Oleg Makarenko wrote:

> Just to add more confusion... or probably give some hints to somebody...
>
> I have the same problem on _both_ 1.27_FC3 and 1.35_FC3 kernels.
>
> On 1.35_FC3 machine (remote 2 Xeon x686 server) sshd and mingetty were
> broken after the recent policy update.
>
> I rebooted it with enforcing=0 (using remote console) and then
>
> make -W users reload
>
> (I have policy sources installed on the machine)
>
> Everything works fine since then with
> selinux-policy-targeted-1.17.30-3.13 and kernel-smp-2.6.11-1.35_FC3. My
> policy sources have very minor changes in apache.te and mysqld.te files
> only. Some http related booleans are also different... Maybe the binary
> policy in the package is broken?
>
> On my home 1.27_FC3 machine I have just updated the policy and have not
> rebooted yet. Just after the update a lot of things are broken. For
> example I am unable to start a new (gnome-)terminal etc etc
>
> setenforce 0 in the root's window (that I happen to run yum from) helps.
> Now I am able to start new non root's terminal and mozilla to write this
> e-mail :)
>
> If I then do setenforce 1 and try to ls I get:
>
> [oleg@mole ~]$ ls
> ls: error while loading shared libraries: /lib/tls/librt.so.1: cannot apply additional memory protection after relocation: Permission denied
>
> and in /var/log/messages I see
>
> Jun 28 23:42:01 localhost kernel: audit(1119987721.476:0): avc: denied { execmod } for pid=5873 comm=ls path=/lib/tls/librt-2.3.5.so dev=hda3 ino=16719 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
>
> when I try to run ssh I get:
>
> [oleg@mole ~]$ ssh localhost
> ssh: error while loading shared libraries: /lib/libdl.so.2: cannot apply additional memory protection after relocation: Permission denied
>
> and
>
> Jun 28 23:44:29 localhost kernel: audit(1119987869.572:0): avc: denied { execmod } for pid=5882 comm=ssh path=/lib/libdl-2.3.5.so dev=hda3 ino=2052530 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
>
> in the root's terminal everything works fine even with setenforcing 1
>
> hope this information may be useful.
>
> =oleg

I have installed 1.35_FC3 kernel on my 1.27_FC3 machine and it works fine with the latest policy without any additional tricks.

With exactly the same settings and policy 1.27_FC3 doesn't boot as /sbin/init triggers avc: denied { execmod }. 1.14 doesn't work either while kernel-2.6.10-1.770_FC3 works fine with the new policy.

Policy rebuilding doesn't help here so probably my 1.35_FC3 machine actually ran kernel 1.27_FC3 at the update time. Sorry for confusion.

So I also see the problem only on 1.14 and 1.27 kernels.

=oleg
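Added example, not part of the original message: a small Python triage script that parses AVC records like the two quoted above and groups denials by source type, target type, class and permission, so it is visible at a glance that both failures are the same unconfined_t to lib_t execmod denial. The function names are chosen for this example, and the sample input is the two log records from the message with the mail line wrapping undone.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the message above, rejoined to one record
# per line (the mail client had wrapped them).
SAMPLE_LOG = """\
Jun 28 23:42:01 localhost kernel: audit(1119987721.476:0): avc: denied { execmod } for pid=5873 comm=ls path=/lib/tls/librt-2.3.5.so dev=hda3 ino=16719 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
Jun 28 23:44:29 localhost kernel: audit(1119987869.572:0): avc: denied { execmod } for pid=5882 comm=ssh path=/lib/libdl-2.3.5.so dev=hda3 ino=2052530 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
"""

# audit(<epoch>:<serial>): avc: denied|granted { perm ... } for key=value ...
AVC_RE = re.compile(
    r"audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"epoch": float(m["epoch"]), "result": m["result"],
           "perms": m["perms"].split()}
    # Simplification: values containing spaces (quoted paths) are not handled.
    for token in m["fields"].split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value.strip('"')
    return rec

def context_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def summarize(log_text):
    """Map (source type, target type, class, perm) -> set of (comm, path)."""
    groups = defaultdict(set)
    for rec in map(parse_avc, log_text.splitlines()):
        if not rec or rec["result"] != "denied":
            continue
        if not {"scontext", "tcontext", "tclass"} <= rec.keys():
            continue  # truncated record, skip rather than guess
        for perm in rec["perms"]:
            key = (context_type(rec["scontext"]),
                   context_type(rec["tcontext"]), rec["tclass"], perm)
            groups[key].add((rec.get("comm"), rec.get("path")))
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls, perm), hits in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {tgt}:{cls} {{ {perm} }}  {sorted(hits)}")
```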