Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


Old 07-14-2008, 12:55 PM
Steve
 
setroubleshoot problem

I went to start setroubleshoot, Applications->System Tools->SE Linux Troubleshooter and I get this message:

connection failed at /var/run/setroubleshoot/setroubleshoot_server. Connection refused

#ls -lZ /var/run/setroubleshoot/setroubleshoot_server
srw-rw-rw- root root system_u:object_r:setroubleshoot_var_run_t /var/run/setroubleshoot/setroubleshoot_server

What should the permissions be?
Should I relabel?

Thanks,
Steve

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 07-15-2008, 01:27 AM
"max bianco"
 
setroubleshoot problem

On Mon, Jul 14, 2008 at 8:55 AM, Steve <zephod@cfl.rr.com> wrote:
> I went to start setroubleshoot, Applications->System Tools->SE Linux Troubleshooter and I get this message:
>
> connection failed at /var/run/setroubleshoot/setroubleshoot_server. Connection refused
>
> #ls -lZ /var/run/setroubleshoot/setroubleshoot_server
> srw-rw-rw- root root system_u:object_r:setroubleshoot_var_run_t /var/run/setroubleshoot/setroubleshoot_server
>
That looks right. Is it F8 or F9?
SETroubleshoot is usually on, do you remember why you turned it off?



--
If opinions were really like assholes we'd each have just one

 
Old 07-15-2008, 01:20 PM
Steve
 
setroubleshoot problem

---- max bianco <maximilianbianco@gmail.com> wrote:
> On Mon, Jul 14, 2008 at 8:55 AM, Steve <zephod@cfl.rr.com> wrote:
> > I went to start setroubleshoot, Applications->System Tools->SE Linux Troubleshooter and I get this message:
> >
> > connection failed at /var/run/setroubleshoot/setroubleshoot_server. Connection refused
> >
> > #ls -lZ /var/run/setroubleshoot/setroubleshoot_server
> > srw-rw-rw- root root system_u:object_r:setroubleshoot_var_run_t /var/run/setroubleshoot/setroubleshoot_server
> >
> That looks right. Is it F8 or F9?
> SETroubleshoot is usually on, do you remember why you turned it off?

This is F9 and I didn't turn setroubleshoot off - not on purpose, anyway }-P
If I look in System->Administration->Services at setroubleshootd, it says that it is enabled but the status is unknown

Steve.

 
Old 07-15-2008, 02:28 PM
"max bianco"
 
setroubleshoot problem

On Tue, Jul 15, 2008 at 9:20 AM, Steve <zephod@cfl.rr.com> wrote:
>
> ---- max bianco <maximilianbianco@gmail.com> wrote:
>> On Mon, Jul 14, 2008 at 8:55 AM, Steve <zephod@cfl.rr.com> wrote:
>> > I went to start setroubleshoot, Applications->System Tools->SE Linux Troubleshooter and I get this message:
>> >
>> > connection failed at /var/run/setroubleshoot/setroubleshoot_server. Connection refused
>> >
>> > #ls -lZ /var/run/setroubleshoot/setroubleshoot_server
>> > srw-rw-rw- root root system_u:object_r:setroubleshoot_var_run_t /var/run/setroubleshoot/setroubleshoot_server
>> >
>> That looks right. Is it F8 or F9?
>> SETroubleshoot is usually on, do you remember why you turned it off?
>
> This is F9 and I didn't turn setroubleshoot off - not on purpose, anyway }-P
> If I look in System->Administration->Services at setroubleshootd, it says that it is enabled but the status is unknown
>
It usually runs in the background and only wakes up when needed,
however you should still be able to run it from Applications-->System
Tools-->SELinux Troubleshooter without a problem. I can in fact do
that here. Do you have all current updates? Do you know what version
of policy you are running? Have you recently installed any custom
policy? Did you switch SELinux to permissive recently? I assume you
have stopped and restarted the service. Which kernel are you running?
Have you checked for bugs filed against setroubleshoot? There are
quite a few bugs filed against it, maybe one of these is related to
the problem you're having.

Try these commands:

rpm -qa 'selinux*'

rpm -qa 'setrouble*'

sestatus

uname -a


Post the results, with that info there might be more help to be had.





--
If opinions were really like assholes we'd each have just one

 
Old 07-16-2008, 01:16 PM
Steve
 
setroubleshoot problem

---- max bianco <maximilianbianco@gmail.com> wrote:
> On Tue, Jul 15, 2008 at 9:20 AM, Steve <zephod@cfl.rr.com> wrote:
> >
> > ---- max bianco <maximilianbianco@gmail.com> wrote:
> >> On Mon, Jul 14, 2008 at 8:55 AM, Steve <zephod@cfl.rr.com> wrote:
> >> > I went to start setroubleshoot, Applications->System Tools->SE Linux Troubleshooter and I get this message:
> >> >
> >> > connection failed at /var/run/setroubleshoot/setroubleshoot_server. Connection refused
> >> >
> >> > #ls -lZ /var/run/setroubleshoot/setroubleshoot_server
> >> > srw-rw-rw- root root system_u:object_r:setroubleshoot_var_run_t /var/run/setroubleshoot/setroubleshoot_server
> >> >
> >> That looks right. Is it F8 or F9?
> >> SETroubleshoot is usually on, do you remember why you turned it off?
> >
> > This is F9 and I didn't turn setroubleshoot off - not on purpose, anyway }-P
> > If I look in System->Administration->Services at setroubleshootd, it says that it is enabled but the status is unknown
> >
> It usually runs in the background and only wakes up when needed,
> however you should still be able to run it from Applications-->System
> Tools-->SELinux Troubleshooter without a problem. I can in fact do
> that here.

# ps -ef | grep setroubleshoot
root 4380 4331 0 08:48 pts/0 00:00:00 grep setroubleshoot

# chkconfig --list | grep setroubleshoot
setroubleshoot 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Hmmm. so why isn't it running? ..Ah-ha! Found this in /var/log/messages:
setroubleshoot: [program.ERROR] setroubleshoot generated AVC, exiting to avoid recursion, context=system_u:system_r:setroubleshootd_t:s0, AVC scontext=system_u:system_r:setroubleshootd_t:s0
...
setroubleshoot: [rpc.ERROR] attempt to open server connection failed: Connection refused

> Do you have all current updates?
Yes.

> Do you know what version of policy you are running?
Don't know.

> Have you recently installed any custom policy?
No.

> Did you switch SELinux to permissive recently ?
No. I have always run in permissive mode.

> I assume you have stopped and restarted the service.
Seems like the service can never start. See above.

> Which kernel are you running?
# uname -sr
Linux 2.6.25.6-55.fc9.x86_64

> Have you checked for bugs filed against setroubleshoot? There are
> quite a few bugs filed against it, maybe one of these is related to
> the problem your having.
I will look.

> Try these commands:
>
> rpm -qa 'selinux*'
# rpm -qa "selinux*"
#
# rpm -qa | grep selinux
libselinux-devel-2.0.64-2.fc9.i386
libselinux-python-2.0.64-2.fc9.x86_64
libselinux-devel-2.0.64-2.fc9.x86_64
libselinux-2.0.64-2.fc9.i386
libselinux-2.0.64-2.fc9.x86_64
#

Huh. Seems that there is no selinux policy installed.

# yum search selinux-policy
Loaded plugins: fedorakmod, refresh-packagekit
===================================== Matched: selinux-policy =====================================
selinux-policy.noarch : SELinux policy configuration
selinux-policy-devel.noarch : SELinux policy development
selinux-policy-mls.noarch : SELinux mls base policy
selinux-policy-targeted.noarch : SELinux targeted base policy

# yum install selinux-policy.noarch selinux-policy-targeted.noarch
...

Installing : selinux-policy-targeted [2/2]
libsepol.scope_copy_callback: moilscanner: Duplicate declaration in module: type/attribute mailscanner_spool_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
libsepol.sepol_user_modify: undefined role unconfined_r for user unconfined_u
libsepol.sepol_user_modify: could not load (null) into policy
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local modifications into policy
/usr/sbin/semanage: Could not add SELinux user unconfined_u
libsemanage.validate_handler: selinux user unconfined_u does not exist (No such file or directory).
libsemanage.validate_handler: seuser mapping [__default__ -> (unconfined_u, s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not modify login mapping for __default__
libsemanage.validate_handler: selinux user unconfined_u does not exist (No such file or directory).
libsemanage.validate_handler: seuser mapping [root -> (unconfined_u, s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not modify login mapping for root
libsepol.sepol_user_modify: undefined role guest_r for user guest_u
libsepol.sepol_user_modify: could not load (null) into policy
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local modifications into policy
/usr/sbin/semanage: Could not add SELinux user guest_u
libsepol.sepol_user_modify: undefined role xguest_r for user xguest_u
libsepol.sepol_user_modify: could not load (null) into policy
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local modifications into policy
/usr/sbin/semanage: Could not add SELinux user xguest_u
warning: /etc/selinux/targeted/contexts/customizable_types saved as /etc/selinux/targeted/contexts/customizable_types.rpmorig
warning: /etc/selinux/targeted/contexts/default_contexts saved as /etc/selinux/targeted/contexts/default_contexts.rpmorig
warning: /etc/selinux/targeted/contexts/default_type created as /etc/selinux/targeted/contexts/default_type.rpmnew
warning: /etc/selinux/targeted/contexts/initrc_context created as /etc/selinux/targeted/contexts/initrc_context.rpmnew
warning: /etc/selinux/targeted/contexts/securetty_types created as /etc/selinux/targeted/contexts/securetty_types.rpmnew
warning: /etc/selinux/targeted/contexts/users/root created as /etc/selinux/targeted/contexts/users/root.rpmnew

Installed: selinux-policy.noarch 0:3.3.1-74.fc9 selinux-policy-targeted.noarch 0:3.3.1-74.fc9
Complete!
#
Lots of warnings there.

> rpm -qa 'setrouble*'
# rpm -qa | grep 'setrouble*'
setroubleshoot-2.0.8-2.fc9.noarch
setroubleshoot-plugins-2.0.4-5.fc9.noarch
setroubleshoot-server-2.0.8-2.fc9.noarch
#

> sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 22
Policy from config file: targeted
#
Well that answers the earlier question about the policy version.
> uname -a
Linux xxxxx 2.6.25.6-55.fc9.x86_64 #1 SMP Tue Jun 10 16:05:21 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux

>
> Post the results, with that info there might be more help to be had.
That's a lot of data. Hope it's not too much.

Steve

 
Old 07-16-2008, 01:34 PM
Steve
 
setroubleshoot problem

---- max bianco <maximilianbianco@gmail.com> wrote:
> On Mon, Jul 14, 2008 at 8:55 AM, Steve <zephod@cfl.rr.com> wrote:
> > I went to start setroubleshoot, Applications->System Tools->SE Linux Troubleshooter and I get this message:
> >
> > connection failed at /var/run/setroubleshoot/setroubleshoot_server. Connection refused
> >
> > #ls -lZ /var/run/setroubleshoot/setroubleshoot_server
> > srw-rw-rw- root root system_u:object_r:setroubleshoot_var_run_t /var/run/setroubleshoot/setroubleshoot_server
> >
> That looks right. Is it F8 or F9?

Found some more interesting AVC messages in /var/log/dmesg. This doesn't mean anything to me. Where is the best place to go to get a little more educated about what all this is supposed to mean?

Thanks,
Steve

...
SELinux:8192 avtab hash slots allocated. Num of rules:68341
SELinux:8192 avtab hash slots allocated. Num of rules:68341
security: 3 users, 6 roles, 1823 types, 80 bools, 1 sens, 1024 cats
security: 61 classes, 68341 rules
security: class peer not defined in policy
security: class capability2 not defined in policy
security: permission recvfrom in class node not defined in policy
security: permission sendto in class node not defined in policy
security: permission ingress in class netif not defined in policy
security: permission egress in class netif not defined in policy
security: permission setfcap in class capability not defined in policy
security: permission forward_in in class packet not defined in policy
security: permission forward_out in class packet not defined in policy
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev anon_inodefs, type anon_inodefs), not configured for labeling
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: policy loaded with handle_unknown=deny
type=1403 audit(1216200106.325:2): policy loaded auid=4294967295 ses=4294967295
type=1400 audit(1216200107.996:3): avc: denied { read write } for pid=505 comm="restorecon" path="/dev/console" dev=tmpfs ino=233 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=1400 audit(1216200109.580:4): avc: denied { create } for pid=731 comm="hwclock" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=1400 audit(1216200109.594:5): avc: denied { getattr } for pid=731 comm="hwclock" path="/etc/adjtime" dev=dm-0 ino=36569532 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:adjtime_t:s0 tclass=file
type=1400 audit(1216200109.594:6): avc: denied { read } for pid=731 comm="hwclock" name="adjtime" dev=dm-0 ino=36569532 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:adjtime_t:s0 tclass=file
type=1400 audit(1216200109.819:7): avc: denied { sys_time } for pid=731 comm="hwclock" capability=25 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1216214509.907:8): avc: denied { write } for pid=731 comm="hwclock" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=1400 audit(1216214510.000:9): avc: denied { nlmsg_relay } for pid=731 comm="hwclock" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=1400 audit(1216214510.000:10): avc: denied { audit_write } for pid=731 comm="hwclock" capability=29 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1216214510.000:11): avc: denied { read } for pid=731 comm="hwclock" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
...


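The kernel messages Steve pasted above are machine-readable, and reading them by hand is how most people get lost. The following is an added example (not code from this thread, from setroubleshoot or from the SELinux userspace) that parses `type=1400 ... avc: denied` records in both the bare dmesg form and the syslog-prefixed /var/log/messages form, collects the kernel's "not defined in policy" notices and the reported handle_unknown setting, and summarises denials by source domain, object class and permissions. The sample log is constructed from lines in this thread; the setroubleshootd_t check at the end follows the "exiting to avoid recursion" log line Steve found, which says the daemon stops when a denial is raised against the daemon itself.

```python
import re
from collections import Counter

# Constructed sample: lines taken from the dmesg and /var/log/messages excerpts
# posted in this thread (the last one keeps its syslog prefix on purpose).
SAMPLE_LOG = """\
security: class peer not defined in policy
security: permission setfcap in class capability not defined in policy
SELinux: policy loaded with handle_unknown=deny
type=1403 audit(1216200106.325:2): policy loaded auid=4294967295 ses=4294967295
type=1400 audit(1216200107.996:3): avc: denied { read write } for pid=505 comm="restorecon" path="/dev/console" dev=tmpfs ino=233 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=1400 audit(1216200109.580:4): avc: denied { create } for pid=731 comm="hwclock" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=1400 audit(1216200109.819:7): avc: denied { sys_time } for pid=731 comm="hwclock" capability=25 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
Jul 1 18:53:51 asa-ws-053 kernel: type=1400 audit(1214938408.938:8): avc: denied { setsched } for pid=611 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=process
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# kernel notices for classes/permissions it knows but the loaded policy never declared
UNDEFINED_RE = re.compile(r'security: (?:class (?P<cls>\w+)|permission (?P<perm>\w+) in class (?P<pcls>\w+)) not defined in policy')
HANDLE_UNKNOWN_RE = re.compile(r'policy loaded with handle_unknown=(\w+)')


def context_type(ctx):
    """Type (third field) of a user:role:type[:range] security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Turn one AVC line into a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'decision': m.group('decision'),
        'perms': tuple(m.group('perms').split()),
        'comm': fields.get('comm'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        'path': fields.get('path') or fields.get('name'),
    }


def analyse(log_text):
    """Walk a log, keeping AVC records, undefined class/permission notices and handle_unknown."""
    avcs, undefined, handle_unknown = [], [], None
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            avcs.append(rec)
            continue
        u = UNDEFINED_RE.search(line)
        if u:
            undefined.append((u.group('cls') or u.group('pcls'), u.group('perm')))
            continue
        h = HANDLE_UNKNOWN_RE.search(line)
        if h:
            handle_unknown = h.group(1)
    summary = Counter()
    for r in avcs:
        if r['decision'] == 'denied':
            summary[(context_type(r['scontext']), r['tclass'], r['perms'])] += 1
    return {'avcs': avcs, 'undefined': undefined,
            'handle_unknown': handle_unknown, 'summary': summary}


def denials_from(avcs, source_type):
    """Denials raised against a given source domain, e.g. setroubleshootd_t."""
    return [r for r in avcs
            if r['decision'] == 'denied' and context_type(r['scontext']) == source_type]


def report(result):
    lines = ['handle_unknown=%s' % result['handle_unknown']]
    for cls, perm in result['undefined']:
        what = ('permission %s in class %s' % (perm, cls)) if perm else ('class %s' % cls)
        lines.append('policy lacks %s' % what)
    for (stype, tclass, perms), n in sorted(result['summary'].items()):
        lines.append('%4d  %-12s %-22s %s' % (n, stype, tclass, ' '.join(perms)))
    return '\n'.join(lines)


if __name__ == '__main__':
    result = analyse(SAMPLE_LOG)
    print(report(result))
    # The daemon's own log line says it exits when a denial hits setroubleshootd_t.
    print('denials against setroubleshootd_t:', len(denials_from(result['avcs'], 'setroubleshootd_t')))
```

Feed it `dmesg` or `/var/log/messages` instead of the sample and the summary table shows at a glance which domains are being denied what; that is the information the fedora-selinux list would want posted, with the raw lines.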
 
Old 07-16-2008, 03:00 PM
max
 
setroubleshoot problem

Steve wrote:
> ---- max bianco <maximilianbianco@gmail.com> wrote:
>> On Mon, Jul 14, 2008 at 8:55 AM, Steve <zephod@cfl.rr.com> wrote:
>>> I went to start setroubleshoot, Applications->System Tools->SE Linux Troubleshooter and I get this message:
>>>
>>> connection failed at /var/run/setroubleshoot/setroubleshoot_server. Connection refused
>>>
>>> #ls -lZ /var/run/setroubleshoot/setroubleshoot_server
>>> srw-rw-rw- root root system_u:object_r:setroubleshoot_var_run_t /var/run/setroubleshoot/setroubleshoot_server
>>>
>> That looks right. Is it F8 or F9?
>
> Found some more interesting AVC messages in /var/log/dmesg. This doesn't mean anything to me. Where is the best place to go to get a little more educated about what all this is supposed to mean?
>
> Thanks,
> Steve

That depends on what you already know about SELinux. I have found a lot
of material but it's never enough for me:^) This is as good a place to
start as any (probably better than most):


http://fedoraproject.org/wiki/SELinux

Depending on how deep you want to get you might look up the Flask
Security Architecture. There is a PDF available, it's not very long but
it's informative. There are also a few SELinux specific papers out there.
I am reading SELinux by Example, it seems very complete so far and
actually references some of the available papers throughout. As for the
errors below I am assuming this is the first time you've seen them since
you just installed policy. Did you uninstall the policy at some point?
Has the machine always, from day of install, been in permissive? Was
this a fresh install or an upgrade? Are there any AVCs or error
messages, related to SELinux, in the logs from before policy was installed?



> ...





--
Fortune favors the BOLD

 
Old 07-16-2008, 03:28 PM
Steve
 
setroubleshoot problem

---- max <maximilianbianco@gmail.com> wrote:
> Steve wrote:
> > ---- max bianco <maximilianbianco@gmail.com> wrote:
> >> On Mon, Jul 14, 2008 at 8:55 AM, Steve <zephod@cfl.rr.com> wrote:
> >>> I went to start setroubleshoot, Applications->System Tools->SE Linux Troubleshooter and I get this message:
> >>>
> >>> connection failed at /var/run/setroubleshoot/setroubleshoot_server. Connection refused
> >>>
> >>> #ls -lZ /var/run/setroubleshoot/setroubleshoot_server
> >>> srw-rw-rw- root root system_u:object_r:setroubleshoot_var_run_t /var/run/setroubleshoot/setroubleshoot_server
> >>>
> >> That looks right. Is it F8 or F9?
> >
> > Found some more interesting AVC messages in /var/log/dmesg, This doesn't mean anything to me. Where is the best place to go to get a little more educated about what all this is supposed to mean?
> >
> > Thanks,
> > Steve
> >
> That depends on what you already know about SELinux.

I can't even spell it correctly selinux or SElinux or Selinux or... ;-D

> I have found a lot of material but it's never enough for me:^)
> This is as good a place to start as any (probably better than most):
>
> http://fedoraproject.org/wiki/SELinux
Thanks, I'll check it out.

>
> Depending on how deep you want to get you might look up the Flask
> Security Architecture. There is a PDF available, it's not very long but
> it's informative. There are also a few SELinux specific papers out there.
> I am reading SELinux by Example, it seems very complete so far and
> actually references some of the available papers throughout. As for the
> errors below I am assuming this is the first time you've seen them since
> you just installed policy.
It's the 1st time I've looked for any problem so I can't say if they were there before or not.

> Did you uninstall the policy at some point?
No.

> Has the machine always, from day of install, been in permissive?
Yes.

> Was this a fresh install or an upgrade?
This was an upgrade from F8 using preinstall. I have had all kinds of problems since the upgrade and I'm just now getting to look at the SElinux problems. IIRC, the default policy was permissive in F8.

> Are there any AVC's or error messages, related to SELinux, in the logs from before policy was installed?
Yes, but I'm on the Windows side of my dual boot machine right now so I'll have to post those later.

Steve.
>
> > ...

 
Old 07-17-2008, 12:32 PM
Steve
 
setroubleshoot problem

Max,

To answer your question from yesterday, I had been getting the same errors even before I installed the policies yesterday which is strange because the messages indicate that a policy was loaded. Is there a built-in default policy? Where do I go from here?

Thanks,
Steve

From /var/log/messages:

Jul 1 18:53:55 asa-ws-053 setroubleshoot: [program.ERROR] setroubleshoot generated AVC, exiting to avoid recursion, context=system_u:system_r:setroubleshootd_t:s0, AVC scontext=system_u:system_r:setroubleshootd_t:s0

and

Jul 1 18:53:51 asa-ws-053 kernel: security: class peer not defined in policy
Jul 1 18:53:51 asa-ws-053 kernel: security: class capability2 not defined in policy
Jul 1 18:53:51 asa-ws-053 kernel: security: permission recvfrom in class node not defined in policy
Jul 1 18:53:51 asa-ws-053 kernel: security: permission sendto in class node not defined in policy
Jul 1 18:53:51 asa-ws-053 kernel: security: permission ingress in class netif not defined in policy
Jul 1 18:53:51 asa-ws-053 kernel: security: permission egress in class netif not defined in policy
Jul 1 18:53:51 asa-ws-053 kernel: security: permission setfcap in class capability not defined in policy
Jul 1 18:53:51 asa-ws-053 kernel: security: permission forward_in in class packet not defined in policy
Jul 1 18:53:51 asa-ws-053 kernel: security: permission forward_out in class packet not defined in policy
Jul 1 18:53:51 asa-ws-053 kernel: SELinux: policy loaded with handle_unknown=deny
Jul 1 18:53:51 asa-ws-053 kernel: type=1403 audit(1214938405.305:2): policy loaded auid=4294967295 ses=4294967295
Jul 1 18:53:51 asa-ws-053 kernel: type=1400 audit(1214938406.918:3): avc: denied { read write } for pid=505 comm="restorecon" path="/dev/console" dev=tmpfs ino=233 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
Jul 1 18:53:51 asa-ws-053 kernel: type=1400 audit(1214938408.569:4): avc: denied { create } for pid=739 comm="hwclock" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
Jul 1 18:53:51 asa-ws-053 kernel: type=1400 audit(1214938408.583:5): avc: denied { getattr } for pid=739 comm="hwclock" path="/etc/adjtime" dev=dm-0 ino=36569532 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:adjtime_t:s0 tclass=file
Jul 1 18:53:51 asa-ws-053 kernel: type=1400 audit(1214938408.583:6): avc: denied { read } for pid=739 comm="hwclock" name="adjtime" dev=dm-0 ino=36569532 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:adjtime_t:s0 tclass=file
Jul 1 18:53:51 asa-ws-053 kernel: type=1400 audit(1214938408.938:7): avc: denied { sys_nice } for pid=611 comm="modprobe" capability=23 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=capability
Jul 1 18:53:51 asa-ws-053 kernel: type=1400 audit(1214938408.938:8): avc: denied { setsched } for pid=611 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=process

 
Old 07-17-2008, 05:29 PM
max
 
setroubleshoot problem

Steve wrote:
> Max,
>
> To answer your question from yesterday, I had been getting the same errors even before I installed the policies yesterday which is strange because the messages indicate that a policy was loaded.
>
> Is there a built-in default policy?

Yes there is a default policy that comes with Fedora. You did however
set SELinux in permissive so it's going to be hard to tell when exactly
the problem began, whether it started before or after the upgrade. You
used preupgrade so it's possible this screwed the pooch somehow, I used
preupgrade on a box but all went smoothly, at least it appeared that
way, I had other qualms with preupgrade so I blew that upgrade away and
did a fresh install. However I don't run SELinux in permissive and this
may be the deciding factor, I just don't know.



> Where do I go from here?


0 - Well one option, that I don't generally encourage unless you're in a
hurry, is to do a fresh install of F9. You won't learn anything and
you've expressed interest in SELinux so I would encourage you to take
advantage of the learning opportunity, especially if you're dual booting
and it's a very minor inconvenience to reboot a desktop/laptop machine,
at least as far as I am concerned.


1 - Check for bugs against preupgrade that relate to SELinux and check
for bugs against SETroubleshoot. I'm pretty sure SEtroubleshoot is a
symptom not a cause of your problem but it doesn't hurt to check.


https://bugzilla.redhat.com/

2 - The only other sane thing I could advise you to do is bounce your
question off the fedora-selinux list. I would include a reference to
this thread and all the relevant details. The kernel you're running, the
policy version (rpm -qa | grep selinux...setrouble), setroubleshoot
version, the error messages below, and that you run in permissive and
used preupgrade to go from f8 to f9.
This will ensure that the right people see your message, this list is
also monitored but I think when they get busy fedora-selinux is likely
to still get checked more often than fedora-list.


I don't have any other sane suggestions left. I feel like the answer is
right there but I can't quite put my finger on it. If you feel like
being a guinea pig and are willing to absolve me of all responsibility
then let me know:^) My curiosity is piqued so I will try to dig up what
I can and I'll let you know if I feel like I have found a good answer.


Take it easy,

Max

P.S. - this line from the output below :


SELinux: policy loaded with handle_unknown=deny


Something about this is bugging me, I am checking with google but so far
I haven't found what I am looking for, try searching for this and see
what you come up with... I think it should be set to allow on fedora but
I am not sure of the circumstances under which it would be set to
allow/deny so I could be wrong....it has to do, IIRC, with other
security checks in the kernel? I am not finding the same info I did
before on this and my memory isn't playing ball.



--
Fortune favors the BOLD

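Max's P.S. asks what the `handle_unknown=deny` line means. The kernel prints it for the policy it has just loaded: when the running kernel knows object classes or permissions that the policy never declares (the `class peer not defined in policy` and `permission setfcap in class capability not defined in policy` lines above), handle_unknown decides whether accesses in those classes are denied, allowed, or make the load fail outright (reject). The value is chosen when the policy is compiled (checkpolicy's `-U` option) and stored in the policy file header next to the policy format version that `sestatus` reported as 22. The following added example (not code from this thread or from the SELinux userspace tools) reads those header fields from a binary kernel policy such as /etc/selinux/targeted/policy/policy.22 and compares the version with the maximum the kernel advertises in selinuxfs. The header layout, magic and flag bits follow the libsepol/kernel policydb format as I know it and are an assumption of this example; the sample headers are constructed inside the block, and the /etc/selinux and selinuxfs paths are assumed for a system like the one in the thread.

```python
import os
import struct

# Fixed header of a binary kernel policy (assumed libsepol/kernel policydb layout,
# all fields little-endian): u32 magic, u32 strlen, "SE Linux", u32 version,
# u32 config, u32 sym_num, u32 ocon_num.
POLICYDB_MAGIC = 0xF97CFF8C
POLICYDB_STRING = b"SE Linux"
CONFIG_MLS = 0x00000001       # policy carries MLS/MCS ranges
REJECT_UNKNOWN = 0x00000002   # refuse to load a policy missing classes the kernel knows
ALLOW_UNKNOWN = 0x00000004    # permit accesses in classes/permissions the policy lacks
# neither bit set means "deny", which is what Steve's kernel reported


def build_header(version, config, sym_num=8, ocon_num=9):
    """Construct a header for demonstration (no policy body follows it)."""
    return (struct.pack('<II', POLICYDB_MAGIC, len(POLICYDB_STRING))
            + POLICYDB_STRING
            + struct.pack('<IIII', version, config, sym_num, ocon_num))


def parse_policy_header(data):
    """Decode the fixed header of a kernel policy file (policy.NN)."""
    if len(data) < 8:
        raise ValueError("file too short to hold a policy header")
    magic, slen = struct.unpack_from('<II', data, 0)
    if magic != POLICYDB_MAGIC:
        raise ValueError("bad magic 0x%08x: not a kernel policy file" % magic)
    target = data[8:8 + slen]
    if target != POLICYDB_STRING:
        raise ValueError("unexpected target string %r" % target)
    version, config, sym_num, ocon_num = struct.unpack_from('<IIII', data, 8 + slen)
    if config & REJECT_UNKNOWN:
        handle_unknown = 'reject'
    elif config & ALLOW_UNKNOWN:
        handle_unknown = 'allow'
    else:
        handle_unknown = 'deny'
    return {'version': version, 'mls': bool(config & CONFIG_MLS),
            'handle_unknown': handle_unknown, 'sym_num': sym_num, 'ocon_num': ocon_num}


def compare_with_kernel(header, kernel_policyvers):
    """Relate the on-disk policy format version to the maximum the kernel supports."""
    v, hu = header['version'], header['handle_unknown']
    if v > kernel_policyvers:
        return ('newer', 'policy version %d is newer than the kernel maximum %d; it will not load'
                % (v, kernel_policyvers))
    if v < kernel_policyvers:
        return ('older', 'policy version %d predates the kernel maximum %d; classes or permissions '
                'this kernel knows but the policy does not declare are handled as handle_unknown=%s'
                % (v, kernel_policyvers, hu))
    return ('same', 'policy version %d matches the kernel maximum; undeclared classes are handled '
            'as handle_unknown=%s' % (v, hu))


def kernel_policyvers(selinuxfs_roots=('/sys/fs/selinux', '/selinux')):
    """Highest policy version the running kernel accepts, or None without selinuxfs."""
    for root in selinuxfs_roots:
        path = os.path.join(root, 'policyvers')
        if os.path.exists(path):
            with open(path) as f:
                return int(f.read().strip())
    return None


def find_policy_file(policy_type='targeted', root='/etc/selinux'):
    """Highest-numbered policy.NN under <root>/<type>/policy/ (assumed layout)."""
    d = os.path.join(root, policy_type, 'policy')
    if not os.path.isdir(d):
        return None
    names = [n for n in os.listdir(d) if n.startswith('policy.') and n[7:].isdigit()]
    if not names:
        return None
    return os.path.join(d, max(names, key=lambda n: int(n[7:])))


if __name__ == '__main__':
    # Demonstration: a v22 policy built with deny (as in the thread) and a v23 MLS
    # policy built with allow, both checked against a kernel whose maximum is 23.
    for hdr in (build_header(22, 0), build_header(23, CONFIG_MLS | ALLOW_UNKNOWN)):
        info = parse_policy_header(hdr)
        print(info, '->', compare_with_kernel(info, 23)[1])
    path, vers = find_policy_file(), kernel_policyvers()
    if path and vers is not None:
        with open(path, 'rb') as f:
            info = parse_policy_header(f.read(64))
        print(path, info, '->', compare_with_kernel(info, vers)[1])
```

On a machine with SELinux the last branch inspects the real policy file; in permissive mode, as on Steve's box, a "deny" result only means the undeclared accesses are logged as AVC denials, which is consistent with the kernel complaining about classes and then letting hwclock and modprobe carry on.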
 
