SELinux Understanding

Daniel J Walsh dwalsh at redhat.com
Mon Oct 15 15:14:34 UTC 2007


Karl Larsen wrote:
> Daniel J Walsh wrote:
> Karl Larsen wrote:
>  
>>>> Thomas Cameron wrote:
>>>>    
>>>>> On Sat, 2007-10-13 at 05:38 -0600, Karl Larsen wrote:
>>>>>
>>>>>  
>>>>>      
>>>>>>> That's called coincidence, not proof.
>>>>>>>
>>>>>>>                   
>>>>>>     I think you're trying to protect SELinux. I don't know why.
>>>>>>             
>>>>> No, it's pointing out the obvious.  The issue you had was NOT - repeat
>>>>> NOT - an issue with SELinux.
>>>>>
>>>>> A lot of people a lot smarter than you have said so, you bring NO proof
>>>>> to the list, just supposition based on coincidence.
>>>>>
>>>>> I've tried to be polite to you out of respect to my elders, but you are
>>>>> just full of shit and won't listen to folks who know a bunch more than
>>>>> you do.
>>>>>
>>>>> Get this through your head:  Your issues are NOT due to SELinux.  I
>>>>> don't know what you did, but you are the kind of user that sysadmins
>>>>> HATE because you go in and jack up your system and then blame the system
>>>>> or the admin.
>>>>>
>>>>> Listen to those who know more than you do, OK?
>>>>>
>>>>> Thomas
>>>>>
>>>>>         
>>>>    Listen you fat head jerk! You brought nothing but your gut feeling
>>>> that SELinux can't be the cause period.
>>>>
>>>>    Well you're almost right. But you have no idea why. You do not know why
>>>> you're right. Or what that means. I will not turn SELinux back on until a
>>>> Bug is fixed in F7 8-)
>>>>
> Karl,
> 
> When you turned on SELinux the AVCs were being logged to
> /var/log/audit/audit.log.  This is where setroubleshoot and other tools
> grab the AVC messages.
>   
>>    Those that I presented are from /var/log/messages.
> When you go from disable to enabled, the entire system needs to be
> relabeled.  This can take a long time to happen since the entire file
> system is walked.   After relabeling your system should work properly.
>   
>>    Yesterday I changed SELinux from off to full enforce. It booted up
>> fine this morning and I really can't tell it is on. But it did take 30
>> minutes to label all the directories.
> I would make sure that you have updated to the latest policy for Fedora
> 7, and if you are running something like NIS you might need to turn on
> certain SELinux booleans.
>   
>>    I have every update for F7 on this machine now. I have no idea what
>> NIS is.
> setsebool -P allow_ypbind 1
> 
> Which will allow your system to use NIS.
> 
> The bugs/AVCs you reported earlier do not look like SELinux was going
> nuts.
> 
>   
>>    SELinux was not nuts. It was sending endless messages to dbox which
>> was malfunctioning. There is a bug in dbox.

> It is also feasible that you are running a file system reiser?  that
> SELinux does not support.  Or there is some problem that adding of file
> context to your machine triggered.
> 
>   
>>    Nope all my file systems are EXT3.
> I have not heard of SELinux in permissive mode causing the types of
> problems that you say occurred on your machine.
> 
>   
>>    I think I got a SELinux update the day before the problem. This
>> caused SELinux to send out new data and the bug hit. Every time I get a
>> SELinux update I will relabel the files.
> 
No need to do this.  The labeling should be fine.
> 
> 
> Dan
> 
>>

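An added example, not part of the original message: a small Python parser that summarizes AVC denials in either of the two places the thread mentions, /var/log/audit/audit.log and /var/log/messages. The sample records are constructed, and treating `file_t` or `unlabeled_t` targets as a sign that files are still unlabeled is an assumption about the loaded policy.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread): audit.log records, plus one
# denial as the kernel writes it to /var/log/messages when auditd is not running.
SAMPLE_LOG = """\
type=AVC msg=audit(1192461274.101:41): avc:  denied  { name_bind } for  pid=2101 comm="ypbind" src=834 scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1192461274.101:41): arch=40000003 syscall=102 success=no exit=-13 comm="ypbind"
type=AVC msg=audit(1192461275.220:42): avc:  denied  { read write } for  pid=2230 comm="dbus-daemon" name="log" dev=sda1 ino=4711 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Oct 15 09:14:36 host kernel: audit(1192461276.330:43): avc:  denied  { read write } for  pid=2230 comm="dbus-daemon" name="log" dev=sda1 ino=4711 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1192461277.440:44): avc:  granted  { setenforce } for  pid=2300 comm="setenforce" scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: types the policy gives to objects with no (or an invalid) label.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

def ctx_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one log line; return a dict for an AVC record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= kv.keys():
        return None  # truncated or malformed record
    return {"result": m.group("result"),
            "perms": tuple(m.group("perms").split()),
            "comm": kv.get("comm", "?"),
            "source_type": ctx_type(kv["scontext"]),
            "target_type": ctx_type(kv["tcontext"]),
            "tclass": kv["tclass"]}

def summarize(log_text):
    """Count denials per (comm, source type, target type, class, perms)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        if rec["result"] == "denied":
            counts[(rec["comm"], rec["source_type"], rec["target_type"],
                    rec["tclass"], rec["perms"])] += 1
    return counts

def needs_relabel(counts):
    """True if any denial targets an object that appears to carry no label."""
    return any(key[2] in UNLABELED_TYPES for key in counts)
```

Repeated denials from one process collapse into a single counted row, which makes it easier to tell a flood of identical messages from many distinct denials.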