Old 02-28-2009, 11:11 PM
Gene Heskett

f10 vs selinux again.

On Saturday 28 February 2009, Dominick Grift wrote:
>On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
>> On Saturday 28 February 2009, Dominick Grift wrote:
>> >On Sat, 2009-02-28 at 16:09 -0500, Gene Heskett wrote:
>> >> On Saturday 28 February 2009, Dominick Grift wrote:
>> >> >On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
>> >> >> On Saturday 28 February 2009, Dominick Grift wrote:
>> >> >> >On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
>> >> >> >> On Saturday 28 February 2009, Dominick Grift wrote:
>> >> >> >> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
>> >> >> >> >> Greetings all;
>> >> >> >> >>
>> >> >> >> >> I have just upgraded then updated as much as possible, an F8
>> >> >> >> >> install to F10. selinux is now denying ConsoleKit and friends,
>> >> >> >> >> and awstats. F10 will run without console-kit-daemon I find,
>> >> >> >> >> but I went so far as to touch /.autorelabel & reboot & leave it
>> >> >> >> >> to contemplate its sins for an hour or so as there is nearly 2TB
>> >> >> >> >> of drives here. Didn't help.
>> >> >> >> >>
>> >> >> >> >> So Now I have selinux disabled, and everything is working. Can
>> >> >> >> >> this be addressed?
>> >> >> >> >
>> >> >> >> >Can you show us the avc denials related to your issues? avc
>> >> >> >> >denials are sent to /var/log/audit/audit.log and can be retrieved
>> >> >> >> >with the ausearch command. For example use: ausearch -m avc -ts
>> >> >> >> >today, to retrieve today's avc denials.
>> >> >> >>
>> >> >> >> None today, I turned it off, yesterday's is attached.
>> >> >> >>
>> >> >> >> >You state that you updated as much as possible. What did you not
>> >> >> >> >update?
>> >> >> >>
>> >> >> >> About 70 packages are left, all the java stuff cuz I've installed
>> >> >> >> from Sun, I've nuked fedora's firefox cuz I already had 3.0.6 (had
>> >> >> >> to fix that up by hand and some of the menus are still fubar) and
>> >> >> >> anytime I do a -devel, it barfs over strigi. What the heck does
>> >> >> >> that thing do anywho?
>> >> >> >>
>> >> >> >> I also am not running the F10 kernel cuz I have to set stakes and
>> >> >> >> call a surveyor to measure screen scrolling speed, so I'm running
>> >> >> >> 2.6.28.7 and am building the xorg drm and xf86-r6xx-r7xx-radeonhd
>> >> >> >> trees. Now glxgears says 275-300 fps and I can tolerate it.
>> >> >> >> Anyway, from the yumex screen:
>> >> >> >>
>> >> >> >> 14:05:14 : Error in Dependency Resolution
>> >> >> >> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is
>> >> >> >> needed by package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386
>> >> >> >> (rpmfusion-free-updates)
>> >> >> >> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686
>> >> >> >> is needed by package
>> >> >> >> kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686
>> >> >> >> (rpmfusion-nonfree-updates)
>> >> >> >> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by
>> >> >> >> package strigi-devel-0.5.11-1.fc10.i386 (fedora)
>> >> >> >>
>> >> >> >> I might be able to get a list of updates (if you need them) not
>> >> >> >> done from yum. I use yumex most of the time.
>> >> >> >>
>> >> >> >> Thanks Dominick
>> >> >> >
>> >> >> >No that is fine, thanks. Which version of selinux-policy is
>> >> >> > currently installed?
>> >> >> >
>> >> >> >I picked a few of the denials out of there and both were allowed in
>> >> >> > the rawhide policy.
>> >> >> >
>> >> >> >This leads me to think that either you are running a old version of
>> >> >> > the selinux-policy or that the fixes in rawhide policy have not
>> >> >> > been pushed to Fedora 10 policy yet.
>> >> >>
>> >> >> I'll go for the latter as there isn't an update available.
>> >> >> [root@coyote Documents]# rpm -qa|grep policy
>> >> >> checkpolicy-2.0.16-3.fc10.i386
>> >> >> selinux-policy-3.5.13-18.fc10.noarch
>> >> >> policycoreutils-2.0.57-11.fc10.i386
>> >> >> policycoreutils-gui-2.0.57-11.fc10.i386
>> >> >> selinux-policy-targeted-3.5.13-18.fc10.noarch
>> >> >>
>> >> >> >In either case you can create custom policies to allow these
>> >> >> > denials.
>> >> >> >
>> >> >> >A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M
>> >> >> >mydenials; /usr/sbin/semodule -i mydenials.pp
>> >> >>
>> >> >> And that upchucks. It generates mydenials.pp, then:
>> >> >> [root@coyote Documents]# /usr/sbin/semodule -i mydenials.pp
>> >> >> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
>> >> >> libsemanage.semanage_link_sandbox: Link packages failed
>> >> >> /usr/sbin/semodule: Failed!
>> >> >>
>> >> >> Looks like I may be missing something?
>> >> >
>> >> >Can you give me the output of sestatus?
>>
>> This is after the reboot/relabel, using this /etc/selinux/config
>>
>> # This file controls the state of SELinux on the system.
>> # SELINUX= can take one of these three values:
>> # enforcing - SELinux security policy is enforced.
>> # permissive - SELinux prints warnings instead of enforcing.
>> # disabled - No SELinux policy is loaded.
>> SELINUX=enabeled
>
>should read enforcing or permissive
>
>> # SELINUXTYPE= can take one of these two values:
>> # targeted - Targeted processes are protected,
>> # mls - Multi Level Security protection.
>> SELINUXTYPE=targeted
>> # SETLOCALDEFS= Check local definition changes
>> SETLOCALDEFS=0
>>
>> [root@coyote radeon]# sestatus
>> SELinux status: enabled
>> SELinuxfs mount: /selinux
>> Current mode: permissive
>> Mode from config file: error (Success)
>
>This looks wrong. see above
>
>> Policy version: 24
>> Policy from config file: targeted
>>
>> and that looks completely fubar to me. But since it's 'permissive',
>> consolekit is running, but sealert is popping up about every 30 seconds.
>> It's fussing about console-kit-history now. WTH?
>
>You can easily disable setroubleshoot:
>
>service setroubleshoot stop
>( to disable it by default: chkconfig setroubleshoot off )
>
>> >> >you could try /usr/sbin/semodule -s targeted -i mydenials.pp
>> >>
>> >> Fails exactly the same. Does selinux=disabled screw with that?
>> >
>> >Well you should have SELinux enabled when you install the module.
>> >Enable it first.
>> >
>> >> >You might also consider /usr/sbin/semodule -b base.pp (this should
>> >> >replace the base module)
>>
>> ohhkayy
>>
>> Turned it back on, rebooted, relabeled, and:
>>
>> [root@coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
>> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
>> libsemanage.semanage_link_sandbox: Link packages failed
>> /usr/sbin/semodule: Failed!
>>
>> [root@coyote Documents]# /usr/sbin/semodule -b base.pp
>> /usr/sbin/semodule: Could not read file 'base.pp': No such file or directory
>> [root@coyote Documents]# locate base.pp
>> /etc/selinux/targeted/modules/active/base.pp
>> /usr/share/selinux/targeted/base.pp.bz2
>>
>> [root@coyote targeted]# ls -l `locate base.pp`
>> -rw------- 1 root root 16771501 2009-02-26 18:38 /etc/selinux/targeted/modules/active/base.pp
>> -rw-r--r-- 1 root root   172790 2008-11-06 13:06 /usr/share/selinux/targeted/base.pp.bz2
>>
>> So which one is right? I'm getting a headache.
>
>the one in /etc is active. The one in /usr is used to generate it I
>believe
>
>> So I bunzip2'd the /usr/share/selinux/targeted/base.pp.bz2 and
>> overwrote the /etc/selinux/targeted/modules/active/base.pp with it, it was
>> about half the size. I think this is the same error again.
>> [root@coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
>> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
>> libsemanage.semanage_link_sandbox: Link packages failed
>> /usr/sbin/semodule: Failed!
>>
>> And that bunzip2 operation of course generated this:
>> [root@coyote Documents]# rpm -V `rpm -qa|grep targeted`
>> missing /usr/share/selinux/targeted/base.pp.bz2
>>
>> So I did a bzip2 -k base.pp, and now rpm -V is happy again.
>>
>> Sounds like I need to manually nuke what's in etc and force
>> rpm to re-install? Unforch, /var/cache/yum is devoid of any
>> F10 files, I just checked.
>>
>> Your turn coach.
>
>You could try:
>rpm -Uvh --replacefiles --replacepkgs selinux-policy
>and
>selinux-policy-targeted

>then make sure your base.pp is fresh (try
>semodule -B)

Where do I get the policy and policy-targeted rpms?
/var/cache/yum is empty of any F10 stuff.

How about I use the ones on the install dvd? Then if they are old, yumex can
replace them.

>> >Not totally sure. No. First enable SELinux. Then try to install the
>> >policy module again. If that does not work consider replacing base.pp.
>> >
>> >The error suggests that base.pp is for MLS policy. This should not be
>> >the case.
>> >
>> >> >man semodule
>> >> >
>> >> >This looks like something that could have gone wrong during the
>> >> > upgrade.

I'll second that thought. Thanks Dominick

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
I either want less decadence or more chance to participate in it.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
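The exchange above pipes yesterday's denials straight through `audit2allow -M` and into `semodule -i`, which Dominick himself calls quick and dirty: whatever the log contains becomes policy. The script below is an added example, not code from the thread or from the SELinux project, showing the review step a practitioner would put in between: parse the `avc: denied` records, merge them per (source type, target type, object class) the way audit2allow does, render the resulting `allow` rules, and flag the ones that grant write or execute-style permissions. The audit.log lines it works on are constructed for the example (Gene's attachment is not on the page); the type names `consolekit_t`, `httpd_t`, `var_log_t` and `var_lib_t` and the `REVIEW_PERMS` set are this example's own choices. Real audit2allow output also wraps the rules in a module header and a `require { ... }` block; only the `allow` lines are reproduced here.

```python
"""Summarise AVC denials from an audit.log excerpt and render the allow
rules audit2allow would derive from them, so they can be reviewed before
`semodule -i`.  Added example; not code from the thread."""
import re
from collections import defaultdict

# Constructed sample audit.log lines in the F10 audit record format.  They
# are NOT the denials Gene attached to the list (that file is not on the page).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1235846400.101:201): avc:  denied  { read } for  pid=2345 comm="console-kit-dae" name="history" dev=dm-0 ino=4711 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1235846400.102:202): avc:  denied  { open } for  pid=2345 comm="console-kit-dae" name="history" dev=dm-0 ino=4711 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1235846401.500:203): avc:  denied  { write } for  pid=2345 comm="console-kit-dae" name="history" dev=dm-0 ino=4711 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1235846402.000:204): avc:  denied  { getattr } for  pid=3001 comm="awstats.pl" path="/var/lib/awstats" dev=dm-0 ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1235846402.000:204): arch=40000003 syscall=195 success=no exit=-13 comm="awstats.pl"
"""

# Matches the parts of an AVC record that determine the allow rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions that deserve a human look before being allowed wholesale: they
# let the source domain change data or gain execution rights.  (Example's own
# list, not an official SELinux classification.)
REVIEW_PERMS = {"write", "append", "create", "unlink", "rename", "setattr",
                "execute", "execute_no_trans", "execmod", "execmem",
                "entrypoint", "transition", "setenforce", "load_policy"}


def parse_avc_denials(text):
    """Return one dict per 'avc: denied' record: source type, target type,
    object class and the set of denied permissions.  Other record types
    (SYSCALL, PATH, ...) are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        denials.append({
            "stype": m.group("scontext").split(":")[2],   # user:role:TYPE:level
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return denials


def summarize(denials):
    """Merge denials by (source type, target type, class), unioning the
    permissions, which is how audit2allow collapses repeated AVCs."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(merged)


def to_te_rules(summary):
    """Render the merged denials as TE allow rules in the same shape
    audit2allow -M writes into its generated .te file."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(summary.items())
    ]


def rules_needing_review(summary):
    """Keys whose permission set includes something from REVIEW_PERMS."""
    return sorted(k for k, perms in summary.items() if perms & REVIEW_PERMS)


if __name__ == "__main__":
    s = summarize(parse_avc_denials(SAMPLE_AUDIT_LOG))
    for rule in to_te_rules(s):
        print(rule)
    for key in rules_needing_review(s):
        print("review before allowing:", key, sorted(s[key] & REVIEW_PERMS))
```

Run against real output of `ausearch -m avc -ts today`, the rule list is what the generated module would contain; anything flagged for review is a candidate for a proper file-context or boolean fix rather than a blanket allow, and the rest can go to `audit2allow -M` with some confidence about what is being granted.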
 
Old 02-28-2009, 11:39 PM
Gene Heskett

f10 vs selinux again.

On Saturday 28 February 2009, Dominick Grift wrote:
>On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
>
>You could try:
>rpm -Uvh --replacefiles --replacepkgs selinux-policy and
>selinux-policy-targeted then make sure your base.pp is fresh (try
>semodule -B)

Ok, did that, no problem with the selinux-policy rpm from the dvd, but when I do the same with selinux-policy-targeted, I'm right back to square one:

[root@coyote Packages]# rpm -Uvh --replacefiles --replacepkgs selinux-policy-targeted-3.5.13-18.fc10.noarch.rpm
Preparing... ########################################### [100%]
1:selinux-policy-targeted########################################## # [100%]
libsepol.print_missing_requirements: pki's global requirements were not met: type/attribute pki_kra_port_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!

A somewhat different error message that might be a bit more enlightening to
someone who actually knows what it means, but it's Swahili to me.

So, should I nuke the contents of /etc/selinux/* and repeat the rpm commands?

Your turn, Coach.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Lightning strikes.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 03-01-2009, 10:18 AM
Dominick Grift

f10 vs selinux again.

On Sat, 2009-02-28 at 19:39 -0500, Gene Heskett wrote:
> On Saturday 28 February 2009, Dominick Grift wrote:
> >On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
> >
> >You could try:
> >rpm -Uvh --replacefiles --replacepkgs selinux-policy and
> >selinux-policy-targeted then make sure your base.pp is fresh (try
> >semodule -B)
>
> Ok, did that, no problem with the selinux-policy rpm from the dvd, but when I do the same with selinux-policy-targeted, I'm right back to square one:
>
> [root@coyote Packages]# rpm -Uvh --replacefiles --replacepkgs selinux-policy-targeted-3.5.13-18.fc10.noarch.rpm
> Preparing... ########################################### [100%]
> 1:selinux-policy-targeted########################################## # [100%]
> libsepol.print_missing_requirements: pki's global requirements were not met: type/attribute pki_kra_port_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
>
> A somewhat different error message that might be a bit more enlightening to
> someone who actually knows what it means, but it's Swahili to me.
>
> So, should I nuke the contents of /etc/selinux/* and repeat the rpm commands?
>
> Your turn, Coach.
>

You can get the latest packages from koji.fedoraproject.org/koji or your
local fedora mirror.

The error above looks like a bug in policy.

Make sure that if you install the latest selinux policy for f10 from
koji, that you install both: selinux-policy as well as
selinux-policy-targeted.



--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 03-01-2009, 03:54 PM
Gene Heskett

f10 vs selinux again.

On Sunday 01 March 2009, Dominick Grift wrote:
>On Sat, 2009-02-28 at 19:39 -0500, Gene Heskett wrote:
>> On Saturday 28 February 2009, Dominick Grift wrote:
>> >On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
>> >
>> >You could try:
>> >rpm -Uvh --replacefiles --replacepkgs selinux-policy and
>> >selinux-policy-targeted then make sure your base.pp is fresh (try
>> >semodule -B)
>>
>> Ok, did that, no problem with the selinux-policy rpm from the dvd, but
>> when I do the same with selinux-policy-targeted, I'm right back to square
>> one:
>>
>> [root@coyote Packages]# rpm -Uvh --replacefiles --replacepkgs selinux-policy-targeted-3.5.13-18.fc10.noarch.rpm
>> Preparing... ########################################### [100%]
>> 1:selinux-policy-targeted########################################## # [100%]
>> libsepol.print_missing_requirements: pki's global requirements were not met: type/attribute pki_kra_port_t
>> libsemanage.semanage_link_sandbox: Link packages failed
>> semodule: Failed!
>>
>> A somewhat different error message that might be a bit more enlightening
>> to someone who actually knows what it means, but it's Swahili to me.
>>
>> So, should I nuke the contents of /etc/selinux/* and repeat the rpm
>> commands?
>>
>> Your turn, Coach.
>
>You can get the latest packages from koji.fedoraproject.org/koji or your
>local fedora mirror.
>
>The error above looks like a bug in policy.
>
>Make sure that if you install the latest selinux policy for f10 from
>koji, that you install both: selinux-policy as well as
>selinux-policy-targeted.

I found late yesterday that the updates repo in my yum-repos.d was disabled.
Enabling that & pulling in several hundred more updates, I have not seen
another alert since I installed those updated ones. No idea where they came
from, just some yum mirror I have to assume, lacking more info.

Maybe we can lay this one to rest, and I can go back to "enforcing" since it's
permissive due to a misspelling of enforcing in the config. Sorry for the
noise, my apologies.


--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Everything should be made as simple as possible, but not simpler.
-- Albert Einstein

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
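The root cause Gene closes the thread with is a one-word typo: `SELINUX=enabeled` in /etc/selinux/config, which `sestatus` reported as `Mode from config file: error` while the box came up permissive instead of enforcing. The following is an added example, not code from the thread or from the SELinux project, of the pre-reboot sanity check that catches that class of mistake: it parses the config body and verifies that `SELINUX=` is one of the three documented values and `SELINUXTYPE=` one of the two the F10 file's own comments list. The config text embedded below is a constructed copy of the one quoted in the thread, typo included; when given a path on the command line the script checks that file instead.

```python
"""Sanity-check an /etc/selinux/config body before rebooting into it.
Added example, not from the thread; it works on a string so it runs offline."""
import re
import sys

VALID_MODES = ("enforcing", "permissive", "disabled")
# The two policy types the F10 config file's own comments list.
VALID_TYPES = ("targeted", "mls")

# Constructed copy of the config quoted in the thread, including the typo.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enabeled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
"""

KEY_RE = re.compile(r"^([A-Z_]+)\s*=\s*(.*?)\s*$")


def parse_selinux_config(text):
    """Return ({key: value}, [problems]) for a config body.  Comment and blank
    lines are ignored; anything else that is not KEY=value is reported."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m is None:
            problems.append(f"line {lineno}: not a KEY=value line: {line!r}")
            continue
        settings[m.group(1)] = m.group(2)
    return settings, problems


def check_selinux_config(text):
    """Validate SELINUX= and SELINUXTYPE=.  Returns the recognised mode (or
    None), the recognised policy type (or None), a list of problems, and
    ok=True only when both values are recognised."""
    settings, problems = parse_selinux_config(text)
    mode = settings.get("SELINUX")
    ptype = settings.get("SELINUXTYPE")

    if mode is None:
        problems.append("SELINUX= is missing")
    elif mode.lower() not in VALID_MODES:
        # libselinux compares the mode case-insensitively; anything else is
        # unrecognised, which is what sestatus showed as
        # 'Mode from config file: error' in the thread.
        problems.append(f"SELINUX={mode!r} is not one of {', '.join(VALID_MODES)}")

    if ptype is None:
        problems.append("SELINUXTYPE= is missing")
    elif ptype not in VALID_TYPES:
        # The type names a directory under /etc/selinux, so it is case-sensitive.
        problems.append(f"SELINUXTYPE={ptype!r} is not one of {', '.join(VALID_TYPES)}")

    return {
        "ok": not problems,
        "mode": mode.lower() if mode and mode.lower() in VALID_MODES else None,
        "type": ptype if ptype in VALID_TYPES else None,
        "problems": problems,
    }


if __name__ == "__main__":
    # Usage: check_selinux_config.py [/etc/selinux/config]; exits non-zero on problems.
    body = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    result = check_selinux_config(body)
    for p in result["problems"]:
        print("PROBLEM:", p)
    print("ok" if result["ok"] else "fix the file before rebooting")
    sys.exit(0 if result["ok"] else 1)
```

The check deliberately does not guess what the misspelt value was meant to be: `enabeled` is closer to `disabled` than to the `enforcing` Gene intended, so a "did you mean" hint would have pointed the wrong way. It just refuses the value and lists the accepted ones.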
 
