Bug 129949 - Errors trying to setup SELinux for first time - relabeled using strict - changed to targeted after relabeling completed
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Platform: i686 Linux
Priority: medium
Severity: medium
Reported: 2004-08-15 10:20 EDT by Jim Cornette
Modified: 2007-11-30 17:10 EST (History)
Fixed In Version: 1.17.4-2
Doc Type: Bug Fix
Last Closed: 2004-08-27 17:24:51 EDT

Attachments:
- This is booting in runlevel 3 before initializing GUI (27.61 KB, text/plain), 2004-08-15 10:22 EDT, Jim Cornette
- this is after mounting disks, testing apps running up2date (56.17 KB, text/plain), 2004-08-15 10:23 EDT, Jim Cornette
- August 19th errors that caused system lock on boot (166.79 KB, text/plain), 2004-08-26 20:35 EDT, Jim Cornette
- Using kernel-2.6.8-1.526 relabel (4.48 KB, text/plain), 2004-08-27 07:31 EDT, Jim Cornette
- Final info - success - cron message (9.73 KB, text/plain), 2004-08-27 23:32 EDT, Jim Cornette

Description Jim Cornette 2004-08-15 10:20:40 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040809

Description of problem:
After running 'fixfiles relabel' in runlevel 3 from tty1 as root and
changing
SELINUX=permissive

# SELINUXTYPE= can take one of these two values:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=strict

I booted up the computer and got messages related to avc errors. I got
messages during boot, which will be attached in a file called onboot.txt

The latest error file will be attached that contains avc errors that
are after launching the GUI (startx from tty2, as regular user)

I hope that running fixfiles relabel from runlevel 3 is sufficient to
start testing selinux. Mozilla, thunderbird, disk mounting tools and
other programs seem to work correctly after the initial setup. This
was not the case when testing during FC2test phase. Great job!

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.15.14-1

How reproducible:
Didn't try

Steps to Reproduce:
1. Decide to start testing selinux on system that was not setup for
SELinux during install.
2. Read FAQ on required steps to initialize SELinux.
3. set /etc/sysconfig file to info listed above. Then close down all
apps except tty1 as root (runlevel 3).
4. at the tty1 term run fixfiles relabel and wait for relabeling to
complete overnight.
5. start system up in the morning to see results.

Actual Results:  System booted normally. Errors noted during booting
up and logging in seemed to issue a few as root. Regular user worked
without errors.

Expected Results:  avc errors expected. The question is what errors are
related to my lack of knowledge and what errors are legitimate and
need fixing.

Additional info:

I expected errors related to mozilla and other applications. I cannot
really detect or decrypt the avc errors. Here they are!
Comment 1 Jim Cornette 2004-08-15 10:22:03 EDT
Created attachment 102743 [details]
This is booting in runlevel 3 before initializing GUI
Comment 2 Jim Cornette 2004-08-15 10:23:53 EDT
Created attachment 102744 [details]
this is after mounting disks, testing apps running up2date

This attachment is currently reflecting the avc errors that I have recorded in
/var/log/messages.
Comment 3 Leonard den Ottolander 2004-08-26 10:55:31 EDT
Am I correct in assuming you did the fixfiles relabel *after* you
changed the policy? The way you state it this is not clear.
Comment 4 Jim Cornette 2004-08-26 20:32:25 EDT
The file was as shown in the cut and pasted file excerpt.
 The system was set to strict policy and in permissive mode before
relabeling.
I cannot recall if the relabeling was performed before SELinux was
activated. I seem to recall that SELinux was enabled after the
fixfiles relabel was performed.

I'm attaching a log from August 19th when relabeling was done with the
strict policy selected and SELinux was set to enforce and using the
permissive policy.

Comment 5 Jim Cornette 2004-08-26 20:35:49 EDT
Created attachment 103148 [details]
August 19th errors that caused system lock on boot

This is related to conversations from the SELinux list. Relabeling was
performed while the policy was set to strict. After relabeling, the policy was
set to permissive mode.

I hope this helps.
Comment 6 Leonard den Ottolander 2004-08-27 04:21:49 EDT
Hm. First get some facts straight: "permissive policy" is the
"targeted" policy? Or are you speaking of enforcing? Reports should
usually be based on a system in enforcing mode (unless explicitly
requested).

So after setting the policy to permissive (= targeted?) you did *not*
relabel again? The point of relabeling is to make the file permissions
match the policy, so you need to do that directly after a policy change.

But maybe I am just misunderstanding you.
Comment 7 Leonard den Ottolander 2004-08-27 04:28:56 EDT
I should have read your initial comment with more care. Indeed you are
not speaking of the targeted policy, but running in permissive mode.

As I said in my previous comment you should not file reports based on
running in permissive mode. You will get all kinds of avc denials that
you would not see in enforcing mode, because the system allows you to
perform tasks (and thus generate avc messages) that you would not be
able to perform when running in enforcing mode.

Maybe I am still missing something here, but I would say this is
NOTABUG. If you are still having issues when running in enforcing mode
you should file them.
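To make the permissive-versus-enforcing distinction above concrete, here is an added example (not from this bug, its attachments, or Fedora) that parses avc denial lines in the /var/log/messages format of that era, counts them per source/target/class/permission, and counts per process the denials logged after that process's first one, which is the follow-on noise permissive mode produces. The sample lines are constructed, and treating every denial after a process's first as permissive-only is an assumption about typical program behaviour.

```python
import re
from collections import Counter

# Constructed sample in the /var/log/messages avc format of the FC2/FC3 era;
# these are not lines from the bug's attachments.
SAMPLE_MESSAGES = """\
Aug 15 09:58:01 box kernel: audit(1092578281.123:0): avc:  denied  { read } for  pid=2311 exe=/usr/bin/mozilla-bin name=resolv.conf dev=hda2 ino=98321 scontext=user_u:user_r:user_t tcontext=system_u:object_r:net_conf_t tclass=file
Aug 15 09:58:01 box kernel: audit(1092578281.124:0): avc:  denied  { read } for  pid=2311 exe=/usr/bin/mozilla-bin name=resolv.conf dev=hda2 ino=98321 scontext=user_u:user_r:user_t tcontext=system_u:object_r:net_conf_t tclass=file
Aug 15 09:58:05 box kernel: audit(1092578285.001:0): avc:  denied  { write } for  pid=2311 exe=/usr/bin/mozilla-bin name=.mozilla dev=hda2 ino=4411 scontext=user_u:user_r:user_t tcontext=user_u:object_r:user_home_t tclass=dir
Aug 15 09:58:07 box kernel: audit(1092578287.500:0): avc:  denied  { search } for  pid=1777 exe=/bin/mount name=mnt dev=hda2 ino=2 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:root_t tclass=dir
Aug 15 09:58:09 box crond[1802]: (root) CMD (run-parts /etc/cron.hourly)
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")

def parse_avc(line):
    """Return the fields of one avc denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    return rec

def summarize(text):
    """Count denials per (scontext, tcontext, tclass, permission), the unit
    a policy writer reasons about, collapsing repeats of the same access."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        for perm in rec["perms"]:
            counts[(rec["scontext"], rec["tcontext"], rec["tclass"], perm)] += 1
    return counts

def followup_denials(text):
    """Per pid, how many denials were logged after that process's first one.
    In enforcing mode the first denial usually stops the operation, so these
    follow-ups are the permissive-only noise the comment above describes
    (an assumption: some programs do retry after a failed access)."""
    seen = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        seen[rec["pid"]] += 1
    return {pid: n - 1 for pid, n in seen.items() if n > 1}

if __name__ == "__main__":
    for (s, t, cls, perm), n in sorted(summarize(SAMPLE_MESSAGES).items()):
        print(f"{n:3d}  {s} -> {t} {cls} {{ {perm} }}")
    print("follow-up denials per pid:", followup_denials(SAMPLE_MESSAGES))
```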
Comment 8 Jim Cornette 2004-08-27 07:31:48 EDT
Created attachment 103159 [details]
Using kernel-2.6.8-1.526 relabel

These are the attached avc errors after performing a relabel using targeted
policy and permissive mode.

If this is not helpful, I guess not a bug is acceptable.

I had problems w/ this kernel and SELinux letting me login, I could not login
as root or user. On shutdown, I believe the loopback device locked up.
I then booted up using kernel-2.6.7-1.517 and did not see any errors other than
messages regarding areas not labeled correctly.

--- /etc/sysconfig/selinux file contains ------------------------------------

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#	enforcing - SELinux security policy is enforced.
#	permissive - SELinux prints warnings instead of enforcing.
#	disabled - No SELinux policy is loaded.
SELINUX=permissive

# SELINUXTYPE= can take one of these two values:
#	targeted - Only targeted network daemons are protected.
#	strict - Full SELinux protection.
SELINUXTYPE=targeted

----- end report -----------------
Comment 9 Jim Cornette 2004-08-27 07:35:19 EDT
policy and SELinux rpm versions installed at relabeling time.

selinux-policy-targeted-1.17.4-2
policycoreutils-1.17.3-3
selinux-policy-strict-1.17.4-2
libselinux-1.17.1-1
libselinux-devel-1.17.1-1

Comment 10 Jim Cornette 2004-08-27 17:24:51 EDT
After getting the kernel lockup and reading problems since corrected
w/ things like loopback devices, I uninstalled and reinstalled the kernel.
Booting today showed ABSOLUTELY no avc errors. Many thanks to the team!

Bug can be officially closed. I'll try enforcing mode again with
permissive policy.

Thanks,

Jim
Comment 11 Jim Cornette 2004-08-27 23:32:34 EDT
Created attachment 103197 [details]
Final info - success - cron message

Just as confirmation that I now am able to run SELinux in enforcing mode and
noticed a relabeling operation in a cron mail. This is attached in case
successful operation is of any value.

Thanks!

Jim
Comment 12 Leonard den Ottolander 2004-08-30 05:14:33 EDT
> I'll try enforcing mode again with permissive policy.

Policy: targeted or strict
State: enforcing or permissive

Reporting bugs is usually done in enforcing mode. See also
http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/index.html#id3102366 .
Comment 13 Jim Cornette 2004-08-30 07:20:52 EDT
Policy: Targeted
State: enforcing

I can't seem to communicate the two correctly. The file entries are
correct.

Things seem to be working fine. No errors reported in badcontent.txt

and 

/etc/cron.daily/fixfiles.cron:

logging to /dev/null
/usr/sbin/setfiles:  conflicting specifications for
/etc/sysconfig/networking/profiles/default/resolv.conf and
/etc/resolv.conf, using 
+system_u:object_r:net_conf_t.
/usr/sbin/setfiles:  read 444 specifications
WARNING: Multiple same specifications for /dev/hdc.
/usr/sbin/setfiles:  labeling files under /
/usr/sbin/setfiles:  relabeling /dev/hdd from
system_u:object_r:fixed_disk_device_t to
system_u:object_r:removable_device_t
/usr/sbin/setfiles:  relabeling /dev/mdsp15 from
system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles:  relabeling /dev/mdsp9 from
system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles:  relabeling /dev/mdsp4 from
system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles:  relabeling /dev/mdsp1 from
system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles:  relabeling /dev/mdsp12 from
system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles:  relabeling /dev/mdspstat from
system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles:  relabeling /dev/mdsp3 from
system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles:  relabeling /dev/mdsp11 from
system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles:  relabeling /dev/mdsp5 from
system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles:  relabeling /dev/mdsp2 from
system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles:  relabeling /dev/mdsp7 from
system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles:  relabeling /dev/mdsp13 from
system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles:  relabeling /dev/mdsp14 from
system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles:  relabeling /dev/mdsp6 from
system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles:  relabeling /dev/mdsp16 from
system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles:  relabeling /dev/mdsp10 from
system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles:  relabeling /dev/mdsp8 from
system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles:  relabeling /var/named/slaves from
system_u:object_r:named_cache_t to system_u:object_r:named_zone_t
/usr/sbin/setfiles:  relabeling /var/named/data from
system_u:object_r:named_cache_t to system_u:object_r:named_zone_t
/usr/sbin/setfiles:  relabeling /var/run/utmp from
user_u:object_r:var_run_t to system_u:object_r:initrc_var_run_t
/usr/sbin/setfiles:  relabeling /.autofsck from user_u:object_r:root_t
to system_u:object_r:etc_runtime_t
/usr/sbin/setfiles:  relabeling /etc/rndc.key from
system_u:object_r:named_conf_t to system_u:object_r:rndc_conf_t
/usr/sbin/setfiles:  relabeling /etc/rndc.conf from
system_u:object_r:named_conf_t to system_u:object_r:rndc_conf_t
/usr/sbin/setfiles:  relabeling /etc/fstab from user_u:object_r:tmp_t
to system_u:object_r:etc_t
/usr/sbin/setfiles:  relabeling /etc/mtab from user_u:object_r:etc_t
to system_u:object_r:etc_runtime_t
/usr/sbin/setfiles:  relabeling /etc/hotplug/usb.usermap from
root:object_r:etc_t to system_u:object_r:hotplug_etc_t
/usr/sbin/setfiles:  relabeling /etc/named.custom from
system_u:object_r:etc_t to system_u:object_r:named_conf_t
/usr/sbin/setfiles:  hash table stats: 263055 elements, 52019/65536
buckets used, longest chain length 12
/usr/sbin/setfiles:  labeling files under /boot
/usr/sbin/setfiles:  hash table stats: 32 elements, 32/65536 buckets
used, longest chain length 1
/usr/sbin/setfiles:  labeling files under /hda-boot
/usr/sbin/setfiles:  hash table stats: 43 elements, 43/65536 buckets
used, longest chain length 1
/usr/sbin/setfiles:  labeling files under /hdb-boot
/usr/sbin/setfiles:  hash table stats: 33 elements, 33/65536 buckets
used, longest chain length 1
/usr/sbin/setfiles:  labeling files under /hdb-root
/usr/sbin/setfiles:  hash table stats: 308375 elements, 48454/65536
buckets used, longest chain length 20
/usr/sbin/setfiles:  Done.
Null message body; hope that's ok
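The fixfiles.cron mail above is easier to review once the mailer's line wrapping is undone and the relabels are grouped by type transition. The following is an added example, not code from this bug or from policycoreutils; it embeds an excerpt of the output quoted in Comment 13 (kept wrapped exactly as mailed) and assumes that every record starts with "/usr/sbin/setfiles:" or "WARNING:" and that a leading "+" is the wrap marker.

```python
import re
from collections import defaultdict

# Excerpt of the fixfiles.cron output quoted in Comment 13, line-wrapped as
# the mail was, so the parser has to re-join continuation lines.
SETFILES_OUTPUT = """\
/usr/sbin/setfiles:  conflicting specifications for
/etc/sysconfig/networking/profiles/default/resolv.conf and
/etc/resolv.conf, using
+system_u:object_r:net_conf_t.
/usr/sbin/setfiles:  read 444 specifications
WARNING: Multiple same specifications for /dev/hdc.
/usr/sbin/setfiles:  relabeling /dev/hdd from
system_u:object_r:fixed_disk_device_t to
system_u:object_r:removable_device_t
/usr/sbin/setfiles:  relabeling /dev/mdsp15 from
system_u:object_r:fixed_disk_device_t to system_u:object_r:device_t
/usr/sbin/setfiles:  relabeling /var/run/utmp from
user_u:object_r:var_run_t to system_u:object_r:initrc_var_run_t
/usr/sbin/setfiles:  relabeling /etc/fstab from user_u:object_r:tmp_t
to system_u:object_r:etc_t
/usr/sbin/setfiles:  Done.
"""

RELABEL_RE = re.compile(r"relabeling (?P<path>\S+) from (?P<old>\S+) to (?P<new>\S+)")

def unwrap(text):
    """Re-join mail-wrapped records (assumption: a line not starting a new
    setfiles/WARNING record continues the previous one; '+' is the wrap mark)."""
    records = []
    for line in text.splitlines():
        if line.startswith(("/usr/sbin/setfiles:", "WARNING:")) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.lstrip("+")
    return records

def relabels_by_transition(text):
    """Map (old type, new type) -> paths: the view that shows which labels the
    policy's file_contexts overrides again on every nightly run."""
    groups = defaultdict(list)
    for rec in unwrap(text):
        m = RELABEL_RE.search(rec)
        if m:
            old = m.group("old").split(":")[-1]
            new = m.group("new").split(":")[-1]
            groups[(old, new)].append(m.group("path"))
    return dict(groups)

def warnings(text):
    return [r for r in unwrap(text) if "specifications for" in r]
```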
