setroubleshoot problem

max maximilianbianco at gmail.com
Fri Jul 18 14:24:56 UTC 2008


max wrote:
> Steve wrote:
>>
>>> ---- max <maximilianbianco at gmail.com> wrote: 
>>
>>>> 2 - The only other sane thing I could advise you to do is bounce 
>>>> your question off the fedora-selinux list. I would include a 
>>>> reference to this thread and all the relevant details. The kernel 
>>>> you're running, the policy version (rpm -qa | grep 
>>>> selinux...setrouble), setroubleshoot version, the error messages 
>>>> below, and that you run in permissive and used preupgrade to go 
>>>> from f8 to f9.
>>>> This will ensure that the right people see your message, this list 
>>>> is also monitored but I think when they get busy fedora-selinux is 
>>>> likely to still get checked more often than fedora-list.
>>> I was trying to avoid this. I already get several hundred e-mails per 
>>> day and I would guess that the selinux list is pretty busy too. Oh 
>>> well, I'll just have to deal with it for a while.
>>
>> I found this in the SELinux list archives:
>>
>> http://www.nsa.gov/SELinux/list-archive/0801/thread_body36.cfm
>>
>> which appears to say there was a problem but it was fixed in a patch. 
>> I wonder if it has not made it to F9 yet?
>>
>> Steve
> It could be related but they seem to have been running mls policy which 
> is not the default policy in f9. I think the patch would have made it 
> into F9 by now, the thread dates back to January and F9 released in May 
> if memory serves. I think in the end you will have to rebuild the 
> policy. The only way that I know of to change the handle_unknown=deny to 
> allow is at policy build time. This is set to allow in F8 and F9. Why 
> yours is not this way is something I don't understand, unless mine is 
> screwed up somehow but I doubt it. I have looked at two f9 boxes and an 
> f8 box. All of them have the handle_unknown=allow. Maybe a third party 
> could confirm this:
> 
> dmesg | grep -i selinux
> 
> 
> Use the Force,
> 
> Max
Steve,

Try semodule -B. It had completely slipped past me. It will force a 
rebuild and reload of policy.
Check out man semodule.


Max

-- 
Fortune favors the BOLD
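
Added example, not part of the original message: a shell sketch of the handle_unknown check discussed above, reading the setting either from `dmesg` output or from the `deny_unknown` and `reject_unknown` files in selinuxfs. The function names, the sample log lines and the exact kernel log wording matched here are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report the handle_unknown setting of the loaded policy.

# Classify kernel log text read from stdin; prints allow, deny or unknown.
# Assumption: the kernel logs a line ending in
# "unknown classes and permissions will be allowed" (or "denied").
handle_unknown_from_log() {
    # Keep the last match, since a policy reload logs the line again.
    verdict=$(sed -n -E \
        's/.*unknown classes and permissions will be (allowed|denied).*/\1/p' |
        tail -n 1)
    case "$verdict" in
        allowed) echo allow ;;
        denied)  echo deny ;;
        *)       echo unknown ;;   # line absent, e.g. log buffer rotated
    esac
}

# Read the setting from a selinuxfs mount point given as $1
# (/selinux on older releases, /sys/fs/selinux on newer ones).
handle_unknown_from_fs() {
    dir=$1
    [ -r "$dir/deny_unknown" ] && [ -r "$dir/reject_unknown" ] ||
        { echo unknown; return 0; }
    deny=$(cat "$dir/deny_unknown")
    reject=$(cat "$dir/reject_unknown")
    if [ "$reject" = 1 ]; then
        echo reject                # policy load refuses unknown classes
    elif [ "$deny" = 1 ]; then
        echo deny
    else
        echo allow
    fi
}

# Constructed sample of `dmesg | grep -i selinux` output (not from the thread).
SAMPLE_LOG='SELinux:  Initializing.
SELinux:  class example_class not defined in policy
SELinux:  the above unknown classes and permissions will be denied'

# Typical use on a live system:
#   dmesg | handle_unknown_from_log
#   handle_unknown_from_fs /selinux
```

If the two sources disagree, the selinuxfs value reflects the policy currently loaded, while the log may predate a reload.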



