On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
> On Saturday 28 February 2009, Dominick Grift wrote:
> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
> >> Greetings all;
> >>
> >> I have just upgraded then updated as much as possible, an F8 install to
> >> F10. selinux is now denying ConsoleKit and friends, and awstats. F10 will
> >> run without console-kit-daemon I find, but I went so far as to touch
> >> /.autorelabel & reboot & leave it to contemplate its sins for an hour or
> >> so as there is nearly 2TB of drives here. Didn't help.
> >>
> >> So Now I have selinux disabled, and everything is working. Can this be
> >> addressed?
> >
> >Can you show us the avc denials related to your issues? avc denials are
> >sent to /var/log/audit/audit.log and can be retrieved with the ausearch
> >command. For example use: ausearch -m avc -ts today, to retrieve today's
> >avc denials.
> >
> None today, I turned it off, yesterday's is attached.
>
> >You state that you updated as much as possible. What did you not update?
>
> About 70 packages are left, all the java stuff cuz I've installed from Sun,
> I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix that up by
> hand and some of the menus are still fubar) and anytime I do a -devel, it
> barfs over strigi. What the heck does that thing do anywho?
>
> I also am not running the F10 kernel cuz I have to set stakes and call a
> surveyor to measure screen scrolling speed, so I'm running 2.6.28.7 and am
> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees. Now glxgears says
> 275-300 fps and I can tolerate it.
> Anyway, from the yumex screen:
>
> 14:05:14 : Error in Dependency Resolution
> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed by
> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386 (rpmfusion-free-
> updates)
> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is needed by
> package kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686
> (rpmfusion-nonfree-updates)
> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package strigi-
> devel-0.5.11-1.fc10.i386 (fedora)
>
> I might be able to get a list of updates (if you need them) not done from yum.
> I use yumex most of the time.
>
> Thanks Dominick
>

No that is fine, thanks.

Which version of selinux-policy is currently installed?

I picked a few of the denials out of there and both were allowed in the
rawhide policy. This leads me to think that either you are running an old
version of the selinux-policy or that the fixes in rawhide policy have not
been pushed to Fedora 10 policy yet.

In either case you can create custom policies to allow these denials.

A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M
mydenials; /usr/sbin/semodule -i mydenials.pp"

caution: I did not review all denials in your list, however most look like
they should be allowed.

You should not let issues like these persuade you to disable SELinux. You
can also run SELinux in permissive mode which will act as an intrusion
detection system but will not prevent policy violations.

hth,
Dominick

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
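Added example (not part of the message above or of the thread): a way to act on the caution about unreviewed denials is to list the distinct rules a saved set of AVC records implies before feeding the whole file to audit2allow. The log lines, the example_*_t target types and the function names below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not the thread's attachment).
SAMPLE = '''\
type=AVC msg=audit(1235760000.101:41): avc:  denied  { read } for  pid=2101 comm="console-kit-dae" name="example" dev=sda1 ino=1001 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:example_log_t:s0 tclass=file
type=AVC msg=audit(1235760005.220:42): avc:  denied  { getattr } for  pid=2101 comm="console-kit-dae" path="/example" dev=sda1 ino=1001 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:example_log_t:s0 tclass=file
type=AVC msg=audit(1235760010.330:43): avc:  denied  { search } for  pid=2300 comm="awstats.pl" name="example" dev=sda1 ino=1002 scontext=system_u:system_r:httpd_awstats_script_t:s0 tcontext=system_u:object_r:example_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1235760010.330:43): arch=40000003 syscall=5 success=no exit=-13
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]

def summarize(log_text):
    """Group denials by (source type, target type, class); merge perms and comms."""
    rules = defaultdict(lambda: {'perms': set(), 'comms': set(), 'count': 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types imply no rule
        key = (context_type(m['scon']), context_type(m['tcon']), m['tclass'])
        entry = rules[key]
        entry['perms'].update(m['perms'].split())
        comm = re.search(r'comm="([^"]*)"', line)
        if comm:
            entry['comms'].add(comm.group(1))
        entry['count'] += 1
    return dict(rules)

def render(rules):
    """Format each group like an allow rule, annotated for manual review."""
    out = []
    for (src, tgt, cls), e in sorted(rules.items()):
        perms = ' '.join(sorted(e['perms']))
        out.append(f"allow {src} {tgt}:{cls} {{ {perms} }};  "
                   f"# {e['count']} denial(s), comm: {', '.join(sorted(e['comms']))}")
    return out

if __name__ == '__main__':
    print('\n'.join(render(summarize(SAMPLE))))
```

Each printed line is one access that a generated module would grant; anything that does not belong to the affected services can be removed from the input file before the module is built.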