On Saturday 28 February 2009, Dominick Grift wrote:
>On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
>> On Saturday 28 February 2009, Dominick Grift wrote:
>> >On Sat, 2009-02-28 at 16:09 -0500, Gene Heskett wrote:
>> >> On Saturday 28 February 2009, Dominick Grift wrote:
>> >> >On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
>> >> >> On Saturday 28 February 2009, Dominick Grift wrote:
>> >> >> >On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
>> >> >> >> On Saturday 28 February 2009, Dominick Grift wrote:
>> >> >> >> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
>> >> >> >> >> Greetings all;
>> >> >> >> >>
>> >> >> >> >> I have just upgraded then updated as much as possible, an F8 install to
>> >> >> >> >> F10. selinux is now denying ConsoleKit and friends, and awstats. F10 will
>> >> >> >> >> run without console-kit-daemon I find, but I went so far as to touch
>> >> >> >> >> /.autorelabel & reboot & leave it to contemplate its sins for an hour or
>> >> >> >> >> so as there is nearly 2TB of drives here. Didn't help.
>> >> >> >> >>
>> >> >> >> >> So now I have selinux disabled, and everything is working. Can this be
>> >> >> >> >> addressed?
>> >> >> >> >
>> >> >> >> >Can you show us the avc denials related to your issues? avc denials are
>> >> >> >> >sent to /var/log/audit/audit.log and can be retrieved with the ausearch
>> >> >> >> >command. For example use: ausearch -m avc -ts today, to retrieve today's
>> >> >> >> >avc denials.
>> >> >> >>
>> >> >> >> None today, I turned it off, yesterday's is attached.
>> >> >> >>
>> >> >> >> >You state that you updated as much as possible. What did you not update?
>> >> >> >>
>> >> >> >> About 70 packages are left, all the java stuff cuz I've installed from Sun,
>> >> >> >> I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix that up by
>> >> >> >> hand and some of the menus are still fubar) and anytime I do a -devel, it
>> >> >> >> barfs over strigi. What the heck does that thing do anywho?
>> >> >> >>
>> >> >> >> I also am not running the F10 kernel cuz I have to set stakes and call a
>> >> >> >> surveyor to measure screen scrolling speed, so I'm running 2.6.28.7 and am
>> >> >> >> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees. Now glxgears says
>> >> >> >> 275-300 fps and I can tolerate it. Anyway, from the yumex screen:
>> >> >> >>
>> >> >> >> 14:05:14 : Error in Dependency Resolution
>> >> >> >> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed by
>> >> >> >> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386 (rpmfusion-free-updates)
>> >> >> >> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is needed by
>> >> >> >> package kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686 (rpmfusion-nonfree-updates)
>> >> >> >> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package
>> >> >> >> strigi-devel-0.5.11-1.fc10.i386 (fedora)
>> >> >> >>
>> >> >> >> I might be able to get a list of updates (if you need them) not done from
>> >> >> >> yum. I use yumex most of the time.
>> >> >> >>
>> >> >> >> Thanks Dominick
>> >> >> >
>> >> >> >No that is fine, thanks. Which version of selinux-policy is currently
>> >> >> >installed?
>> >> >> >
>> >> >> >I picked a few of the denials out of there and both were allowed in the
>> >> >> >rawhide policy.
>> >> >> >
>> >> >> >This leads me to think that either you are running an old version of the
>> >> >> >selinux-policy or that the fixes in rawhide policy have not been pushed to
>> >> >> >Fedora 10 policy yet.
>> >> >>
>> >> >> I'll go for the latter as there isn't an update available.
>> >> >> [root@coyote Documents]# rpm -qa|grep policy
>> >> >> checkpolicy-2.0.16-3.fc10.i386
>> >> >> selinux-policy-3.5.13-18.fc10.noarch
>> >> >> policycoreutils-2.0.57-11.fc10.i386
>> >> >> policycoreutils-gui-2.0.57-11.fc10.i386
>> >> >> selinux-policy-targeted-3.5.13-18.fc10.noarch
>> >> >>
>> >> >> >In either case you can create custom policies to allow these denials.
>> >> >> >
>> >> >> >A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M
>> >> >> >mydenials; /usr/sbin/semodule -i mydenials.pp"
>> >> >>
>> >> >> And that upchucks. It generates mydenials.pp, then:
>> >> >> [root@coyote Documents]# /usr/sbin/semodule -i mydenials.pp
>> >> >> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
>> >> >> libsemanage.semanage_link_sandbox: Link packages failed
>> >> >> /usr/sbin/semodule: Failed!
>> >> >>
>> >> >> Looks like I may be missing something?
>> >> >
>> >> >Can you give me the output of sestatus?
>> >>
>> >> This is after the reboot/relabel, using this /etc/selinux/config
>> >>
>> >> # This file controls the state of SELinux on the system.
>> # SELINUX= can take one of these three values:
>> # enforcing - SELinux security policy is enforced.
>> # permissive - SELinux prints warnings instead of enforcing.
>> # disabled - No SELinux policy is loaded.
>> SELINUX=enabeled
>
>should read enforcing or permissive
>
>> # SELINUXTYPE= can take one of these two values:
>> # targeted - Targeted processes are protected,
>> # mls - Multi Level Security protection.
>> SELINUXTYPE=targeted
>> # SETLOCALDEFS= Check local definition changes
>> SETLOCALDEFS=0
>>
>> [root@coyote radeon]# sestatus
>> SELinux status: enabled
>> SELinuxfs mount: /selinux
>> Current mode: permissive
>> Mode from config file: error (Success)
>
>This looks wrong. see above
>
>> Policy version: 24
>> Policy from config file: targeted
>>
>> and that looks completely fubar to me. But since it's 'permissive',
>> consolekit is running, but sealert is popping up about every 30 seconds.
>> It's fussing about console-kit-history now. WTH?
>
>You can easily disable setroubleshoot:
>
>service setroubleshoot stop
>( to disable it by default: chkconfig setroubleshoot off )
>
>> >> >you could try /usr/sbin/semodule -s targeted -i mydenials.pp
>> >>
>> >> Fails exactly the same. Does selinux=disabled screw with that?
>> >
>> >Well you should have SELinux enabled when you install the module.
>> >Enable it first.
>> >
>> >> >You might also consider /usr/sbin/semodule -b base.pp (this should
>> >> >replace the base module)
>> >>
>> >> ohhkayy
>>
>> Turned it back on, rebooted, relabeled, and:
>>
>> [root@coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
>> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
>> libsemanage.semanage_link_sandbox: Link packages failed
>> /usr/sbin/semodule: Failed!
>>
>> [root@coyote Documents]# /usr/sbin/semodule -b base.pp
>> /usr/sbin/semodule: Could not read file 'base.pp': No such file or directory
>> [root@coyote Documents]# locate base.pp
>> /etc/selinux/targeted/modules/active/base.pp
>> /usr/share/selinux/targeted/base.pp.bz2
>>
>> [root@coyote targeted]# ls -l `locate base.pp`
>> -rw------- 1 root root 16771501 2009-02-26 18:38 /etc/selinux/targeted/modules/active/base.pp
>> -rw-r--r-- 1 root root 172790 2008-11-06 13:06 /usr/share/selinux/targeted/base.pp.bz2
>>
>> So which one is right? I'm getting a headache. :(
>
>the one in /etc is active. The one in /usr is used to generate it I
>believe
>
>> So I bunzip2'd the /usr/share/selinux/targeted/base.pp.bz2 and
>> overwrote the /etc/selinux/targeted/modules/active/base.pp with it, it was
>> about half the size. I think this is the same error again.
>> [root@coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
>> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
>> libsemanage.semanage_link_sandbox: Link packages failed
>> /usr/sbin/semodule: Failed!
>>
>> And that bunzip2 operation of course generated this:
>> [root@coyote Documents]# rpm -V `rpm -qa|grep targeted`
>> missing /usr/share/selinux/targeted/base.pp.bz2
>>
>> So I did a bzip2 -k base.pp, and now rpm -V is happy again.
>>
>> Sounds like I need to manually nuke what's in etc and force
>> rpm to re-install? Unforch, /var/cache/yum is devoid of any
>> F10 files, I just checked.
>>
>> Your turn coach. :)
>
>You could try:
>rpm -Uvh --replacefiles --replacepkgs selinux-policy
>and
>selinux-policy-targeted
>then make sure your base.pp is fresh (try
>semodule -B)

Where do I get the policy and policy-targeted rpms? /var/cache/yum is empty of
any F10 stuff. How about I use the ones on the install dvd? Then if they are
old, yumex can replace them.

>> >Not totally sure. No. First enable SELinux. Then try to install the
>> >policy module again. If that does not work consider replacing base.pp.
>> >
>> >The error suggests that base.pp is for MLS policy. This should not be
>> >the case.
>> >
>> >> >man semodule
>> >> >
>> >> >This looks like something that could have gone wrong during the
>> >> >upgrade.

I'll second that thought.

Thanks Dominick

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
I either want less decadence or more chance to participate in it.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
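Two things in the thread above are worth checking mechanically before reaching for audit2allow: the `SELINUX=enabeled` typo in /etc/selinux/config (which is why sestatus printed `Mode from config file: error (Success)`), and what the "quick (and dirty)" `cat avc-denials.txt | audit2allow -M mydenials` pipeline would actually grant. The script below is an added example, not code from the mailing-list post or from the SELinux tools: it validates a config body against the values the file's own comments list, and collapses AVC denial records into the allow rules audit2allow would produce for them so they can be reviewed before a module is loaded. The config text and audit.log lines are constructed samples modelled on the thread; the `httpd_awstats_script_t` and `consolekit_t` denials are illustrative, not copied from the poster's attachment.

```python
"""Check /etc/selinux/config for bad values and summarise AVC denials.

Added example, not code from the mailing-list post. The sample config and
audit.log contents below are constructed for illustration.
"""
import re
from collections import defaultdict

# Accepted values, taken from the comments in /etc/selinux/config itself.
VALID_SELINUX = {"enforcing", "permissive", "disabled"}
VALID_SELINUXTYPE = {"targeted", "mls"}

# Constructed: the config quoted in the thread, typo included.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=enabeled
SELINUXTYPE=targeted
SETLOCALDEFS=0
"""

# Constructed audit.log excerpt in the AVC record format of that era.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1235862000.101:201): avc:  denied  { read } for  pid=2001 comm="console-kit-dae" name="history" dev=sda3 ino=40001 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1235862000.102:202): avc:  denied  { open } for  pid=2001 comm="console-kit-dae" name="history" dev=sda3 ino=40001 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1235862001.500:203): avc:  denied  { getattr } for  pid=2050 comm="awstats.pl" path="/var/log/httpd/access_log" dev=sda3 ino=40077 scontext=system_u:system_r:httpd_awstats_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1235862001.500:203): arch=40000003 syscall=195 success=no exit=-13
"""


def check_selinux_config(text):
    """Return a list of problems in an /etc/selinux/config body; [] means clean.

    A bad SELINUX= value is exactly what sestatus reported as
    'Mode from config file: error' in the thread.
    """
    problems = []
    seen = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            problems.append(f"line {lineno}: expected KEY=value, got {raw!r}")
            continue
        key, value = key.strip(), value.strip()
        seen[key] = value
        if key == "SELINUX" and value not in VALID_SELINUX:
            problems.append(f"line {lineno}: SELINUX={value!r} is not one of {sorted(VALID_SELINUX)}")
        elif key == "SELINUXTYPE" and value not in VALID_SELINUXTYPE:
            problems.append(f"line {lineno}: SELINUXTYPE={value!r} is not one of {sorted(VALID_SELINUXTYPE)}")
    for required in ("SELINUX", "SELINUXTYPE"):
        if required not in seen:
            problems.append(f"{required}= is missing")
    return problems


# Matches one AVC record: the permission set in braces plus the three
# context fields at the end of the line.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc_denials(log_text):
    """Yield one dict per AVC *denial* record; other record types are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("action") != "denied":
            continue
        yield {
            "stype": m.group("scontext").split(":")[2],  # user:role:TYPE:level
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        }


def proposed_rules(log_text):
    """Collapse denials into the allow rules audit2allow would emit for them.

    Reading this list is the review step the one-liner in the thread skips:
    each line is a permanent grant to the source domain.
    """
    grouped = defaultdict(set)
    for d in parse_avc_denials(log_text):
        grouped[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for p in check_selinux_config(SAMPLE_CONFIG) or ["config OK"]:
        print(p)
    for rule in proposed_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

On a real system, feed `check_selinux_config` the contents of /etc/selinux/config and `proposed_rules` the output of `ausearch -m avc -ts today`; a rule whose target type is something like `shadow_t` or whose source domain is a network-facing service is a cue to look for a boolean or a relabel fix rather than loading the generated module.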