Was, Re: FC17 and setroubleshoot, is policy bugs

Miroslav Grepl mgrepl at redhat.com
Tue Jul 3 20:19:41 UTC 2012


On 07/03/2012 10:16 PM, m.roth at 5-cent.us wrote:
> Miroslav Grepl wrote:
>> On 07/03/2012 08:53 PM, m.roth at 5-cent.us wrote:
>>> Well, I went looking for setroubleshoot because we were getting a lot of
>>> crap in the logs after I upgraded one system to FC17. I installed it,
>>> and Dominick says it ought to be autorun on an event.
>>>
>>> Wellllll, I'm not seeing the usual "avc, blah, blah, run sealert ....".
>>>
>>> I thought I'd try another way, and found one immediate problem, that
>>> use_nfs_home_dirs was off. I tried to set it on, as root....
>>>
>>> setsebool -P use_nfs_home_dirs on
>>> libsepol.scope_copy_callback: entropyd: Duplicate declaration in module:
>>> type/attribute entropyd_var_run_t (No such file or directory).
>>> libsemanage.semanage_link_sandbox: Link packages failed (No such file or
>>> directory).
>>> Could not change policy booleans
>>>
>>> Bug?
>> Could you try to run
>>
>> semodule -n -s targeted -r xfs kudzu kerneloops execmem openoffice ada
>> tzdata hal hotplug howl java mono moilscanner gamin audio_entropy
>> audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager
>> telepathysofiasip ethereal passanger qpidd pyzor razor
>>
>> Which is supposed to be done in the package.
> That worked. After running that, I could do my setsebool.
>
> I will note that both the semodule and the setsebool took a truly
> ridiculous amount of time. It was at *least* one full minute or more for
> the setsebool.
>
>       mark
>
Yes, we know about that. You can execute

# semodule -d unconfined

which will disable unconfined domains, but the unconfined user will still
exist. Then try to run semodule. It should be faster.


