RE: SELinux Policy in OpenSUSE 11.2

On Fri, 2010-02-19 at 15:23 -0500, Alan Rouse wrote:
> Stephen wrote:
> > What does this file contain?  It shouldn't exist at all with modular/managed policy; 
> > it was the legacy way of providing distribution-shipped custom boolean definitions 
> > with monolithic policy. Delete it or put SETLOCALDEFS=0 in your /etc/selinux/config to ignore it.
> 
> Excellent!!!   I put SETLOCALDEFS=0 in /etc/selinux/config and now I'm able to boot into the desktop with selinux enabled, in permissive mode.  (BTW, setsebool does create / update the /etc/selinux/refpolicy-standard/modules/active/booleans.local file.)
> 
> Outstanding issues:
> 1) Several pages of AVC messages: getty_t, sysadm_dbsud_t, system_dbusd_t, various others.
> 
> 2) Error messages during the "fixfiles relabel" (running as root, in permissive mode):
> 
> linux-f8dr:/etc/selinux # fixfiles relabel
> 
>     Files in the /tmp directory may be labeled incorrectly, this command 
>     can remove all files in /tmp.  If you choose to remove files from /tmp, 
>     a reboot will be required after completion.
>     
>     Do you wish to clean out the /tmp directory [N]? n
> /sbin/setfiles:  unable to stat file /home/alan/.gvfs: Permission denied
> /sbin/setfiles:  error while labeling /home:  Permission denied
> find: unknown predicate `-context'
> find: unknown predicate `-context'

I'd run fixfiles from single-user mode and then reboot.

You should file bugs against policycoreutils (to update to the latest)
and against findutils (to include the selinux patch).  The first problem
(inability for even root to traverse a FUSE mount that is owned by
another user) was worked around by a change to setfiles in
policycoreutils 2.0.71 to skip inaccessible mounts.  The second problem
(lack of support for the -context predicate in find) indicates that your
findutils package was not built with SELinux support.  It appears that
this support is still a separate patch in the Fedora package rather than
being part of upstream findutils, so they would need to grab it from the
Fedora .src.rpm or source repository.

-- 
Stephen Smalley
National Security Agency
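A pre-relabel check script, added here as an example (not code from the thread or from policycoreutils), that turns the two diagnoses above into something you can run before `fixfiles relabel`: it flags user-owned FUSE mounts that setfiles before 2.0.71 cannot traverse, tests whether the local find accepts `-context`, and compares the installed policycoreutils version. It assumes an rpm-based system with a package named policycoreutils; the mounts table is a constructed sample used when /proc/mounts is not readable.

```shell
# Pre-relabel checks for the two fixfiles failures in the thread above.
# Added example, not code from the thread or from policycoreutils.

# version_ge HAVE WANT: true when dotted version HAVE is >= WANT.
version_ge() {
    have=$1 want=$2
    while [ -n "$want" ]; do
        h=${have%%.*} w=${want%%.*}
        [ "${h:-0}" -gt "$w" ] && return 0
        [ "${h:-0}" -lt "$w" ] && return 1
        case $have in *.*) have=${have#*.} ;; *) have= ;; esac
        case $want in *.*) want=${want#*.} ;; *) want= ;; esac
    done
    return 0
}

# Read a /proc/mounts-style table on stdin and print FUSE mount points that
# are not owned by root (no user_id=0 option). setfiles before 2.0.71 aborts
# on these ("unable to stat ... Permission denied") instead of skipping them.
fuse_mounts_of_other_users() {
    while read -r _dev mnt fstype opts _rest; do
        case $fstype in fuse|fuse.*) ;; *) continue ;; esac
        case ",$opts," in *,user_id=0,*) continue ;; esac
        printf '%s\n' "$mnt"
    done
}

# True unless this find rejects -context, i.e. findutils built without SELinux.
find_has_context() {
    err=$(find /dev/null -maxdepth 0 -context '*' 2>&1 >/dev/null) || true
    case $err in *"unknown predicate"*) return 1 ;; esac
    return 0
}

# Constructed /proc/mounts excerpt modelled on the failing .gvfs mount above.
SAMPLE_MOUNTS='proc /proc proc rw 0 0
gvfs-fuse-daemon /home/alan/.gvfs fuse.gvfs-fuse-daemon rw,nosuid,nodev,user_id=1000,group_id=100 0 0
/dev/sda2 /home ext4 rw,relatime 0 0'

main() {
    # Package name and rpm query format are assumptions for an rpm-based distro.
    pcu=$(rpm -q --qf '%{VERSION}' policycoreutils 2>/dev/null) || pcu=
    if [ -n "$pcu" ] && ! version_ge "$pcu" 2.0.71; then
        echo "policycoreutils $pcu < 2.0.71: setfiles aborts on inaccessible mounts instead of skipping them"
    fi
    if [ -r /proc/mounts ]; then tbl=$(cat /proc/mounts); else tbl=$SAMPLE_MOUNTS; fi
    printf '%s\n' "$tbl" | fuse_mounts_of_other_users | while read -r m; do
        echo "unmount or exclude before relabel (setfiles -e): $m"
    done
    find_has_context || echo "find lacks -context: findutils built without SELinux support"
}
main
```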

