Re: setroub;eshoot problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Steve wrote:
---- max bianco <maximilianbianco@xxxxxxxxx> wrote:
On Mon, Jul 14, 2008 at 8:55 AM, Steve <zephod@xxxxxxxxxx> wrote:
I went to start setroubleshoot, Applications->System Tools->SE Linux Troubleshooter and I get this message:

connection failed at /var/run/setroubleshoot/setroubleshoo_tserver. Connection refused

#ls -lZ /var/run/setroubleshoot/setroubleshoot_server
srw-rw-rw-  root root system_u:object_r:setroubleshoot_var_run_t /var/run/setroubleshoot/setroubleshoot_server

That looks right. Is it F8 or F9?

Found some more interesting AVC messages in /var/log/dmesg, This doesn't mean anything to me. Where is the best place to go to get a little more educated about what all this is supposed to mean?

Thanks,
Steve

That depends on what you already know about SELinux. I have found alot of material but its never enough for me:^) This is as good a place to start as any(probably better than most):

http://fedoraproject.org/wiki/SELinux

Depending on how deep you want to get you might look up the Flask Security Architecture. There is a PDF available, its not very long but its informative. There are also a few SELinux specific papers out there. I am reading SELinux by Example, it seems very complete so far and actually references some of the available papers throughout. As for the errors below I am assuming this is the first time you've seen them since you just installed policy. Did you uninstall the policy at some point? Has the machine always, from day of install, been in permissive? Was this a fresh install or an upgrade? Are there any AVC's or error messages, related to SELinux, in the logs from before policy was installed?

...
SELinux:8192 avtab hash slots allocated. Num of rules:68341
SELinux:8192 avtab hash slots allocated. Num of rules:68341
security:  3 users, 6 roles, 1823 types, 80 bools, 1 sens, 1024 cats
security:  61 classes, 68341 rules
security:  class peer not defined in policy
security:  class capability2 not defined in policy
security:  permission recvfrom in class node not defined in policy
security:  permission sendto in class node not defined in policy
security:  permission ingress in class netif not defined in policy
security:  permission egress in class netif not defined in policy
security:  permission setfcap in class capability not defined in policy
security:  permission forward_in in class packet not defined in policy
security:  permission forward_out in class packet not defined in policy
SELinux:  Completing initialization.
SELinux:  Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev anon_inodefs, type anon_inodefs), not configured for labeling
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: policy loaded with handle_unknown=deny
type=1403 audit(1216200106.325:2): policy loaded auid=4294967295 ses=4294967295
type=1400 audit(1216200107.996:3): avc:  denied  { read write } for  pid=505 comm="restorecon" path="/dev/console" dev=tmpfs ino=233 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=1400 audit(1216200109.580:4): avc:  denied  { create } for  pid=731 comm="hwclock" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=1400 audit(1216200109.594:5): avc:  denied  { getattr } for  pid=731 comm="hwclock" path="/etc/adjtime" dev=dm-0 ino=36569532 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:adjtime_t:s0 tclass=file
type=1400 audit(1216200109.594:6): avc:  denied  { read } for  pid=731 comm="hwclock" name="adjtime" dev=dm-0 ino=36569532 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:adjtime_t:s0 tclass=file
type=1400 audit(1216200109.819:7): avc:  denied  { sys_time } for  pid=731 comm="hwclock" capability=25 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1216214509.907:8): avc:  denied  { write } for  pid=731 comm="hwclock" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=1400 audit(1216214510.000:9): avc:  denied  { nlmsg_relay } for  pid=731 comm="hwclock" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=1400 audit(1216214510.000:10): avc:  denied  { audit_write } for  pid=731 comm="hwclock" capability=29 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1216214510.000:11): avc:  denied  { read } for  pid=731 comm="hwclock" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
...




--
Fortune favors the BOLD

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux