FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 02-28-2009, 04:53 PM
Gene Heskett
 
Default f10 vs selinux again.

Greetings all;

I have just upgraded then updated as much as possible, an F8 install to F10.
selinux is now denying ConsoleKit and friends, and awstats. F10 will run
without console-kit-daemon I find, but I went so far as to touch /.autorelabel
& reboot & leave it to contemplate its sins for an hour or so as there is
nearly 2TB of drives here. Didn't help.

So Now I have selinux disabled, and everything it working. Can this be
addressed?

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
"It may be that our role on this planet is not to worship God but to
create him."
-Arthur C. Clarke

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 02-28-2009, 05:06 PM
Dominick Grift
 
Default f10 vs selinux again.

On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
> Greetings all;
>
> I have just upgraded then updated as much as possible, an F8 install to F10.
> selinux is now denying ConsoleKit and friends, and awstats. F10 will run
> without console-kit-daemon I find, but I went so far as to touch /.autorelabel
> & reboot & leave it to contemplate its sins for an hour or so as there is
> nearly 2TB of drives here. Didn't help.
>
> So Now I have selinux disabled, and everything it working. Can this be
> addressed?
>

Can you show use the avc denials related to your issues? avc denials are
sent to /var/log/audit/audit.log and can be retrieved with the ausearch
command. For example use: ausearch -m avc -ts today, to retrieve today's
avc denials.

You state that you updated as much as possible. What did you not update?


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 02-28-2009, 06:45 PM
Dominick Grift
 
Default f10 vs selinux again.

On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
> On Saturday 28 February 2009, Dominick Grift wrote:
> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
> >> Greetings all;
> >>
> >> I have just upgraded then updated as much as possible, an F8
install to
> >> F10. selinux is now denying ConsoleKit and friends, and awstats.
F10 will
> >> run without console-kit-daemon I find, but I went so far as to
touch
> >> /.autorelabel & reboot & leave it to contemplate its sins for an
hour or
> >> so as there is nearly 2TB of drives here. Didn't help.
> >>
> >> So Now I have selinux disabled, and everything it working. Can
this be
> >> addressed?
> >
> >Can you show use the avc denials related to your issues? avc denials
are
> >sent to /var/log/audit/audit.log and can be retrieved with the
ausearch
> >command. For example use: ausearch -m avc -ts today, to retrieve
today's
> >avc denials.
> >
> None today, I turned it off, yesterdays is attached.
>
> >You state that you updated as much as possible. What did you not
update?
>
> About 70 packages are left, all the java stuff cuz I've installed from
Sun,
> I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix that
up by
> hand and some of the menus are still fubar) and anytime I do a -devel,
it
> barfs over strigi. What the heck does that thing do anywho?
>
> I also am not running the F10 kernel cuz I have to set stakes and call
a
> surveyer to measure screen scrolling speed, so I'm running 2.6.28.7
and am
> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees. Now glxgears
says
> 275-300 fps and I can tolerate it. Anyway, from the yumex screen:
>
> 14:05:14 : Error in Dependency Resolution
> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed
by
> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386
(rpmfusion-free-
> updates)
> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is
needed by
> package
kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686
> (rpmfusion-nonfree-updates)
> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package
strigi-
> devel-0.5.11-1.fc10.i386 (fedora)
>
> I might be able to get a list of updates (if you need them) not done
from yum.
> I use yumex most of the time.
>
> Thanks Dominick
>

No that is fine, thanks. Which version of selinux-policy is currently
installed?

I picked a few of the denials out of there and both were allowed in the
rawhide policy.

This leads me to think that either you are running a old version of the
selinux-policy or that the fixes in rawhide policy have not been pushed
to Fedora 10 policy yet.

I either case you can create custom policies to allow these denials.

A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M
mydenials; /usr/sbin/semodule -i mydenials.pp

caution: i did not review all denials in your list, however most look
like they should be allowed.

You should not let issues like these persuade you to disable SELinux.
You can also run SELinux is permissive mode which will act as an
intrusion detection system but will not prevent policy violations.

hth , Dominick




--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 02-28-2009, 07:47 PM
Dominick Grift
 
Default f10 vs selinux again.

On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
> On Saturday 28 February 2009, Dominick Grift wrote:
> >On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
> >> On Saturday 28 February 2009, Dominick Grift wrote:
> >> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
> >> >> Greetings all;
> >> >>
> >> >> I have just upgraded then updated as much as possible, an F8
> >
> >install to
> >
> >> >> F10. selinux is now denying ConsoleKit and friends, and awstats.
> >
> >F10 will
> >
> >> >> run without console-kit-daemon I find, but I went so far as to
> >
> >touch
> >
> >> >> /.autorelabel & reboot & leave it to contemplate its sins for an
> >
> >hour or
> >
> >> >> so as there is nearly 2TB of drives here. Didn't help.
> >> >>
> >> >> So Now I have selinux disabled, and everything it working. Can
> >
> >this be
> >
> >> >> addressed?
> >> >
> >> >Can you show use the avc denials related to your issues? avc denials
> >
> >are
> >
> >> >sent to /var/log/audit/audit.log and can be retrieved with the
> >
> >ausearch
> >
> >> >command. For example use: ausearch -m avc -ts today, to retrieve
> >
> >today's
> >
> >> >avc denials.
> >>
> >> None today, I turned it off, yesterdays is attached.
> >>
> >> >You state that you updated as much as possible. What did you not
> >
> >update?
> >
> >> About 70 packages are left, all the java stuff cuz I've installed from
> >
> >Sun,
> >
> >> I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix that
> >
> >up by
> >
> >> hand and some of the menus are still fubar) and anytime I do a -devel,
> >
> >it
> >
> >> barfs over strigi. What the heck does that thing do anywho?
> >>
> >> I also am not running the F10 kernel cuz I have to set stakes and call
> >
> >a
> >
> >> surveyer to measure screen scrolling speed, so I'm running 2.6.28.7
> >
> >and am
> >
> >> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees. Now glxgears
> >
> >says
> >
> >> 275-300 fps and I can tolerate it. Anyway, from the yumex screen:
> >>
> >> 14:05:14 : Error in Dependency Resolution
> >> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed
> >
> >by
> >
> >> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386
> >
> >(rpmfusion-free-
> >
> >> updates)
> >> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is
> >
> >needed by
> >
> >> package
> >
> >kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686
> >
> >> (rpmfusion-nonfree-updates)
> >> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package
> >
> >strigi-
> >
> >> devel-0.5.11-1.fc10.i386 (fedora)
> >>
> >> I might be able to get a list of updates (if you need them) not done
> >
> >from yum.
> >
> >> I use yumex most of the time.
> >>
> >> Thanks Dominick
> >
> >No that is fine, thanks. Which version of selinux-policy is currently
> >installed?
> >
> >I picked a few of the denials out of there and both were allowed in the
> >rawhide policy.
> >
> >This leads me to think that either you are running a old version of the
> >selinux-policy or that the fixes in rawhide policy have not been pushed
> >to Fedora 10 policy yet.
> >
> I'll go for the latter as there isn't an update available.
> [root@coyote Documents]# rpm -qa|grep policy
> checkpolicy-2.0.16-3.fc10.i386
> selinux-policy-3.5.13-18.fc10.noarch
> policycoreutils-2.0.57-11.fc10.i386
> policycoreutils-gui-2.0.57-11.fc10.i386
> selinux-policy-targeted-3.5.13-18.fc10.noarch
>
> >I either case you can create custom policies to allow these denials.
> >
> >A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M
> >mydenials; /usr/sbin/semodule -i mydenials.pp
>
> And that upchucks. It generates mydenials.pp, then:
> [root@coyote Documents]# /usr/sbin/semodule -i mydenials.pp
> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
> libsemanage.semanage_link_sandbox: Link packages failed
> /usr/sbin/semodule: Failed!
>
> Looks like I may be missing something?

Can you give me to output of sestatus?

you could try /usr/sbin/semodule -s targeted -i mydenials.pp

You might also consider /usr/sbin/semodule -b base.pp (this should
replace the base module)

man semodule

This looks like something that could have gone wrong during the upgrade.

It claims that a MLS base module is installed but you have installed
selinux-policy-targeted

you should really c.c. fedora-selinux-list so that knowledgeable people
like dwalsh can give suggestions as well.


> >caution: i did not review all denials in your list, however most look
> >like they should be allowed.
> >
> >You should not let issues like these persuade you to disable SELinux.
> >You can also run SELinux is permissive mode which will act as an
> >intrusion detection system but will not prevent policy violations.
>
> I am not terribly paranoid about running selinux, Dominick, I have all my
> local network behind an x86 version of dd-wrt & its locked up pretty tight.
> selinux is last ditch. In 2 years, no one has gotten past dd-wrt that I
> didn't first give them the password to it. I see my running it as more of the
> playing of a role, that of the canary in the coal mine if you will.
>
> >hth , Dominick
>
>

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 02-28-2009, 08:09 PM
Gene Heskett
 
Default f10 vs selinux again.

On Saturday 28 February 2009, Dominick Grift wrote:
>On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
>> On Saturday 28 February 2009, Dominick Grift wrote:
>> >On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
>> >> On Saturday 28 February 2009, Dominick Grift wrote:
>> >> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
>> >> >> Greetings all;
>> >> >>
>> >> >> I have just upgraded then updated as much as possible, an F8
>> >
>> >install to
>> >
>> >> >> F10. selinux is now denying ConsoleKit and friends, and awstats.
>> >
>> >F10 will
>> >
>> >> >> run without console-kit-daemon I find, but I went so far as to
>> >
>> >touch
>> >
>> >> >> /.autorelabel & reboot & leave it to contemplate its sins for an
>> >
>> >hour or
>> >
>> >> >> so as there is nearly 2TB of drives here. Didn't help.
>> >> >>
>> >> >> So Now I have selinux disabled, and everything it working. Can
>> >
>> >this be
>> >
>> >> >> addressed?
>> >> >
>> >> >Can you show use the avc denials related to your issues? avc denials
>> >
>> >are
>> >
>> >> >sent to /var/log/audit/audit.log and can be retrieved with the
>> >
>> >ausearch
>> >
>> >> >command. For example use: ausearch -m avc -ts today, to retrieve
>> >
>> >today's
>> >
>> >> >avc denials.
>> >>
>> >> None today, I turned it off, yesterdays is attached.
>> >>
>> >> >You state that you updated as much as possible. What did you not
>> >
>> >update?
>> >
>> >> About 70 packages are left, all the java stuff cuz I've installed from
>> >
>> >Sun,
>> >
>> >> I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix that
>> >
>> >up by
>> >
>> >> hand and some of the menus are still fubar) and anytime I do a -devel,
>> >
>> >it
>> >
>> >> barfs over strigi. What the heck does that thing do anywho?
>> >>
>> >> I also am not running the F10 kernel cuz I have to set stakes and call
>> >
>> >a
>> >
>> >> surveyer to measure screen scrolling speed, so I'm running 2.6.28.7
>> >
>> >and am
>> >
>> >> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees. Now glxgears
>> >
>> >says
>> >
>> >> 275-300 fps and I can tolerate it. Anyway, from the yumex screen:
>> >>
>> >> 14:05:14 : Error in Dependency Resolution
>> >> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed
>> >
>> >by
>> >
>> >> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386
>> >
>> >(rpmfusion-free-
>> >
>> >> updates)
>> >> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is
>> >
>> >needed by
>> >
>> >> package
>> >
>> >kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686
>> >
>> >> (rpmfusion-nonfree-updates)
>> >> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package
>> >
>> >strigi-
>> >
>> >> devel-0.5.11-1.fc10.i386 (fedora)
>> >>
>> >> I might be able to get a list of updates (if you need them) not done
>> >
>> >from yum.
>> >
>> >> I use yumex most of the time.
>> >>
>> >> Thanks Dominick
>> >
>> >No that is fine, thanks. Which version of selinux-policy is currently
>> >installed?
>> >
>> >I picked a few of the denials out of there and both were allowed in the
>> >rawhide policy.
>> >
>> >This leads me to think that either you are running a old version of the
>> >selinux-policy or that the fixes in rawhide policy have not been pushed
>> >to Fedora 10 policy yet.
>>
>> I'll go for the latter as there isn't an update available.
>> [root@coyote Documents]# rpm -qa|grep policy
>> checkpolicy-2.0.16-3.fc10.i386
>> selinux-policy-3.5.13-18.fc10.noarch
>> policycoreutils-2.0.57-11.fc10.i386
>> policycoreutils-gui-2.0.57-11.fc10.i386
>> selinux-policy-targeted-3.5.13-18.fc10.noarch
>>
>> >I either case you can create custom policies to allow these denials.
>> >
>> >A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M
>> >mydenials; /usr/sbin/semodule -i mydenials.pp
>>
>> And that upchucks. It generates mydenials.pp, then:
>> [root@coyote Documents]# /usr/sbin/semodule -i mydenials.pp
>> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
>> libsemanage.semanage_link_sandbox: Link packages failed
>> /usr/sbin/semodule: Failed!
>>
>> Looks like I may be missing something?
>
>Can you give me to output of sestatus?
>
>you could try /usr/sbin/semodule -s targeted -i mydenials.pp

Fails exactly the same. Does selinux=disabled screw with that?
>
>You might also consider /usr/sbin/semodule -b base.pp (this should
>replace the base module)

Are you sure I want to do that?

>man semodule
>
>This looks like something that could have gone wrong during the upgrade.

It won't be the first time. When I went from f6 to f8, lots of stuff was
busted, stuff the guru's said could not happen, but did to me. One whole
section of the install was skipped & I had to go pull in about 200 packages by
hand.

>It claims that a MLS base module is installed but you have installed
>selinux-policy-targeted

And that is how I'm normally configured.

>you should really c.c. fedora-selinux-list so that knowledgeable people
>like dwalsh can give suggestions as well.

Duh, sorry. Your reply showed up in the list folder so I didn't hit reply-
all, added now.

>> >caution: i did not review all denials in your list, however most look
>> >like they should be allowed.
>> >
>> >You should not let issues like these persuade you to disable SELinux.
>> >You can also run SELinux is permissive mode which will act as an
>> >intrusion detection system but will not prevent policy violations.
>>
>> I am not terribly paranoid about running selinux, Dominick, I have all my
>> local network behind an x86 version of dd-wrt & its locked up pretty
>> tight. selinux is last ditch. In 2 years, no one has gotten past dd-wrt
>> that I didn't first give them the password to it. I see my running it as
>> more of the playing of a role, that of the canary in the coal mine if you
>> will.
>>
>> >hth , Dominick


--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Let us be charitable, and call it a misleading feature :-)
-- Larry Wall in <2609@jato.Jpl.Nasa.Gov>

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 02-28-2009, 08:15 PM
Dominick Grift
 
Default f10 vs selinux again.

On Sat, 2009-02-28 at 16:09 -0500, Gene Heskett wrote:
> On Saturday 28 February 2009, Dominick Grift wrote:
> >On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
> >> On Saturday 28 February 2009, Dominick Grift wrote:
> >> >On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
> >> >> On Saturday 28 February 2009, Dominick Grift wrote:
> >> >> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
> >> >> >> Greetings all;
> >> >> >>
> >> >> >> I have just upgraded then updated as much as possible, an F8
> >> >
> >> >install to
> >> >
> >> >> >> F10. selinux is now denying ConsoleKit and friends, and awstats.
> >> >
> >> >F10 will
> >> >
> >> >> >> run without console-kit-daemon I find, but I went so far as to
> >> >
> >> >touch
> >> >
> >> >> >> /.autorelabel & reboot & leave it to contemplate its sins for an
> >> >
> >> >hour or
> >> >
> >> >> >> so as there is nearly 2TB of drives here. Didn't help.
> >> >> >>
> >> >> >> So Now I have selinux disabled, and everything it working. Can
> >> >
> >> >this be
> >> >
> >> >> >> addressed?
> >> >> >
> >> >> >Can you show use the avc denials related to your issues? avc denials
> >> >
> >> >are
> >> >
> >> >> >sent to /var/log/audit/audit.log and can be retrieved with the
> >> >
> >> >ausearch
> >> >
> >> >> >command. For example use: ausearch -m avc -ts today, to retrieve
> >> >
> >> >today's
> >> >
> >> >> >avc denials.
> >> >>
> >> >> None today, I turned it off, yesterdays is attached.
> >> >>
> >> >> >You state that you updated as much as possible. What did you not
> >> >
> >> >update?
> >> >
> >> >> About 70 packages are left, all the java stuff cuz I've installed from
> >> >
> >> >Sun,
> >> >
> >> >> I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix that
> >> >
> >> >up by
> >> >
> >> >> hand and some of the menus are still fubar) and anytime I do a -devel,
> >> >
> >> >it
> >> >
> >> >> barfs over strigi. What the heck does that thing do anywho?
> >> >>
> >> >> I also am not running the F10 kernel cuz I have to set stakes and call
> >> >
> >> >a
> >> >
> >> >> surveyer to measure screen scrolling speed, so I'm running 2.6.28.7
> >> >
> >> >and am
> >> >
> >> >> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees. Now glxgears
> >> >
> >> >says
> >> >
> >> >> 275-300 fps and I can tolerate it. Anyway, from the yumex screen:
> >> >>
> >> >> 14:05:14 : Error in Dependency Resolution
> >> >> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed
> >> >
> >> >by
> >> >
> >> >> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386
> >> >
> >> >(rpmfusion-free-
> >> >
> >> >> updates)
> >> >> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is
> >> >
> >> >needed by
> >> >
> >> >> package
> >> >
> >> >kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686
> >> >
> >> >> (rpmfusion-nonfree-updates)
> >> >> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package
> >> >
> >> >strigi-
> >> >
> >> >> devel-0.5.11-1.fc10.i386 (fedora)
> >> >>
> >> >> I might be able to get a list of updates (if you need them) not done
> >> >
> >> >from yum.
> >> >
> >> >> I use yumex most of the time.
> >> >>
> >> >> Thanks Dominick
> >> >
> >> >No that is fine, thanks. Which version of selinux-policy is currently
> >> >installed?
> >> >
> >> >I picked a few of the denials out of there and both were allowed in the
> >> >rawhide policy.
> >> >
> >> >This leads me to think that either you are running a old version of the
> >> >selinux-policy or that the fixes in rawhide policy have not been pushed
> >> >to Fedora 10 policy yet.
> >>
> >> I'll go for the latter as there isn't an update available.
> >> [root@coyote Documents]# rpm -qa|grep policy
> >> checkpolicy-2.0.16-3.fc10.i386
> >> selinux-policy-3.5.13-18.fc10.noarch
> >> policycoreutils-2.0.57-11.fc10.i386
> >> policycoreutils-gui-2.0.57-11.fc10.i386
> >> selinux-policy-targeted-3.5.13-18.fc10.noarch
> >>
> >> >I either case you can create custom policies to allow these denials.
> >> >
> >> >A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M
> >> >mydenials; /usr/sbin/semodule -i mydenials.pp
> >>
> >> And that upchucks. It generates mydenials.pp, then:
> >> [root@coyote Documents]# /usr/sbin/semodule -i mydenials.pp
> >> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
> >> libsemanage.semanage_link_sandbox: Link packages failed
> >> /usr/sbin/semodule: Failed!
> >>
> >> Looks like I may be missing something?
> >
> >Can you give me to output of sestatus?
> >
> >you could try /usr/sbin/semodule -s targeted -i mydenials.pp
>
> Fails exactly the same. Does selinux=disabled screw with that?

Well you should have SELinux enabled when you install the module.
Enable it first.

> >
> >You might also consider /usr/sbin/semodule -b base.pp (this should
> >replace the base module)
>
> Are you sure I want to do that?

Not totally sure. No. First enable SELinux. Then try to install the
policy module again. If that does not work consider replacing base.pp.

The error suggests that base.pp is for MLS policy. This should not be
the case.

> >man semodule
> >
> >This looks like something that could have gone wrong during the upgrade.
>
> It won't be the first time. When I went from f6 to f8, lots of stuff was
> busted, stuff the guru's said could not happen, but did to me. One whole
> section of the install was skipped & I had to go pull in about 200 packages by
> hand.
>
> >It claims that a MLS base module is installed but you have installed
> >selinux-policy-targeted
>
> And that is how I'm normally configured.
>
> >you should really c.c. fedora-selinux-list so that knowledgeable people
> >like dwalsh can give suggestions as well.
>
> Duh, sorry. Your reply showed up in the list folder so I didn't hit reply-
> all, added now.
>
> >> >caution: i did not review all denials in your list, however most look
> >> >like they should be allowed.
> >> >
> >> >You should not let issues like these persuade you to disable SELinux.
> >> >You can also run SELinux is permissive mode which will act as an
> >> >intrusion detection system but will not prevent policy violations.
> >>
> >> I am not terribly paranoid about running selinux, Dominick, I have all my
> >> local network behind an x86 version of dd-wrt & its locked up pretty
> >> tight. selinux is last ditch. In 2 years, no one has gotten past dd-wrt
> >> that I didn't first give them the password to it. I see my running it as
> >> more of the playing of a role, that of the canary in the coal mine if you
> >> will.
> >>
> >> >hth , Dominick
>
>

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 02-28-2009, 10:18 PM
Gene Heskett
 
Default f10 vs selinux again.

On Saturday 28 February 2009, Dominick Grift wrote:
>On Sat, 2009-02-28 at 16:09 -0500, Gene Heskett wrote:
>> On Saturday 28 February 2009, Dominick Grift wrote:
>> >On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
>> >> On Saturday 28 February 2009, Dominick Grift wrote:
>> >> >On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
>> >> >> On Saturday 28 February 2009, Dominick Grift wrote:
>> >> >> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
>> >> >> >> Greetings all;
>> >> >> >>
>> >> >> >> I have just upgraded then updated as much as possible, an F8
>> >> >
>> >> >install to
>> >> >
>> >> >> >> F10. selinux is now denying ConsoleKit and friends, and awstats.
>> >> >
>> >> >F10 will
>> >> >
>> >> >> >> run without console-kit-daemon I find, but I went so far as to
>> >> >
>> >> >touch
>> >> >
>> >> >> >> /.autorelabel & reboot & leave it to contemplate its sins for an
>> >> >
>> >> >hour or
>> >> >
>> >> >> >> so as there is nearly 2TB of drives here. Didn't help.
>> >> >> >>
>> >> >> >> So Now I have selinux disabled, and everything it working. Can
>> >> >
>> >> >this be
>> >> >
>> >> >> >> addressed?
>> >> >> >
>> >> >> >Can you show use the avc denials related to your issues? avc
>> >> >> > denials
>> >> >
>> >> >are
>> >> >
>> >> >> >sent to /var/log/audit/audit.log and can be retrieved with the
>> >> >
>> >> >ausearch
>> >> >
>> >> >> >command. For example use: ausearch -m avc -ts today, to retrieve
>> >> >
>> >> >today's
>> >> >
>> >> >> >avc denials.
>> >> >>
>> >> >> None today, I turned it off, yesterdays is attached.
>> >> >>
>> >> >> >You state that you updated as much as possible. What did you not
>> >> >
>> >> >update?
>> >> >
>> >> >> About 70 packages are left, all the java stuff cuz I've installed
>> >> >> from
>> >> >
>> >> >Sun,
>> >> >
>> >> >> I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix that
>> >> >
>> >> >up by
>> >> >
>> >> >> hand and some of the menus are still fubar) and anytime I do a
>> >> >> -devel,
>> >> >
>> >> >it
>> >> >
>> >> >> barfs over strigi. What the heck does that thing do anywho?
>> >> >>
>> >> >> I also am not running the F10 kernel cuz I have to set stakes and
>> >> >> call
>> >> >
>> >> >a
>> >> >
>> >> >> surveyer to measure screen scrolling speed, so I'm running 2.6.28.7
>> >> >
>> >> >and am
>> >> >
>> >> >> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees. Now
>> >> >> glxgears
>> >> >
>> >> >says
>> >> >
>> >> >> 275-300 fps and I can tolerate it. Anyway, from the yumex screen:
>> >> >>
>> >> >> 14:05:14 : Error in Dependency Resolution
>> >> >> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed
>> >> >
>> >> >by
>> >> >
>> >> >> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386
>> >> >
>> >> >(rpmfusion-free-
>> >> >
>> >> >> updates)
>> >> >> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is
>> >> >
>> >> >needed by
>> >> >
>> >> >> package
>> >> >
>> >> >kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686
>> >> >
>> >> >> (rpmfusion-nonfree-updates)
>> >> >> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package
>> >> >
>> >> >strigi-
>> >> >
>> >> >> devel-0.5.11-1.fc10.i386 (fedora)
>> >> >>
>> >> >> I might be able to get a list of updates (if you need them) not done
>> >> >
>> >> >from yum.
>> >> >
>> >> >> I use yumex most of the time.
>> >> >>
>> >> >> Thanks Dominick
>> >> >
>> >> >No that is fine, thanks. Which version of selinux-policy is currently
>> >> >installed?
>> >> >
>> >> >I picked a few of the denials out of there and both were allowed in
>> >> > the rawhide policy.
>> >> >
>> >> >This leads me to think that either you are running a old version of
>> >> > the selinux-policy or that the fixes in rawhide policy have not been
>> >> > pushed to Fedora 10 policy yet.
>> >>
>> >> I'll go for the latter as there isn't an update available.
>> >> [root@coyote Documents]# rpm -qa|grep policy
>> >> checkpolicy-2.0.16-3.fc10.i386
>> >> selinux-policy-3.5.13-18.fc10.noarch
>> >> policycoreutils-2.0.57-11.fc10.i386
>> >> policycoreutils-gui-2.0.57-11.fc10.i386
>> >> selinux-policy-targeted-3.5.13-18.fc10.noarch
>> >>
>> >> >I either case you can create custom policies to allow these denials.
>> >> >
>> >> >A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M
>> >> >mydenials; /usr/sbin/semodule -i mydenials.pp
>> >>
>> >> And that upchucks. It generates mydenials.pp, then:
>> >> [root@coyote Documents]# /usr/sbin/semodule -i mydenials.pp
>> >> libsepol.link_modules: Tried to link in a non-MLS module with an MLS
>> >> base. libsemanage.semanage_link_sandbox: Link packages failed
>> >> /usr/sbin/semodule: Failed!
>> >>
>> >> Looks like I may be missing something?
>> >
>> >Can you give me to output of sestatus?
This is after the reboot/relabel, using this /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enabeled

# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

[root@coyote radeon]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: error (Success)
Policy version: 24
Policy from config file: targeted

and that looks completely fubar to me. But since its 'permissive',
consolekit is running, but sealert is popping up about every 30 seconds.
Its fussing about console-kit-history now. WTH?

>> >you could try /usr/sbin/semodule -s targeted -i mydenials.pp
>>
>> Fails exactly the same. Does selinux=disabled screw with that?
>
>Well you should have SELinux enabled when you install the module.
>Enable it first.
>
>> >You might also consider /usr/sbin/semodule -b base.pp (this should
>> >replace the base module)

ohhkayy

Turned it back on, rebooted, relabeled, and:

[root@coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!

[root@coyote Documents]# /usr/sbin/semodule -b base.pp
/usr/sbin/semodule: Could not read file 'base.pp': No such file or directory
[root@coyote Documents]# locate base.pp
/etc/selinux/targeted/modules/active/base.pp
/usr/share/selinux/targeted/base.pp.bz2

[root@coyote targeted]# ls -l `locate base.pp`
-rw------- 1 root root 16771501 2009-02-26 18:38 /etc/selinux/targeted/modules/active/base.pp
-rw-r--r-- 1 root root 172790 2008-11-06 13:06 /usr/share/selinux/targeted/base.pp.bz2

So which one is right? I'm getting a headache.

So I bunzip2'd the the /usr/share/selinux/targeted/base.pp.bz2 and overwrote
the /etc/selinux/targeted/modules/active/base.pp with it, it was about half
the size. I think this is the same error again.
[root@coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!

And that bunzip2 operation of course generated this:
[root@coyote Documents]# rpm -V `rpm -qa|grep targeted`
missing /usr/share/selinux/targeted/base.pp.bz2

So I did a bzip2 -k base.pp, and now rpm -V is happy again.

Sounds like I need to manually nuke whats in etc and force
rpm to re-install? Unforch, /var/cache/yum is devoid of any
F10 files, I just checked.

Your turn coach.

>
>Not totally sure. No. First enable SELinux. Then try to install the
>policy module again. If that does not work consider replacing base.pp.
>
>The error suggests that base.pp is for MLS policy. This should not be
>the case.
>
>> >man semodule
>> >
>> >This looks like something that could have gone wrong during the upgrade.
>>
>> It won't be the first time. When I went from f6 to f8, lots of stuff was
>> busted, stuff the guru's said could not happen, but did to me. One whole
>> section of the install was skipped & I had to go pull in about 200
>> packages by hand.
>>
>> >It claims that a MLS base module is installed but you have installed
>> >selinux-policy-targeted
>>
>> And that is how I'm normally configured.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Hey dol! merry dol! ring a dong dillo!
Ring a dong! hop along! fal lal the willow!
Tom Bom, jolly Tom, Tom Bombadillo!
-- J. R. R. Tolkien

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 02-28-2009, 10:27 PM
Joe Nall
 
Default f10 vs selinux again.

On Feb 28, 2009, at 5:18 PM, Gene Heskett wrote:

...
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enabeled


enabeled (other than being misspelled) is not a valid choice
(enforcing, permissive, disabled)



...
[root@coyote radeon]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: error (Success)


because the mode from the config file is not correct

joe

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 02-28-2009, 10:46 PM
Dominick Grift
 
Default f10 vs selinux again.

On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
> On Saturday 28 February 2009, Dominick Grift wrote:
> >On Sat, 2009-02-28 at 16:09 -0500, Gene Heskett wrote:
> >> On Saturday 28 February 2009, Dominick Grift wrote:
> >> >On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
> >> >> On Saturday 28 February 2009, Dominick Grift wrote:
> >> >> >On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
> >> >> >> On Saturday 28 February 2009, Dominick Grift wrote:
> >> >> >> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
> >> >> >> >> Greetings all;
> >> >> >> >>
> >> >> >> >> I have just upgraded then updated as much as possible, an F8
> >> >> >
> >> >> >install to
> >> >> >
> >> >> >> >> F10. selinux is now denying ConsoleKit and friends, and awstats.
> >> >> >
> >> >> >F10 will
> >> >> >
> >> >> >> >> run without console-kit-daemon I find, but I went so far as to
> >> >> >
> >> >> >touch
> >> >> >
> >> >> >> >> /.autorelabel & reboot & leave it to contemplate its sins for an
> >> >> >
> >> >> >hour or
> >> >> >
> >> >> >> >> so as there is nearly 2TB of drives here. Didn't help.
> >> >> >> >>
> >> >> >> >> So Now I have selinux disabled, and everything it working. Can
> >> >> >
> >> >> >this be
> >> >> >
> >> >> >> >> addressed?
> >> >> >> >
> >> >> >> >Can you show use the avc denials related to your issues? avc
> >> >> >> > denials
> >> >> >
> >> >> >are
> >> >> >
> >> >> >> >sent to /var/log/audit/audit.log and can be retrieved with the
> >> >> >
> >> >> >ausearch
> >> >> >
> >> >> >> >command. For example use: ausearch -m avc -ts today, to retrieve
> >> >> >
> >> >> >today's
> >> >> >
> >> >> >> >avc denials.
> >> >> >>
> >> >> >> None today, I turned it off, yesterdays is attached.
> >> >> >>
> >> >> >> >You state that you updated as much as possible. What did you not
> >> >> >
> >> >> >update?
> >> >> >
> >> >> >> About 70 packages are left, all the java stuff cuz I've installed
> >> >> >> from
> >> >> >
> >> >> >Sun,
> >> >> >
> >> >> >> I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix that
> >> >> >
> >> >> >up by
> >> >> >
> >> >> >> hand and some of the menus are still fubar) and anytime I do a
> >> >> >> -devel,
> >> >> >
> >> >> >it
> >> >> >
> >> >> >> barfs over strigi. What the heck does that thing do anywho?
> >> >> >>
> >> >> >> I also am not running the F10 kernel cuz I have to set stakes and
> >> >> >> call
> >> >> >
> >> >> >a
> >> >> >
> >> >> >> surveyer to measure screen scrolling speed, so I'm running 2.6.28.7
> >> >> >
> >> >> >and am
> >> >> >
> >> >> >> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees. Now
> >> >> >> glxgears
> >> >> >
> >> >> >says
> >> >> >
> >> >> >> 275-300 fps and I can tolerate it. Anyway, from the yumex screen:
> >> >> >>
> >> >> >> 14:05:14 : Error in Dependency Resolution
> >> >> >> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed
> >> >> >
> >> >> >by
> >> >> >
> >> >> >> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386
> >> >> >
> >> >> >(rpmfusion-free-
> >> >> >
> >> >> >> updates)
> >> >> >> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is
> >> >> >
> >> >> >needed by
> >> >> >
> >> >> >> package
> >> >> >
> >> >> >kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686
> >> >> >
> >> >> >> (rpmfusion-nonfree-updates)
> >> >> >> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package
> >> >> >
> >> >> >strigi-
> >> >> >
> >> >> >> devel-0.5.11-1.fc10.i386 (fedora)
> >> >> >>
> >> >> >> I might be able to get a list of updates (if you need them) not done
> >> >> >
> >> >> >from yum.
> >> >> >
> >> >> >> I use yumex most of the time.
> >> >> >>
> >> >> >> Thanks Dominick
> >> >> >
> >> >> >No that is fine, thanks. Which version of selinux-policy is currently
> >> >> >installed?
> >> >> >
> >> >> >I picked a few of the denials out of there and both were allowed in
> >> >> > the rawhide policy.
> >> >> >
> >> >> >This leads me to think that either you are running a old version of
> >> >> > the selinux-policy or that the fixes in rawhide policy have not been
> >> >> > pushed to Fedora 10 policy yet.
> >> >>
> >> >> I'll go for the latter as there isn't an update available.
> >> >> [root@coyote Documents]# rpm -qa|grep policy
> >> >> checkpolicy-2.0.16-3.fc10.i386
> >> >> selinux-policy-3.5.13-18.fc10.noarch
> >> >> policycoreutils-2.0.57-11.fc10.i386
> >> >> policycoreutils-gui-2.0.57-11.fc10.i386
> >> >> selinux-policy-targeted-3.5.13-18.fc10.noarch
> >> >>
> >> >> >I either case you can create custom policies to allow these denials.
> >> >> >
> >> >> >A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M
> >> >> >mydenials; /usr/sbin/semodule -i mydenials.pp
> >> >>
> >> >> And that upchucks. It generates mydenials.pp, then:
> >> >> [root@coyote Documents]# /usr/sbin/semodule -i mydenials.pp
> >> >> libsepol.link_modules: Tried to link in a non-MLS module with an MLS
> >> >> base. libsemanage.semanage_link_sandbox: Link packages failed
> >> >> /usr/sbin/semodule: Failed!
> >> >>
> >> >> Looks like I may be missing something?
> >> >
> >> >Can you give me to output of sestatus?
> This is after the reboot/relabel, using this /etc/selinux/config
>
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - No SELinux policy is loaded.
> SELINUX=enabeled
should read enforcing or permissive
>
> # SELINUXTYPE= can take one of these two values:
> # targeted - Targeted processes are protected,
> # mls - Multi Level Security protection.
> SELINUXTYPE=targeted
> # SETLOCALDEFS= Check local definition changes
> SETLOCALDEFS=0
>
> [root@coyote radeon]# sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: error (Success)
This looks wrong. see above
> Policy version: 24
> Policy from config file: targeted
>
> and that looks completely fubar to me. But since its 'permissive',
> consolekit is running, but sealert is popping up about every 30 seconds.
> Its fussing about console-kit-history now. WTH?

You can easily disable setroubleshoot:

service setroubleshoot stop
( to disable it by default: chkconfig setroubleshoot off )

> >> >you could try /usr/sbin/semodule -s targeted -i mydenials.pp
> >>
> >> Fails exactly the same. Does selinux=disabled screw with that?
> >
> >Well you should have SELinux enabled when you install the module.
> >Enable it first.
> >
> >> >You might also consider /usr/sbin/semodule -b base.pp (this should
> >> >replace the base module)
>
> ohhkayy
>
> Turned it back on, rebooted, relabeled, and:
>
> [root@coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
> libsemanage.semanage_link_sandbox: Link packages failed
> /usr/sbin/semodule: Failed!
>
> [root@coyote Documents]# /usr/sbin/semodule -b base.pp
> /usr/sbin/semodule: Could not read file 'base.pp': No such file or directory
> [root@coyote Documents]# locate base.pp
> /etc/selinux/targeted/modules/active/base.pp
> /usr/share/selinux/targeted/base.pp.bz2
>
> [root@coyote targeted]# ls -l `locate base.pp`
> -rw------- 1 root root 16771501 2009-02-26 18:38 /etc/selinux/targeted/modules/active/base.pp
> -rw-r--r-- 1 root root 172790 2008-11-06 13:06 /usr/share/selinux/targeted/base.pp.bz2
>
> So which one is right? I'm getting a headache.

the one in /etc is active. The one is /usr is used to generate it i
believe
>
> So I bunzip2'd the the /usr/share/selinux/targeted/base.pp.bz2 and overwrote
> the /etc/selinux/targeted/modules/active/base.pp with it, it was about half
> the size. I think this is the same error again.
> [root@coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
> libsemanage.semanage_link_sandbox: Link packages failed
> /usr/sbin/semodule: Failed!
>
> And that bunzip2 operation of course generated this:
> [root@coyote Documents]# rpm -V `rpm -qa|grep targeted`
> missing /usr/share/selinux/targeted/base.pp.bz2
>
> So I did a bzip2 -k base.pp, and now rpm -V is happy again.
>
> Sounds like I need to manually nuke whats in etc and force
> rpm to re-install? Unforch, /var/cache/yum is devoid of any
> F10 files, I just checked.
>
> Your turn coach.
You could try:
rpm -Uvh --replacefiles --replacepkgs selinux-policy and
selinux-policy-targeted then make sure your base.pp is fresh (try
semodule -B)

> >
> >Not totally sure. No. First enable SELinux. Then try to install the
> >policy module again. If that does not work consider replacing base.pp.
> >
> >The error suggests that base.pp is for MLS policy. This should not be
> >the case.
> >
> >> >man semodule
> >> >
> >> >This looks like something that could have gone wrong during the upgrade.
> >>
> >> It won't be the first time. When I went from f6 to f8, lots of stuff was
> >> busted, stuff the guru's said could not happen, but did to me. One whole
> >> section of the install was skipped & I had to go pull in about 200
> >> packages by hand.
> >>
> >> >It claims that a MLS base module is installed but you have installed
> >> >selinux-policy-targeted
> >>
> >> And that is how I'm normally configured.
>

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 02-28-2009, 11:06 PM
Gene Heskett
 
Default f10 vs selinux again.

On Saturday 28 February 2009, Joe Nall wrote:
>On Feb 28, 2009, at 5:18 PM, Gene Heskett wrote:
>> ...
>> # This file controls the state of SELinux on the system.
>> # SELINUX= can take one of these three values:
>> # enforcing - SELinux security policy is enforced.
>> # permissive - SELinux prints warnings instead of enforcing.
>> # disabled - No SELinux policy is loaded.
>> SELINUX=enabeled
>
>enabeled (other than being misspelled) is not a valid choice
>(enforcing, permissive, disabled)

Duh, by George you're right. But I can't see fixing that till we get the
base.pp problem fixed.

>> ...
>> [root@coyote radeon]# sestatus
>> SELinux status: enabled
>> SELinuxfs mount: /selinux
>> Current mode: permissive
>> Mode from config file: error (Success)
>
>because the mode from the config file is not correct
>
>joe


--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
I either want less decadence or more chance to participate in it.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 

Thread Tools




All times are GMT. The time now is 06:51 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org