Re: Selinux and kernel-2.6.12-1.1381 Fedora Core 3

[Daniel J Walsh <dwalsh@xxxxxxxxxx>]

Antonio Olivares wrote:
> --- Rahul Sundaram <sundaram@xxxxxxxxxx> wrote:
>
>   
> > Antonio Olivares wrote:
> >
> >     
> > > Dear Kind Folks,
> > >   I recently updated one of my machines at work
> > >       
> > which
> >     
> > > was running Fedora Core 3 to kernel-2.6.12-1.1381
> > >       
> > via
> >     
> > > yum.  When I rebooted and booted to the new kernel,
> > >       
> > I
> >     
> > > fired up firefox and could not load yahoo webpage. 
> > >       
> > I
> >     
> > > tried google, Fedorafaq, Distrowatch and nothing. 
> > >       
> > I
> >     
> > > suspected Selinux could be the culprit, so I did:
> > > Hat -> System Settings -> Security Level and
> > >       
> > disabled
> >     
> > > selinux.  Rebooted with new settings and viola I
> > >       
> > could
> >     
> > > see yahoo, distrowatch, google, etc.  I went to
> > > terminal fired up yum and yum update selinux and
> > >       
> > gave
> >     
> > > me error message.  I tried again this time with
> > > selinux-targetpolicy? (not to sure) but it went
> > > through.  I reenabled selinux, and rebooted and
> > >       
> > could
> >     
> > > not view any webpages again.  I will get back to
> > >       
> > the
> >     
> > > machine on Monday, and it makes me wonder about
> > >       
> > what
> >     
> > > do I need to do, which updates I need to run.  
> > >
> > > kernel installed ->	[kernel-2.6.12-1.1381_FC3.i686]
> > >
> > > I read very carefully the FAQ for SELinux from 
> > > http://www.nsa.gov/selinux/info/faq.cfm
> > > but I am still clueless.  I would like to keep
> > >       
> > selinux
> >     
> > > enabled and still view webpages.  How can I still
> > >       
> > do
> >     
> > > that?  
> > >  
> > >
> > >       
> > post to the fedora-selinux list with the AVC denied
> > messages in 
> > /var/log/messages. Fedora SELinux FAQ is available
> > from
> >
> > http://fedoraproject.org/wiki/Communicate
> > http://fedora.redhat.com/docs/selinux-faq/
> >
> > regards
> > Rahul
> >
> > --
> > fedora-list mailing list
> > fedora-list@xxxxxxxxxx
> > To unsubscribe:
> > https://www.redhat.com/mailman/listinfo/fedora-list
> >
> >     
>
> I'll do that come Monday, thanks for helping.  In any
> case, at home same thing happened, here are some avc
> messages
>
> audit(1131052412.181:2): avc:  denied  { name_connect
> } for  pid=4314 comm="gkrellm" dest=7634
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:port_t tclass=tcp_socket
> audit(1131052412.349:3): avc:  denied  { name_connect
> } for  pid=4317 comm="eggcups" dest=631
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:reserved_port_t
> tclass=tcp_socket
> audit(1131052412.349:4): avc:  denied  { name_connect
> } for  pid=4317 comm="eggcups" dest=631
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:reserved_port_t
> tclass=tcp_socket
> CSLIP: code copyright 1989 Regents of the University
> of California
> PPP generic driver version 2.4.2
> PPP Deflate Compression module registered
> audit(1131052690.058:5): avc:  denied  { name_connect
> } for  pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052692.227:6): avc:  denied  { name_connect
> } for  pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052699.727:7): avc:  denied  { name_connect
> } for  pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052702.155:8): avc:  denied  { name_connect
> } for  pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052713.032:9): avc:  denied  { name_connect
> } for  pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052718.472:10): avc:  denied  { name_connect
> } for  pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052726.685:11): avc:  denied  { name_connect
> } for  pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052730.917:12): avc:  denied  { name_connect
> } for  pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052743.510:13): avc:  denied  { name_connect
> } for  pid=4617 comm="mozilla-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052746.942:14): avc:  denied  { name_connect
> } for  pid=4617 comm="mozilla-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052843.092:15): avc:  denied  { name_connect
> } for  pid=4692 comm="mozilla-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052848.928:16): avc:  denied  { name_connect
> } for  pid=4692 comm="mozilla-bin" dest=443
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> [root@localhost ~]#  
>
> [root@localhost ~]# tail /var/log/messages
> Nov  3 21:20:37 localhost pppd[4658]: local  IP
> address 66.201.8.152
> Nov  3 21:20:37 localhost pppd[4658]: remote IP
> address 66.201.8.6
> Nov  3 21:20:37 localhost pppd[4658]: primary   DNS
> address 168.215.176.2
> Nov  3 21:20:37 localhost pppd[4658]: secondary DNS
> address 12.176.80.9
> Nov  3 21:20:43 localhost kernel:
> audit(1131052843.092:15): avc:  denied  { name_connect
> } for  pid=4692 comm="mozilla-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> Nov  3 21:20:48 localhost kernel:
> audit(1131052848.928:16): avc:  denied  { name_connect
> } for  pid=4692 comm="mozilla-bin" dest=443
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> Nov  3 21:23:01 localhost kernel:
> audit(1131052981.865:17): avc:  denied  { name_connect
> } for  pid=4692 comm="mozilla-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> Nov  3 21:23:03 localhost kernel:
> audit(1131052983.717:18): avc:  denied  { name_connect
> } for  pid=4692 comm="mozilla-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> Nov  3 21:25:01 localhost crond(pam_unix)[4703]:
> session opened for user root by (uid=0)
> Nov  3 21:25:02 localhost crond(pam_unix)[4703]:
> session closed for user root
>
> Regards,
>
> Antonio
>
>
>
> 		
> __________________________________ 
> Start your day with Yahoo! - Make it your home page! 
> http://www.yahoo.com/r/hs
>
>   
YOu have a policy mismatch.  Have you update to the latest policy 
available for FC3?

Please try selinux-policy-targeted-1.17.30-3.19 
<https://porkchop.devel.redhat.com/fedora-updates/show.py?pkg=selinux-policy-targeted-1.17.30-3.19&update=Testing> 
available in the fedora-test yum repository to see if it solves your problem



--