[redhat-lspp] problem changing role.

Glauber de Oliveira Costa glommer at br.ibm.com
Tue Feb 7 16:52:17 UTC 2006


Sorry for posting to both lists. I'm reporting a whole problem, and I think 
there are pieces of it of interest to each of you. Since it has not been 
that easy to isolate those parts, I'm posting the whole picture here.

I noticed the problem when running the newrole command. When trying to change 
root's role to sysadm_r, I got the following message:

[root at localhost ~]# newrole -r sysadm_r -t sysadm_t
Authenticating root.
Password:
Error sending audit message.

The problem remained even in permissive mode. I then checked the AVC messages 
from the audit log, and *problem 1*, noticed that some objects of the system did 
not have any categories associated with their MLS labels (i.e., they were s0 
instead of s0:c0.c255). This left the process and the object in an 
incomparable state, and the chcon command fixed it. However, our installation 
here is pretty much a default one. Vivi (CC'ed) may be able to give more 
information on this, but maybe it's a signal that there is something wrong 
with the default installation. We may give you more info if you want, as 
requested.

The offending labels were on:
/usr/share/fonts and /var/cache/fontconfig/*

Fixing the labels of the files got rid of the AVC denial messages, but the 
problem persisted. However, the audit log now shows the following message:

type=SELINUX_ERR msg=audit(1139315244.562:56): SELinux:  unrecognized netlink message type=2300 for sclass=49

The following piece of code from security/selinux/hooks.c in the kernel tree 
reveals that it is not a great issue in permissive mode (the err = 0 statement), but 
I honestly don't know what this message represents, and what the 
consequences of it should be while enforcing, so, reporting I am:

        if (err) {
                if (err == -EINVAL) {
                        audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
                                  "SELinux:  unrecognized netlink message"
                                  " type=%hu for sclass=%hu\n",
                                  nlh->nlmsg_type, isec->sclass);
                        if (!selinux_enforcing)
                                err = 0;
                }

But after that, newrole still did not work. To get it to work, I got 
policycoreutils-1.29.18-2.src.rpm from the Fedora development tree. I then 
compiled it (tip for packagers: I was unable to do it without issuing a ln 
-s /lib/libsepol.so.1 /lib/libsepol.so), and this time I was able to change 
roles.

However, it *DOES NOT* seem like a versioning problem, as shown by the 
following output:

[root at localhost log]# rpm -qa policycoreutils
policycoreutils-1.29.18-2

Which just leaves me clueless about what the real problem is. 
For practical purposes, we're now able to do the tasks we were trying to. But 
some questions remain unanswered (especially the kernel message and the 
newrole problem). I hope this report helps you guys to somehow improve the 
process. 

Let me know if there can be any valuable information that can be provided.


Glauber.
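A quick check for the kind of mislabeling described above (objects carrying a plain s0 with no category set), as an added shell example that is not part of the original post: it reads context/path pairs, the way an administrator might pipe a listing of file contexts, and flags labels whose MLS range has no categories. The sample listing, its paths and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): flag SELinux file labels whose
# MLS range carries no categories, e.g. "s0" where "s0:c0.c255" was expected.
# An SELinux context is user:role:type:range; the range is either a single
# level ("s0", "s0:c0.c255") or low-high ("s0-s15:c0.c1023").

# Return 0 if the context's MLS range names at least one category, 1 otherwise.
has_categories() {
    ctx="$1"
    # Everything from the fourth colon-separated field on is the MLS range.
    range=$(printf '%s' "$ctx" | cut -d: -f4-)
    case "$range" in
        *:c*) return 0 ;;   # a ":c<n>" component means categories are present
        *)    return 1 ;;   # no range at all, or a level without categories
    esac
}

# Read "<context> <path>" lines on stdin; print the ones lacking categories
# as "<context><TAB><path>" so they can be fed to a relabeling step.
find_uncategorized() {
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        has_categories "$ctx" || printf '%s\t%s\n' "$ctx" "$path"
    done
}

# Constructed sample listing, modeled on the paths named in the report.
SAMPLE='system_u:object_r:fonts_t:s0 /usr/share/fonts
system_u:object_r:fonts_t:s0:c0.c255 /usr/share/fonts/default
system_u:object_r:fonts_cache_t:s0 /var/cache/fontconfig/example.cache-2
system_u:object_r:etc_t:s0-s15:c0.c1023 /etc/passwd
system_u:object_r:etc_t:s0 /etc/hosts'

# Run the check over the constructed sample; three of the five entries are flagged.
printf '%s\n' "$SAMPLE" | find_uncategorized
```

On a real system the flagged paths are the ones to relabel (with chcon, or by restoring the policy's default contexts) before retrying the role change.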



