Re: SELinux Understanding

On Monday 15 October 2007 16:33, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Karl Larsen wrote:
> > Thomas Cameron wrote:
> >> On Sat, 2007-10-13 at 05:38 -0600, Karl Larsen wrote:
> >>>> That's called coincidence, not proof.
> >>>
> >>>     I think you're trying to protect SELinux. I don't know why.
> >>
> >> No, it's pointing out the obvious.  The issue you had was NOT - repeat
> >> NOT - an issue with SELinux.
> >>
> >> A lot of people a lot smarter than you have said so, you bring NO proof
> >> to the list, just supposition based on coincidence.
> >>
> >> I've tried to be polite to you out of respect to my elders, but you are
> >> just full of shit and won't listen to folks who know a bunch more than
> >> you do.
> >>
> >> Get this through your head:  Your issues are NOT due to SELinux.  I
> >> don't know what you did, but you are the kind of user that sysadmins
> >> HATE because you go in and jack up your system and then blame the system
> >> or the admin.
> >>
> >> Listen to those who know more than you do, OK?
> >>
> >> Thomas
> >
> >    Listen you fat head jerk! You brought nothing but your gut feeling
> > that SELinux can't be the cause period.
> >
> >    Well you're almost right. But you have no idea why. You do not know why
> > you're right. Or what that means. I will not turn SELinux back on until a
> > Bug is fixed in F7 8-)
>
> Karl,
>
> When you turned on SELinux the AVCs were being logged to
> /var/log/audit/audit.log. This is where setroubleshoot and other tools
> grab the AVC messages.
>
> When you go from disable to enabled, the entire system needs to be
> relabeled.  This can take a long time to happen since the entire file
> system is walked.   After relabeling your system should work properly.
>
> I would make sure that you have updated to the latest policy for Fedora
> 7, and if you are running something like NIS you might need to turn on
> certain selinux booleans.
>
> setsebool -P allow_ypbind 1
>
> Which will allow your system to use NIS.
>
> The bugs/AVCs you reported earlier do not look like SELinux was going
> nuts.
>
> It is also feasible that you are running a file system (reiser?) that
> SELinux does not support. Or there is some problem that adding of file
> context to your machine triggered.
>
> I have not heard of SELinux in permissive mode causing the types of
> problems that you say occurred on your machine.
>
> Dan

Well I've held back for many days on replying to the multiple SELinux threads 
that Karl has running at present, but I may as well poke my nose in.

The problem, really, is that to prove that an app/program is responsible for 
some problem or other, it needs to be reproducible.

For example, I have a Smoothwall Express2 firewall on an old machine that 
gives me some protection from the Internet, but I also use Guarddog on the 
various distros on the 2 machines on my LAN, because you can configure that 
to prevent outgoing stuff, as well as incoming. If I have a problem 
connecting to the other machine, FTP, SSH, or whatever, I can disable the 
firewall on both machines, and if the problem goes away, I can re-enable the 
firewall on one machine, knowing that it is being enabled with the same 
setup, as when I disabled it. Ok. The problem hasn't returned, so I enable 
the firewall on the other machine, again knowing that the firewall has the 
same setup as when it was disabled. Now the problem has returned, so I know I 
need to look at the config for the firewall, and in this case it is my faulty 
configuration of the firewall on this machine.

For the first time when installing a distro, I left Fedora 7's SELinux enabled 
in enforcing mode, just to see how it went. I've only had one problem up to 
now, and that was trying to FTP into it from my other machine. I first 
suspected that I didn't have vsftpd running on Fedora 7, but that was up and 
running. As Fedora 7 is the only distro I have SELinux enabled on, and having 
just read the link to a magazine article that Rahul had posted about SELinux, 
I ran setroubleshoot, and sure enough the FTP problem was identified, with a 
simple fix offered. I ran the command for the FTP fix, and no more FTP 
problems.

Going back to Karl's suspected SELinux problem.

It isn't possible to disable, then re-enable SELinux in the same way as my 
firewall example above. The firewall example showed that the problem was 
reproducible, as the config for the firewall was unchanged, but as 
re-enabling SELinux, in either permissive, or enforcing mode results in the 
relabelling process being run, it's almost impossible to know if the 
relabelling has resolved a genuine problem or not.

It would be only by being able to disable, then re-enable SELinux, so that 
SELinux was in the same state as it was before you disabled it, that you 
could truly reproduce a suspected problem that would narrow it down to 
SELinux being the culprit.

Just one last unreproducible problem. This time involving udev, and the 
ordering of video devices. My TV PCI card uses /dev/video0, and the USB 
webcam /dev/video1. At least that is the order in which I installed them (TV 
card first, and some time later the webcam), and on non-udev kernels they 
are ordered that way each time I boot up. The only proviso I put on this, is 
that the original kernel installed when I installed Fedora 7, is also a udev 
one, and unless it's just coincidence the video devices are always ordered 
correctly. The later udev-using kernels are always hit and miss, and that's 
both on Fedora, and Debian installs. Sometimes the TV card is /dev/video0, 
sometimes it's /dev/video1, and the same for the webcam. It's a bit like 
throwing a slice of buttered bread up into the air, and seeing how it lands. 
Buttered side up? It's anybody's guess, and totally unreproducible. Murphy's 
law says it will always end up with the buttered side on the carpet.

Apologies for the extremely long post, and these are just some of my observations 
from a first time SELinux user.

This is likely to be my one and only post on this series of SELinux threads 
that Karl has started, but Karl, I do hope you have resolved the problem all 
the same.

2¢ worth of extremely long rambling.

Nigel.
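Dan's reply above points at /var/log/audit/audit.log as the place where setroubleshoot picks up AVC messages, and Nigel's point is that a suspected SELinux problem needs evidence rather than coincidence. The script below is an added example, not code from anyone in this thread: it pulls the denial records out of audit-log text and summarises which source domain was denied what on which target type, which is the first thing to check before blaming (or clearing) SELinux. The audit lines in SAMPLE_AUDIT_LOG are constructed for the example (the field names comm=, scontext=, tcontext= and tclass= are the real AVC record fields); the functions summarise_avc and denial_counts are names chosen here.

```shell
#!/bin/sh
# Constructed sample of audit.log content for this example: two vsftpd denials,
# one ypbind denial, one SYSCALL record and one "granted" AVC that must be skipped.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1192462370.123:45): avc:  denied  { search } for  pid=2301 comm="vsftpd" name="docs" dev=sda2 ino=12340 scontext=system_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1192462370.123:45): arch=40000003 syscall=5 success=no exit=-13 comm="vsftpd"
type=AVC msg=audit(1192462380.456:46): avc:  denied  { read } for  pid=2301 comm="vsftpd" name="notes.txt" dev=sda2 ino=12345 scontext=system_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1192462390.789:47): avc:  denied  { name_bind } for  pid=1800 comm="ypbind" src=631 scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1192462400.000:48): avc:  granted  { setenforce } for  pid=3001 comm="setenforce" scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security'

# summarise_avc: reads audit records on stdin and prints one line per denial:
#   <comm> <source type> <target type> <object class> <denied permission(s)>
# Only "type=AVC ... denied" records count; SYSCALL and "granted" lines are ignored.
summarise_avc() {
  awk '
    /^type=AVC / && / denied / {
      # The permission list sits between the braces after "denied".
      perm = $0
      sub(/.*denied[ ]+\{ */, "", perm)
      sub(/ *\}.*/, "", perm)
      comm = ""; st = ""; tt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
        # A context is user:role:type:level, so the type is the third field.
        if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
        if ($i ~ /^tcontext=/) { split($i, b, ":"); tt = b[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      print comm, st, tt, cls, perm
    }'
}

# denial_counts: how many denials each source-type -> target-type pair produced,
# most frequent first. A single pair with many hits usually points at one
# mislabelled path or one boolean, rather than "SELinux going nuts".
denial_counts() {
  summarise_avc | awk '{ c[$2 " -> " $3]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# Stand-alone run on the constructed sample. On a real box the equivalent is
#   summarise_avc < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarise_avc
printf '%s\n' "$SAMPLE_AUDIT_LOG" | denial_counts
```

Reading the summary is the reproducible step Nigel asks for: if the service misbehaves and there is no matching denial for its domain in the log, SELinux is not the cause, and if there is one, the source and target types say whether the fix is a relabel, a boolean such as the allow_ypbind one Dan names, or a policy update.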

