---- max <maximilianbianco@xxxxxxxxx> wrote: > max wrote: > > Steve wrote: > >> > >>> ---- max <maximilianbianco@xxxxxxxxx> wrote: > >> > >>>> 2 - The only other sane thing I could advise you too do is bounce > >>>> your question off the fedora-selinux list. I would include a > >>>> reference to this thread and all the relevant details. The kernel > >>>> your running, the policy version (rpm -qa | grep > >>>> selinux...setrouble) , setroubleshoot version, the error messages > >>>> below , and that you run in permissive and used preupgrade to go > >>>> from f8 to f9. > >>>> This will ensure that the right people see your message, this list > >>>> is also monitored but I think when they get busy fedora-selinux is > >>>> likely to still get checked more often than fedora-list. > >>> I was trying to avoid this. I already get several hundred e-mails per > >>> day and I would guess that the selinux list is pretty busy too. Oh > >>> well, I'll just have to deal with it for a while. > >> > >> I found this in the SELinux list archives: > >> > >> http://www.nsa.gov/SELinux/list-archive/0801/thread_body36.cfm > >> > >> which appears to say there was a problem but it was fixed in a patch. > >> I wonder if it has not made it to F9 yet? > >> > >> Steve > > It could be related but they seem to have been running mls policy which > > is not the default policy in f9. I think the patch would have made it > > into F9 by now, the thread dates back to January and F9 released in May > > if memory serves. I think in the end you will have to rebuild the > > policy. The only way that I know of to change the handle_unknown=deny to > > allow is at policy build time. This is set to allow in F8 and F9. Why > > yours is not this way is something I don't understand, unless mine is > > screwed up somehow but I doubt it. I have looked at two f9 boxes and an > > f8 box. All of them have the handle_unknown=allow. Maybe a third party > > could confirm this : > > > > dmesg | grep -i selinux > > > > > > Use the Force, > > > > Max > Steve, > > Try semodule -B . It had completely slipped past me. It will force a > rebuild and reload of policy. > Checkout man semodule. Well I tried that and it didn't appear to do anything. It immeditely return me to the pronpt. However, there was an update to the policy made available yesterday afternoon. I installed it (I can't tell you exactly what it was because I'm on a different machine right now) and then ran the changes from the July 10th entry of Dan Walsh's blog, (http://danwalsh.livejournal.com/) and my problem has gone away. Yea! I can now start up setroubleshootd. I wonder if that problem I noted above just made it to F9? Now on to my next selinux problem on a different machine. I'll start a different thread for that. Thanks for the help, Max. Steve -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
