Bug 437478

Summary: SELinux is completely hosed in F 9 Alpha (or so it seems!)
Product: [Fedora] Fedora
Reporter: Steve Murphy <murf>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Ben Levenson <benl>
Severity: low
Priority: low
Version: rawhide
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-03-17 19:38:08 UTC
Attachments: From setroubleshoot browser (flags: none)

Description Steve Murphy 2008-03-14 14:09:19 UTC
I downloaded the F9alpha DVD image yesterday, and installed on Dell Laptop.
When it came up, it wanted to update with 701 packages to download. Took most of
the day, but it completed. Besides the fact that firefox won't even start,
SELinux is the next most noticeable problem. Thousands and thousands of
problems. Some come up during the installs, so I have no idea how many probs are
simply because SELinux wouldn't let some file be updated.

SELinux == Lupus for F 9 alpha

For instance, I can't connect to wireless AP; I see refs to NetworkManager on
web, so I fire up System>Administration>Services, and I get thousands of
complaints, mostly "SELinux is preventing gam_server (gamin_t) "ptrace" to
<Unknown> (crond_t)"

I got fed up with SELinux, and went to disable it entirely. But the gui talked
me into putting it into permissive mode instead, which I did, and checked the
relabel disk option, and rebooted. It did relabel the entire drive, and it did
take a while.

But it still complains; it's not preventing things, but it's complaining like
heck on just about everything.

Since I put it in permissive mode, I had another round of updates installed.
Since then, I could get into "Services" and actually enable NetworkManager, and
start it. So, who knows. It still won't connect to my AP, tho.

I was getting problems with font.dir; complaints when I ssh'd into the box from
another machine; starting up the "services" program (as mentioned before), and
who knows what else. How much damage this might have done while packages were
installing, I have no idea. Firefox isn't starting; NetworkManager isn't making
wireless connections; and the stupid xulrunner package update has been
downloaded maybe 3-4 times now, and keeps needing updates. An infinite update
loop, no less.


While in setroubleshoot, I highlighted all the entries in the top pane and did a
"save As", and I'll attach that to this bug report.

Comment 1 Steve Murphy 2008-03-14 14:13:04 UTC
Created attachment 298050
From setroubleshoot browser

If you need the messages, let me know.

In normal system operation, I don't think I should have seen any of these. It's
all normal activity. I'd hope, anyway!

Comment 2 Daniel Walsh 2008-03-14 15:05:23 UTC
xulrunner is a known problem unrelated to SELinux.  I forget how to fix it but
you should be able to find it on the web.  I think you need to remove it with
nodeps and then install it.

You also seem to be logging into root via XWindows which SELinux is going to
complain about.

I am fixing the nsplugin problems and gamin avc's.

Running audit2allow on your setroubleshoot output produces
#============= gamin_t ==============
allow gamin_t NetworkManager_t:process ptrace;
allow gamin_t auditd_t:process ptrace;
allow gamin_t crond_t:process ptrace;
allow gamin_t hald_t:process ptrace;
allow gamin_t restorecond_t:process ptrace;
allow gamin_t self:capability sys_ptrace;
allow gamin_t sendmail_t:process ptrace;
allow gamin_t sshd_t:process ptrace;
allow gamin_t system_dbusd_t:process ptrace;

>> I am dontauditing these. selinux-policy-3.3.1-19.fc9

#============= nsplugin_config_t ==============
allow nsplugin_config_t inotifyfs_t:dir read;
allow nsplugin_config_t unconfined_t:unix_dgram_socket { read write };
allow nsplugin_config_t unconfined_t:unix_stream_socket { read write };

>> I am fixing these. selinux-policy-3.3.1-19.fc9

#============= semanage_t ==============
allow semanage_t user_home_t:file append;
>> This is redirection of terminal to .xsession-errors, ignoring for now. Can be ignored.

#============= sshd_t ==============
allow sshd_t xdm_t:key link;
>> This is a bug in the kernel key code that is being fixed, can be ignored

#============= syslogd_t ==============
allow syslogd_t system_map_t:file read;
>> Should be fixed in current policy.  selinux-policy-3.3.1-18.fc9

#============= tmpreaper_t ==============
allow tmpreaper_t var_lib_t:dir setattr;
>> I have no idea what is causing this?  Why is tmpreaper looking in /var/lib?
Seems like some tool is configured badly.

#============= xdm_t ==============
allow xdm_t admin_home_t:dir write;
>> Caused by you logging in as root via XWindows, will not fix

#============= xdm_xserver_t ==============
allow xdm_xserver_t admin_home_t:file read;
>> Caused by you logging in as root via XWindows, will not fix


Comment 3 Daniel Walsh 2008-03-17 19:38:08 UTC
Fixed in selinux-policy-3.3.20.fc9