selinux question on debian lenny

02-06-2010, 01:08 PM

Hi all,

I installed debian lenny with Xfs as it' s filesystem (in raid-1) and went on to install java (openjdk). This system also has a postgresql database server installation.

I tried to enable selinux by following the steps on this wiki:
http://wiki.debian.org/SELinux/Setup

However, after step 5 in that sequence, Run check-selinux-installation to check that everything has been setup correctly and to catch common SELinux problems. (Note: old-style-ptys aren't serious.), I got the following message:

FSCKFIX is not enabled - not serious, but could prevent system from booting

1) What is causing this and how can I correct it?

2) The next thing I did was to check my syslog. The last part of it says:

Feb* 6 14:52:48 biserver kernel: [** 91.461220] __ratelimit: 12 messages
suppressed
Feb* 6 14:52:48 biserver kernel: [** 91.461224] type=1401 audit(1265464368.175:41): security_compute_sid:* invalid context unconfined_u:unconfined_r:xdm_xserver_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u

bject_r:xserver_exec_t:s0 tclass=process
Feb* 6 14:52:48 biserver kernel: [** 91.716479] SELinux:* context unconfined_u:unconfined_r:xdm_xserver_t:s0 is invalid
Feb* 6 14:52:48 biserver acpid: client connected from 3448[0:0]
Feb* 6 14:52:50 biserver kernel: [** 93.801395] type=1401 audit(1265464370.515:42): security_compute_sid:* invalid context unconfined_u:unconfined_r:xdm_xserver_t:s0 for scontext=unconfined_u:unconfined_r:xdm_xserver_t:s 0 tcontext=system_u

bject_r:shell_exec_t:s0 tclass=process
Feb* 6 14:52:50 biserver kernel: [** 93.817255] type=1401 audit(1265464370.531:43): security_compute_sid:*
invalid context unconfined_u:unconfined_r:xdm_xserver_t:s0 for scontext=unconfined_u:unconfined_r:xdm_xserver_t:s 0 tcontext=system_u

bject_r:bin_t:s0 tclass=process
Feb* 6 14:52:51 biserver kernel: [** 94.365592] type=1401 audit(1265464371.079:44): security_compute_sid:* invalid context unconfined_u:unconfined_r:xdm_xserver_t:s0 for scontext=unconfined_u:unconfined_r:xdm_xserver_t:s 0 tcontext=system_u

bject_r:shell_exec_t:s0 tclass=process
Feb* 6 14:52:51 biserver kernel: [** 94.372334] type=1401 audit(1265464371.087:45): security_compute_sid:* invalid context unconfined_u:unconfined_r:xdm_xserver_t:s0 for scontext=unconfined_u:unconfined_r:xdm_xserver_t:s 0 tcontext=system_u

bject_r:bin_t:s0 tclass=process
Feb* 6 14:52:52 biserver kernel: [** 95.820411] SELinux:* context unconfined_u:unconfined_r:xdm_xserver_t:s0 is invalid
Feb* 6 14:52:53 biserver kernel: [**
96.392035] SELinux:* context unconfined_u:unconfined_r:xdm_xserver_t:s0 is invalid
Feb* 6 14:52:53 biserver kernel: [** 96.500011] SELinux:* context unconfined_u:unconfined_r:xdm_xserver_t:s0 is invalid
Feb* 6 14:52:53 biserver kernel: [** 97.145973] SELinux:* context unconfined_u:unconfined_r:xdm_xserver_t:s0 is invalid
Feb* 6 14:52:54 biserver kernel: [** 98.193879] SELinux:* context unconfined_u:unconfined_r:xdm_xserver_t:s0 is invalid
Feb* 6 14:52:56 biserver kernel: [** 99.888604] SELinux:* context unconfined_u:unconfined_r:xdm_xserver_t:s0 is invalid
Feb* 6 14:52:56 biserver kernel: [* 100.276146] SELinux:* context unconfined_u:unconfined_r:xdm_xserver_t:s0 is invalid
Feb* 6 14:52:57 biserver kernel: [* 100.549781] SELinux:* context unconfined_u:unconfined_r:xdm_xserver_t:s0 is invalid
Feb* 6 14:52:57
biserver kernel: [* 100.696083] type=1400 audit(1265464377.411:46): avc:* denied* { search } for* pid=2562 comm="dbus-daemon" name="3488" dev=proc ino=13750 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=dir
Feb* 6 14:52:57 biserver kernel: [* 100.696128] type=1400 audit(1265464377.411:47): avc:* denied* { read } for* pid=2562 comm="dbus-daemon" name="cmdline" dev=proc ino=13751 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=file
Feb* 6 14:52:57 biserver kernel: [* 100.804317] SELinux:* context unconfined_u:unconfined_r:xdm_xserver_t:s0 is invalid
Feb* 6 14:52:57 biserver kernel: [* 101.253089] SELinux:* context unconfined_u:unconfined_r:xdm_xserver_t:s0 is invalid
Feb* 6 14:53:02 biserver kernel: [* 105.743291] SELinux:* context
unconfined_u:unconfined_r:xdm_xserver_t:s0 is invalid
Feb* 6 14:53:08 biserver kernel: [* 111.857588] SELinux:* context unconfined_u:unconfined_r:xdm_xserver_t:s0 is invalid
Feb* 6 14:53:08 biserver kernel: [* 111.904995] SELinux:* context unconfined_u:unconfined_r:xdm_xserver_t:s0 is invalid
Feb* 6 14:53:09 biserver kernel: [* 113.069960] SELinux:* context unconfined_u:unconfined_r:xdm_xserver_t:s0 is invalid
Feb* 6 14:53:10 biserver kernel: [* 113.948280] SELinux:* context unconfined_u:unconfined_r:xdm_xserver_t:s0 is invalid
Feb* 6 14:53:34 biserver kernel: [* 137.596125] SELinux:* context unconfined_u:unconfined_r:xdm_xserver_t:s0 is invalid
Feb* 6 14:53:34 biserver kernel: [* 137.620644] SELinux:* context unconfined_u:unconfined_r:xdm_xserver_t:s0 is invalid
Feb* 6 14:53:34 biserver kernel: [* 137.772816] SELinux:* context
unconfined_u:unconfined_r:xdm_xserver_t:s0 is invalid
Feb* 6 14:56:14 biserver ntpd[3270]: synchronized to 82.94.235.106, stratum 2

I have seen that my system didn' t start xdm, though. I was thrown to the command line. But doing a startx brought my xfce4 desktop in front of me. but how can I enable xdm? And does that have something to do with the errors I' m seeing in syslog?

3) Do I have to load extra policies if I'm planning to install packages like tomcat? How do I accomplish that?

Thanks in advanced,
Dino