Hi,

I upgraded my FC2 system (which did not have selinux enabled) to FC3. After the upgrade selinux was not enabled. First I tried to enable it by using system-config-securitylevel. On boot I got plenty of error messages on console (nothing showed up in the system logs). I immediately rebooted again with selinux disabled.

Next I installed the selinux-policy-targeted-sources package and did:

    cd /etc/selinux/targeted/src/policy
    make
    make relabel

Now when I reboot things look quite ok except:

1) Contrary to the http://fedora.redhat.com/docs/selinux-faq-fc3/ pages, id -Z shows:

    root:system_r:unconfined_t

(not root:sysadm_r:sysadm_t) (After su -)

I tried only to remove and reinstall the pam package (system-auth was changed but there was no system-auth.rpmnew). This had no influence.

2) ISDN does not start correctly on boot:

First problem was that even without selinux the test in the isdn rc-script failed on:

    isdnctrl list all >/dev/null 2>&1
    if [ $? = 0 ] ; then

(prints Can't open /dev/isdnctrl or /dev/isdn/isdnctrl: No such file or directory)

I guess this is a udev related problem? However, disabling this test it works without selinux. With selinux I get on boot:

    kernel: audit(1100423485.839:0): avc: denied { create } for pid=2610 exe=/sbin/MAKEDEV name=isdnctrl scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:tty_device_t tclass=lnk_file

'mgetty ttyI':s do open but do not work. After boot "service isdn start" works even with selinux (I need to make it work in boot) and devices operate properly.

3) Now if I try to start "system-config-securitylevel" *with selinux enabled* I just get:

    Traceback (most recent call last):
      File "/usr/share/system-config-securitylevel/system-config-securitylevel.py", line 18, in ?
        app.stand_alone()
      File "/usr/share/system-config-securitylevel/securitylevel.py", line 427, in stand_alone
        self.selinuxPage = selinuxPage.selinuxPage()
      File "/usr/share/system-config-securitylevel/selinuxPage.py", line 329, in __init__
        self.refreshTunables(self.initialtype)
      File "/usr/share/system-config-securitylevel/selinuxPage.py", line 427, in refreshTunables
        self.loadBooleans()
      File "/usr/share/system-config-securitylevel/selinuxPage.py", line 418, in loadBooleans
        on=rec[3]=="1"
    IndexError: list index out of range

Never have I seen there a way to make httpd work without selinux. When running box with selinux disabled I see only named (rndc option) and get... option on screen).

4) Most of my web pages do not work (most of these are PHP based pages):

    Nov 14 11:20:53 srv kernel: audit(1100424053.389:0): avc: denied { execute } for pid=4416 exe=/usr/sbin/httpd name=rrdcgi dev=dm-0 ino=3542815 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=file
    Nov 14 11:20:59 srv kernel: audit(1100424059.745:0): avc: denied { getattr } for pid=4415 exe=/usr/sbin/httpd path=/opt/bb/bb1.9e-btf/www/bb.html dev=dm-0 ino=1491992 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=file
    Nov 14 11:20:59 srv kernel: audit(1100424059.745:0): avc: denied { getattr } for pid=4415 exe=/usr/sbin/httpd path=/opt/bb/bb1.9e-btf/www/bb.html dev=dm-0 ino=1491992 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=file
    Nov 14 11:21:50 srv kernel: audit(1100424110.999:0): avc: denied { write } for pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=3932284 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_lib_t tclass=sock_file
    Nov 14 11:21:52 srv kernel: audit(1100424112.001:0): avc: denied { write } for pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=3932284 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_lib_t tclass=sock_file
    Nov 14 11:21:53 srv kernel: audit(1100424113.003:0): avc: denied { write } for pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=3932284 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_lib_t tclass=sock_file
    Nov 14 11:21:54 srv kernel: audit(1100424114.004:0): avc: denied { write } for pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=3932284 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_lib_t tclass=sock_file
    Nov 14 11:22:09 srv kernel: audit(1100424129.740:0): avc: denied { read } for pid=4421 exe=/usr/sbin/httpd name=sh dev=dm-0 ino=3443116 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
    Nov 14 11:22:09 srv kernel: audit(1100424129.741:0): avc: denied { read } for pid=4422 exe=/usr/sbin/httpd name=sh dev=dm-0 ino=3443116 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
    Nov 14 11:22:13 srv kernel: audit(1100424133.029:0): avc: denied { execute } for pid=4423 exe=/usr/sbin/httpd name=rrdcgi dev=dm-0 ino=3542815 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=file

I wonder how I could make these work without opening selinux too much?

What is the best way to upgrade selinux to the same state where it would be after a fresh install of FC3 (reinstalling my server is unfortunately no option)? This would also be good material for the FAQ pages.

Tia,
Jouni
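
Added example, not part of the original post: a small parser that collapses AVC denial lines like the ones quoted above into distinct (source type, target type, class, permission, object) tuples with counts, so the repeated entries reduce to the handful of labels actually being denied. The function names are illustrative, and the parser assumes object paths contain no spaces.

```python
import re
from collections import Counter

# AVC lines copied from the post above (mail line wraps rejoined).
SAMPLE = """\
kernel: audit(1100423485.839:0): avc: denied { create } for pid=2610 exe=/sbin/MAKEDEV name=isdnctrl scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:tty_device_t tclass=lnk_file
Nov 14 11:20:53 srv kernel: audit(1100424053.389:0): avc: denied { execute } for pid=4416 exe=/usr/sbin/httpd name=rrdcgi dev=dm-0 ino=3542815 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=file
Nov 14 11:20:59 srv kernel: audit(1100424059.745:0): avc: denied { getattr } for pid=4415 exe=/usr/sbin/httpd path=/opt/bb/bb1.9e-btf/www/bb.html dev=dm-0 ino=1491992 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=file
Nov 14 11:21:50 srv kernel: audit(1100424110.999:0): avc: denied { write } for pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=3932284 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_lib_t tclass=sock_file
Nov 14 11:21:52 srv kernel: audit(1100424112.001:0): avc: denied { write } for pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=3932284 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_lib_t tclass=sock_file
Nov 14 11:22:09 srv kernel: audit(1100424129.740:0): avc: denied { read } for pid=4421 exe=/usr/sbin/httpd name=sh dev=dm-0 ino=3443116 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
"""

# Captures the permission set in braces and the key=value tail of the record.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    try:
        # Contexts here are user:role:type; the type is what policy rules key on.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    obj = fields.get("path") or fields.get("name", "?")
    return {"perms": m.group("perms").split(), "source": source,
            "target": target, "class": tclass, "object": obj}


def summarize(text):
    """Count denials per (source, target, class, permission, object)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["source"], rec["target"], rec["class"], perm, rec["object"])] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, cls, perm, obj), n in sorted(summarize(SAMPLE).items()):
        print(f"{n}x {src} -> {tgt}:{cls} {{ {perm} }}  ({obj})")
```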