On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
On Saturday 28 February 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
Greetings all;
I have just upgraded then updated as much as possible, an F8 install to F10. selinux is now denying ConsoleKit and friends, and awstats. F10 will run without console-kit-daemon I find, but I went so far as to touch /.autorelabel & reboot & leave it to contemplate its sins for an hour or so as there is nearly 2TB of drives here. Didn't help.
So now I have selinux disabled, and everything is working. Can this be addressed?
Can you show us the avc denials related to your issues? avc denials are sent to /var/log/audit/audit.log and can be retrieved with the ausearch command. For example use: ausearch -m avc -ts today, to retrieve today's avc denials.
None today, I turned it off, yesterday's is attached.
You state that you updated as much as possible. What did you not update?
About 70 packages are left, all the java stuff cuz I've installed from Sun, I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix that up by hand and some of the menus are still fubar) and anytime I do a -devel, it barfs over strigi. What the heck does that thing do anywho?
I also am not running the F10 kernel cuz I have to set stakes and call a surveyor to measure screen scrolling speed, so I'm running 2.6.28.7 and am building the xorg drm and xf86-r6xx-r7xx-radeonhd trees. Now glxgears says 275-300 fps and I can tolerate it. Anyway, from the yumex screen:
14:05:14 : Error in Dependency Resolution
14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed by package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386 (rpmfusion-free-updates)
Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is needed by package kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686 (rpmfusion-nonfree-updates)
Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package strigi-devel-0.5.11-1.fc10.i386 (fedora)
I might be able to get a list of updates (if you need them) not done from yum. I use yumex most of the time.
Thanks Dominick
No that is fine, thanks. Which version of selinux-policy is currently installed?
I picked a few of the denials out of there and both were allowed in the rawhide policy.
This leads me to think that either you are running an old version of the selinux-policy or that the fixes in rawhide policy have not been pushed to Fedora 10 policy yet.
In either case you can create custom policies to allow these denials.
A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M mydenials; /usr/sbin/semodule -i mydenials.pp"
Caution: I did not review all denials in your list, however most look like they should be allowed.
You should not let issues like these persuade you to disable SELinux. You can also run SELinux in permissive mode which will act as an intrusion detection system but will not prevent policy violations.
hth, Dominick
selinux@lists.fedoraproject.org
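
As an added example (not part of the thread and not code from the SELinux tools), the Python sketch below groups AVC denial records by source type, target type and object class so each resulting rule can be reviewed before the denials are passed to audit2allow. The sample records, type names in them and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not the thread's attachment).
SAMPLE_LOG = """\
type=AVC msg=audit(1235760000.101:41): avc:  denied  { read } for  pid=2101 comm="console-kit-dae" name="utmp" dev=sda1 ino=4411 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1235760000.205:42): avc:  denied  { getattr } for  pid=2101 comm="console-kit-dae" path="/var/run/utmp" dev=sda1 ino=4411 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1235760100.007:57): avc:  denied  { search } for  pid=3050 comm="awstats.pl" name="httpd" dev=sda1 ino=9920 scontext=system_u:system_r:awstats_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1235760100.007:57): arch=40000003 syscall=5 success=no exit=-13 comm="awstats.pl"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(context):
    """Return the type field (third component) of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group denials by (source type, target type, class) -> permissions and commands."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL, PATH and other record types
        m = AVC_RE.search(line)
        if m is None:
            continue  # not a denial, or a record this pattern does not cover
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        rules[key]["perms"].update(m["perms"].split())
        rules[key]["comms"].add(m["comm"])
    return dict(rules)

def render(rules):
    """Render one reviewable line per rule, in the style of a .te allow statement."""
    out = []
    for (src, tgt, cls), info in sorted(rules.items()):
        perms = " ".join(sorted(info["perms"]))
        comms = ", ".join(sorted(info["comms"]))
        out.append(f"allow {src} {tgt}:{cls} {{ {perms} }};  # from: {comms}")
    return out

if __name__ == "__main__":
    print("\n".join(render(summarize_denials(SAMPLE_LOG))))
```

Each output line names the command that triggered the denial, which makes it easier to spot a rule that should be fixed by relabeling or a policy update rather than allowed in a local module.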