From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040809

Description of problem:
After running 'fixfiles relabel' in runlevel 3 from tty1 as root and changing

SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=strict

I booted up the computer and got messages related to avc errors. I got messages during boot, which will be attached in a file called onboot.txt. The latest error file will be attached; it contains the avc errors from after launching the GUI (startx from tty2, as a regular user).

I hope that running fixfiles relabel from runlevel 3 is sufficient to start testing SELinux. Mozilla, Thunderbird, disk mounting tools and other programs seem to work correctly after the initial setup. This was not the case when testing during the FC2 test phase. Great job!

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.15.14-1

How reproducible:
Didn't try

Steps to Reproduce:
1. Decide to start testing SELinux on a system that was not set up for SELinux during install.
2. Read the FAQ on the required steps to initialize SELinux.
3. Set the /etc/sysconfig file to the info listed above. Then close down all apps except tty1 as root (runlevel 3).
4. At the tty1 terminal run fixfiles relabel and wait for relabeling to complete overnight.
5. Start the system up in the morning to see the results.

Actual Results:
System booted normally. Errors were noted during booting up and logging in; it seemed to issue a few as root. Regular user worked without errors.

Expected Results:
avc errors expected. The question is which errors are related to my lack of knowledge and which errors are legitimate and need fixing.

Additional info:
I expected errors related to Mozilla and other applications. I cannot really detect or decrypt the avc errors. Here they are!
Created attachment 102743 [details]
This is booting in runlevel 3 before initializing the GUI
Created attachment 102744 [details]
This is after mounting disks, testing apps, running up2date

This attachment currently reflects the avc errors that I have recorded in /var/log/messages.
Am I correct in assuming you did the fixfiles relabel *after* you changed the policy? The way you state it, this is not clear.
The file was as shown in the cut-and-pasted file excerpt. The system was set to the strict policy and in permissive mode before relabeling. I cannot recall if the relabeling was performed before SELinux was activated. I seem to recall that SELinux was enabled after the fixfiles relabel was performed. I'm attaching a log from August 19th, when relabeling was done with the strict policy selected and SELinux was set to enforce and using the permissive policy.
Created attachment 103148 [details]
August 19th errors that caused system lock on boot

This is related to conversations from the SELinux list. Relabeling was performed while the policy was set to strict. After relabeling, the policy was set to permissive mode. I hope this helps.
Hm. First get some facts straight: "permissive policy" is the "targeted" policy? Or are you speaking of enforcing? Reports should usually be based on a system in enforcing mode (unless explicitly requested). So after setting the policy to permissive (= targeted?) you did *not* relabel again? The point of relabeling is to make the file permissions match the policy, so you need to do that directly after a policy change. But maybe I am just misunderstanding you.
I should have read your initial comment with more care. Indeed you are not speaking of the targeted policy, but running in permissive mode. As I said in my previous comment you should not file reports based on running in permissive mode. You will get all kinds of avc denials that you would not see in enforcing mode, because the system allows you to perform tasks (and thus generate avc messages) that you would not be able to perform when running in enforcing mode. Maybe I am still missing something here, but I would say this is NOTABUG. If you are still having issues when running in enforcing mode you should file them.
Created attachment 103159 [details]
Using kernel-2.6.8-1.526 relabel

This is the attached avc errors after performing a relabel using the targeted policy and permissive mode. If this is not helpful, I guess "not a bug" is acceptable.

I had problems w/ this kernel and SELinux letting me log in; I could not log in as root or user. On shutdown, I believe the loopback device locked up. I then booted up using kernel-2.6.7-1.517 and did not see any errors other than messages regarding areas not labeled correctly.

--- /etc/sysconfig/selinux file contains ------------------------------------
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
----- end report -----------------
Policy and SELinux rpm versions installed at relabeling time:
selinux-policy-targeted-1.17.4-2
policycoreutils-1.17.3-3
selinux-policy-strict-1.17.4-2
libselinux-1.17.1-1
libselinux-devel-1.17.1-1
After getting the kernel lockup and reading problems since corrected w/ things like loopback devices, I uninstalled and reinstalled the kernel. Booting today showed ABSOLUTELY no avc errors. Many thanks to the team! Bug can be officially closed. I'll try enforcing mode again with permissive policy. Thanks, Jim
Created attachment 103197 [details]
Final info - success - cron message

Just as confirmation that I am now able to run SELinux in enforcing mode and noticed a relabeling operation in a cron mail. This is attached in case successful operation is of any value. Thanks! Jim
> I'll try enforcing mode again with permissive policy. Policy: targeted or strict State: enforcing or permissive Reporting bugs is usually done in enforcing mode. See also http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/index.html#id3102366 .
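An added example, not code from the bug report, from Fedora or from the SELinux tools: a small Python triage script for the two things this thread goes back and forth on, reading policy versus state out of /etc/sysconfig/selinux, and grouping the avc denials in /var/log/messages by source type, target type, object class and permission so they can be sorted into relabel noise and real policy problems. It assumes the kernel-2.6.8-era syslog AVC format ('audit(...): avc:  denied  { perms } for  key=value ...'), and every log and config line in it is constructed for the example rather than taken from the attachments.

```python
"""Added example (not from the bug report or its attachments): triage the
avc messages and the /etc/sysconfig/selinux settings the thread argues
about. Assumes the syslog AVC format of the kernel-2.6.8 era
('audit(...): avc:  denied  { perms } for  key=value ...'); all sample
lines below are constructed for this example."""
import re
from collections import Counter

# Constructed /var/log/messages excerpt (not copied from the attachments).
SAMPLE_LOG = """\
Aug 19 08:01:02 host kernel: audit(1092919262.123:0): avc:  denied  { read } for  pid=1234 exe=/usr/bin/mozilla-bin name=resolv.conf dev=hda2 ino=4711 scontext=user_u:user_r:user_t tcontext=system_u:object_r:net_conf_t tclass=file
Aug 19 08:01:02 host kernel: audit(1092919262.456:0): avc:  denied  { write } for  pid=1234 exe=/usr/bin/mozilla-bin name=resolv.conf dev=hda2 ino=4711 scontext=user_u:user_r:user_t tcontext=system_u:object_r:net_conf_t tclass=file
Aug 19 08:02:10 host kernel: audit(1092919330.001:0): avc:  denied  { getattr } for  pid=877 exe=/sbin/mount path=/etc/mtab dev=hda2 ino=99 scontext=system_u:system_r:mount_t tcontext=user_u:object_r:etc_t tclass=file
Aug 19 08:02:11 host kernel: eth0: link up
"""

# Constructed /etc/sysconfig/selinux with the reporter's targeted/permissive settings.
SAMPLE_SYSCONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def context_type(ctx):
    """The type field of a user:role:type context (what a policy rule names)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Return the parsed AVC message in a syslog line, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "stype": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        "fields": fields,
    }


def summarize_denials(log_text):
    """Count denials by (source type, target type, class, permission): the
    granularity at which an allow rule would make each one go away."""
    counts = Counter()
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc["verdict"] != "denied":
            continue
        for perm in avc["perms"]:
            counts[(avc["stype"], avc["ttype"], avc["tclass"], perm)] += 1
    return counts


def mislabel_candidates(log_text):
    """Heuristic (an assumption of this example): a denied target outside
    /home whose SELinux user is not system_u is probably a stale label that
    fixfiles relabel fixes, not a policy bug."""
    found = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc["verdict"] != "denied":
            continue
        tctx = avc["fields"].get("tcontext", "")
        target = avc["fields"].get("path") or avc["fields"].get("name") or "?"
        if tctx and tctx.split(":")[0] != "system_u" and not target.startswith("/home/"):
            found.append((target, tctx))
    return found


def read_sysconfig(text):
    """Parse the KEY=value lines of /etc/sysconfig/selinux, skipping comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def describe_mode(cfg):
    """Word it the way the thread finally separates the two settings:
    SELINUXTYPE is the policy, SELINUX is the state."""
    return "policy: %s, state: %s" % (cfg.get("SELINUXTYPE", "?"), cfg.get("SELINUX", "?"))


def denials_worth_filing(cfg):
    """Only enforcing-mode denials show what the policy really blocks; in
    permissive mode the denied action proceeds and later steps log denials
    that enforcing mode would never reach."""
    return cfg.get("SELINUX") == "enforcing"


if __name__ == "__main__":
    cfg = read_sysconfig(SAMPLE_SYSCONFIG)
    print(describe_mode(cfg), "- denials worth filing:", denials_worth_filing(cfg))
    for key, n in sorted(summarize_denials(SAMPLE_LOG).items()):
        print("%3d  %s -> %s  %s { %s }" % ((n,) + key))
    for target, tctx in mislabel_candidates(SAMPLE_LOG):
        print("relabel first:", target, tctx)
```

Run as is it prints the summary for the constructed lines; feeding the real /var/log/messages text to summarize_denials groups an attachment the same way. The mislabel heuristic is this example's assumption, but it flags exactly the kind of user_u:object_r:etc_t label that the setfiles output later in this thread corrects on /etc/mtab, which is why the maintainer insists on relabeling right after a policy change and on reporting only from enforcing mode.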
Policy: Targeted
State: enforcing

I can't seem to communicate the two correctly. The file entries are correct. Things seem to be working fine. No errors reported in badcontent.txt and /etc/cron.daily/fixfiles.cron:

logging to /dev/null
/usr/sbin/setfiles: conflicting specifications for /etc/sysconfig/networking/profiles/default/resolv.conf and /etc/resolv.conf, using +system_u:object_r:net_conf_t.
/usr/sbin/setfiles: read 444 specifications
WARNING: Multiple same specifications for /dev/hdc.
/usr/sbin/setfiles: labeling files under /
/usr/sbin/setfiles: relabeling /dev/hdd from system_u:object_r:fixed_disk_device_t to system_u:object_r:removable_device_t
/usr/sbin/setfiles: relabeling /dev/mdsp15 from system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles: relabeling /dev/mdsp9 from system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles: relabeling /dev/mdsp4 from system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles: relabeling /dev/mdsp1 from system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles: relabeling /dev/mdsp12 from system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles: relabeling /dev/mdspstat from system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles: relabeling /dev/mdsp3 from system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles: relabeling /dev/mdsp11 from system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles: relabeling /dev/mdsp5 from system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles: relabeling /dev/mdsp2 from system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles: relabeling /dev/mdsp7 from system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles: relabeling /dev/mdsp13 from system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles: relabeling /dev/mdsp14 from system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles: relabeling /dev/mdsp6 from system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles: relabeling /dev/mdsp16 from system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles: relabeling /dev/mdsp10 from system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles: relabeling /dev/mdsp8 from system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles: relabeling /var/named/slaves from system_u:object_r:named_cache_t to system_u:object_r:named_zone_t
/usr/sbin/setfiles: relabeling /var/named/data from system_u:object_r:named_cache_t to system_u:object_r:named_zone_t
/usr/sbin/setfiles: relabeling /var/run/utmp from user_u:object_r:var_run_t to system_u:object_r:initrc_var_run_t
/usr/sbin/setfiles: relabeling /.autofsck from user_u:object_r:root_t to system_u:object_r:etc_runtime_t
/usr/sbin/setfiles: relabeling /etc/rndc.key from system_u:object_r:named_conf_t to system_u:object_r:rndc_conf_t
/usr/sbin/setfiles: relabeling /etc/rndc.conf from system_u:object_r:named_conf_t to system_u:object_r:rndc_conf_t
/usr/sbin/setfiles: relabeling /etc/fstab from user_u:object_r:tmp_t to system_u:object_r:etc_t
/usr/sbin/setfiles: relabeling /etc/mtab from user_u:object_r:etc_t to system_u:object_r:etc_runtime_t
/usr/sbin/setfiles: relabeling /etc/hotplug/usb.usermap from root:object_r:etc_t to system_u:object_r:hotplug_etc_t
/usr/sbin/setfiles: relabeling /etc/named.custom from system_u:object_r:etc_t to system_u:object_r:named_conf_t
/usr/sbin/setfiles: hash table stats: 263055 elements, 52019/65536 buckets used, longest chain length 12
/usr/sbin/setfiles: labeling files under /boot
/usr/sbin/setfiles: hash table stats: 32 elements, 32/65536 buckets used, longest chain length 1
/usr/sbin/setfiles: labeling files under /hda-boot
/usr/sbin/setfiles: hash table stats: 43 elements, 43/65536 buckets used, longest chain length 1
/usr/sbin/setfiles: labeling files under /hdb-boot
/usr/sbin/setfiles: hash table stats: 33 elements, 33/65536 buckets used, longest chain length 1
/usr/sbin/setfiles: labeling files under /hdb-root
/usr/sbin/setfiles: hash table stats: 308375 elements, 48454/65536 buckets used, longest chain length 20
/usr/sbin/setfiles: Done.

Null message body; hope that's ok