On 03/05/2010 08:43 AM, Daniel J Walsh wrote: > On 03/04/2010 05:18 PM, Temlakos wrote: >> Daniel J Walsh wrote: >>> On 03/04/2010 01:33 PM, Temlakos wrote: >>>> Dominick Grift wrote: >>>> >>>>> On 03/04/2010 07:14 PM, Temlakos wrote: >>>>> >>>>> >>>>> >>>>>> Anyway--in case I have to use that installer again, as I think I >>>>>> might, >>>>>> I'd like to have somebody go over those alerts--because they >>>>>> /have/ to >>>>>> be related, somehow. Here they are again: >>>>>> >>>>>> >>>>> Just a comment: >>>>> >>>>> ausearch -m avc -ts ... does not show all denials in >>>>> /var/log/audit/audit.log >>>>> >>>>> There could also be user space AVC denials present which can be >>>>> listed with: >>>>> >>>>> ausearch -m user_avc -ts ... >>>>> >>>>> In some rare cases sone AVC denials may end up in dmesg and/or >>>>> /var/log/messages. >>>>> >>>>> Unfortunately i do not see anything in your enclosed AVC denials >>>>> that i >>>>> suspect may be related to your issue. Hopefully someone else does. >>>>> >>>>> >>>>> >>>> Well, I just tried searching on user_avc, even after un-hiding the >>>> alerts. Result: >>>> >>>> <no matches> >>>> >>>> So what I submitted, has to be it. >>>> >>>> But: might this have anything to do with it? I'm using KDE now, and >>>> one >>>> of the things that the installer had to do was to get into KWallet, >>>> and >>>> for that the system asked for my KWallet password, which I gave. >>>> >>>> I'm new to KDE, and I'm surprised that I didn't use it earlier. KDE >>>> has >>>> an automatic package installer that has already made my life a lot >>>> simpler, and when I realized that I was using a lot of KDE-specific >>>> apps, KDE was the logical choice. But maybe KDE has some subtleties >>>> that >>>> occasionally create a security problem in a security-enhanced >>>> environment. >>>> >>>> Temlakos >>>> -- >>>> selinux mailing list >>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx >>>> https://admin.fedoraproject.org/mailman/listinfo/selinux >>>> >>>> >>>> >>> I have seen installations trip over execmod,execmem and execstack >>> checks. >>> >>> Also if the tools use java, it can do some stuff that SELinux does not >>> like. >>> >>> getsebool allow_execstack allow_execmem allow_execmod >>> >>> >> allow_execstack --> on >> allow_execmem --> on >> allow_execmod --> off >> >> OK, what next? >> >> Temlakos >> -- >> selinux mailing list >> selinux@xxxxxxxxxxxxxxxxxxxxxxx >> https://admin.fedoraproject.org/mailman/listinfo/selinux > Try installing with allow_execmod on. > > setsebool allow_execmod 1 > > Done and thanks. Maybe next time I have to use AIR Installer, it will behave. It's nice to be able to enforce the security policy full-time. Temlakos -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
