Created attachment 359703
Output of sealert -l for all of the alerts.

Description of problem:
On a newly upgraded laptop from Fedora 10 -> Fedora 11 followed by installing all updates, I am getting a lot of access denials from selinux. selinux is running in permissive mode and I have already tried both relabeling on boot and running restorecon recursively on the entire filesystem (except for /home).

Examples include:
SELinux is preventing rsyslogd (syslogd_t) "syslog_mod" kernel_t.
SELinux is preventing crond (crond_t) "create" system_crond_t.
SELinux is preventing sedispatch (auditd_t) "search" to / (security_t).
SELinux is preventing sedispatch (auditd_t) "read" security_t.
SELinux is preventing crond (crond_t) "search" unconfined_t.
SELinux is preventing crond (crond_t) "read" inotifyfs_t.
SELinux is preventing ntpd (ntpd_t) "search" root_t.

Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-80.fc11.noarch

How reproducible:

Steps to Reproduce:
1. up-to-date fedora 10, only extra repo is rpm-fusion
2. upgrade (via DVD, not live via yum) to Fedora 11
3. yum clean all
4. yum -y update (and wait a long time)
5. reboot and log in

Actual results:

Expected results:
I expect no avc denials from core utilities like sedispatch(!), crond, ntpd, and rsyslog.

Additional info:

Could you try to execute
# yum reinstall selinux-policy-targeted
and make sure there aren't issues during the re-install?

I've got an error during reinstall:

284 roland> sudo yum reinstall selinux-policy-targeted
[sudo] password for roland:
/usr/lib/yum-plugins/fedorakmod.py:25: DeprecationWarning: the sets module is deprecated
  from sets import Set
Loaded plugins: allowdowngrade, dellsysidplugin2, downloadonly, fastestmirror, fedorakmod, kernel-module, kmdl, list-data, priorities, protect-packages, protectbase, refresh-packagekit, verify
Setting up Reinstall Process
Loading mirror speeds from cached hostfile
 * fedora: mirrors.ptd.net
 * rpmfusion-free: lordmorgul.net
 * rpmfusion-free-updates: lordmorgul.net
 * rpmfusion-nonfree: lordmorgul.net
 * rpmfusion-nonfree-updates: lordmorgul.net
 * updates: mirrors.ptd.net
0 packages excluded due to repository protections
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy-targeted.noarch 0:3.6.12-80.fc11 set to be erased
---> Package selinux-policy-targeted.noarch 0:3.6.12-80.fc11 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package Arch Version Repository Size
================================================================================
Installing:
 selinux-policy-targeted noarch 3.6.12-80.fc11 updates 2.2 M
Removing:
 selinux-policy-targeted noarch 3.6.12-80.fc11 installed 2.3 M

Transaction Summary
================================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 1 Package(s)

Total download size: 2.2 M
Is this ok [y/N]: y
Downloading Packages:
selinux-policy-targeted-3.6.12-80.fc11.noarch.rpm | 2.2 MB 00:06
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Erasing : selinux-policy-targeted-3.6.12-80.fc11.noarch 1/2
  Installing : selinux-policy-targeted-3.6.12-80.fc11.noarch 1/2
libsepol.scope_copy_callback: unconfined: Duplicate declaration in module: type/attribute unconfined_devpts_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!

Removed:
  selinux-policy-targeted.noarch 0:3.6.12-80.fc11

Installed:
  selinux-policy-targeted.noarch 0:3.6.12-80.fc11

Complete!

Try to install policy 81, it will add back the unconfineduser which should solve your problem.

Okay, I reinstalled policy 81, then reinstalled selinux-policy-targeted, this time without any errors. I then ran restorecon -v -R on the directories that were giving me trouble (e.g., /var, /sbin, /bin, /etc). I have since rebooted and am still getting numerous warnings in the past couple of hours (but far fewer than before!).

[root@aristarchus ~]# grep -E 'Sep 10 (09|10|11):.*setroubleshoot:' /var/log/messages | cut -b29- | sort -u
setroubleshoot: [program.ERROR] audit event#012node=aristarchus.rlent.pnet type=AVC msg=audit(1252587752.983:56): avc: granted { sys_chroot } for pid=2677 comm="avahi-daemon" capability=18 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability#012#012node=aristarchus.rlent.pnet type=SYSCALL msg=audit(1252587752.983:56): arch=40000003 syscall=61 success=yes exit=0 a0=805b222 a1=4ea380 a2=1 a3=856e5f0 items=1 ppid=1 pid=2677 auid=4294967295 uid=70 gid=70 euid=70 suid=70 fsuid=70 egid=70 sgid=70 fsgid=70 tty=(none) ses=4294967295 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon" subj=system_u:system_r:init_t:s0 key=(null)#012#012node=aristarchus.rlent.pnet type=CWD msg=audit(1252587752.983:56): cwd="/"#012#012node=aristarchus.rlent.pnet type=PATH msg=audit(1252587752.983:56): item=0 name="/etc/avahi" inode=6783196 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
setroubleshoot: [program.ERROR] setroubleshoot generated AVC, exiting to avoid recursion, context=system_u:system_r:init_t:s0, AVC scontext=system_u:system_r:init_t:s0
setroubleshoot: SELinux is preventing crond (crond_t) "search" dir_root_t. For complete SELinux messages. run sealert -l 5a8acedc-325d-4064-9d0f-3486d126dc76
setroubleshoot: SELinux is preventing crond (crond_t) "search" dir_var_www_t. For complete SELinux messages. run sealert -l 71057106-5253-4a3d-ab08-07c610455290
setroubleshoot: SELinux is preventing crond (crond_t) "search" system_crond_t. For complete SELinux messages. run sealert -l c8bd6aef-33ea-48dd-91f0-7ddf9f2301c5
setroubleshoot: SELinux is preventing crond (crond_t) "setkeycreate" crond_t. For complete SELinux messages. run sealert -l 9ad5a617-601e-4295-ab1c-d7f0fcdf59a6
setroubleshoot: SELinux is preventing dhclient (dhclient_t) "read" to /var/run/nm-dhclient-eth0.conf (dir_var_run_t). For complete SELinux messages. run sealert -l 1380f222-d08c-430f-8163-fa28c676c3d8
setroubleshoot: SELinux is preventing nm-dhcp-client. (dhclient_t) "write" to (null) (var_run_t). For complete SELinux messages. run sealert -l 06fac788-8857-429c-b580-b4476790080c
setroubleshoot: SELinux is preventing rsyslogd (syslogd_t) "read" proc_kmsg_t. For complete SELinux messages. run sealert -l 951fb7e8-f666-481f-992b-7c2608e296ea
setroubleshoot: SELinux is preventing rsyslogd (syslogd_t) "sys_admin" syslogd_t. For complete SELinux messages. run sealert -l d5384fb8-d439-423d-90cc-4367a7c883df
setroubleshoot: SELinux is preventing rsyslogd (syslogd_t) "syslog_mod" kernel_t. For complete SELinux messages. run sealert -l e59b4a5c-e94b-4993-a12d-450fd2af8fe1
setroubleshoot: SELinux is preventing sedispatch (auditd_t) "write" to (null) (var_run_t). For complete SELinux messages. run sealert -l c125c2ef-533b-4155-bbfe-f279f7309e0e
setroubleshoot: SELinux is preventing the nm-dhcp-client. (dhclient_t) from executing /usr/libexec/nm-dhcp-client.action. For complete SELinux messages. run sealert -l 7e065ee7-e146-421b-bb40-180bd121de44
setroubleshoot: SELinux is preventing unix_chkpwd (crond_t) "execute" sbin_t. For complete SELinux messages. run sealert -l 8245e4bc-b310-45c0-b61f-5c51218d8d01

I'm also attaching the output of sealert -l for all of the above

Created attachment 360530
sealert -l output for issues after policy 81 reinstall

Still seem to have some labeling issue. Run fixfiles restore and let it relabel the entire machine.

Created attachment 360749
Latest sealert -l output post fixfiles restore

Okay, fixfiles ran, rebooted, got more errors like the above. In fact, indistinguishable from the above. Syslog stuff below, sealert -l attached.

I'm really puzzled. Is there a sequence to the reinstalls I should be following? Or something I should not be reinstalling? Note that last time I reinstalled policy 81 and then reinstalled selinux-policy-targeted. Should I have not done the latter?

Sep 11 21:57:29 aristarchus setroubleshoot: SELinux is preventing auditd (auditd_t) "nlmsg_read" auditd_t. For complete SELinux messages. run sealert -l 2e6bb133-91cc-43f2-ac3f-0a79c5d140c9
Sep 11 21:57:30 aristarchus setroubleshoot: SELinux is preventing audispd (auditd_t) "execute" usr_sbin_t. For complete SELinux messages. run sealert -l b8ee3117-5d1d-452c-b6a9-34237fb55359
Sep 11 21:57:30 aristarchus setroubleshoot: SELinux is preventing audispd (auditd_t) "execute" usr_sbin_t. For complete SELinux messages. run sealert -l b8ee3117-5d1d-452c-b6a9-34237fb55359
Sep 11 21:57:30 aristarchus setroubleshoot: SELinux is preventing audispd (auditd_t) "execute" usr_sbin_t. For complete SELinux messages. run sealert -l b8ee3117-5d1d-452c-b6a9-34237fb55359
Sep 11 21:57:35 aristarchus setroubleshoot: SELinux is preventing sedispatch (auditd_t) "search" to /etc/selinux/config (dir_etc_selinux_t). For complete SELinux messages. run sealert -l 4ecc60c5-6f4f-40fb-ba35-02174e18c58c
Sep 11 21:57:35 aristarchus setroubleshoot: SELinux is preventing sedispatch (auditd_t) "search" to /etc/selinux/config (dir_etc_selinux_t). For complete SELinux messages. run sealert -l 4ecc60c5-6f4f-40fb-ba35-02174e18c58c
Sep 11 21:57:36 aristarchus setroubleshoot: SELinux is preventing sedispatch (auditd_t) "search" security_t. For complete SELinux messages. run sealert -l 8b30689f-65a4-43f9-a913-d9734fbd4d2d
Sep 11 21:57:36 aristarchus setroubleshoot: SELinux is preventing sedispatch (auditd_t) "read" security_t. For complete SELinux messages. run sealert -l 68d103ef-3f42-4753-8a2e-bac7e92f5805
Sep 11 21:57:36 aristarchus setroubleshoot: SELinux is preventing sedispatch (auditd_t) "write" to (null) (var_run_t). For complete SELinux messages. run sealert -l c125c2ef-533b-4155-bbfe-f279f7309e0e
Sep 11 21:57:36 aristarchus setroubleshoot: SELinux is preventing sedispatch (auditd_t) "write" to (null) (var_run_t). For complete SELinux messages. run sealert -l c125c2ef-533b-4155-bbfe-f279f7309e0e
Sep 11 21:58:04 aristarchus setroubleshoot: SELinux is preventing rsyslogd (syslogd_t) "read" proc_kmsg_t. For complete SELinux messages. run sealert -l 951fb7e8-f666-481f-992b-7c2608e296ea
Sep 11 21:58:04 aristarchus setroubleshoot: SELinux is preventing rsyslogd (syslogd_t) "read" proc_kmsg_t. For complete SELinux messages. run sealert -l 951fb7e8-f666-481f-992b-7c2608e296ea
Sep 11 21:58:04 aristarchus setroubleshoot: SELinux is preventing rsyslogd (syslogd_t) "read" proc_kmsg_t. For complete SELinux messages. run sealert -l 951fb7e8-f666-481f-992b-7c2608e296ea
Sep 11 21:58:12 aristarchus setroubleshoot: SELinux is preventing dhclient (dhclient_t) "read" to /var/run/nm-dhclient-wlan0.conf (dir_var_run_t). For complete SELinux messages. run sealert -l 555d19b8-c988-4b4e-8ad0-4ec519924970
Sep 11 21:58:12 aristarchus setroubleshoot: SELinux is preventing the nm-dhcp-client. (dhclient_t) from executing /usr/libexec/nm-dhcp-client.action. For complete SELinux messages. run sealert -l 7e065ee7-e146-421b-bb40-180bd121de44
Sep 11 21:58:12 aristarchus setroubleshoot: SELinux is preventing the nm-dhcp-client. (dhclient_t) from executing /usr/libexec/nm-dhcp-client.action. For complete SELinux messages. run sealert -l 7e065ee7-e146-421b-bb40-180bd121de44
Sep 11 21:58:12 aristarchus setroubleshoot: SELinux is preventing the nm-dhcp-client. (dhclient_t) from executing /usr/libexec/nm-dhcp-client.action. For complete SELinux messages. run sealert -l 7e065ee7-e146-421b-bb40-180bd121de44
Sep 11 21:58:12 aristarchus setroubleshoot: SELinux is preventing nm-dhcp-client. (dhclient_t) "write" to (null) (var_run_t). For complete SELinux messages. run sealert -l 06fac788-8857-429c-b580-b4476790080c
Sep 11 21:58:13 aristarchus setroubleshoot: SELinux is preventing nm-dhcp-client. (dhclient_t) "write" to (null) (var_run_t). For complete SELinux messages. run sealert -l 06fac788-8857-429c-b580-b4476790080c
Sep 11 22:00:01 aristarchus setroubleshoot: SELinux is preventing crond (crond_t) "execute" sbin_t. For complete SELinux messages. run sealert -l 297aded2-bb84-4f17-814f-b38399144d03
Sep 11 22:00:02 aristarchus setroubleshoot: SELinux is preventing crond (crond_t) "execute" sbin_t. For complete SELinux messages. run sealert -l 297aded2-bb84-4f17-814f-b38399144d03
Sep 11 22:00:02 aristarchus setroubleshoot: SELinux is preventing unix_chkpwd (crond_t) "execute_no_trans" sbin_t. For complete SELinux messages. run sealert -l 09171bd7-8b4e-4d5e-b3e6-7c09ebc09e55
Sep 11 22:00:02 aristarchus setroubleshoot: SELinux is preventing crond (crond_t) "setkeycreate" crond_t. For complete SELinux messages. run sealert -l 2974976e-ccda-4030-a624-c71f071d2dfd
Sep 11 22:00:02 aristarchus setroubleshoot: SELinux is preventing crond (crond_t) "setkeycreate" crond_t. For complete SELinux messages. run sealert -l 2974976e-ccda-4030-a624-c71f071d2dfd
Sep 11 22:00:02 aristarchus setroubleshoot: SELinux is preventing crond (crond_t) "search" system_crond_t. For complete SELinux messages. run sealert -l 63c17f67-3fd4-4830-869d-f7f35278a0f6
Sep 11 22:00:03 aristarchus setroubleshoot: SELinux is preventing crond (crond_t) "search" dir_var_www_t. For complete SELinux messages. run sealert -l f751045c-423c-4a22-9155-5731d4d43c99
Sep 11 22:00:03 aristarchus setroubleshoot: SELinux is preventing crond (crond_t) "search" dir_root_t. For complete SELinux messages. run sealert -l 17cc2d83-5b8f-4e64-b1e0-eef0a9fc7094
Sep 11 22:01:01 aristarchus setroubleshoot: SELinux is preventing unix_chkpwd (crond_t) "execute" sbin_t. For complete SELinux messages. run sealert -l 297aded2-bb84-4f17-814f-b38399144d03
Sep 11 22:01:01 aristarchus setroubleshoot: SELinux is preventing unix_chkpwd (crond_t) "execute" sbin_t. For complete SELinux messages. run sealert -l 297aded2-bb84-4f17-814f-b38399144d03
Sep 11 22:01:01 aristarchus setroubleshoot: SELinux is preventing unix_chkpwd (crond_t) "execute" sbin_t. For complete SELinux messages. run sealert -l 297aded2-bb84-4f17-814f-b38399144d03
Sep 11 22:01:01 aristarchus setroubleshoot: SELinux is preventing crond (crond_t) "setkeycreate" crond_t. For complete SELinux messages. run sealert -l 2974976e-ccda-4030-a624-c71f071d2dfd

You have some strange policy installed on your machine. Are you running seedit? Please remove that policy and just use selinux-policy-targeted. If you want to use that policy, then switch to it. You can not run targeted policy and seedit at the same time.
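
Added example, not part of the original thread or of any Fedora tool: the setroubleshoot lines quoted in this report can be collapsed into distinct (process, source domain, permission, target type) denials, and the target types compared with the types the loaded policy defines, which is the kind of mismatch the diagnosis above points to. The function names are hypothetical, and KNOWN_TYPES is a constructed stand-in for a real type list (for instance one built from the output of seinfo -t).

```python
import re
from collections import Counter

# The three summary shapes setroubleshoot logs in this thread:
#   ...preventing crond (crond_t) "search" dir_root_t.
#   ...preventing dhclient (dhclient_t) "read" to /var/run/x.conf (dir_var_run_t).
#   ...preventing the nm-dhcp-client. (dhclient_t) from executing /usr/libexec/x.
ALERT = re.compile(
    r'SELinux is preventing (?:the )?(?P<comm>\S+) \((?P<domain>\w+)\) '
    r'(?:"(?P<perm>\w+)" (?:to \S+ \((?P<t_path>\w+)\)|(?P<t_bare>\w+))'
    r'|from executing (?P<exe>\S+))\.'
)

def parse_alert(line):
    """Return (comm, source_domain, permission, target_type) or None."""
    m = ALERT.search(line)
    if m is None:
        return None
    comm = m.group("comm").rstrip(".")  # the log prints "nm-dhcp-client."
    if m.group("exe"):
        # This shape names the executed file but not its type.
        return (comm, m.group("domain"), "execute", None)
    target = m.group("t_path") or m.group("t_bare")
    return (comm, m.group("domain"), m.group("perm"), target)

def summarize(lines):
    """Count each distinct denial; repeated alerts collapse into one key."""
    return Counter(a for a in map(parse_alert, lines) if a is not None)

def unknown_target_types(summary, known_types):
    """Target types seen in alerts that are absent from the given type list."""
    seen = {t for (_, _, _, t) in summary if t is not None}
    return sorted(seen - set(known_types))

# Sample lines abridged from the log excerpts in this thread; the last
# one is a constructed non-alert line to show that noise is skipped.
P = "Sep 11 21:58:04 aristarchus setroubleshoot: SELinux is preventing "
SAMPLE = [
    P + 'rsyslogd (syslogd_t) "read" proc_kmsg_t. For complete SELinux messages.',
    P + 'rsyslogd (syslogd_t) "read" proc_kmsg_t. For complete SELinux messages.',
    P + 'dhclient (dhclient_t) "read" to /var/run/nm-dhclient-wlan0.conf (dir_var_run_t).',
    P + 'the nm-dhcp-client. (dhclient_t) from executing /usr/libexec/nm-dhcp-client.action.',
    P + 'crond (crond_t) "search" dir_root_t. For complete SELinux messages.',
    P + 'sedispatch (auditd_t) "write" to (null) (var_run_t).',
    "Sep 11 21:58:05 aristarchus kernel: constructed unrelated line",
]
# Constructed stand-in, NOT the real targeted-policy type list.
KNOWN_TYPES = {"proc_kmsg_t", "var_run_t", "root_t"}

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for (comm, domain, perm, ttype), n in summary.most_common():
        print(f"{n:3d}  {comm} ({domain}) {perm} -> {ttype}")
    print("types not in list:", unknown_target_types(summary, KNOWN_TYPES))
```

Target types that still appear after a full relabel but are missing from the loaded policy's type list are a sign that labels or rules from a second policy are in play.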

Yes, I did have seedit installed. While I can appreciate that the two policies are incompatible, I'd like to point out (1) under Fedora 10 I was not having this problem and I have no idea whether or not I actually had both of them installed then, and (2) this was a straight-forward upgrade. So perhaps this issue should be recategorized as an upgrade issue or put in an upgrade FAQ like "you should remove either selinux-policy-targeted or seedit before upgrading as you cannot run both."

I've removed seedit, but now everything is totally whacked. After removing the, I CAN'T run fixfiles. Nor can I reinstall selinux-policy or selinux-policy-targeted

[root@aristarchus ~]# yum -y reinstall selinux-policy selinux-policy-targeted
Loaded plugins: allowdowngrade, dellsysidplugin2, downloadonly, fastestmirror, kernel-module, kmdl, list-data, priorities, protect-packages, protectbase, refresh-packagekit, verify
Setting up Reinstall Process
Loading mirror speeds from cached hostfile
 * fedora: mirror.liberty.edu
 * rpmfusion-free: mirror.liberty.edu
 * rpmfusion-free-updates: mirror.liberty.edu
 * rpmfusion-nonfree: mirror.liberty.edu
 * rpmfusion-nonfree-updates: mirror.liberty.edu
 * updates: mirror.liberty.edu
0 packages excluded due to repository protections
No package selinux-policy available.
 * Maybe you meant: selinux-policy
No package selinux-policy-targeted available.
 * Maybe you meant: selinux-policy-targeted
Nothing to do

Note that it "suggests" the exact package I attempted to install(!)

[root@aristarchus ~]# fixfiles restore
/etc/selinux/targeted/contexts/files/file_contexts: line 3 has invalid context system_u:object_r:quota_db_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 4 has invalid context system_u:object_r:xen_image_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 5 has invalid context system_u:object_r:mnt_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 6 has invalid context system_u:object_r:mnt_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 15 has invalid context system_u:object_r:device_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 18 has invalid context system_u:object_r:admin_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 19 has invalid context system_u:object_r:usb_device_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 21 has invalid context system_u:object_r:mouse_device_t:s0
/etc/selinux/targeted/contexts/files/file_contexts: line 23 has invalid context system_u:object_r:fixed_disk_device_t:s0
Exiting after 10 errors.

The workaround to the reinstall problem was to uninstall them. This also removed policycoreutils and setroubleshoot, which had to be reinstalled. I'm now running fixfiles restore.
I am adding a conflicts statement to selinux-policy-targeted and friends so you can not install both at the same time.