On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
> On Saturday 28 February 2009, Dominick Grift wrote:
> >On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
> >> On Saturday 28 February 2009, Dominick Grift wrote:
> >> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
> >> >> Greetings all;
> >> >>
> >> >> I have just upgraded then updated as much as possible, an F8 install to
> >> >> F10. selinux is now denying ConsoleKit and friends, and awstats. F10 will
> >> >> run without console-kit-daemon I find, but I went so far as to touch
> >> >> /.autorelabel & reboot & leave it to contemplate its sins for an hour or
> >> >> so as there is nearly 2TB of drives here. Didn't help.
> >> >>
> >> >> So Now I have selinux disabled, and everything is working. Can this be
> >> >> addressed?
> >> >
> >> >Can you show us the avc denials related to your issues? avc denials are
> >> >sent to /var/log/audit/audit.log and can be retrieved with the ausearch
> >> >command. For example use: ausearch -m avc -ts today, to retrieve today's
> >> >avc denials.
> >>
> >> None today, I turned it off, yesterday's is attached.
> >>
> >> >You state that you updated as much as possible. What did you not update?
> >>
> >> About 70 packages are left, all the java stuff cuz I've installed from Sun,
> >> I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix that up by
> >> hand and some of the menus are still fubar) and anytime I do a -devel, it
> >> barfs over strigi. What the heck does that thing do anywho?
> >>
> >> I also am not running the F10 kernel cuz I have to set stakes and call a
> >> surveyor to measure screen scrolling speed, so I'm running 2.6.28.7 and am
> >> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees. Now glxgears says
> >> 275-300 fps and I can tolerate it.
> >> Anyway, from the yumex screen:
> >>
> >> 14:05:14 : Error in Dependency Resolution
> >> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed by
> >> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386
> >> (rpmfusion-free-updates)
> >> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is needed by
> >> package kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686
> >> (rpmfusion-nonfree-updates)
> >> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package
> >> strigi-devel-0.5.11-1.fc10.i386 (fedora)
> >>
> >> I might be able to get a list of updates (if you need them) not done from yum.
> >> I use yumex most of the time.
> >>
> >> Thanks Dominick
> >
> >No that is fine, thanks. Which version of selinux-policy is currently
> >installed?
> >
> >I picked a few of the denials out of there and both were allowed in the
> >rawhide policy.
> >
> >This leads me to think that either you are running an old version of the
> >selinux-policy or that the fixes in rawhide policy have not been pushed
> >to Fedora 10 policy yet.
> >
> I'll go for the latter as there isn't an update available.
> [root@coyote Documents]# rpm -qa|grep policy
> checkpolicy-2.0.16-3.fc10.i386
> selinux-policy-3.5.13-18.fc10.noarch
> policycoreutils-2.0.57-11.fc10.i386
> policycoreutils-gui-2.0.57-11.fc10.i386
> selinux-policy-targeted-3.5.13-18.fc10.noarch
>
> >In either case you can create custom policies to allow these denials.
> >
> >A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M
> >mydenials; /usr/sbin/semodule -i mydenials.pp
>
> And that upchucks. It generates mydenials.pp, then:
> [root@coyote Documents]# /usr/sbin/semodule -i mydenials.pp
> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
> libsemanage.semanage_link_sandbox: Link packages failed
> /usr/sbin/semodule: Failed!
>
> Looks like I may be missing something?

Can you give me the output of sestatus?

you could try /usr/sbin/semodule -s targeted -i mydenials.pp

You might also consider /usr/sbin/semodule -b base.pp (this should replace the base module)

man semodule

This looks like something that could have gone wrong during the upgrade. It claims that an MLS base module is installed but you have installed selinux-policy-targeted

you should really c.c. fedora-selinux-list so that knowledgeable people like dwalsh can give suggestions as well.

> >caution: i did not review all denials in your list, however most look
> >like they should be allowed.
> >
> >You should not let issues like these persuade you to disable SELinux.
> >You can also run SELinux in permissive mode which will act as an
> >intrusion detection system but will not prevent policy violations.
>
> I am not terribly paranoid about running selinux, Dominick, I have all my
> local network behind an x86 version of dd-wrt & it's locked up pretty tight.
> selinux is last ditch. In 2 years, no one has gotten past dd-wrt that I
> didn't first give them the password to it. I see my running it as more of the
> playing of a role, that of the canary in the coal mine if you will.
>
> >hth , Dominick
> >

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
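
Added example (not part of the original message and not code from any list participant): before piping a denial list through audit2allow -M as suggested in the thread, the denials can be grouped by source type, target type and class so that each rule the module would add is reviewed first. The log lines and all function names are constructed for illustration, and the printed rules only approximate what a generated module would contain.

```python
import re
from collections import defaultdict

# Constructed sample in audit.log format; NOT the denials attached in the thread.
SAMPLE_LOG = '''\
type=AVC msg=audit(1235761514.101:45): avc:  denied  { read } for  pid=2345 comm="console-kit-dae" name="utmp" dev=sda1 ino=1201 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1235761514.101:45): arch=40000003 syscall=5 success=no exit=-13 comm="console-kit-dae"
type=AVC msg=audit(1235761515.220:46): avc:  denied  { write } for  pid=2345 comm="console-kit-dae" name="utmp" dev=sda1 ino=1201 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1235761600.007:52): avc:  denied  { search } for  pid=3001 comm="awstats.pl" name="log" dev=sda1 ino=77 scontext=system_u:system_r:httpd_awstats_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None for non-AVC or malformed lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    try:
        # A context is user:role:type[:level]; policy rules name the type.
        return {"perms": m.group(1).split(),
                "source": fields["scontext"].split(":")[2],
                "target": fields["tcontext"].split(":")[2],
                "tclass": fields["tclass"],
                "comm": fields.get("comm", "?")}
    except (KeyError, IndexError):
        return None

def summarise(log_text):
    """Group denials by (source type, target type, class), merging permissions."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            g = groups[(d["source"], d["target"], d["tclass"])]
            g["perms"].update(d["perms"])
            g["comms"].add(d["comm"])
            g["count"] += 1
    return dict(groups)

def as_rules(groups):
    """Approximate the allow rules a generated module would contain."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    for rule in as_rules(summarise(SAMPLE_LOG)):
        print(rule)
```
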