Weird SELinux problem after upgrade to F9
Hi everyone,

Over the last few days, I have managed to upgrade myself from FC4 (yes, really!) all the way to Fedora 9.

My system is an X86_64 dual-core Intel box with 8GB of memory and it seems to run so much faster with a smaller memory footprint under F9. Thanks to all the Fedora developers!

My problem is that after the upgrades I was getting all sorts of SELinux errors (from practically every application), so I figured that I would go ahead and relabel the filesystems. After the relabel, I was still getting dozens of errors per second, so I changed SELinux to Permissive mode (via /etc/selinux/config), rebooted and the system is now working.

However, I would like to get SELinux to work in Enforcing mode.

I have the following SELinux related packages installed:

# yum list all selinux*
Installed Packages

selinux-doc.noarch                 1.26-1.1        installed
selinux-policy.noarch              3.3.1-55.fc9    installed
selinux-policy-targeted.noarch     3.3.1-55.fc9    installed

Available Packages
selinux-policy-devel.noarch        3.3.1-55.fc9    updates
selinux-policy-mls.noarch          3.3.1-55.fc9    updates

These are the types of errors I was seeing:

Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486109.144:12): avc: denied { getattr } for pid=1495 comm="restorecon" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486109.316:13): avc: denied { getattr } for pid=1503 comm="dmsetup" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486109.934:14): avc: denied { getattr } for pid=1513 comm="fsck" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486110.804:15): avc: denied { getattr } for pid=1519 comm="mount" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486112.460:16): avc: denied { getattr } for pid=1564 comm="swapon" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun 3 02:42:13 satyr kernel: type=1400 audit(1212486124.825:21): avc: denied { getattr } for pid=1907 comm="restorecond" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun 3 02:42:13 satyr kernel: type=1400 audit(1212486125.516:22): avc: denied { getattr } for pid=2015 comm="iptables" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun 3 02:42:13 satyr kernel: type=1400 audit(1212486127.411:23): avc: denied { getattr } for pid=2888 comm="mcstransd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:setrans_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun 3 02:43:58 satyr dbus: avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=4598 scontext=user_u:system_r:update_modules_t:s0 tcontext=user_u:system_r:update_modules_t:s0 tclass=dbus
Jun 3 02:43:59 satyr dbus: avc: denied { acquire_svc } for service=org.kde.klauncher spid=4608 scontext=user_u:system_r:update_modules_t:s0 tcontext=user_u:system_r:update_modules_t:s0 tclass=dbus

Any help in getting this working would be very appreciated!

Thanks.

---Kayvan
--
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)
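A small parser for the AVC lines quoted in the post above, added here as an example (it is not part of the original post; the function names are illustrative). It groups denials by source user, source domain, target type, class and permission, so a flood of messages can be read as a handful of distinct patterns; four of the posted lines are embedded as input.

```python
import re
from collections import Counter

# Four of the denials from the post above, copied as posted.
SAMPLE_LOG = """\
Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486109.144:12): avc: denied { getattr } for pid=1495 comm="restorecon" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun 3 02:42:13 satyr kernel: type=1400 audit(1212486127.411:23): avc: denied { getattr } for pid=2888 comm="mcstransd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:setrans_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun 3 02:43:58 satyr dbus: avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=4598 scontext=user_u:system_r:update_modules_t:s0 tcontext=user_u:system_r:update_modules_t:s0 tclass=dbus
Jun 3 02:43:59 satyr dbus: avc: denied { acquire_svc } for service=org.kde.klauncher spid=4608 scontext=user_u:system_r:update_modules_t:s0 tcontext=user_u:system_r:update_modules_t:s0 tclass=dbus
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_context(ctx):
    """Split user:role:type[:level]; the level may itself contain ':' (s0-s0:c0.c1023)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        return None
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) > 3 else ""}

def parse_avc(line):
    """Return one denial as a dict, or None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    src = parse_context(fields.get("scontext", ""))
    tgt = parse_context(fields.get("tcontext", ""))
    if src is None or tgt is None or "tclass" not in fields:
        return None
    return {"perms": tuple(m.group(1).split()), "source": src, "target": tgt,
            "tclass": fields["tclass"], "comm": fields.get("comm")}

def summarize(log):
    """Count denials per (source user, source type, target type, class, permission)."""
    counts = Counter()
    for line in log.splitlines():
        d = parse_avc(line)
        if d:
            for perm in d["perms"]:
                counts[(d["source"]["user"], d["source"]["type"],
                        d["target"]["type"], d["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
```

On the sample, the two kernel denials share the same target (`security_t`, class `filesystem`, `getattr`) while the two dbus denials both come from a `user_u` process in `update_modules_t`.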
Weird SELinux problem after upgrade to F9
Does anyone have any suggestions here?
I would really love to get SELinux working correctly on my F9 upgraded box. What can I do to debug this?

On Tue, Jun 03, 2008 at 03:25:17AM -0700, Kayvan A. Sylvan wrote:
> Hi everyone,
>
> Over the last few days, I have managed to upgrade myself from FC4 (yes,
> really!) all the way to Fedora 9.
>
> My system is an X86_64 dual-core Intel box with 8GB of memory and it seems to
> run so much faster with a smaller memory footprint under F9. Thanks to
> all the Fedora developers!
>
> My problem is that after the upgrades I was getting all sorts of SELinux
> errors (from practically every application), so I figured that I would
> go ahead and relabel the filesystems. After the relabel, I was still
> getting dozens of errors per second, so I changed SELinux to Permissive
> mode (via /etc/selinux/config), rebooted and the system is now working.
>
> However, I would like to get SELinux to work in Enforcing mode.
>
> I have the following SELinux related packages installed:
>
> # yum list all selinux*
> Installed Packages
>
> selinux-doc.noarch                 1.26-1.1        installed
> selinux-policy.noarch              3.3.1-55.fc9    installed
> selinux-policy-targeted.noarch     3.3.1-55.fc9    installed
>
> Available Packages
> selinux-policy-devel.noarch        3.3.1-55.fc9    updates
> selinux-policy-mls.noarch          3.3.1-55.fc9    updates
>
> These are the types of errors I was seeing:
>
> Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486109.144:12): avc: denied { getattr } for pid=1495 comm="restorecon" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486109.316:13): avc: denied { getattr } for pid=1503 comm="dmsetup" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486109.934:14): avc: denied { getattr } for pid=1513 comm="fsck" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486110.804:15): avc: denied { getattr } for pid=1519 comm="mount" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486112.460:16): avc: denied { getattr } for pid=1564 comm="swapon" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> Jun 3 02:42:13 satyr kernel: type=1400 audit(1212486124.825:21): avc: denied { getattr } for pid=1907 comm="restorecond" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> Jun 3 02:42:13 satyr kernel: type=1400 audit(1212486125.516:22): avc: denied { getattr } for pid=2015 comm="iptables" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> Jun 3 02:42:13 satyr kernel: type=1400 audit(1212486127.411:23): avc: denied { getattr } for pid=2888 comm="mcstransd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:setrans_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> Jun 3 02:43:58 satyr dbus: avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=4598 scontext=user_u:system_r:update_modules_t:s0 tcontext=user_u:system_r:update_modules_t:s0 tclass=dbus
> Jun 3 02:43:59 satyr dbus: avc: denied { acquire_svc } for service=org.kde.klauncher spid=4608 scontext=user_u:system_r:update_modules_t:s0 tcontext=user_u:system_r:update_modules_t:s0 tclass=dbus
>
> Any help in getting this working would be very appreciated!
>
> Thanks.
>
> ---Kayvan
> --
> Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
> Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
> http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)

--
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)
Weird SELinux problem after upgrade to F9
Kayvan A. Sylvan wrote:
> Hi everyone,
>
> Over the last few days, I have managed to upgrade myself from FC4 (yes,
> really!) all the way to Fedora 9.
>
> My system is an X86_64 dual-core Intel box with 8GB of memory and it seems to
> run so much faster with a smaller memory footprint under F9. Thanks to
> all the Fedora developers!
>
> My problem is that after the upgrades I was getting all sorts of SELinux
> errors (from practically every application), so I figured that I would
> go ahead and relabel the filesystems. After the relabel, I was still
> getting dozens of errors per second, so I changed SELinux to Permissive
> mode (via /etc/selinux/config), rebooted and the system is now working.
>
> However, I would like to get SELinux to work in Enforcing mode.
>
> I have the following SELinux related packages installed:
>
> # yum list all selinux*
> Installed Packages
>
> selinux-doc.noarch                 1.26-1.1        installed
> selinux-policy.noarch              3.3.1-55.fc9    installed
> selinux-policy-targeted.noarch     3.3.1-55.fc9    installed
>
> Available Packages
> selinux-policy-devel.noarch        3.3.1-55.fc9    updates
> selinux-policy-mls.noarch          3.3.1-55.fc9    updates
>
> These are the types of errors I was seeing:
>
> Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486109.144:12): avc: denied { getattr } for pid=1495 comm="restorecon" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486109.316:13): avc: denied { getattr } for pid=1503 comm="dmsetup" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486109.934:14): avc: denied { getattr } for pid=1513 comm="fsck" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486110.804:15): avc: denied { getattr } for pid=1519 comm="mount" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486112.460:16): avc: denied { getattr } for pid=1564 comm="swapon" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> Jun 3 02:42:13 satyr kernel: type=1400 audit(1212486124.825:21): avc: denied { getattr } for pid=1907 comm="restorecond" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> Jun 3 02:42:13 satyr kernel: type=1400 audit(1212486125.516:22): avc: denied { getattr } for pid=2015 comm="iptables" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> Jun 3 02:42:13 satyr kernel: type=1400 audit(1212486127.411:23): avc: denied { getattr } for pid=2888 comm="mcstransd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:setrans_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> Jun 3 02:43:58 satyr dbus: avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=4598 scontext=user_u:system_r:update_modules_t:s0 tcontext=user_u:system_r:update_modules_t:s0 tclass=dbus
> Jun 3 02:43:59 satyr dbus: avc: denied { acquire_svc } for service=org.kde.klauncher spid=4608 scontext=user_u:system_r:update_modules_t:s0 tcontext=user_u:system_r:update_modules_t:s0 tclass=dbus
>
> Any help in getting this working would be very appreciated!
>
> Thanks.
>
> ---Kayvan

You might need to check your user database

semanage user -l
semanage login -l
Weird SELinux problem after upgrade to F9
On Wed, Jun 04, 2008 at 03:13:08PM -0400, Daniel J Walsh wrote:
> You might need to check your user database
>
> semanage user -l
> semanage login -l

I do not know anything about how this is supposed to look. Here is what the commands report:

[root@satyr ~]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles

root            user       s0         SystemLow-SystemHigh  system_r sysadm_r user_r
system_u        user       s0         SystemLow-SystemHigh  system_r
user_u          user       s0         SystemLow-SystemHigh  system_r sysadm_r user_r

[root@satyr ~]# semanage login -l

Login Name      SELinux User     MLS/MCS Range

__default__     user_u           s0
root            root             -s0:c0.c255
system_u        system_u         SystemLow-SystemHigh
Weird SELinux problem after upgrade to F9
Kayvan A. Sylvan wrote:
> On Wed, Jun 04, 2008 at 03:13:08PM -0400, Daniel J Walsh wrote:
>> You might need to check your user database
>>
>> semanage user -l
>> semanage login -l
>
> I do not know anything about how this is supposed to look. Here is
> what the commands report:
>
> [root@satyr ~]# semanage user -l
>
>                 Labeling   MLS/       MLS/
> SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles
>
> root            user       s0         SystemLow-SystemHigh  system_r sysadm_r user_r
> system_u        user       s0         SystemLow-SystemHigh  system_r
> user_u          user       s0         SystemLow-SystemHigh  system_r sysadm_r user_r
>
> [root@satyr ~]# semanage login -l
>
> Login Name      SELinux User     MLS/MCS Range
>
> __default__     user_u           s0
> root            root             -s0:c0.c255
> system_u        system_u         SystemLow-SystemHigh
>

This is an upgrade problem. For some reason the selinux policy trigger did not fire, so the default login on your machine is not set up for unconfined users.

If you execute the following three commands it should fix your system:

# semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
# semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
# semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root
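As an added example (not from the thread or from the Fedora project), the check below parses the two listings Kayvan posted and returns whichever of the three commands from the reply are still needed, with the range written as `s0-s0:c0.c1023` throughout. The function names, and treating `SystemLow-SystemHigh` as the translated name of that range, are assumptions.

```python
# Range used by the reply's commands. "SystemLow-SystemHigh" is treated as the
# translated name of the same range (assumption: stock targeted setrans.conf).
FULL_RANGE = "s0-s0:c0.c1023"
RANGE_ALIASES = {"SystemLow-SystemHigh": FULL_RANGE}
WANTED_USER = "unconfined_u"
WANTED_LOGINS = ("__default__", "root")

# Listings as posted in the thread (column spacing reconstructed).
USER_LISTING = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles

root            user       s0         SystemLow-SystemHigh  system_r sysadm_r user_r
system_u        user       s0         SystemLow-SystemHigh  system_r
user_u          user       s0         SystemLow-SystemHigh  system_r sysadm_r user_r
"""
LOGIN_LISTING = """\
Login Name      SELinux User     MLS/MCS Range

__default__     user_u           s0
root            root             -s0:c0.c255
system_u        system_u         SystemLow-SystemHigh
"""

def selinux_users(listing):
    """First column of `semanage user -l`; data rows have at least 5 fields."""
    users = set()
    for line in listing.splitlines():
        f = line.split()
        if len(f) >= 5 and f[:2] != ["SELinux", "User"]:
            users.add(f[0])
    return users

def login_map(listing):
    """{login: (selinux_user, range)}; data rows have exactly 3 fields."""
    rows = {}
    for line in listing.splitlines():
        f = line.split()
        if len(f) == 3:
            rows[f[0]] = (f[1], RANGE_ALIASES.get(f[2], f[2]))
    return rows

def remediation(user_listing, login_listing):
    """Return the semanage commands from the reply that this system still needs."""
    cmds = []
    if WANTED_USER not in selinux_users(user_listing):
        cmds.append(f'semanage user -a -S targeted -P user '
                    f'-R "unconfined_r system_r" -r {FULL_RANGE} {WANTED_USER}')
    logins = login_map(login_listing)
    for name in WANTED_LOGINS:
        if logins.get(name) != (WANTED_USER, FULL_RANGE):
            verb = "-m" if name in logins else "-a"  # modify an existing mapping, else add
            cmds.append(f'semanage login {verb} -S targeted '
                        f'-s "{WANTED_USER}" -r {FULL_RANGE} {name}')
    return cmds

if __name__ == "__main__":
    print("\n".join(remediation(USER_LISTING, LOGIN_LISTING)))
```

Run against the posted listings it returns all three commands; run again on fresh `semanage` output after applying them, an empty result confirms the mappings took.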