
>You might also consider /usr/sbin/semodule -b base.pp (this should
>replace the base module)

Are you sure I want to do that?

>man semodule
>
>This looks like something that could have gone wrong during the upgrade.

It won't be the first time.  When I went from f6 to f8, lots of stuff was 
busted, stuff the gurus said could not happen, but did to me.  One whole 
section of the install was skipped & I had to go pull in about 200 packages by 
hand.

>It claims that a MLS base module is installed but you have installed
>selinux-policy-targeted

And that is how I'm normally configured.

>you should really c.c. fedora-selinux-list so that knowledgeable people
>like dwalsh can give suggestions as well.

Duh, sorry.  Your reply showed up in the list folder so I didn't hit reply-all, 
added now.

>> >caution: i did not review all denials in your list, however most look
>> >like they should be allowed.
>> >
>> >You should not let issues like these persuade you to disable SELinux.
>> >You can also run SELinux in permissive mode which will act as an
>> >intrusion detection system but will not prevent policy violations.
>>
>> I am not terribly paranoid about running selinux, Dominick, I have all my
>> local network behind an x86 version of dd-wrt & its locked up pretty
>> tight. selinux is last ditch.  In 2 years, no one has gotten past dd-wrt
>> that I didn't first give them the password to it.  I see my running it as
>> more of the playing of a role, that of the canary in the coal mine if you
>> will.
>>
>> >hth, Dominick


-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Let us be charitable, and call it a misleading feature  :-)
             -- Larry Wall in <2609 at jato.Jpl.Nasa.Gov>
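The step Dominick suggests above, `ausearch -m avc ... | audit2allow -M mydenials`, takes AVC "denied" records from audit.log and collapses them into allow rules. The script below is an added example written for this page, not audit2allow itself and not anything from the thread: it parses AVC records from a few constructed sample audit.log lines (the records, process names and the type names in them are assumptions, written in the Fedora targeted-policy naming style), groups the denied permissions by source type, target type and object class, and renders a `.te` module in the shape `audit2allow -M` produces. It also gives a per-process summary so the rules can be read and judged before `semodule -i` is ever run on them.

```python
"""Model of the ausearch | audit2allow step from the thread, written as an
added example: it is not audit2allow and installs nothing. It parses AVC
"denied" records out of audit.log text, collapses them into allow rules keyed
by (source type, target type, class), and renders a .te module in the shape
audit2allow produces, so the rules can be reviewed before semodule -i."""
import re
from collections import defaultdict

# Constructed sample audit.log records (assumption: not the thread's attachment).
# Type names follow the Fedora targeted policy naming style; the records are invented.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1235845123.456:101): avc:  denied  { read } for  pid=2345 comm="console-kit-dae" name="utmp" dev=sda3 ino=12345 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1235845123.456:101): arch=40000003 syscall=5 success=no exit=-13 comm="console-kit-dae"
type=AVC msg=audit(1235845123.789:102): avc:  denied  { write } for  pid=2345 comm="console-kit-dae" name="utmp" dev=sda3 ino=12345 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1235845200.001:103): avc:  denied  { getattr read } for  pid=3001 comm="awstats.pl" path="/var/log/httpd/access_log" dev=sda3 ino=777 scontext=system_u:system_r:httpd_awstats_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
"""

# One AVC "denied" record: permission set, process name, then source/target contexts and class.
# Non-AVC records (SYSCALL, PATH, ...) lack scontext/tcontext and simply do not match.
AVC_RE = re.compile(
    r'type=AVC\s.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc_denials(log_text):
    """Return one dict per AVC denial record found in the audit log text."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = d["perms"].split()  # "{ getattr read }" -> ["getattr", "read"]
        denials.append(d)
    return denials


def context_type(ctx):
    """user:role:type[:level] -> type, the field that allow rules are written against."""
    return ctx.split(":")[2]


def collapse_rules(denials):
    """Group denials into (source type, target type, class) -> set of permissions."""
    rules = defaultdict(set)
    for d in denials:
        key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
        rules[key].update(d["perms"])
    return dict(rules)


def review_summary(denials):
    """Per process name, what it was denied. This is the view to read before
    loading anything: a labelling or policy gap (as in the thread) looks very
    different from a process reaching for something it has no business touching."""
    summary = defaultdict(set)
    for d in denials:
        for p in d["perms"]:
            summary[d["comm"]].add(f"{p} {d['tclass']} labelled {context_type(d['tcontext'])}")
    return {comm: sorted(items) for comm, items in summary.items()}


def render_te(module_name, rules):
    """Emit a .te policy module in the same shape audit2allow -M writes."""
    types = sorted({k[0] for k in rules} | {k[1] for k in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for comm, items in review_summary(found).items():
        print(f"{comm}: {', '.join(items)}")
    print(render_te("mydenials", collapse_rules(found)))
```

Running it prints the per-process summary and then a `mydenials.te` with one `allow consolekit_t initrc_var_run_t:file { read write };` rule and one for the awstats domain. The real audit2allow resolves names against the policy loaded on the box and `semodule` links the resulting package against the installed base; this model does neither, so it cannot see the non-MLS module versus MLS base mismatch that `semodule -i` reports earlier in the thread. Its purpose is the reading step in between: a rule that merely re-allows a known daemon its own runtime files is a policy gap worth reporting, while one that would let a web script read or write something unrelated is a reason to stop rather than load the module.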




More information about the fedora-selinux-list mailing list