f10 vs selinux again.

Dominick Grift domg472 at gmail.com
Sat Feb 28 23:46:12 UTC 2009


On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
> On Saturday 28 February 2009, Dominick Grift wrote:
> >On Sat, 2009-02-28 at 16:09 -0500, Gene Heskett wrote:
> >> On Saturday 28 February 2009, Dominick Grift wrote:
> >> >On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
> >> >> On Saturday 28 February 2009, Dominick Grift wrote:
> >> >> >On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
> >> >> >> On Saturday 28 February 2009, Dominick Grift wrote:
> >> >> >> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
> >> >> >> >> Greetings all;
> >> >> >> >>
> >> >> >> >> I have just upgraded then updated as much as possible, an F8 install to
> >> >> >> >> F10. selinux is now denying ConsoleKit and friends, and awstats. F10 will
> >> >> >> >> run without console-kit-daemon I find, but I went so far as to touch
> >> >> >> >> /.autorelabel & reboot & leave it to contemplate its sins for an hour or
> >> >> >> >> so as there is nearly 2TB of drives here.  Didn't help.
> >> >> >> >>
> >> >> >> >> So now I have selinux disabled, and everything is working.  Can this be
> >> >> >> >> addressed?
> >> >> >> >
> >> >> >> >Can you show us the avc denials related to your issues? avc denials are
> >> >> >> >sent to /var/log/audit/audit.log and can be retrieved with the ausearch
> >> >> >> >command. For example use: ausearch -m avc -ts today, to retrieve today's
> >> >> >> >avc denials.
> >> >> >>
> >> >> >> None today, I turned it off, yesterday's is attached.
> >> >> >>
> >> >> >> >You state that you updated as much as possible. What did you not update?
> >> >> >
> >> >> >> About 70 packages are left, all the java stuff cuz I've installed from Sun,
> >> >> >> I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix that up by
> >> >> >> hand and some of the menus are still fubar) and anytime I do a -devel, it
> >> >> >> barfs over strigi.  What the heck does that thing do anywho?
> >> >> >>
> >> >> >> I also am not running the F10 kernel cuz I have to set stakes and call a
> >> >> >> surveyor to measure screen scrolling speed, so I'm running 2.6.28.7 and am
> >> >> >> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees.  Now glxgears says
> >> >> >> 275-300 fps and I can tolerate it.  Anyway, from the yumex screen:
> >> >> >>
> >> >> >> 14:05:14 : Error in Dependency Resolution
> >> >> >> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed by
> >> >> >> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386 (rpmfusion-free-updates)
> >> >> >> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is needed by
> >> >> >> package kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686
> >> >> >> (rpmfusion-nonfree-updates)
> >> >> >> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package
> >> >> >> strigi-devel-0.5.11-1.fc10.i386 (fedora)
> >> >> >>
> >> >> >> I might be able to get a list of updates (if you need them) not done from yum.
> >> >> >
> >> >> >> I use yumex most of the time.
> >> >> >>
> >> >> >> Thanks Dominick
> >> >> >
> >> >> >No that is fine, thanks. Which version of selinux-policy is currently
> >> >> >installed?
> >> >> >
> >> >> >I picked a few of the denials out of there and both were allowed in
> >> >> > the rawhide policy.
> >> >> >
> >> >> >This leads me to think that either you are running an old version of
> >> >> > the selinux-policy or that the fixes in rawhide policy have not been
> >> >> > pushed to Fedora 10 policy yet.
> >> >>
> >> >> I'll go for the latter as there isn't an update available.
> >> >> [root at coyote Documents]# rpm -qa|grep policy
> >> >> checkpolicy-2.0.16-3.fc10.i386
> >> >> selinux-policy-3.5.13-18.fc10.noarch
> >> >> policycoreutils-2.0.57-11.fc10.i386
> >> >> policycoreutils-gui-2.0.57-11.fc10.i386
> >> >> selinux-policy-targeted-3.5.13-18.fc10.noarch
> >> >>
> >> >> >In either case you can create custom policies to allow these denials.
> >> >> >
> >> >> >A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M
> >> >> >mydenials; /usr/sbin/semodule -i mydenials.pp"
> >> >>
> >> >> And that upchucks.  It generates mydenials.pp, then:
> >> >> [root at coyote Documents]# /usr/sbin/semodule -i mydenials.pp
> >> >> libsepol.link_modules: Tried to link in a non-MLS module with an MLS
> >> >> base. libsemanage.semanage_link_sandbox: Link packages failed
> >> >> /usr/sbin/semodule:  Failed!
> >> >>
> >> >> Looks like I may be missing something?
> >> >
> >> >Can you give me the output of sestatus?
> This is after the reboot/relabel, using this /etc/selinux/config
> 
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> #	enforcing - SELinux security policy is enforced.
> #	permissive - SELinux prints warnings instead of enforcing.
> #	disabled - No SELinux policy is loaded.
> SELINUX=enabeled
should read enforcing or permissive
> 
> # SELINUXTYPE= can take one of these two values:
> #	targeted - Targeted processes are protected,
> #	mls - Multi Level Security protection.
> SELINUXTYPE=targeted
> # SETLOCALDEFS= Check local definition changes
> SETLOCALDEFS=0 
> 
> [root at coyote radeon]# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          error (Success)
This looks wrong. See above.
> Policy version:                 24
> Policy from config file:        targeted
> 
> and that looks completely fubar to me.  But since its 'permissive',
> consolekit is running, but sealert is popping up about every 30 seconds.
> Its fussing about console-kit-history now.  WTH?

You can easily disable setroubleshoot:

service setroubleshoot stop
( to disable it by default: chkconfig setroubleshoot off )

> >> >you could try /usr/sbin/semodule -s targeted -i mydenials.pp
> >>
> >> Fails exactly the same.  Does selinux=disabled screw with that?
> >
> >Well you should have SELinux enabled when you install the module.
> >Enable it first.
> >
> >> >You might also consider /usr/sbin/semodule -b base.pp (this should
> >> >replace the base module)
> 
> ohhkayy
> 
> Turned it back on, rebooted, relabeled, and:
> 
> [root at coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
> libsemanage.semanage_link_sandbox: Link packages failed
> /usr/sbin/semodule:  Failed!
> 
> [root at coyote Documents]# /usr/sbin/semodule -b base.pp
> /usr/sbin/semodule:  Could not read file 'base.pp': No such file or directory
> [root at coyote Documents]# locate base.pp
> /etc/selinux/targeted/modules/active/base.pp
> /usr/share/selinux/targeted/base.pp.bz2
> 
> [root at coyote targeted]# ls -l `locate base.pp`
> -rw------- 1 root root 16771501 2009-02-26 18:38 /etc/selinux/targeted/modules/active/base.pp
> -rw-r--r-- 1 root root   172790 2008-11-06 13:06 /usr/share/selinux/targeted/base.pp.bz2
> 
> So which one is right?  I'm getting a headache. :(

The one in /etc is active. The one in /usr is used to generate it, I
believe.
> 
> So I bunzip2'd the /usr/share/selinux/targeted/base.pp.bz2 and overwrote
> the /etc/selinux/targeted/modules/active/base.pp with it, it was about half
> the size.  I think this is the same error again.
> [root at coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
> libsemanage.semanage_link_sandbox: Link packages failed
> /usr/sbin/semodule:  Failed!
> 
> And that bunzip2 operation of course generated this:
> [root at coyote Documents]# rpm -V `rpm -qa|grep targeted`
> missing     /usr/share/selinux/targeted/base.pp.bz2
> 
> So I did a bzip2 -k base.pp, and now rpm -V is happy again.
> 
> Sounds like I need to manually nuke whats in etc and force 
> rpm to re-install?  Unforch, /var/cache/yum is devoid of any
> F10 files, I just checked.
> 
> Your turn coach. :)
You could try:
rpm -Uvh --replacefiles --replacepkgs selinux-policy and
selinux-policy-targeted, then make sure your base.pp is fresh (try
semodule -B).

> >
> >Not totally sure. No. First enable SELinux. Then try to install the
> >policy module again. If that does not work consider replacing base.pp.
> >
> >The error suggests that base.pp is for MLS policy. This should not be
> >the case.
> >
> >> >man semodule
> >> >
> >> >This looks like something that could have gone wrong during the upgrade.
> >>
> >> It won't be the first time.  When I went from f6 to f8, lots of stuff was
> >> busted, stuff the gurus said could not happen, but did to me.  One whole
> >> section of the install was skipped & I had to go pull in about 200
> >> packages by hand.
> >>
> >> >It claims that a MLS base module is installed but you have installed
> >> >selinux-policy-targeted
> >>
> >> And that is how I'm normally configured.
> 
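As an added example (not code from the thread or from Fedora's own tooling), a small POSIX shell checker for the two /etc/selinux/config keys discussed above: an unrecognised value such as the SELINUX=enabeled typo Gene posted is what leaves sestatus reporting "Mode from config file: error". The function and sample-writer names are this example's own, and the sample configs it writes are constructed.

```shell
#!/bin/sh
# Validate the SELINUX= and SELINUXTYPE= keys of an /etc/selinux/config-style
# file. Prints one diagnostic per problem; returns 0 only when both are valid.
check_selinux_config() {
    # Drop comments and trailing whitespace, then take the last assignment of
    # each key (this script's choice when a key is repeated; the real parser's
    # precedence is not assumed here).
    stripped=$(sed -e 's/#.*//' -e 's/[[:space:]]*$//' "$1")
    mode=$(printf '%s\n' "$stripped" | sed -n 's/^SELINUX=//p' | tail -n 1)
    ptype=$(printf '%s\n' "$stripped" | sed -n 's/^SELINUXTYPE=//p' | tail -n 1)
    rc=0
    case "$mode" in
        enforcing|permissive|disabled) ;;
        "") echo "SELINUX= is missing"; rc=1 ;;
        *)  echo "SELINUX=$mode is invalid: use enforcing, permissive or disabled"; rc=1 ;;
    esac
    case "$ptype" in
        targeted|mls) ;;
        "") echo "SELINUXTYPE= is missing"; rc=1 ;;
        *)  echo "SELINUXTYPE=$ptype is invalid: use targeted or mls"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs (not files taken from the machine in the thread).
write_bad_config() {  # reproduces the SELINUX=enabeled typo from the thread
    printf '%s\n' '# SELINUX= can take one of these three values:' \
        'SELINUX=enabeled' 'SELINUXTYPE=targeted' 'SETLOCALDEFS=0 ' > "$1"
}
write_good_config() {
    printf '%s\n' 'SELINUX=permissive' 'SELINUXTYPE=targeted' > "$1"
}

# Stand-alone demo: the bad sample is rejected, the good one accepted.
tmp=$(mktemp)
write_bad_config "$tmp"
check_selinux_config "$tmp" || echo "bad sample rejected (expected)"
write_good_config "$tmp"
check_selinux_config "$tmp" && echo "good sample accepted"
rm -f "$tmp"
```

Run it against the real /etc/selinux/config before rebooting into a relabel; after correcting the value, sestatus should show the mode from the config file instead of an error.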