Bug 141028 - selinux fails without warning

Product: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: All
OS: Linux
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Reporter: Need Real Name <lsof>
Assignee: Daniel Walsh <dwalsh>
Doc Type: Bug Fix
Last Closed: 2005-04-08 21:26:14 UTC

Attachments (flags: none):
  warnings from selinux
  selinux errors after reboot and policy switch
  spamassassin reading resolv.conf (!)
  java failing
  cd burn errors

Description Need Real Name 2004-11-28 14:55:46 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3)
Gecko/20041020 Epiphany/1.4.4

Description of problem:
During install, selinux was off.

Today, I wanted to turn it on.
I now have these two lines in /etc/selinux/config:
SELINUX=permissive
SELINUXTYPE=strict

A reboot, later:

# id -Z
Sorry, --context (-Z) can be used only on a selinux-enabled kernel.

Oh dear.

Maybe a relabel is needed:

# fixfiles relabel

    Files in the /tmp directory may be labeled incorrectly, this command
    can remove all files in /tmp.  If you choose to remove files from /tmp,
    a reboot will be required after completion.

    Do you wish to clean out the /tmp directory [N]? y
/etc/selinux/strict/contexts/files/file_contexts: No such file or directory

The problem is that selinux-policy-strict is not installed, and the
bigger problem is that selinux didn't complain on boot about this.

(Also: Is this a security problem? )

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
x
    

Additional info:

Comment 1 Daniel Walsh 2004-11-29 14:46:00 UTC
You booted in permissive mode, which says just run SELinux in testing
mode, so all it will do is log errors; if you change it to strict
mode, the kernel will crash.

So this is not a security issue.


Dan

Comment 2 Need Real Name 2004-11-29 15:25:22 UTC
It didn't log an error.

Comment 3 Daniel Walsh 2004-11-29 16:30:43 UTC
Do you see anything if you use dmesg?  The problem is that this is
happening in /sbin/init before the rc scripts start.  So init should be
reporting an error to the screen, and maybe dmesg will catch it.

Comment 4 Need Real Name 2004-11-30 17:42:44 UTC
I'm afraid I can't look - /var/log/dmesg has a timestamp of today, and
there don't seem to be any other dmesg logs.

I guess we have to hope it does log it :)

Comment 5 Need Real Name 2004-12-08 14:22:49 UTC
Who should all the selinux error messages I get on boot go to?

Comment 6 Daniel Walsh 2004-12-08 15:36:25 UTC
Ok I just reread your original error message.  Do you wish to run with
strict or targeted policy (targeted is the default for FC3).  
If you want to run targeted change the line in /etc/selinux/config to
targeted and touch /.autorelabel and reboot.  Machine will relabel on
reboot.
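The report opened with a config that named a policy type whose package was not installed, and nothing at boot said so. The following check is an added example, not code from the bug thread or from Fedora: it parses /etc/selinux/config the way the thread uses it and verifies that the SELINUXTYPE directory and its file_contexts (the file fixfiles failed on above) exist before you touch /.autorelabel and reboot. The config path and policy root are parameters so the check can be run against a scratch tree; the hypothetical function name is my own.

```shell
#!/bin/sh
# Added example (not from the bug report): sanity-check /etc/selinux/config
# before rebooting, so a SELINUXTYPE that names an uninstalled policy is
# caught here rather than silently ignored by init.
#
# Usage: check_selinux_config [CONFIG_FILE] [SELINUX_ROOT]
# Defaults are the real locations; both can be overridden so the check
# can be exercised on a scratch directory tree.
check_selinux_config() {
    cfg=${1:-/etc/selinux/config}
    root=${2:-/etc/selinux}
    rc=0

    if [ ! -r "$cfg" ]; then
        echo "ERROR: $cfg is missing or unreadable" >&2
        return 2
    fi

    # Pull the two keys the thread is about; comments and blanks are ignored
    # and the last assignment wins, as it does for the real config.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$cfg" | tail -n 1)
    ptype=$(sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$cfg" | tail -n 1)

    case "$mode" in
        enforcing|permissive|disabled) ;;
        "")  echo "ERROR: SELINUX= is not set in $cfg" >&2; rc=1 ;;
        *)   echo "ERROR: SELINUX=$mode is not one of enforcing/permissive/disabled" >&2; rc=1 ;;
    esac

    if [ -z "$ptype" ]; then
        echo "ERROR: SELINUXTYPE= is not set in $cfg" >&2
        return 1
    fi

    # The policy package for $ptype must have installed its tree; the
    # file_contexts file is the one fixfiles relabel fails on in the report.
    policy_dir=$root/$ptype
    fc=$policy_dir/contexts/files/file_contexts
    if [ ! -d "$policy_dir" ]; then
        echo "ERROR: SELINUXTYPE=$ptype but $policy_dir does not exist (policy package not installed?)" >&2
        rc=1
    elif [ ! -r "$fc" ]; then
        echo "ERROR: $fc missing; relabel will fail" >&2
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: SELINUX=$mode SELINUXTYPE=$ptype ($fc present)"
    return "$rc"
}
```

Source the file and call `check_selinux_config` with no arguments on a live box; a non-zero return means the reboot would land you where the reporter did.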

If you want strict, you must install selinux-policy-strict and touch
the /.autorelabel file and reboot.



Comment 7 Need Real Name 2004-12-08 15:42:44 UTC
> The problem is that selinux-policy-strict is not installed
After I installed selinux-policy-strict (which should have been
installed anyway, or at least everything should be aware that it might
not be installed) and ran fixfiles relabel, I now have strict
permissive mode on.

I get a ton of selinux messages on boot though, and I'd like to know
who would like them.

Hopefully it's not the same response as bug 138843: "file a bug for
each package". Euck :/

Comment 8 Daniel Walsh 2004-12-08 15:46:41 UTC
No you can attach the avc messages here, although I would prefer the
avc messages in enforcing mode,  permissive mode gives off lots of
false messages.



Comment 9 Need Real Name 2004-12-08 15:55:25 UTC
Created attachment 108117
warnings from selinux

These are warnings produced after going to runlevel 5 from 1.
I can't turn on enforcing mode for the moment, sorry about that.

Comment 10 Daniel Walsh 2004-12-08 16:56:50 UTC
Ok first off are you updated to the latest strict policy?

1.19.11-1 should be available.

Secondly, you do not have everything labeled correctly.
Change permissive to enforcing in the /etc/selinux/config file.
Then touch /.autorelabel and reboot, which should get you to
a good state.

Does this work?

Comment 11 Need Real Name 2004-12-08 17:38:03 UTC
I'm using selinux-policy-strict-1.19.10-2
1.19.11-1 isn't available yet.

As a side note, Red Hat people always seem to think rpms are available
way before they do become available. I suppose slow mirrors don't help
that.

Anyway, switching to enforcing mode gave me two errors which worried
me enough to switch back. Here they are:
A permission denied error trying to (read from?) /dev/zero
and a permission denied error at line 65 of /etc/rc.d/rc.sysinit
mentioning /selinux/enforce

# ls -laZ --lcontext /selinux/enforce
-rw-r--r--  1                                  root root 0 Dec  8 2004 /selinux/enforce

Comment 12 Daniel Walsh 2004-12-08 18:13:35 UTC
Sorry about that, it usually takes 24 hours for rpms to get out to the
main site, then longer to get to mirrors.  I usually throw SELinux
packages on ftp://people.redhat.com/dwalsh/SELinux/Fedora

Try to run the machine in strict mode, even if it produces some errors
and then submit the errors to me, so we can get them fixed.  I run
with strict policy all the time and it works fairly well.  

Dan

Comment 13 Need Real Name 2004-12-08 20:00:15 UTC
Created attachment 108144
selinux errors after reboot and policy switch

New policy installed, enforcing mode set on... failure!

Well not quite.. :)
The previous "touch /.autorelabel" didn't work, and it hasn't worked the
previous two times I used it either.

So I switched to runlevel 1, ran a fixfiles relabel, rebooted, and now I have
just three errors. Better than the previous fifty!

But I'm not convinced that selinux is logging everything. I see these errors in
/var/log/messages:
Dec  8 20:49:41 localhost xfs[2520]: ignoring font path element
/usr/X11R6/lib/X11/fonts/Speedo (unreadable)
Dec  8 20:49:50 localhost kernel: drivers/usb/input/hid-input.c: event field
not found
Dec  8 20:49:50 localhost kernel: drivers/usb/input/hid-input.c: event field
not found
Dec  8 20:52:54 localhost ntpd[2442]: synchronized to 82.219.3.129, stratum 2
Dec  8 20:52:54 localhost ntpd[2442]: kernel time sync disabled 0041
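Comment 8 asks for the AVC messages, and the /var/log/messages excerpt above shows how they sit among unrelated kernel and daemon noise. The script below is an added example, not part of the bug thread: it pulls the `avc: denied` lines out of a syslog-format file and collapses them to one line per distinct (source type, target type, object class, permissions) tuple with a count, which is the form a policy maintainer can act on. The sample log it writes is constructed to resemble FC3-era kernel audit output for the problems named in this thread (spamd reading resolv.conf, CA.pl labelled usr_t, cdrecord touching etc_t); the pids, inodes and timestamps are made up, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report). Summarises AVC denials from a
# syslog-format file so the unique (source type, target type, class,
# permissions) tuples can be reported instead of hundreds of raw lines.
# The sample log below is constructed to look like FC3-era
# /var/log/messages output; pids, inodes and timestamps are invented.

# write_sample_log FILE: write a constructed log mixing AVC and non-AVC lines.
write_sample_log() {
cat > "$1" <<'EOF'
Dec  8 20:49:41 localhost xfs[2520]: ignoring font path element /usr/X11R6/lib/X11/fonts/Speedo (unreadable)
Dec  8 20:49:41 localhost kernel: audit(1102538981.245:0): avc:  denied  { read } for  pid=2601 exe=/usr/bin/spamd name=resolv.conf dev=hda2 ino=98306 scontext=system_u:system_r:spamd_t tcontext=system_u:object_r:net_conf_t tclass=file
Dec  8 20:49:42 localhost kernel: audit(1102538982.101:0): avc:  denied  { read } for  pid=2601 exe=/usr/bin/spamd name=resolv.conf dev=hda2 ino=98306 scontext=system_u:system_r:spamd_t tcontext=system_u:object_r:net_conf_t tclass=file
Dec  8 20:50:03 localhost kernel: audit(1102539003.512:0): avc:  denied  { execute } for  pid=2710 exe=/bin/bash path=/usr/share/ssl/misc/CA.pl dev=hda2 ino=131072 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usr_t tclass=file
Dec  8 20:50:09 localhost kernel: drivers/usb/input/hid-input.c: event field not found
Dec  8 20:53:10 localhost kernel: audit(1102539190.007:0): avc:  denied  { read } for  pid=2802 exe=/usr/bin/cdrecord name=mtab dev=hda2 ino=2049 scontext=root:sysadm_r:cdrecord_t tcontext=system_u:object_r:etc_t tclass=file
EOF
}

# summarize_avc LOGFILE: print one line per distinct denial, most frequent
# first, in the form "<count> <src type> -> <tgt type> (<class>) { <perms> }".
summarize_avc() {
    grep 'avc: *denied' "$1" | awk '
    {
        perms = ""; s = ""; t = ""; cls = ""
        # the permission set is the text between the first "{" and "}"
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { s = substr($i, 10) }
            else if ($i ~ /^tcontext=/) { t = substr($i, 10) }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        # contexts are user:role:type; only the type matters for policy
        split(s, sa, ":"); split(t, ta, ":")
        key = sa[3] " -> " ta[3] " (" cls ") { " perms " }"
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}
```

Run `summarize_avc /var/log/messages` on the real log; as Dan notes above, do it from enforcing mode, since permissive mode lets a process continue past the first denial and so logs follow-on accesses that enforcing would never reach.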

Comment 14 Need Real Name 2004-12-08 20:01:03 UTC
Trying to attach that attachment kept giving "the file is empty"
errors from epiphany. Maybe I should file a bug for that too.

Comment 15 Need Real Name 2004-12-11 13:06:34 UTC
Created attachment 108385
spamassassin reading resolv.conf (!)

Comment 16 Need Real Name 2004-12-12 13:05:39 UTC
Created attachment 108402
java failing

Comment 17 Need Real Name 2004-12-12 14:45:40 UTC
Created attachment 108405
cd burn errors

k3b and nautilus fail to burn to disk, despite trying as root.
How do you manage to burn disks with selinux enabled?

Comment 18 Need Real Name 2004-12-12 16:52:28 UTC
java doesn't crash if I "setenforce 0 && java"

Comment 19 Need Real Name 2004-12-12 19:36:13 UTC
Re: #17
k3b will burn as root now, but only after refreshing the utils page so
it can find growisofs

Comment 20 Need Real Name 2004-12-13 21:20:49 UTC
/usr/share/ssl/misc/CA.pl from openssl-perl can't run.
perl /usr/share/ssl/misc/CA.pl works.

This is getting ridiculous.

Comment 21 Need Real Name 2004-12-13 21:57:55 UTC
apachectl configtest has no output unless setenforce is 0

Comment 22 Colin Walters 2004-12-13 22:47:15 UTC
Need Real Name: The reason that occurs is because files marked as
usr_t cannot be executed by default.  I think the rationale here is
simply that binaries should be in /usr/bin or the like.  Basically
it's an openssl packaging bug; if CA.pl is useful it should be in
/usr/bin, otherwise put it in /usr/share/doc/openssl or something.


Comment 23 Need Real Name 2004-12-13 23:06:50 UTC
Fair enough.
You asked me to post any errors I got, and I have.

Fedora ships with either:
 i) a bad policy that prevents a script from running
 ii) a bad package that has a script in the wrong place

Either way it is a Fedora package that is broken and needs to be fixed.

These are the kinds of annoyances that will lead SAs to turn off the
selinux thing because it gets in the way of doing work.

Comment 24 Colin Walters 2004-12-13 23:31:07 UTC
Need Real Name: I agree there is a bug.  We could just give up and
allow userdomains to exec usr_t in the default policy, but it'd be
better to fix the packages.

As for turning SELinux off, well, the thing to remember is that the
strict policy tries to describe how an entire Linux system works, and
it is far from complete.  Some of the issues you've found are
difficult to fix; for example the Java one is an interaction between
older binaries and a change in the way the kernel does memory
permission checking.  Others are easier - the cdrecord needing access
to etc_t looks like a simple policy bug.

We are working on fixing these issues though; please do keep reporting
them.



Comment 25 Need Real Name 2005-02-02 08:52:22 UTC
minicom fails to connect to a serial line when running as root.
I'll post the error later.

Comment 26 Need Real Name 2005-03-22 11:17:56 UTC
I can't retest minicom, so can't close this bug.

Comment 27 Need Real Name 2005-04-08 21:26:14 UTC
No response. Closing. Would be good if minicom worked.

Comment 28 Daniel Walsh 2005-04-09 10:50:04 UTC
You never submitted AVC messages for the minicom bug?

BTW
/usr/share/ssl/misc/CA.pl should be bin_t with the latest policy.
apachectl should work with the httpd_tty_comm turned on.
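Comments 22 and 28 turn on file labelling: CA.pl could not run because it fell under the generic /usr rule and was labelled usr_t, and the fix was a policy entry labelling it bin_t. The following is an added example, not code from this thread or from the SELinux tools, that resolves the label a path would get from a file_contexts-style specification using the rule that the last matching entry wins (which is why the more specific entries sit later in the file). The spec fragment it writes is constructed in file_contexts syntax to illustrate the point; it is not the FC3 policy's real file, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report). Resolves the label a path would
# receive from a file_contexts specification, using the rule that the last
# matching entry wins, to show why a script under /usr/share gets usr_t
# and how a more specific entry gives it bin_t. The spec fragment below is
# constructed in file_contexts syntax; it is not the shipped FC3 policy file.

# write_sample_file_contexts FILE: a constructed, ordered spec fragment.
# Column 2 is the optional file-type restriction (-d directory, -- regular
# file); a missing column means the entry applies to every file type.
write_sample_file_contexts() {
cat > "$1" <<'EOF'
# regex                          [type]  context
/.*                                      system_u:object_r:default_t
/usr(/.*)?                               system_u:object_r:usr_t
/usr/bin(/.*)?                           system_u:object_r:bin_t
/usr/lib(/.*)?                   -d      system_u:object_r:lib_t
/usr/share/ssl/misc/CA\.pl       --      system_u:object_r:bin_t
EOF
}

# lookup_context SPECFILE PATH: print the context for PATH treated as a
# regular file (specs restricted to other file types, e.g. -d, are skipped).
lookup_context() {
    awk -v p="$2" '
    NF == 0 || $1 ~ /^#/ { next }
    {
        re = $1; ctx = $NF
        ftype = (NF >= 3) ? $2 : "--"
        if (ftype != "--") next
        # file_contexts regexes are implicitly anchored at both ends;
        # a later match overrides an earlier one
        if (p ~ ("^" re "$")) last = ctx
    }
    END { if (last == "") last = "<<none>>"; print last }
    ' "$1"
}
```

With this fragment `/usr/share/ssl/misc/CA.pl` resolves to bin_t while a neighbouring `other.pl` in the same directory stays usr_t, which is the shape of the packaging-versus-policy question Colin raised: either the script moves under a bin_t path or the policy names it explicitly.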


Comment 29 Need Real Name 2005-04-09 11:14:45 UTC
Great. Unfortunately I can't retest minicom because I have no serial cable atm.
I've upped to FC4T1 so I no longer have the AVC messages. Sorry.