f10 vs selinux again.
Gene Heskett
gene.heskett at verizon.net
Sun Mar 1 00:11:50 UTC 2009
On Saturday 28 February 2009, Dominick Grift wrote:
>On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
>> On Saturday 28 February 2009, Dominick Grift wrote:
>> >On Sat, 2009-02-28 at 16:09 -0500, Gene Heskett wrote:
>> >> On Saturday 28 February 2009, Dominick Grift wrote:
>> >> >On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
>> >> >> On Saturday 28 February 2009, Dominick Grift wrote:
>> >> >> >On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
>> >> >> >> On Saturday 28 February 2009, Dominick Grift wrote:
>> >> >> >> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
>> >> >> >> >> Greetings all;
>> >> >> >> >>
>> >> >> >> >> I have just upgraded then updated as much as possible, an F8
>> >> >> >
>> >> >> >install to
>> >> >> >
>> >> >> >> >> F10. selinux is now denying ConsoleKit and friends, and
>> >> >> >> >> awstats.
>> >> >> >
>> >> >> >F10 will
>> >> >> >
>> >> >> >> >> run without console-kit-daemon I find, but I went so far as to
>> >> >> >
>> >> >> >touch
>> >> >> >
>> >> >> >> >> /.autorelabel & reboot & leave it to contemplate its sins for
>> >> >> >> >> an
>> >> >> >
>> >> >> >hour or
>> >> >> >
>> >> >> >> >> so as there is nearly 2TB of drives here. Didn't help.
>> >> >> >> >>
>> >> >> >> >> So Now I have selinux disabled, and everything it working.
>> >> >> >> >> Can
>> >> >> >
>> >> >> >this be
>> >> >> >
>> >> >> >> >> addressed?
>> >> >> >> >
>> >> >> >> >Can you show use the avc denials related to your issues? avc
>> >> >> >> > denials
>> >> >> >
>> >> >> >are
>> >> >> >
>> >> >> >> >sent to /var/log/audit/audit.log and can be retrieved with the
>> >> >> >
>> >> >> >ausearch
>> >> >> >
>> >> >> >> >command. For example use: ausearch -m avc -ts today, to retrieve
>> >> >> >
>> >> >> >today's
>> >> >> >
>> >> >> >> >avc denials.
>> >> >> >>
>> >> >> >> None today, I turned it off, yesterdays is attached.
>> >> >> >>
>> >> >> >> >You state that you updated as much as possible. What did you not
>> >> >> >
>> >> >> >update?
>> >> >> >
>> >> >> >> About 70 packages are left, all the java stuff cuz I've installed
>> >> >> >> from
>> >> >> >
>> >> >> >Sun,
>> >> >> >
>> >> >> >> I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix
>> >> >> >> that
>> >> >> >
>> >> >> >up by
>> >> >> >
>> >> >> >> hand and some of the menus are still fubar) and anytime I do a
>> >> >> >> -devel,
>> >> >> >
>> >> >> >it
>> >> >> >
>> >> >> >> barfs over strigi. What the heck does that thing do anywho?
>> >> >> >>
>> >> >> >> I also am not running the F10 kernel cuz I have to set stakes and
>> >> >> >> call
>> >> >> >
>> >> >> >a
>> >> >> >
>> >> >> >> surveyer to measure screen scrolling speed, so I'm running
>> >> >> >> 2.6.28.7
>> >> >> >
>> >> >> >and am
>> >> >> >
>> >> >> >> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees. Now
>> >> >> >> glxgears
>> >> >> >
>> >> >> >says
>> >> >> >
>> >> >> >> 275-300 fps and I can tolerate it. Anyway, from the yumex
>> >> >> >> screen:
>> >> >> >>
>> >> >> >> 14:05:14 : Error in Dependency Resolution
>> >> >> >> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is
>> >> >> >> needed
>> >> >> >
>> >> >> >by
>> >> >> >
>> >> >> >> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386
>> >> >> >
>> >> >> >(rpmfusion-free-
>> >> >> >
>> >> >> >> updates)
>> >> >> >> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686
>> >> >> >> is
>> >> >> >
>> >> >> >needed by
>> >> >> >
>> >> >> >> package
>> >> >> >
>> >> >> >kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686
>> >> >> >
>> >> >> >> (rpmfusion-nonfree-updates)
>> >> >> >> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by
>> >> >> >> package
>> >> >> >
>> >> >> >strigi-
>> >> >> >
>> >> >> >> devel-0.5.11-1.fc10.i386 (fedora)
>> >> >> >>
>> >> >> >> I might be able to get a list of updates (if you need them) not
>> >> >> >> done
>> >> >> >
>> >> >> >from yum.
>> >> >> >
>> >> >> >> I use yumex most of the time.
>> >> >> >>
>> >> >> >> Thanks Dominick
>> >> >> >
>> >> >> >No that is fine, thanks. Which version of selinux-policy is
>> >> >> > currently installed?
>> >> >> >
>> >> >> >I picked a few of the denials out of there and both were allowed in
>> >> >> > the rawhide policy.
>> >> >> >
>> >> >> >This leads me to think that either you are running a old version of
>> >> >> > the selinux-policy or that the fixes in rawhide policy have not
>> >> >> > been pushed to Fedora 10 policy yet.
>> >> >>
>> >> >> I'll go for the latter as there isn't an update available.
>> >> >> [root at coyote Documents]# rpm -qa|grep policy
>> >> >> checkpolicy-2.0.16-3.fc10.i386
>> >> >> selinux-policy-3.5.13-18.fc10.noarch
>> >> >> policycoreutils-2.0.57-11.fc10.i386
>> >> >> policycoreutils-gui-2.0.57-11.fc10.i386
>> >> >> selinux-policy-targeted-3.5.13-18.fc10.noarch
>> >> >>
>> >> >> >I either case you can create custom policies to allow these
>> >> >> > denials.
>> >> >> >
>> >> >> >A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M
>> >> >> >mydenials; /usr/sbin/semodule -i mydenials.pp
>> >> >>
>> >> >> And that upchucks. It generates mydenials.pp, then:
>> >> >> [root at coyote Documents]# /usr/sbin/semodule -i mydenials.pp
>> >> >> libsepol.link_modules: Tried to link in a non-MLS module with an MLS
>> >> >> base. libsemanage.semanage_link_sandbox: Link packages failed
>> >> >> /usr/sbin/semodule: Failed!
>> >> >>
>> >> >> Looks like I may be missing something?
>> >> >
>> >> >Can you give me to output of sestatus?
>>
>> This is after the reboot/relabel, using this /etc/selinux/config
>>
>> # This file controls the state of SELinux on the system.
>> # SELINUX= can take one of these three values:
>> # enforcing - SELinux security policy is enforced.
>> # permissive - SELinux prints warnings instead of enforcing.
>> # disabled - No SELinux policy is loaded.
>> SELINUX=enabeled
>
>should read enforcing or permissive
>
>> # SELINUXTYPE= can take one of these two values:
>> # targeted - Targeted processes are protected,
>> # mls - Multi Level Security protection.
>> SELINUXTYPE=targeted
>> # SETLOCALDEFS= Check local definition changes
>> SETLOCALDEFS=0
>>
>> [root at coyote radeon]# sestatus
>> SELinux status: enabled
>> SELinuxfs mount: /selinux
>> Current mode: permissive
>> Mode from config file: error (Success)
>
>This looks wrong. see above
>
>> Policy version: 24
>> Policy from config file: targeted
>>
>> and that looks completely fubar to me. But since its 'permissive',
>> consolekit is running, but sealert is popping up about every 30 seconds.
>> Its fussing about console-kit-history now. WTH?
>
>You can easily disable setroubleshoot:
>
>service setroubleshoot stop
>( to disable it by default: chkconfig setroubleshoot off )
>
>> >> >you could try /usr/sbin/semodule -s targeted -i mydenials.pp
>> >>
>> >> Fails exactly the same. Does selinux=disabled screw with that?
>> >
>> >Well you should have SELinux enabled when you install the module.
>> >Enable it first.
>> >
>> >> >You might also consider /usr/sbin/semodule -b base.pp (this should
>> >> >replace the base module)
>>
>> ohhkayy
>>
>> Turned it back on, rebooted, relabeled, and:
>>
>> [root at coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
>> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
>> libsemanage.semanage_link_sandbox: Link packages failed
>> /usr/sbin/semodule: Failed!
>>
>> [root at coyote Documents]# /usr/sbin/semodule -b base.pp
>> /usr/sbin/semodule: Could not read file 'base.pp': No such file or
>> directory [root at coyote Documents]# locate base.pp
>> /etc/selinux/targeted/modules/active/base.pp
>> /usr/share/selinux/targeted/base.pp.bz2
>>
>> [root at coyote targeted]# ls -l `locate base.pp`
>> -rw------- 1 root root 16771501 2009-02-26 18:38
>> /etc/selinux/targeted/modules/active/base.pp -rw-r--r-- 1 root root
>> 172790 2008-11-06 13:06 /usr/share/selinux/targeted/base.pp.bz2
>>
>> So which one is right? I'm getting a headache. :(
>
>the one in /etc is active. The one is /usr is used to generate it i
>believe
>
>> So I bunzip2'd the the /usr/share/selinux/targeted/base.pp.bz2 and
>> overwrote the /etc/selinux/targeted/modules/active/base.pp with it, it was
>> about half the size. I think this is the same error again.
>> [root at coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
>> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
>> libsemanage.semanage_link_sandbox: Link packages failed
>> /usr/sbin/semodule: Failed!
>>
>> And that bunzip2 operation of course generated this:
>> [root at coyote Documents]# rpm -V `rpm -qa|grep targeted`
>> missing /usr/share/selinux/targeted/base.pp.bz2
>>
>> So I did a bzip2 -k base.pp, and now rpm -V is happy again.
>>
>> Sounds like I need to manually nuke whats in etc and force
>> rpm to re-install? Unforch, /var/cache/yum is devoid of any
>> F10 files, I just checked.
>>
>> Your turn coach. :)
>
>You could try:
>rpm -Uvh --replacefiles --replacepkgs selinux-policy
>and
>selinux-policy-targeted
>then make sure your base.pp is fresh (try
>semodule -B)
Where do I get the policy and policy-targeted rpms?
/var/cache/yum is empty of any F10 stuff.
How about I use the ones on the install dvd? Then if they are old, yumex can
replace them.
>> >Not totally sure. No. First enable SELinux. Then try to install the
>> >policy module again. If that does not work consider replacing base.pp.
>> >
>> >The error suggests that base.pp is for MLS policy. This should not be
>> >the case.
>> >
>> >> >man semodule
>> >> >
>> >> >This looks like something that could have gone wrong during the
>> >> > upgrade.
I'll second that thought. Thanks Dominick
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
I either want less decadence or more chance to participate in it.
More information about the fedora-selinux-list
mailing list