Bug 141028
| Field | Value |
|---|---|
| Summary | selinux fails without warning |
| Product | [Fedora] Fedora |
| Reporter | Need Real Name <lsof> |
| Component | selinux-policy-targeted |
| Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED WONTFIX |
| Severity | medium |
| Priority | medium |
| Version | 3 |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2005-04-08 21:26:14 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Need Real Name
2004-11-28 14:55:46 UTC
You booted in permissive mode, which says just run SELinux in testing mode, so all it will do is log errors; if you change it to strict mode, the kernel will crash. So this is not a security issue. Dan

It didn't log an error.

Do you see anything if you use dmesg? Problem is this is happening in /sbin/init before the rc scripts start. So init should be reporting an error to the screen, and maybe dmesg will catch it.

I'm afraid I can't look - /var/log/dmesg has a timestamp of today, and there don't seem to be any other dmesg logs. I guess we have to hope it does log it :) Who should all the selinux error messages I get on boot go to?

Ok I just reread your original error message. Do you wish to run with strict or targeted policy (targeted is the default for FC3)? If you want to run targeted, change the line in /etc/selinux/config to targeted and touch /.autorelabel and reboot. Machine will relabel on reboot. If you want strict, you must install selinux-policy-strict and touch the /.autorelabel file and reboot.

> The problem is that selinux-policy-strict is not installed

After I installed selinux-policy-strict (which should have been installed anyway, or at least everything should be aware that it might not be installed), and running fixfiles relabel, I now have strict permissive mode on. I get a ton of selinux messages on boot though, and I'd like to know who would like them. Hopefully it's not the same response as bug 138843: "file a bug for each package". Euck :/

No, you can attach the avc messages here, although I would prefer the avc messages in enforcing mode; permissive mode gives off lots of false messages.

Created attachment 108117 [details]
warnings from selinux

These are warnings produced after going to runlevel 5 from 1.
I can't turn on enforcing mode for the moment, sorry about that.
Ok first off, are you updated to the latest strict policy? 1.19.11-1 should be available. Secondly, you do not have everything labeled correctly. Change permissive to enforcing in the /etc/selinux/config file. So touch /.autorelabel and reboot. Which should be able to get you to a good state. Does this work?

I'm using selinux-policy-strict-1.19.10-2; 1.19.11-1 isn't available yet. As a side note, Red Hat people always seem to think rpms are available way before they do become available. I suppose slow mirrors don't help that. Anyway, switching to enforcing mode gave me two errors which worried me enough to switch back. Here they are: a permission denied error trying to (read from?) /dev/zero and a permission denied error at line 65 of /etc/rc.d/rc.sysinit mentioning /selinux/enforce

# ls -laZ --lcontext /selinux/enforce
-rw-r--r-- 1 root root 0 Dec 8 2004 /selinux/enforce

Sorry about that, it usually takes 24 hours for rpms to get out to the main site, then longer to get to mirrors. I usually throw SELinux packages on ftp://people.redhat.com/dwalsh/SELinux/Fedora Try to run the machine in strict mode, even if it produces some errors, and then submit the errors to me, so we can get them fixed. I run with strict policy all the time and it works fairly well. Dan

Created attachment 108144 [details]
selinux errors after reboot and policy switch
New policy installed, enforcing mode set on... failure!
Well not quite.. :)
The previous "touch /.autorelabel" didn't work, and it hasn't worked the
previous two times I used it either.
So I switched to runlevel 1, ran a fixfiles relabel, rebooted, and now I have
just three errors. Better than the previous fifty!
But I'm not convinced that selinux is logging everything. I see these errors in /var/log/messages:

Dec 8 20:49:41 localhost xfs[2520]: ignoring font path element /usr/X11R6/lib/X11/fonts/Speedo (unreadable)
Dec 8 20:49:50 localhost kernel: drivers/usb/input/hid-input.c: event field not found
Dec 8 20:49:50 localhost kernel: drivers/usb/input/hid-input.c: event field not found
Dec 8 20:52:54 localhost ntpd[2442]: synchronized to 82.219.3.129, stratum 2
Dec 8 20:52:54 localhost ntpd[2442]: kernel time sync disabled 0041
Trying to attach that attachment kept giving "the file is empty" errors from epiphany. Maybe I should file a bug for that too.

Created attachment 108385 [details]
spamassassin reading resolv.conf (!)

Created attachment 108402 [details]
java failing

Created attachment 108405 [details]
cd burn errors
k3b and nautilus fail to burn to disk, despite trying as root.
How do you manage to burn disks with selinux enabled?

java doesn't crash if I "setenforce 0 && java"

Re: #17 k3b will burn as root now, but only after refreshing the utils page so it can find growisofs

/usr/share/ssl/misc/CA.pl from openssl-perl can't run. perl /usr/share/ssl/misc/CA.pl works. This is getting ridiculous.

apachectrl configtest has no output unless setenforce is 0

Need Real Name: The reason that occurs is because files marked as usr_t cannot be executed by default. I think the rationale here is simply that binaries should be in /usr/bin or the like. Basically it's an openssl packaging bug; if CA.pl is useful it should be in /usr/bin, otherwise put it in /usr/share/doc/openssl or something.

Fair enough. You asked me to post any errors I got, and I have. Fedora ships with either:
i) a bad policy that prevents a script from running
ii) a bad package that has a script in the wrong place
Either way it's a Fedora package that is broken and needs to be fixed. These are the kinds of annoyances that will lead SAs to turn off the selinux thing because it gets in the way of doing work.

Need Real Name: I agree there is a bug. We could just give up and allow userdomains to exec usr_t in the default policy, but it'd be better to fix the packages. As for turning SELinux off, well, the thing to remember is that the strict policy tries to describe how an entire Linux system works, and it is far from complete. Some of the issues you've found are difficult to fix; for example the Java one is an interaction between older binaries and a change in the way the kernel does memory permission checking. Others are easier - the cdrecord needing access to etc_t looks like a simple policy bug. We are working on fixing these issues though; please do keep reporting them.

minicom fails to connect to a serial line when running as root. I'll post the error later.

I can't retest minicom, so can't close this bug.

No response. Closing.

Would be good if minicom worked.

You never submitted AVC Messages for the minicom bug?
BTW /usr/share/ssl/misc/CA.pl should be bin_t with the latest policy. apachectrl should work with the httpd_tty_comm turned on.

Great. Unfortunately I can't retest minicom because I have no serial cable atm. I've upped to FC4T1 so I no longer have the AVC messages. Sorry.
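The failure mode in this bug is /etc/selinux/config naming a policy type (strict) whose package was never installed, with nothing warning before the reboot. The following pre-reboot check is an added example, not part of the bug thread or of Fedora's own tooling; it assumes the installed policy tree lives under <policy root>/<SELINUXTYPE>/policy, and takes both paths as arguments so it can be exercised on constructed files.

```shell
#!/bin/sh
# Added example (not from the bug thread): verify that the policy type named in
# an SELinux config file is actually installed before rebooting into it.
#
# check_selinux_config CONFIG POLICY_ROOT
#   0  -> SELINUX= is valid and POLICY_ROOT/<SELINUXTYPE>/policy exists
#   1  -> the policy package for SELINUXTYPE is missing (the bug's scenario)
#   2  -> config unreadable, or SELINUX=/SELINUXTYPE= missing or malformed
check_selinux_config() {
    cfg="$1"; root="$2"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    # Last assignment wins, as it would for a shell-style key=value file.
    mode=$(sed -n 's/^SELINUX=[[:space:]]*//p' "$cfg" | tail -n 1)
    type=$(sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$cfg" | tail -n 1)
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "bad or missing SELINUX= value: '$mode'" >&2; return 2 ;;
    esac
    [ -n "$type" ] || { echo "SELINUXTYPE= is missing in $cfg" >&2; return 2; }
    if [ ! -d "$root/$type/policy" ]; then
        echo "SELINUXTYPE=$type but $root/$type/policy does not exist;" \
             "install the selinux-policy-$type package before rebooting" >&2
        return 1
    fi
    return 0
}
```

On a real host run `check_selinux_config /etc/selinux/config /etc/selinux` before touching /.autorelabel; a non-zero status means the reboot would come up without the policy it was told to load.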