Bug 141028 - selinux fails without warning
Summary: selinux fails without warning
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
(Show other bugs)
Version: 3
Hardware: All Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2004-11-28 14:55 UTC by Need Real Name
Modified: 2007-11-30 22:10 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-04-08 21:26:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
warnings from selinux (21.18 KB, text/plain)
2004-12-08 15:55 UTC, Need Real Name
no flags Details
selinux errors after reboot and policy switch (685 bytes, text/plain)
2004-12-08 20:00 UTC, Need Real Name
no flags Details
spamassassin reading resolv.conf (!) (226 bytes, text/plain)
2004-12-11 13:06 UTC, Need Real Name
no flags Details
java failing (246 bytes, text/plain)
2004-12-12 13:05 UTC, Need Real Name
no flags Details
cd burn errors (482 bytes, text/plain)
2004-12-12 14:45 UTC, Need Real Name
no flags Details

Description Need Real Name 2004-11-28 14:55:46 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3)
Gecko/20041020 Epiphany/1.4.4

Description of problem:
During install, selinux was off.

Today, I wanted to turn it on.
I now have these two lines in /etc/selinux/config:

A reboot, later:

# id -Z
Sorry, --context (-Z) can be used only on a selinux-enabled kernel.

Oh dear.

Maybe a relabel is needed:

# fixfiles relabel

    Files in the /tmp directory may be labeled incorrectly, this command
    can remove all files in /tmp.  If you choose to remove files from
    a reboot will be required after completion.

    Do you wish to clean out the /tmp directory [N]? y
/etc/selinux/strict/contexts/files/file_contexts: No such file or

The problem is that selinux-policy-strict is not installed, and the
bigger problem is that selinux didn't complain on boot about this.

(Also: Is this a security problem? )

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Additional info:

Comment 1 Daniel Walsh 2004-11-29 14:46:00 UTC
You booted in permissive mode with says just run SELinux in testing
mode, so all it will do is log errors, if you change it to strict
mode, the kernel will crash.

So this is not a security issue.


Comment 2 Need Real Name 2004-11-29 15:25:22 UTC
It didn't log an error.

Comment 3 Daniel Walsh 2004-11-29 16:30:43 UTC
Do you see anything if you use dmesg.  Problem is this is happening in
/sbin/init before the rc scripts start.  So init should be reporting
an error to the screen, and maybe dmesg will catch it.

Comment 4 Need Real Name 2004-11-30 17:42:44 UTC
I'm afraid I can't look - /var/log/dmesg has a timestamp of today, and
there don't seem to be any other dmesg logs.

I guess we have to hope it does log it :)

Comment 5 Need Real Name 2004-12-08 14:22:49 UTC
Who should all the selinux error messages I get on boot go to?

Comment 6 Daniel Walsh 2004-12-08 15:36:25 UTC
Ok I just reread your original error message.  Do you wish to run with
strict or targeted policy (targeted is the default for FC3).  
If you want to run targeted change the line in /etc/selinux/config to
targeted and touch /.autorelabel and reboot.  Machine will relabel on

If you want strict, you must install selinux-policy-strict and touch
the /.autorelabel file and reboot.

Comment 7 Need Real Name 2004-12-08 15:42:44 UTC
> The problem is that selinux-policy-strict is not installed
After I installed selinux-policy-strict (which should have been
installed anyway, or at least everything should be aware that it might
not be installed), and running fixfiles relabel, I now have strict
permissive mode on.

I get a ton of selinux messages on boot though, and I'd like to know
who would like them.

Hopefully it's not the same response as bug 138843: "file a bug for
each package". Euck :/

Comment 8 Daniel Walsh 2004-12-08 15:46:41 UTC
No you can attach the avc messages here, although I would prefer the
avc messages in enforcing mode,  permissive mode gives off lots of
false messages.

Comment 9 Need Real Name 2004-12-08 15:55:25 UTC
Created attachment 108117 [details]
warnings from selinux

These are warnings produced after going to runlevel 5 from 1.
I can't turn on enforcing mode for the moment, sorry about that.

Comment 10 Daniel Walsh 2004-12-08 16:56:50 UTC
Ok first off are you updated to the latest strict policy?

1.19.11-1 should be available.

Secondly, you do-not have everything labeled correctly.  
Change permissive to enforcing in the /etc/selinux/config file.
So touch /.autorelabel and reboot.  Which should be able to get you to
a good state.  

Does this work.

Comment 11 Need Real Name 2004-12-08 17:38:03 UTC
I'm using selinux-policy-strict-1.19.10-2
1.19.11-1 isn't available yet.

As a side note, Red Hat people always seem to think rpms are available
way before they do become available. I suppose slow mirrors don't help

Anyway, switching to enforcing mode gave me two errors which worried
me enough to switch back. Here they are:
A permission denied error trying to (read from?) /dev/zero
and a permission denied error at line 65 of /etc/rc.d/rc.sysinit
mentioning /selinux/enforce

# ls -laZ --lcontext /selinux/enforce
-rw-r--r--  1                                  root root 0 Dec  8 
2004 /selinux/enforce

Comment 12 Daniel Walsh 2004-12-08 18:13:35 UTC
Sorry about that, it usually takes 24 hours for rpms to get out to the
main site, then longer to get to mirrors.  I usually throw SELinux
packages on ftp://people.redhat.com/dwalsh/SELinux/Fedora

Try to run the machine in strict mode, even if it produces some errors
and then submit the errors to me, so we can get them fixed.  I run
with strict policy all the time and it works fairly well.  


Comment 13 Need Real Name 2004-12-08 20:00:15 UTC
Created attachment 108144 [details]
selinux errors after reboot and policy switch

New policy installed, enforcing mode set on... failure!

Well not quite.. :)
The previous "touch /.autorelabel" didn't work, and it hasn't worked the
previous two times I used it either.

So I switched to runlevel 1, ran a fixfiles relabel, rebooted, and now I have
just three errors. Better than the previous fifty!

But I'm not convinced that selinux is logging everything. I see these errors in
Dec  8 20:49:41 localhost xfs[2520]: ignoring font path element
/usr/X11R6/lib/X11/fonts/Speedo (unreadable)
Dec  8 20:49:50 localhost kernel: drivers/usb/input/hid-input.c: event field
not found
Dec  8 20:49:50 localhost kernel: drivers/usb/input/hid-input.c: event field
not found
Dec  8 20:52:54 localhost ntpd[2442]: synchronized to, stratum 2
Dec  8 20:52:54 localhost ntpd[2442]: kernel time sync disabled 0041

Comment 14 Need Real Name 2004-12-08 20:01:03 UTC
Trying to attach that attachment kept giving "the file is empty"
errors from epiphany. Maybe I should file a bug for that too.

Comment 15 Need Real Name 2004-12-11 13:06:34 UTC
Created attachment 108385 [details]
spamassassin reading resolv.conf (!)

Comment 16 Need Real Name 2004-12-12 13:05:39 UTC
Created attachment 108402 [details]
java failing

Comment 17 Need Real Name 2004-12-12 14:45:40 UTC
Created attachment 108405 [details]
cd burn errors

k3b and nautilus fail to burn to disk, despite trying as root.
How do you manager to burn disks with selinux enabled?

Comment 18 Need Real Name 2004-12-12 16:52:28 UTC
java doesn't crash if I "setenforce 0 && java"

Comment 19 Need Real Name 2004-12-12 19:36:13 UTC
Re: #17
k3b will burn as root now, but only after refreshing the utils page so
it can find growisofs

Comment 20 Need Real Name 2004-12-13 21:20:49 UTC
/usr/share/ssl/misc/CA.pl from openssl-perl can't run.
perl /usr/share/ssl/misc/CA.pl works.

This is getting ridiculous.

Comment 21 Need Real Name 2004-12-13 21:57:55 UTC
apachectrl configtest has not output unless setenforce is 0

Comment 22 Colin Walters 2004-12-13 22:47:15 UTC
Need Real Name: The reason that occurs is because files marked as
usr_t cannot be executed by default.  I think the rationale here is
simply that binaries should be in /usr/bin or the like.  Basically
it's an openssl packaging bug; if CA.pl is useful it should be in
/usr/bin, otherwise put it in /usr/share/doc/openssl or something.

Comment 23 Need Real Name 2004-12-13 23:06:50 UTC
Fair enough.
You asked me to post any errors I got, and I have.

Fedora ships with either:
 i) a bad policy that prevents a script from running
 ii) a bad package that has a script in the wrong place

Either way it a Fedora package that is broken and needs to be fixed.

These are the kinds of annoyances that will lead SAs to turn off the
selinux thing because it gets in the way of doing work.

Comment 24 Colin Walters 2004-12-13 23:31:07 UTC
Need Real Name: I agree there is a bug.  We could just give up and
allow userdomains to exec usr_t in the default policy, but it'd be
better to fix the packages.

As for turning SELinux off, well, the thing to remember is that the
strict policy tries to describe how an entire Linux system works, and
it is far from complete.  Some of the issues you've found are
difficult to fix; for example the Java one is an interaction between
older binaries and a change in the way the kernel does memory
permission checking.  Others are easier - the cdrecord needing access
to etc_t looks like a simple policy bug.

We are working on fixing these issues though; please do keep reporting

Comment 25 Need Real Name 2005-02-02 08:52:22 UTC
minicom fails to connect to a serial line when running as root.
I'll post the error later.

Comment 26 Need Real Name 2005-03-22 11:17:56 UTC
I can't restest minicom, so can't close this bug.

Comment 27 Need Real Name 2005-04-08 21:26:14 UTC
No response. Closing. Would be good if minicom worked.

Comment 28 Daniel Walsh 2005-04-09 10:50:04 UTC
You never submitted AVC Messages for the mincom bug?

/usr/share/ssl/misc/CA.pl should be bin_t with the latest policy.
apachectrl should work with the httpd_tty_comm turned on .

Comment 29 Need Real Name 2005-04-09 11:14:45 UTC
Great. Unfortunately I can't retest minicom because I have no serial cable atm.
I've upped to FC4T1 so I no longer have the AVC messages. Sorry.

Note You need to log in before you can comment on or make changes to this bug.