On 03/04/2010 05:18 PM, Temlakos wrote: > Daniel J Walsh wrote: > >> On 03/04/2010 01:33 PM, Temlakos wrote: >> >>> Dominick Grift wrote: >>> >>> >>>> On 03/04/2010 07:14 PM, Temlakos wrote: >>>> >>>> >>>> >>>> >>>>> Anyway--in case I have to use that installer again, as I think I >>>>> might, >>>>> I'd like to have somebody go over those alerts--because they /have/ to >>>>> be related, somehow. Here they are again: >>>>> >>>>> >>>>> >>>> Just a comment: >>>> >>>> ausearch -m avc -ts ... does not show all denials in >>>> /var/log/audit/audit.log >>>> >>>> There could also be user space AVC denials present which can be >>>> listed with: >>>> >>>> ausearch -m user_avc -ts ... >>>> >>>> In some rare cases sone AVC denials may end up in dmesg and/or >>>> /var/log/messages. >>>> >>>> Unfortunately i do not see anything in your enclosed AVC denials that i >>>> suspect may be related to your issue. Hopefully someone else does. >>>> >>>> >>>> >>>> >>> Well, I just tried searching on user_avc, even after un-hiding the >>> alerts. Result: >>> >>> <no matches> >>> >>> So what I submitted, has to be it. >>> >>> But: might this have anything to do with it? I'm using KDE now, and one >>> of the things that the installer had to do was to get into KWallet, and >>> for that the system asked for my KWallet password, which I gave. >>> >>> I'm new to KDE, and I'm surprised that I didn't use it earlier. KDE has >>> an automatic package installer that has already made my life a lot >>> simpler, and when I realized that I was using a lot of KDE-specific >>> apps, KDE was the logical choice. But maybe KDE has some subtleties that >>> occasionally create a security problem in a security-enhanced >>> environment. >>> >>> Temlakos >>> -- >>> selinux mailing list >>> selinux@xxxxxxxxxxxxxxxxxxxxxxx >>> https://admin.fedoraproject.org/mailman/listinfo/selinux >>> >>> >>> >>> >> I have seen installations trip over execmod,execmem and execstack checks. >> >> Also if the tools use java, it can do some stuff that SELinux does not >> like. >> >> getsebool allow_execstack allow_execmem allow_execmod >> >> >> > allow_execstack --> on > allow_execmem --> on > allow_execmod --> off > > OK, what next? > > Temlakos > -- > selinux mailing list > selinux@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/selinux > Try installing with allow_execmod on. setsebool allow_execmod 1 -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
