Re: setroubleshoot problem


Steve wrote:
Max,

To answer your question from yesterday, I had been getting the same errors even before I installed the policies yesterday which is strange because the messages indicate that a policy was loaded.


Is there a built-in default policy?

Yes, there is a default policy that comes with Fedora. You did however set SELinux in permissive so it's going to be hard to tell when exactly the problem began, whether it started before or after the upgrade. You used preupgrade so it's possible this screwed the pooch somehow. I used preupgrade on a box but all went smoothly, at least it appeared that way. I had other qualms with preupgrade so I blew that upgrade away and did a fresh install. However I don't run SELinux in permissive and this may be the deciding factor, I just don't know.

Where do I go from here?

0 - Well, one option, that I don't generally encourage unless you're in a hurry, is to do a fresh install of F9. You won't learn anything and you've expressed interest in SELinux so I would encourage you to take advantage of the learning opportunity, especially if you're dual booting and it's a very minor inconvenience to reboot a desktop/laptop machine, at least as far as I am concerned.

1 - Check for bugs against preupgrade that relate to SELinux and check for bugs against SETroubleshoot. I'm pretty sure SEtroubleshoot is a symptom not a cause of your problem but it doesn't hurt to check.

https://bugzilla.redhat.com/

2 - The only other sane thing I could advise you to do is bounce your question off the fedora-selinux list. I would include a reference to this thread and all the relevant details: the kernel you're running, the policy version (rpm -qa | grep selinux...setrouble), setroubleshoot version, the error messages below, and that you run in permissive and used preupgrade to go from f8 to f9. This will ensure that the right people see your message; this list is also monitored but I think when they get busy fedora-selinux is likely to still get checked more often than fedora-list.

I don't have any other sane suggestions left. I feel like the answer is right there but I can't quite put my finger on it. If you feel like being a guinea pig and are willing to absolve me of all responsibility then let me know :^) My curiosity is piqued so I will try to dig up what I can and I'll let you know if I feel like I have found a good answer.

Take it easy,

Max

P.S. - this line from the output below:

SELinux: policy loaded with handle_unknown=deny

Something about this is bugging me. I am checking with Google but so far I haven't found what I am looking for; try searching for this and see what you come up with... I think it should be set to allow on Fedora but I am not sure of the circumstances under which it would be set to allow/deny so I could be wrong... it has to do, IIRC, with other security checks in the kernel? I am not finding the same info I did before on this and my memory isn't playing ball.


--
Fortune favors the BOLD
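
Added example, not part of the original message: a small POSIX shell script that gathers the details listed in suggestion 2 and reports the handle_unknown setting, both from kernel log text and from the running kernel. The function names, the sample log lines and the selinuxfs mount points (/sys/fs/selinux or the older /selinux) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: gather the details suggested for a fedora-selinux report.

# Constructed sample kernel log lines (not taken from the thread's output).
SAMPLE_LOG='kernel: SELinux: policy loaded with handle_unknown=allow
kernel: audit: unrelated constructed line
kernel: SELinux: policy loaded with handle_unknown=deny'

# Print the handle_unknown value from the last policy-load line on stdin.
handle_unknown_from_log() {
    sed -n 's/.*SELinux:.*policy loaded with handle_unknown=\([a-z]*\).*/\1/p' |
        tail -n 1
}

# Print the running kernel's setting as exposed by selinuxfs.
# Assumption: selinuxfs is mounted at /sys/fs/selinux or the older /selinux.
handle_unknown_from_selinuxfs() {
    for d in /sys/fs/selinux /selinux; do
        [ -r "$d/deny_unknown" ] || continue
        if [ "$(cat "$d/reject_unknown" 2>/dev/null)" = "1" ]; then echo reject
        elif [ "$(cat "$d/deny_unknown")" = "1" ]; then echo deny
        else echo allow
        fi
        return 0
    done
    echo unavailable
}

# Collect kernel, mode, package versions and handle_unknown in one report.
selinux_report() {
    echo "kernel: $(uname -r)"
    if command -v getenforce >/dev/null 2>&1; then
        echo "mode: $(getenforce 2>/dev/null)"
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa | grep -E 'selinux|setroubleshoot' | sort || true
    fi
    echo "handle_unknown (selinuxfs): $(handle_unknown_from_selinuxfs)"
    echo "handle_unknown (dmesg): $(dmesg 2>/dev/null | handle_unknown_from_log)"
}

# "sh script.sh report" prints the live report; otherwise parse the sample.
if [ "${1:-}" = "report" ]; then
    selinux_report
else
    printf '%s\n' "$SAMPLE_LOG" | handle_unknown_from_log
fi
```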
