Steve wrote:
Max,
To answer your question from yesterday, I had been getting the same errors even before I installed the policies yesterday which is strange because the messages indicate that a policy was loaded.
Is there a built-in default policy?
Yes there is a default policy that comes with fedora. You did however
set SELinux in permissive so its going to be hard to tell when exactly
the problem began, whether it started before or after the upgrade. You
used preupgrade so its possible this screwed the pooch somehow, I used
preupgrade on a box but all went smoothly, at least it appeared that
way, I had other qualms with preupgrade so I blew that upgrade away and
did a fresh install. However I don't run SELinux in permissive and this
may be the deciding factor, I just don't know.
Where do I go from here?
0 - Well one option, that I don't generally encourage unless your in
hurry, is to do a fresh install of F9. You won't learn anything and
you've expressed interest in SELinux so I would encourage you to take
advantage of the learning oppurtunity, especially if your dual booting
and its a very minor inconvenience to reboot a desktop/laptop machine,
at least as far as I am concerned.
1 - Check for bugs against preupgrade that relate to SELinux and check
for bugs against SETroubleshoot. I'm pretty sure SEtroubleshoot is a
symptom not a cause of your problem but it doesn't hurt to check.
https://bugzilla.redhat.com/
2 - The only other sane thing I could advise you too do is bounce your
question off the fedora-selinux list. I would include a reference to
this thread and all the relevant details. The kernel your running, the
policy version (rpm -qa | grep selinux...setrouble) , setroubleshoot
version, the error messages below , and that you run in permissive and
used preupgrade to go from f8 to f9.
This will ensure that the right people see your message, this list is
also monitored but I think when they get busy fedora-selinux is likely
to still get checked more often than fedora-list.
I don't have any other sane suggestions left. I feel like the answer is
right there but I can't quite put my finger on it. If you feel like
being a guinea pig and are willing to absolve me of all responsibility
then let me know:^) My curiosity is peaked so I will try to dig up what
I can and I'll let you know if I feel like I have found a good answer.
Take it easy,
Max
P.S. - this line from the output below :
SELinux: policy loaded with handle_unknown=deny
Something about this is bugging me, I am checking with google but so far
I haven't found what I am looking for, try searching for this and see
what you come up with... I think it should be set to allow on fedora but
I am not sure of the circumstances under which it would be set to
allow/deny so I could be wrong....it has to do, IIRC, with other
security checks in the kernel? I am not finding the same info I did
before on this and my memory isn't playing ball.
--
Fortune favors the BOLD
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
