Dear fellow selinux experts,
I am running rawhide on three machines, one recently installed via the old xfce spin; the new ones (F12-Alpha isos, dvd and livecd's) don't work because of bugs :(. I see lots of selinux denials, some dealing with wine, wineserver, ..., windows applications that I need to use at school with my students. I see the firefox stack, and I see others that have been reported. At the beginning there were only two or three errors, but when I started running the windows based programs I got the messages. I am thinking that it is not becoming fun anymore when I have to report those errors/bugs and they are reported back as CLOSED Repeated bug or fixed in selinux-policy, and I still see them again even though I have updated the machine [after I saw that there were indeed updates; because of a confusion with rawhide reports, broken deps came first and I thought there were no updates :( ]
I don't know, but I am getting a little bit upset at this situation. I tried to get a repository suggested by another member of the selinux-list to see if it would help me, but it is for x86_64 and not x86. It failed to work and I disabled it. I am seeing why many folks are disabling selinux; is there any reason as to why there are many changes taking place that *it is not worth filing bug reports* because they will be CLOSED (NOT A BUG) or already a (DUPLICATE BUG)?
I appreciate the help that many users on this list have provided through many situations, but this is not getting any easier, and my feeling is that if the trend continues Fedora 12 will not play nice with many users because selinux gets in the way of their computing :(
Thanks for any suggestions, advice and/or consoling words.
I hope that things come back to normal a bit, and sorry for venting my frustrations. I had been trouble free for a good while but now it is becoming a pain: just starting up I see the selinux star at the bottom of the panel, and I click on it and *many times I could not file bug reports*; when I did, *they were DUPLICATE, or CLOSED, or fixed in selinux-policy-?????*, only to apply updates and start again and see the bugs again :(, and have like 50 sealerts, many of them related :(
Regards,
Antonio
Antonio Olivares wrote:
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Not exactly sure what's happening. Keep in mind if you're using a development version of fedora, then you will run into issues (if you're on stable then you should be fine).
As for the avc's being generated, tough to say. As of now I'm running the latest policy, with a custom built system (LFS). One thing for sure, is if I move to a newer system there will be issues with gnome and the latest refpolicy due to the heavy development with refpolicy and gnome.
Have you tried using a different policy other than what fedora has?
Justin P. Mattock
Not exactly sure what's happening. Keep in mind if you're using a development version of fedora, then you will run into issues (if you're on stable then you should be fine).
I knew that ahead of time, but it did not seem to be this troublesome this time with Fedora 12. I have been testing since the Fedora 5 Test 2 release and have not encountered as many denials as I have in this Fedora 12 testing phase. Guess many don't complain because they run with selinux disabled (selinux=0) or enforcing=0, so they don't care to report the issues?
As for the avc's being generated, tough to say. As of now I'm running the latest policy, with a custom built system (LFS). One thing for sure, is if I move to a newer system there will be issues with gnome and the latest refpolicy due to the heavy development with refpolicy and gnome.
Have you tried using a different policy other than what fedora has?
I don't know much about this :(, I am just using the default Fedora policies. I guess I just need to be patient and let things work out one by one. When I get more pops and alerts, I should post here and to bugzilla and hope that the illnesses are cured :)
Regards,
Antonio
Antonio Olivares wrote:
Not exactly sure what's happening. Keep in mind if you're using a development version of fedora, then you will run into issues (if you're on stable then you should be fine).
I knew that ahead of time, but it did not seem to be this troublesome this time with Fedora 12. I have been testing since the Fedora 5 Test 2 release and have not encountered as many denials as I have in this Fedora 12 testing phase. Guess many don't complain because they run with selinux disabled (selinux=0) or enforcing=0, so they don't care to report the issues?
Depends; some people dislike SELinux, and some use it without issues. I personally have taken a liking to using SELinux, although I sometimes do get myself in a jam with some wrong configuration that causes a bit of frustration.
As for the latest fedora (haven't tried 12), I thought the system was very well built.
I don't know much about this :(, I am just using the default Fedora policies. I guess I just need to be patient and let things work out one by one. When I get more pops and alerts, I should post here and to bugzilla and hope that the illnesses are cured :)
That's fine. Sometimes these avc's might be generated by a mislabel somewhere. If you can, try and locate the location of what is being fired off (the avc denial should show you), then use: restorecon -R /tosomedir and see if this fixes your issue. If not, try the #selinux irc list to see if somebody can help, or the SELinux mailing lists (but keep in mind it is the weekend and those guys are normally off of work).
And also don't worry, I'll try and help you out as much as I can (doing a git bisect, so I have plenty of time).
Justin P. Mattock
On Sat, 2009-09-12 at 13:55 -0700, Antonio Olivares wrote:
I knew that ahead of time, but it did not seem to be this troublesome this time with Fedora 12. I have been testing since the Fedora 5 Test 2 release and have not encountered as many denials as I have in this Fedora 12 testing phase. Guess many don't complain because they run with selinux disabled (selinux=0) or enforcing=0, so they don't care to report the issues?
No, the vast majority of the 'denials' aren't actually denials. Dan removed all unconfined domains and replaced them with permissive domains. An unconfined domain allows everything and audits nothing. A permissive domain allows everything but audits every time there is no allow rule for a given request.
This has helped to define the actual needs of many of the unconfined domains. And hopefully we can remove them entirely in the future. Please keep filing bugs.
It's no surprise you are getting more messages, but it shouldn't be really different than in previous development for the number of problems it actually causes.
-Eric
--- On Sat, 9/12/09, Eric Paris eparis@redhat.com wrote:
From: Eric Paris eparis@redhat.com
Subject: Re: too many sealerts, most have been reported, and still see denials
To: "Antonio Olivares" olivares14031@yahoo.com
Cc: "Justin P. Mattock" justinmattock@gmail.com, fedora-selinux-list@redhat.com
Date: Saturday, September 12, 2009, 4:07 PM
On Sat, 2009-09-12 at 13:55 -0700, Antonio Olivares wrote:
No, the vast majority of the 'denials' aren't actually denials. Dan removed all unconfined domains and replaced them with permissive domains. An unconfined domain allows everything and audits nothing. A permissive domain allows everything but audits every time there is no allow rule for a given request.
This has helped to define the actual needs of many of the unconfined domains. And hopefully we can remove them entirely in the future. Please keep filing bugs.
Thanks for encouraging me to keep filing bugs. I will continue running it and report errors whenever I can. I hope that the bug reporter works, because it breaks once in a while :(
Regards,
Antonio
No, the vast majority of the 'denials' aren't actually denials. Dan removed all unconfined domains and replaced them with permissive domains. An unconfined domain allows everything and audits nothing. A permissive domain allows everything but audits every time there is no allow rule for a given request.
This has helped to define the actual needs of many of the unconfined domains. And hopefully we can remove them entirely in the future. Please keep filing bugs.
Here's one for modprobe.d
https://bugzilla.redhat.com/show_bug.cgi?id=523039
https://bugzilla.redhat.com/show_bug.cgi?id=523040
Some from dmesg to support the ones on top:
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
type=1403 audit(1252857173.233:3): policy loaded auid=4294967295 ses=4294967295
load_policy used greatest stack depth: 5448 bytes left
dracut: Switching root
type=1305 audit(1252857175.267:6): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 res=1
udev: starting version 145
type=1400 audit(1252857180.016:7): avc: denied { read } for pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857180.017:8): avc: denied { open } for pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
end_request: I/O error, dev fd0, sector 0
sis900.c: v1.08.10 Apr. 2 2006
sis900 0000:00:04.0: PCI INT A -> GSI 19 (level, low) -> IRQ 19
0000:00:04.0: Realtek RTL8201 PHY transceiver found at address 1.
0000:00:04.0: Using transceiver found at address 1 as default
eth0: SiS 900 PCI Fast Ethernet at 0xb000, IRQ 19, 00:16:ec:7d:be:bd
parport_pc 00:09: reported by Plug and Play ACPI
parport0: PC-style at 0x378 (0x778), irq 7 [PCSPP,TRISTATE]
ppdev: user-space parallel port driver
Intel ICH 0000:00:02.7: PCI INT C -> GSI 18 (level, low) -> IRQ 18
intel8x0_measure_ac97_clock: measured 50745 usecs (2442 samples)
intel8x0: clocking to 48000
type=1400 audit(1252857184.249:9): avc: denied { read } for pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857184.249:10): avc: denied { open } for pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
device-mapper: multipath: version 1.1.0 loaded
EXT4-fs (dm-0): internal journal on dm-0:8
kjournald starting. Commit interval 5 seconds
EXT3 FS on sda1, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev sda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Adding 950264k swap on /dev/mapper/vg_n63552-lv_swap.  Priority:-1 extents:1 across:950264k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
microcode: CPU0 sig=0xf29, pf=0x4, revision=0x0
platform microcode: firmware: requesting intel-ucode/0f-02-09
type=1400 audit(1252857189.780:11): avc: denied { read } for pid=725 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857189.780:12): avc: denied { open } for pid=725 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
microcode: CPU1 sig=0xf29, pf=0x4, revision=0x0
platform microcode: firmware: requesting intel-ucode/0f-02-09
Microcode Update Driver: v2.00 tigran@aivazian.fsnet.co.uk, Peter Oruba
microcode: CPU0 updated to revision 0x2e, date = 2004-08-11
microcode: CPU1 updated to revision 0x2e, date = 2004-08-11
Microcode Update Driver: v2.00 removed.
p4-clockmod: P4/Xeon(TM) CPU On-Demand Clock Modulation available
type=1400 audit(1252857190.717:13): avc: denied { read } for pid=795 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857190.717:14): avc: denied { open } for pid=795 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
ip6_tables: (C) 2000-2006 Netfilter Core Team
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
eth0: Media Link On 100mbps full-duplex
Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
SELinux: initialized (dev nfsd, type nfsd), uses genfs_contexts
eth0: no IPv6 routers present
CPU0 attaching NULL sched-domain.
CPU1 attaching NULL sched-domain.
CPU0 attaching sched-domain:
 domain 0: span 0-1 level SIBLING
  groups: 0 1
CPU1 attaching sched-domain:
 domain 0: span 0-1 level SIBLING
  groups: 1 0
canberra-gtk-pl used greatest stack depth: 5236 bytes left
fuse init (API version 7.12)
SELinux: initialized (dev fuse, type fuse), uses genfs_contexts
[root@n6355-2 ~]# uname -r
2.6.31-2.fc12.i686
Another one filed, but cut + paste failed :(
Regards,
Antonio
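As an added example (not code from the thread or from any of its participants), here is a small Python triage script that parses AVC denial lines in the dmesg/audit format quoted above and collapses repeated hits into one (source type, target type, object class) entry with the union of denied permissions, the same grouping that turns dozens of related sealerts into a single item to report. The sample is constructed from the modprobe denials above: two of them carry the MLS range s0-s0:c0.c1023 and two carry plain s0, and grouping by type shows they are one issue.

```python
import re
from collections import defaultdict

# Constructed sample: four AVC lines copied from the dmesg quoted in the
# thread, with two ordinary kernel lines left in to show they are skipped.
SAMPLE_DMESG = """\
udev: starting version 145
type=1400 audit(1252857180.016:7): avc: denied { read } for pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857180.017:8): avc: denied { open } for pid=334 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
end_request: I/O error, dev fd0, sector 0
type=1400 audit(1252857184.249:9): avc: denied { read } for pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=1400 audit(1252857184.249:10): avc: denied { open } for pid=587 comm="modprobe" name="modprobe.d" dev=dm-0 ino=14985 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type from a context user:role:type[:mls-range].

    Type enforcement decisions ignore the trailing MLS range, so
    insmod_t:s0 and insmod_t:s0-s0:c0.c1023 are the same domain here.
    """
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial line into a dict, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        'pid': fields.get('pid'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
    }


def summarize(text):
    """Group denials by (source type, target type, class); union the perms."""
    rules = defaultdict(lambda: {'perms': set(), 'count': 0, 'pids': set()})
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (context_type(avc['scontext']), context_type(avc['tcontext']), avc['tclass'])
        rules[key]['perms'] |= avc['perms']
        rules[key]['count'] += 1
        rules[key]['pids'].add(avc['pid'])
    return dict(rules)


def as_allow_rules(summary):
    """Render each group as the allow rule a policy fix would need."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(v['perms']))} }};"
            for (s, t, c), v in sorted(summary.items())]


if __name__ == '__main__':
    result = summarize(SAMPLE_DMESG)
    for key, v in result.items():
        print(key, 'hits:', v['count'], 'pids:', sorted(v['pids']))
    print('\n'.join(as_allow_rules(result)))
```

The rendered allow rule is only a summary for the bug report; whether the access should actually be allowed or the file relabelled is the policy maintainer's call.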
On 09/13/2009 12:03 PM, Antonio Olivares wrote:
Just imagine if you are on the receiving end of all these bugs.
Wine is a huge culprit and is being turned back into unconfined_domain.
abrt was also causing lots of these denials. Most of which are fixed in the latest policy builds.
The bugs I received this weekend including the modules_conf_t are legitimate.