I have a couple of systems I've just upgraded from FC15 to FC17. I installed setroubleshoot and setroubleshoot-server.
FC17 is obviously too new for an old fart like me - I can't find any normal way to start setroubleshootd. Nothing in /etc/init.d....
mark
On Tue, 2012-07-03 at 13:22 -0400, m.roth@5-cent.us wrote:
> I have a couple of systems I've just upgraded from FC15 to FC17. I installed setroubleshoot and setroubleshoot-server.
> FC17 is obviously too new for an old fart like me - I can't find any normal way to start setroubleshootd. Nothing in /etc/init.d....
> mark
Forget /etc/init.d, that's a relic of the sysv init/upstart era. Systemd stores its unit files in /lib|etc/systemd/system, I believe.
But nonetheless setroubleshoot is neither an init daemon nor a systemd daemon, I believe.
Instead it's run by the DBUS system bus automagically, I think (probably only when an event occurs) (maybe by audispd?)
I am not sure about the details as I don't use it myself.
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Well, I went looking for setroubleshoot because we were getting a lot of crap in the logs after I upgraded one system to FC17. I installed it, and Dominick says it ought to be autorun on an event.
Wellllll, I'm not seeing the usual "avc, blah, blah, run sealert ....".
I thought I'd try another way, and found one immediate problem, that use_nfs_home_dirs was off. I tried to set it on, as root....
setsebool -P use_nfs_home_dirs on
libsepol.scope_copy_callback: entropyd: Duplicate declaration in module: type/attribute entropyd_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
Could not change policy booleans
Bug?
mark
On 07/03/2012 08:53 PM, m.roth@5-cent.us wrote:
> Well, I went looking for setroubleshoot because we were getting a lot of crap in the logs after I upgraded one system to FC17. I installed it, and Dominick says it ought to be autorun on an event.
> Wellllll, I'm not seeing the usual "avc, blah, blah, run sealert ....".
> I thought I'd try another way, and found one immediate problem, that use_nfs_home_dirs was off. I tried to set it on, as root....
> setsebool -P use_nfs_home_dirs on
> libsepol.scope_copy_callback: entropyd: Duplicate declaration in module: type/attribute entropyd_var_run_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
> Could not change policy booleans
> Bug?
Could you try to run
semodule -n -s targeted -r xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd pyzor razor
Which is supposed to be done in the package.
> mark
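An added example, not part of the thread or of the Fedora packages: a shell helper that filters `semodule -l` output against the module list from the `semodule -r` command above, so you can see which of those modules are still installed, plus a parser that pulls the module and type out of the libsepol duplicate-declaration error. The function names and the sample listing are constructed for illustration, and the helper assumes the module name is the first field of each `semodule -l` line.

```shell
#!/bin/sh
# Added example (not from the thread). OBSOLETE is the module list copied
# verbatim from the semodule -r command quoted in the message above.
OBSOLETE="xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd pyzor razor"

# installed_obsolete: reads `semodule -l` style output on stdin and prints,
# one per line and in input order, the module names that are also in OBSOLETE.
# Assumption: the module name is the first whitespace-separated field.
installed_obsolete() {
    awk -v list="$OBSOLETE" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NF && ($1 in want) && !seen[$1]++ { print $1 }
    '
}

# dup_decl: reads setsebool/semodule error output on stdin and prints
# "<module> <type>" for each libsepol duplicate-declaration line.
dup_decl() {
    sed -n 's/^libsepol\.scope_copy_callback: \([^:]*\): Duplicate declaration in module: type\/attribute \([^ ]*\).*/\1 \2/p'
}

# Constructed sample of `semodule -l` output (names and versions are made up
# for the demonstration; only hal, polkit and xfs are on the OBSOLETE list).
sample_listing() {
    printf 'abrt\t1.2.0\nhal\t1.14.0\npolkit\t1.1.0\nunconfined\t3.3.0\nxfs\t1.6.0\n'
}

# On a live system (as root):
#   semodule -l | installed_obsolete
#   setsebool -P use_nfs_home_dirs on 2>&1 | dup_decl
```
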
Miroslav Grepl wrote:
> On 07/03/2012 08:53 PM, m.roth@5-cent.us wrote:
>> Well, I went looking for setroubleshoot because we were getting a lot of crap in the logs after I upgraded one system to FC17. I installed it, and Dominick says it ought to be autorun on an event.
>> Wellllll, I'm not seeing the usual "avc, blah, blah, run sealert ....".
>> I thought I'd try another way, and found one immediate problem, that use_nfs_home_dirs was off. I tried to set it on, as root....
>> setsebool -P use_nfs_home_dirs on
>> libsepol.scope_copy_callback: entropyd: Duplicate declaration in module: type/attribute entropyd_var_run_t (No such file or directory).
>> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
>> Could not change policy booleans
>> Bug?
> Could you try to run
> semodule -n -s targeted -r xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd pyzor razor
> Which is supposed to be done in the package.
That worked. After running that, I could do my setsebool.
I will note that both the semodule and the setsebool took a truly ridiculous amount of time. It was at *least* one full minute or more for the setsebool.
mark
On 07/03/2012 10:16 PM, m.roth@5-cent.us wrote:
> Miroslav Grepl wrote:
>> On 07/03/2012 08:53 PM, m.roth@5-cent.us wrote:
>>> Well, I went looking for setroubleshoot because we were getting a lot of crap in the logs after I upgraded one system to FC17. I installed it, and Dominick says it ought to be autorun on an event.
>>> Wellllll, I'm not seeing the usual "avc, blah, blah, run sealert ....".
>>> I thought I'd try another way, and found one immediate problem, that use_nfs_home_dirs was off. I tried to set it on, as root....
>>> setsebool -P use_nfs_home_dirs on
>>> libsepol.scope_copy_callback: entropyd: Duplicate declaration in module: type/attribute entropyd_var_run_t (No such file or directory).
>>> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
>>> Could not change policy booleans
>>> Bug?
>> Could you try to run
>> semodule -n -s targeted -r xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd pyzor razor
>> Which is supposed to be done in the package.
> That worked. After running that, I could do my setsebool.
> I will note that both the semodule and the setsebool took a truly ridiculous amount of time. It was at *least* one full minute or more for the setsebool.
> mark
Yes, we know about that. You can execute
# semodule -d unconfined
which will disable unconfined domains but unconfined user will still exist. Then try to run semodule. It should be faster.
On 07/03/2012 07:22 PM, m.roth@5-cent.us wrote:
> I have a couple of systems I've just upgraded from FC15 to FC17. I installed setroubleshoot and setroubleshoot-server.
> FC17 is obviously too new for an old fart like me - I can't find any normal way to start setroubleshootd. Nothing in /etc/init.d....
> mark
setroubleshootd is the dbus service now.
You can read more info using
# man setroubleshootd
Regards, Miroslav