Old 07-17-2008, 07:55 PM
max
 
setroubleshoot problem

P.S. - this line from the output below :


SELinux: policy loaded with handle_unknown=deny


Something about this is bugging me, I am checking with google but so far
I haven't found what I am looking for, try searching for this and see
what you come up with... I think it should be set to allow on fedora but
I am not sure of the circumstances under which it would be set to
allow/deny so I could be wrong....it has to do, IIRC, with other
security checks in the kernel? I am not finding the same info I did
before on this and my memory isn't playing ball.




Unknown Permissions Handling
# The behavior for handling permissions defined in the
# kernel but missing from the policy. The permissions
# can either be allowed, denied, or the policy loading
# can be rejected.

That is from the build.conf file. It explains at least what the above
option means. From looking at my default install of f9 that I have (from
dmesg):


SELinux: policy loaded with handle_unknown=allow

This could be your problem or part of it anyway. I am going to rebuild
policy and set it to deny and see what happens. The default is allow in
the refpolicy and I never tried changing it, I have I think been
spending too much time reading....good a time as any to see what I've
learned.


Max
--
Fortune favors the BOLD

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 07-17-2008, 08:40 PM
Steve
 
Default setroub;eshoot problem

---- max <maximilianbianco@gmail.com> wrote:
> > Where do I go from here?
>
> 0 - Well one option, that I don't generally encourage unless you're in
> a hurry, is to do a fresh install of F9. You won't learn anything and
> you've expressed interest in SELinux so I would encourage you to take
> advantage of the learning opportunity, especially if you're dual booting
> and it's a very minor inconvenience to reboot a desktop/laptop machine,
> at least as far as I am concerned.

I think I may have to re-install in the end because I'm seeing some really weird things but until I totally destroy the emachine I might as well experiment.

I ran:
# restorecon -n -v -r
to see if any file would need to be relabelled. It showed that all my shared library files were of type lib_t when the default was shlib_t so I went ahead and relabelled them. It didn't solve the setroubleshoot problem though and now root does not appear to have access to init.

> 1 - Check for bugs against preupgrade that relate to SELinux and check
> for bugs against SETroubleshoot. I'm pretty sure SEtroubleshoot is a
> symptom not a cause of your problem but it doesn't hurt to check.
>
> https://bugzilla.redhat.com/

There are a couple of bugs that might be related but are not quite the same. 439299 and 449176.

> 2 - The only other sane thing I could advise you to do is bounce your
> question off the fedora-selinux list. I would include a reference to
> this thread and all the relevant details. The kernel you're running, the
> policy version (rpm -qa | grep selinux...setrouble) , setroubleshoot
> version, the error messages below , and that you run in permissive and
> used preupgrade to go from f8 to f9.
> This will ensure that the right people see your message, this list is
> also monitored but I think when they get busy fedora-selinux is likely
> to still get checked more often than fedora-list.

I was trying to avoid this. I already get several hundred e-mails per day and I would guess that the selinux list is pretty busy too. Oh well, I'll just have to deal with it for a while.

> I don't have any other sane suggestions left. I feel like the answer is
> right there but I can't quite put my finger on it. If you feel like
> being a guinea pig and are willing to absolve me of all responsibility
> then let me know:^) My curiosity is piqued so I will try to dig up what
> I can and I'll let you know if I feel like I have found a good answer.
>
> Take it easy,
>
> Max
>
> P.S. - this line from the output below :
>
> > SELinux: policy loaded with handle_unknown=deny
>
> Something about this is bugging me, I am checking with google but so far
> I haven't found what I am looking for, try searching for this and see
> what you come up with... I think it should be set to allow on fedora but
> I am not sure of the circumstances under which it would be set to
> allow/deny so I could be wrong....it has to do, IIRC, with other
> security checks in the kernel? I am not finding the same info I did
> before on this and my memory isn't playing ball.

Yes, this doesn't seem right. From what I've read, the strict policy would have a default of deny but a targeted policy should be allow.

Thanks for the suggestions
Steve

 
Old 07-18-2008, 12:47 PM
Steve
 
setroubleshoot problem

> ---- max <maximilianbianco@gmail.com> wrote:

> > 2 - The only other sane thing I could advise you to do is bounce your
> > question off the fedora-selinux list. I would include a reference to
> > this thread and all the relevant details. The kernel you're running, the
> > policy version (rpm -qa | grep selinux...setrouble) , setroubleshoot
> > version, the error messages below , and that you run in permissive and
> > used preupgrade to go from f8 to f9.
> > This will ensure that the right people see your message, this list is
> > also monitored but I think when they get busy fedora-selinux is likely
> > to still get checked more often than fedora-list.
>
> I was trying to avoid this. I already get several hundred e-mails per day and I would guess that the selinux list is pretty busy too. Oh well, I'll just have to deal with it for a while.

I found this in the SELinux list archives:

http://www.nsa.gov/SELinux/list-archive/0801/thread_body36.cfm

which appears to say there was a problem but it was fixed in a patch. I wonder if it has not made it to F9 yet?

Steve

 
Old 07-18-2008, 02:10 PM
max
 
setroubleshoot problem

Steve wrote:
> > ---- max <maximilianbianco@gmail.com> wrote:
> >
> > > 2 - The only other sane thing I could advise you to do is bounce your
> > > question off the fedora-selinux list. I would include a reference to
> > > this thread and all the relevant details. The kernel you're running, the
> > > policy version (rpm -qa | grep selinux...setrouble) , setroubleshoot
> > > version, the error messages below , and that you run in permissive and
> > > used preupgrade to go from f8 to f9.
> > > This will ensure that the right people see your message, this list is
> > > also monitored but I think when they get busy fedora-selinux is likely
> > > to still get checked more often than fedora-list.
> >
> > I was trying to avoid this. I already get several hundred e-mails per day and I would guess that the selinux list is pretty busy too. Oh well, I'll just have to deal with it for a while.
>
> I found this in the SELinux list archives:
>
> http://www.nsa.gov/SELinux/list-archive/0801/thread_body36.cfm
>
> which appears to say there was a problem but it was fixed in a patch. I wonder if it has not made it to F9 yet?
>
> Steve

It could be related but they seem to have been running mls policy which
is not the default policy in f9. I think the patch would have made it
into F9 by now, the thread dates back to January and F9 released in May
if memory serves. I think in the end you will have to rebuild the
policy. The only way that I know of to change the handle_unknown=deny to
allow is at policy build time. This is set to allow in F8 and F9. Why
yours is not this way is something I don't understand, unless mine is
screwed up somehow but I doubt it. I have looked at two f9 boxes and an
f8 box. All of them have the handle_unknown=allow. Maybe a third party
could confirm this :


dmesg | grep -i selinux


Use the Force,

Max

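Added example, not part of the original thread: the check Max asks for above (`dmesg | grep -i selinux`), written as a small shell script that reports the `handle_unknown` mode of the most recently loaded policy and compares it with the expected one. The function names and the sample log lines are constructed for illustration; the message format is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Reads kernel log text on stdin and
# reports the handle_unknown mode of the most recently loaded SELinux policy.

# Constructed sample of dmesg output. A policy can be loaded more than once
# per boot (e.g. after a rebuild and reload), so only the last line counts.
sample_dmesg() {
cat <<'EOF'
SELinux:  Initializing.
SELinux: policy loaded with handle_unknown=allow
SELinux: policy loaded with handle_unknown=deny
EOF
}

# Print the mode from the last "policy loaded" line; return 1 if none found.
last_handle_unknown() {
    mode=$(sed -n 's/.*SELinux:.*policy loaded with handle_unknown=\([a-z]*\).*/\1/p' | tail -n 1)
    [ -n "$mode" ] || return 1
    printf '%s\n' "$mode"
}

# Compare the loaded mode with the expected one (allow, deny or reject).
# Return status: 0 match, 1 mismatch, 2 no usable policy-load line in the input.
check_handle_unknown() {
    expected=$1
    actual=$(last_handle_unknown) || { echo "no policy load line found"; return 2; }
    case $actual in
        allow|deny|reject) ;;
        *) echo "unrecognised mode: $actual"; return 2 ;;
    esac
    if [ "$actual" = "$expected" ]; then
        echo "OK: handle_unknown=$actual"
    else
        echo "MISMATCH: loaded policy has handle_unknown=$actual, expected $expected"
        return 1
    fi
}

# Demo on the constructed sample. On a live system:
#   dmesg | check_handle_unknown allow
sample_dmesg | check_handle_unknown allow || true
```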
 
Old 07-18-2008, 02:24 PM
max
 
setroubleshoot problem

max wrote:
> Steve wrote:
> > > ---- max <maximilianbianco@gmail.com> wrote:
> > >
> > > > 2 - The only other sane thing I could advise you to do is bounce
> > > > your question off the fedora-selinux list. I would include a
> > > > reference to this thread and all the relevant details. The kernel
> > > > you're running, the policy version (rpm -qa | grep
> > > > selinux...setrouble) , setroubleshoot version, the error messages
> > > > below , and that you run in permissive and used preupgrade to go
> > > > from f8 to f9.
> > > > This will ensure that the right people see your message, this list
> > > > is also monitored but I think when they get busy fedora-selinux is
> > > > likely to still get checked more often than fedora-list.
> > > I was trying to avoid this. I already get several hundred e-mails per
> > > day and I would guess that the selinux list is pretty busy too. Oh
> > > well, I'll just have to deal with it for a while.
> >
> > I found this in the SELinux list archives:
> >
> > http://www.nsa.gov/SELinux/list-archive/0801/thread_body36.cfm
> >
> > which appears to say there was a problem but it was fixed in a patch.
> > I wonder if it has not made it to F9 yet?
> >
> > Steve
> It could be related but they seem to have been running mls policy which
> is not the default policy in f9. I think the patch would have made it
> into F9 by now, the thread dates back to January and F9 released in May
> if memory serves. I think in the end you will have to rebuild the
> policy. The only way that I know of to change the handle_unknown=deny to
> allow is at policy build time. This is set to allow in F8 and F9. Why
> yours is not this way is something I don't understand, unless mine is
> screwed up somehow but I doubt it. I have looked at two f9 boxes and an
> f8 box. All of them have the handle_unknown=allow. Maybe a third party
> could confirm this :
>
> dmesg | grep -i selinux
>
> Use the Force,
>
> Max

Steve,

Try semodule -B . It had completely slipped past me. It will force a
rebuild and reload of policy.

Check out man semodule.


Max

--
Fortune favors the BOLD

 
Old 07-20-2008, 02:14 AM
Steve
 
setroubleshoot problem

---- max <maximilianbianco@gmail.com> wrote:
> max wrote:
> > Steve wrote:
> >>
> >>> ---- max <maximilianbianco@gmail.com> wrote:
> >>
> >>>> 2 - The only other sane thing I could advise you to do is bounce
> >>>> your question off the fedora-selinux list. I would include a
> >>>> reference to this thread and all the relevant details. The kernel
> >>>> you're running, the policy version (rpm -qa | grep
> >>>> selinux...setrouble) , setroubleshoot version, the error messages
> >>>> below , and that you run in permissive and used preupgrade to go
> >>>> from f8 to f9.
> >>>> This will ensure that the right people see your message, this list
> >>>> is also monitored but I think when they get busy fedora-selinux is
> >>>> likely to still get checked more often than fedora-list.
> >>> I was trying to avoid this. I already get several hundred e-mails per
> >>> day and I would guess that the selinux list is pretty busy too. Oh
> >>> well, I'll just have to deal with it for a while.
> >>
> >> I found this in the SELinux list archives:
> >>
> >> http://www.nsa.gov/SELinux/list-archive/0801/thread_body36.cfm
> >>
> >> which appears to say there was a problem but it was fixed in a patch.
> >> I wonder if it has not made it to F9 yet?
> >>
> >> Steve
> > It could be related but they seem to have been running mls policy which
> > is not the default policy in f9. I think the patch would have made it
> > into F9 by now, the thread dates back to January and F9 released in May
> > if memory serves. I think in the end you will have to rebuild the
> > policy. The only way that I know of to change the handle_unknown=deny to
> > allow is at policy build time. This is set to allow in F8 and F9. Why
> > yours is not this way is something I don't understand, unless mine is
> > screwed up somehow but I doubt it. I have looked at two f9 boxes and an
> > f8 box. All of them have the handle_unknown=allow. Maybe a third party
> > could confirm this :
> >
> > dmesg | grep -i selinux
> >
> >
> > Use the Force,
> >
> > Max
> Steve,
>
> Try semodule -B . It had completely slipped past me. It will force a
> rebuild and reload of policy.
> Check out man semodule.

Well I tried that and it didn't appear to do anything. It immediately returned me to the prompt.

However, there was an update to the policy made available yesterday afternoon. I installed it (I can't tell you exactly what it was because I'm on a different machine right now) and then ran the changes from the July 10th entry of Dan Walsh's blog, (http://danwalsh.livejournal.com/) and my problem has gone away. Yea! I can now start up setroubleshootd. I wonder if that problem I noted above just made it to F9?

Now on to my next selinux problem on a different machine. I'll start a different thread for that.

Thanks for the help, Max.

Steve

 
Old 07-20-2008, 05:15 AM
"Patrick O'Callaghan"
 
setroubleshoot problem

On Sat, 2008-07-19 at 22:14 -0400, Steve wrote:
> Now on to my next selinux problem on a different machine. I'll start a
> different thread for that.

You already did. This message isn't part of your original thread.

poc

 
