f10 vs selinux again.

Gene Heskett gene.heskett at verizon.net
Sat Feb 28 23:18:05 UTC 2009


On Saturday 28 February 2009, Dominick Grift wrote:
>On Sat, 2009-02-28 at 16:09 -0500, Gene Heskett wrote:
>> On Saturday 28 February 2009, Dominick Grift wrote:
>> >On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
>> >> On Saturday 28 February 2009, Dominick Grift wrote:
>> >> >On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
>> >> >> On Saturday 28 February 2009, Dominick Grift wrote:
>> >> >> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
>> >> >> >> Greetings all;
>> >> >> >>
>> >> >> >> I have just upgraded then updated as much as possible, an F8 install to
>> >> >> >> F10. selinux is now denying ConsoleKit and friends, and awstats. F10 will
>> >> >> >> run without console-kit-daemon I find, but I went so far as to touch
>> >> >> >> /.autorelabel & reboot & leave it to contemplate its sins for an hour or
>> >> >> >> so as there is nearly 2TB of drives here.  Didn't help.
>> >> >> >>
>> >> >> >> So now I have selinux disabled, and everything is working.  Can this be
>> >> >> >> addressed?
>> >> >> >
>> >> >> >Can you show us the avc denials related to your issues? avc denials are
>> >> >> >sent to /var/log/audit/audit.log and can be retrieved with the ausearch
>> >> >> >command. For example use: ausearch -m avc -ts today, to retrieve today's
>> >> >> >avc denials.
>> >> >>
>> >> >> None today, I turned it off, yesterday's is attached.
>> >> >>
>> >> >> >You state that you updated as much as possible. What did you not update?
>> >> >>
>> >> >> About 70 packages are left, all the java stuff cuz I've installed from Sun,
>> >> >> I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix that up by
>> >> >> hand and some of the menus are still fubar) and anytime I do a -devel, it
>> >> >> barfs over strigi.  What the heck does that thing do anywho?
>> >> >>
>> >> >> I also am not running the F10 kernel cuz I have to set stakes and call a
>> >> >> surveyor to measure screen scrolling speed, so I'm running 2.6.28.7 and am
>> >> >> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees.  Now glxgears says
>> >> >> 275-300 fps and I can tolerate it.  Anyway, from the yumex screen:
>> >> >>
>> >> >> 14:05:14 : Error in Dependency Resolution
>> >> >> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed by
>> >> >> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386 (rpmfusion-free-updates)
>> >> >> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is needed by
>> >> >> package kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686
>> >> >> (rpmfusion-nonfree-updates)
>> >> >> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package
>> >> >> strigi-devel-0.5.11-1.fc10.i386 (fedora)
>> >> >>
>> >> >> I might be able to get a list of updates (if you need them) not done from yum.
>> >> >> I use yumex most of the time.
>> >> >>
>> >> >> Thanks Dominick
>> >> >
>> >> >No that is fine, thanks. Which version of selinux-policy is currently
>> >> >installed?
>> >> >
>> >> >I picked a few of the denials out of there and both were allowed in the
>> >> >rawhide policy.
>> >> >
>> >> >This leads me to think that either you are running an old version of the
>> >> >selinux-policy or that the fixes in rawhide policy have not been pushed to
>> >> >Fedora 10 policy yet.
>> >>
>> >> I'll go for the latter as there isn't an update available.
>> >> [root@coyote Documents]# rpm -qa|grep policy
>> >> checkpolicy-2.0.16-3.fc10.i386
>> >> selinux-policy-3.5.13-18.fc10.noarch
>> >> policycoreutils-2.0.57-11.fc10.i386
>> >> policycoreutils-gui-2.0.57-11.fc10.i386
>> >> selinux-policy-targeted-3.5.13-18.fc10.noarch
>> >>
>> >> >In either case you can create custom policies to allow these denials.
>> >> >
>> >> >A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M
>> >> >mydenials; /usr/sbin/semodule -i mydenials.pp"
>> >>
>> >> And that upchucks.  It generates mydenials.pp, then:
>> >> [root@coyote Documents]# /usr/sbin/semodule -i mydenials.pp
>> >> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
>> >> libsemanage.semanage_link_sandbox: Link packages failed
>> >> /usr/sbin/semodule:  Failed!
>> >>
>> >> Looks like I may be missing something?
>> >
>> >Can you give me the output of sestatus?

This is after the reboot/relabel, using this /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#	enforcing - SELinux security policy is enforced.
#	permissive - SELinux prints warnings instead of enforcing.
#	disabled - No SELinux policy is loaded.
SELINUX=enabeled

# SELINUXTYPE= can take one of these two values:
#	targeted - Targeted processes are protected,
#	mls - Multi Level Security protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0 

[root@coyote radeon]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          error (Success)
Policy version:                 24
Policy from config file:        targeted

and that looks completely fubar to me.  But since it's 'permissive',
consolekit is running, but sealert is popping up about every 30 seconds.
It's fussing about console-kit-history now.  WTH?

>> >you could try /usr/sbin/semodule -s targeted -i mydenials.pp
>>
>> Fails exactly the same.  Does selinux=disabled screw with that?
>
>Well you should have SELinux enabled when you install the module.
>Enable it first.
>
>> >You might also consider /usr/sbin/semodule -b base.pp (this should
>> >replace the base module)

ohhkayy

Turned it back on, rebooted, relabeled, and:

[root@coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule:  Failed!

[root@coyote Documents]# /usr/sbin/semodule -b base.pp
/usr/sbin/semodule:  Could not read file 'base.pp': No such file or directory
[root@coyote Documents]# locate base.pp
/etc/selinux/targeted/modules/active/base.pp
/usr/share/selinux/targeted/base.pp.bz2

[root@coyote targeted]# ls -l `locate base.pp`
-rw------- 1 root root 16771501 2009-02-26 18:38 /etc/selinux/targeted/modules/active/base.pp
-rw-r--r-- 1 root root   172790 2008-11-06 13:06 /usr/share/selinux/targeted/base.pp.bz2

So which one is right?  I'm getting a headache. :(

So I bunzip2'd the /usr/share/selinux/targeted/base.pp.bz2 and overwrote
the /etc/selinux/targeted/modules/active/base.pp with it; it was about half
the size.  I think this is the same error again.
[root@coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule:  Failed!

And that bunzip2 operation of course generated this:
[root@coyote Documents]# rpm -V `rpm -qa|grep targeted`
missing     /usr/share/selinux/targeted/base.pp.bz2

So I did a bzip2 -k base.pp, and now rpm -V is happy again.

Sounds like I need to manually nuke what's in etc and force
rpm to re-install?  Unforch, /var/cache/yum is devoid of any
F10 files, I just checked.

Your turn coach. :)

>
>Not totally sure. No. First enable SELinux. Then try to install the
>policy module again. If that does not work consider replacing base.pp.
>
>The error suggests that base.pp is for MLS policy. This should not be
>the case.
>
>> >man semodule
>> >
>> >This looks like something that could have gone wrong during the upgrade.
>>
>> It won't be the first time.  When I went from f6 to f8, lots of stuff was
>> busted, stuff the gurus said could not happen, but did to me.  One whole
>> section of the install was skipped & I had to go pull in about 200
>> packages by hand.
>>
>> >It claims that an MLS base module is installed but you have installed
>> >selinux-policy-targeted
>>
>> And that is how I'm normally configured.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Hey dol! merry dol! ring a dong dillo!
Ring a dong! hop along! fal lal the willow!
Tom Bom, jolly Tom, Tom Bombadillo!
		-- J. R. R. Tolkien
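The sestatus output in the message above reports "Mode from config file: error (Success)", and the /etc/selinux/config posted just before it has SELINUX=enabeled, which is not one of the three values the file's own comments list (enforcing, permissive, disabled). The check below is an added example for this thread, not code from the original message, from libselinux or from sestatus: it parses a config in that format and reports any SELINUX= or SELINUXTYPE= value outside the documented set. That the mode line reads "error" for an unrecognised value, and that the value must match exactly rather than by prefix, are assumptions about how sestatus and libselinux behave; the sample config embedded in the script is a reconstruction of the one posted, included so the script runs offline.

```python
"""Validate an /etc/selinux/config the way sestatus's "Mode from config file"
line reads it.  Added example for this thread; not code from the original
message, libselinux or sestatus.  Assumptions: only the three documented
modes are accepted, matched exactly, and an unrecognised value is reported
as "error" (the behaviour seen in the sestatus output in the thread)."""
import re

VALID_MODES = ("enforcing", "permissive", "disabled")
VALID_TYPES = ("targeted", "mls")

# Constructed sample: a reconstruction of the config posted in the thread,
# including its misspelt SELINUX= value.
POSTED_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#\tenforcing - SELinux security policy is enforced.
#\tpermissive - SELinux prints warnings instead of enforcing.
#\tdisabled - No SELinux policy is loaded.
SELINUX=enabeled

# SELINUXTYPE= can take one of these two values:
#\ttargeted - Targeted processes are protected,
#\tmls - Multi Level Security protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0 
"""

KEY_VALUE_RE = re.compile(r"^([A-Z_]+)\s*=\s*(\S*)\s*$")


def parse_selinux_config(text):
    """Return {KEY: value} for the non-comment, non-blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_VALUE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def mode_from_config(text):
    """What the "Mode from config file" line would show for this text
    (assumption: unrecognised or missing SELINUX= value -> "error")."""
    mode = parse_selinux_config(text).get("SELINUX", "")
    return mode if mode in VALID_MODES else "error"


def config_problems(text):
    """List human-readable problems; an empty list means the file is sane."""
    settings = parse_selinux_config(text)
    problems = []

    mode = settings.get("SELINUX")
    if mode is None:
        problems.append("SELINUX= is missing")
    elif mode not in VALID_MODES:
        problems.append("SELINUX=%s is not one of %s"
                        % (mode, "/".join(VALID_MODES)))

    ptype = settings.get("SELINUXTYPE")
    if ptype is None:
        problems.append("SELINUXTYPE= is missing")
    elif ptype not in VALID_TYPES:
        problems.append("SELINUXTYPE=%s is not one of %s"
                        % (ptype, "/".join(VALID_TYPES)))
    return problems


if __name__ == "__main__":
    import sys
    # With a path argument check that file, otherwise the embedded sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else POSTED_CONFIG
    print("Mode from config file: %s" % mode_from_config(text))
    for problem in config_problems(text):
        print("problem: %s" % problem)
```

Run it against the real file with `python3 selinux_config_check.py /etc/selinux/config`; with no argument it checks the embedded reconstruction of the posted config and flags the SELINUX= line.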

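Dominick's quick-and-dirty recipe in the thread (ausearch -m avc to pull the denials, then audit2allow -M mydenials and semodule -i) builds a policy module from whatever is in the denial file without showing the rules first. The script below is an added example for this thread, not audit2allow's own code and not anything from the original message: it does the same collapse of AVC records into allow rules, in Python because that is the language audit2allow itself is written in, and emits the .te source so it can be read before it is built and installed. The audit records embedded in it are constructed for the example, not the ones from the attachment discussed in the thread; the types, object names and inode numbers in them are illustrative only.

```python
"""Turn AVC denial records into the minimal SELinux policy module source
(module header, require block, allow rules) that audit2allow -M would build.
Added example for this thread; not audit2allow's code.  The audit records
below are constructed for the example, not taken from the thread's attachment."""
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (illustrative types and objects).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1235858460.101:4321): avc:  denied  { read } for  pid=2876 comm="console-kit-dae" name="history" dev=sda3 ino=262200 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1235858460.101:4321): arch=40000003 syscall=5 success=no exit=-13 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0 key=(null)
type=AVC msg=audit(1235858461.202:4322): avc:  denied  { open } for  pid=2876 comm="console-kit-dae" name="history" dev=sda3 ino=262200 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1235858470.303:4330): avc:  denied  { getattr } for  pid=3001 comm="httpd" path="/var/lib/awstats" dev=sda3 ino=131073 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:level] -> type (the third colon-separated field)."""
    return ctx.split(":")[2]


def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, set_of_perms) per AVC record;
    non-AVC records (SYSCALL etc.) are skipped."""
    for line in text.splitlines():
        if "type=AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        yield (context_type(m.group("scontext")),
               context_type(m.group("tcontext")),
               m.group("tclass"),
               set(m.group("perms").split()))


def collapse_rules(records):
    """Merge denials sharing (source, target, class) into one rule with the
    union of their permissions, as audit2allow does."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in records:
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def render_module(rules, name="mydenials"):
    """Return .te source for the collapsed rules."""
    types = set()
    classes = defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls] |= perms
    lines = ["module %s 1.0;" % name, "", "require {"]
    for t in sorted(types):
        lines.append("\ttype %s;" % t)
    for cls in sorted(classes):
        lines.append("\tclass %s { %s };" % (cls, " ".join(sorted(classes[cls]))))
    lines += ["}", ""]
    for key in sorted(rules):
        src, tgt, cls = key
        lines.append("allow %s %s:%s { %s };"
                     % (src, tgt, cls, " ".join(sorted(rules[key]))))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys
    # Read records from a pipe if given one, else use the embedded sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG
    print(render_module(collapse_rules(parse_avc_denials(text))), end="")
```

Feed it real records with `ausearch -m avc -ts today | python3 avc_to_te.py > mydenials.te`, read the allow rules, and only then run audit2allow -M (or checkmodule/semodule_package) on the same input; a rule that grants a daemon broad access to a type it has no business touching is the thing to spot at this step rather than after semodule -i.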