Fedora Linux Support Community & Resources Center
  #1  
Old 26th May 2012, 02:53 PM
lmcogs Offline
Registered User
 
Join Date: Dec 2007
Posts: 247
Selinux problems again?

I have selinux on permissive and I keep getting a lot, a lot of detected problems, sometimes 30, and I have worked my way thru them several times but they keep coming back. I use the suggestion from the notify admin where it says
allow this access for now by executing:
# grep sendmail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

But the problems reappear: Selinux avc denial. I can't be expected to go thru this all the time, I would end up doing nothing else. I did have selinux switched off at one point. I have 3.3.7-1.fc17.x86_64. Between selinux and abrt I am being hassled big time. I do like the idea of protection but this has been going on for years. Do I really need these 2 programs since I am the only one using the computer?
  #2  
Old 26th May 2012, 03:01 PM
lklaus Offline
Registered User
 
Join Date: Feb 2009
Posts: 81
Re: Selinux problems again?

Well, if you had selinux turned off for some time, you most probably have some mislabelled files and directories. You should do a "touch /.autorelabel" and reboot. Then your problems should go away, as f17 policy isn't too bad, I'd say. It's good to have selinux active, even if you are the only person using the machine. I use selinux in enforcing mode, and don't have problems.

Klaus
  #3  
Old 26th May 2012, 03:17 PM
rclark Offline
Registered User
 
Join Date: Nov 2004
Location: MT USA
Posts: 689
Re: Selinux problems again?

Quote:
I did have selinux switched off at one point
First thing after I boot up a new system is disable selinux and don't use LVM. Two things I want no hassle with.
  #4  
Old 26th May 2012, 04:45 PM
lmcogs Offline
Registered User
 
Join Date: Dec 2007
Posts: 247
Re: Selinux problems again?

Klaus, thanks for the reply. I did that and rebooted, went thru 'Recreate Volatile Files and Dirs' on boot. But I got 35 selinux problems. How come it says in the Selinux alert browser
"
If you believe that dbus-daemon should be allowed getattr access on the 1.ref fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dbus-daemon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp"

I have gone thru all problems with above but doesn't seem to do any good. I notice at the bottom of the Notify Admin alert
"Hash: dbus-daemon,system_dbusd_t,systemd_logind_sessions_t,fifo_file,getattr

audit2allow
unable to open /sys/fs/selinux/policy: Permission denied
audit2allow -R
unable to open /sys/fs/selinux/policy: Permission denied"
  #5  
Old 26th May 2012, 05:09 PM
lklaus Offline
Registered User
 
Join Date: Feb 2009
Posts: 81
Re: Selinux problems again?

Ok, first thing, you have to create (or at least insert) policies as root. Also, your log files might not be readable for the normal user. So root necessary, too...

I don't know where this 1.ref file comes from. You might have installed some app that is selinux ignorant and puts files somewhere where they are not expected. It might be interesting if you post the denials "in the clear", i.e. you only use:
grep dbus-daemon /var/log/audit/audit.log
and paste the output
Reply With Quote
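
An added example, not part of any post in this thread: a small Python triage of raw AVC lines of the kind post #5 asks for. It groups denials into the same comm / source type / target type / class / permission tuple that the alert's "Hash:" line shows, and separates targets typed file_t or unlabeled_t (which point to a relabel, as post #2 suggests) from denials that need a policy decision. The log lines, paths and the smbd case are constructed samples.

```python
import re
from collections import Counter

# Constructed sample in audit.log format (not output from the poster's system).
SAMPLE_LOG = """\
type=AVC msg=audit(1338040000.101:210): avc:  denied  { getattr } for  pid=801 comm="dbus-daemon" path="/run/systemd/sessions/1.ref" dev="tmpfs" ino=15001 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1338040000.101:210): arch=c000003e syscall=5 success=yes exit=0 comm="dbus-daemon"
type=AVC msg=audit(1338040060.330:214): avc:  denied  { getattr } for  pid=801 comm="dbus-daemon" path="/run/systemd/sessions/1.ref" dev="tmpfs" ino=15001 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=fifo_file
type=AVC msg=audit(1338040100.512:230): avc:  denied  { read open } for  pid=1422 comm="smbd" path="/srv/media" dev="sda3" ino=2621 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\w+)'
)
# Types carried by files that have no valid label, e.g. created while
# SELinux was disabled. Treating them as "relabel first" is a heuristic.
UNLABELED = {"file_t", "unlabeled_t"}

def ctx_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize(log_text):
    """Count denials per (comm, source type, target type, class, perm)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other non-AVC records
        for perm in m["perms"].split():
            key = (m["comm"], ctx_type(m["s"]), ctx_type(m["t"]), m["cls"], perm)
            counts[key] += 1
    return counts

def triage(counts):
    """Split denial keys into relabel candidates and policy-review items."""
    relabel = sorted(k for k in counts if k[2] in UNLABELED)
    review = sorted(k for k in counts if k[2] not in UNLABELED)
    return relabel, review

if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    relabel, review = triage(counts)
    for label, keys in (("relabel first", relabel), ("review policy", review)):
        for key in keys:
            print(f"{label}: {','.join(key)} x{counts[key]}")
```

On a real system the input would be /var/log/audit/audit.log, read as root.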
  #6  
Old 26th May 2012, 05:14 PM
lmcogs Offline
Registered User
 
Join Date: Dec 2007
Posts: 247
Re: Selinux problems again?

Ah I think that might be the case. I was trying Dr Web, because I need to check some files I downloaded for viruses. I removed it and did the relabel and rebooted and it looks like I have no denials so far after reboot.
  #7  
Old 26th May 2012, 09:18 PM
AdamW Offline
Fedora QA Community Monkey
 
Join Date: Dec 2008
Location: Vancouver, BC
Posts: 4,176
Re: Selinux problems again?

In general, you do have to assume that if you install third party apps or run a public server, you're going to have to do some adjustment of SELinux policies. That's not really a flaw in SELinux, because...it's a security mechanism. It's just like if you run a public server you have to manually configure your firewall carefully, to allow only the minimum necessary amount of access. SELinux by default locks down stuff you might actually want to do if you're really running a mailserver or whatever, because if you _aren't_ running one you don't want that stuff to be allowed. So if you are, you have to carefully allow the specific actions you want. For common use cases like a mail/web server, you'll be able to find guides and docs quite easily with Google.
__________________
Adam Williamson | awilliam AT redhat DOT com
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
  #8  
Old 26th May 2012, 10:47 PM
lklaus Offline
Registered User
 
Join Date: Feb 2009
Posts: 81
Re: Selinux problems again?

Also necessary to mention is that many (most?) apps from the fedora repository do have corresponding policies in selinux-targeted. As I said before, I'm running enforcing, with a few tweaks for non fedora apps.
  #9  
Old 27th May 2012, 01:01 AM
DBelton Offline
Administrator
 
Join Date: Aug 2009
Posts: 7,320
Re: Selinux problems again?

I'm running with selinux set to enforcing and targeted here, and have no issues with it.

There are a few things, though..

1: You said you have selinux set to permissive, so the warnings you get are just that.. warnings.. selinux isn't preventing anything from running if it is in permissive mode.

2: As lklaus mentioned, if you have ever run with selinux disabled, then you need to completely relabel your filesystem. Any files created, etc... while selinux was disabled will not have proper contexts defined.

3: As Adam mentioned, if you install third party applications, then you may have to create your own selinux policies for those applications. Fedora doesn't read your mind and include policies for applications that you might install that aren't in the Fedora repos.

4: The selinux messages you are getting tell you exactly what to do to fix the problem if you wish to allow the application to have the access that it is trying to get. Just follow the directions in the messages.

5: Any other problems?
  #10  
Old 27th May 2012, 01:50 AM
lmcogs Offline
Registered User
 
Join Date: Dec 2007
Posts: 247
Re: Selinux problems again?

Thanks everyone. I have no messages for some time now. I might try enforcing if I can get Samba to work properly so my media player can access shares which I had running ok on f16.
  #11  
Old 27th May 2012, 02:00 AM
DBelton Offline
Administrator
 
Join Date: Aug 2009
Posts: 7,320
Re: Selinux problems again?

To get samba to work properly with selinux, read your /etc/samba/smb.conf file. It tells you everything you need to set samba and selinux up to work together.

copied from /etc/samba/smb.conf:
Code:
# Note: Run the "testparm" command after modifying this file to check for basic
# syntax errors.
#
#---------------
# Security-Enhanced Linux (SELinux) Notes:
#
# Turn the samba_domain_controller Boolean on to allow Samba to use the useradd
# and groupadd family of binaries. Run the following command as the root user to
# turn this Boolean on:
# setsebool -P samba_domain_controller on
#
# Turn the samba_enable_home_dirs Boolean on if you want to share home
# directories via Samba. Run the following command as the root user to turn this
# Boolean on:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory, such as a new top-level directory, label it
# with samba_share_t so that SELinux allows Samba to read and write to it. Do
# not label system directories, such as /etc/ and /home/, with samba_share_t, as
# such directories should already have an SELinux label.
#
# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
# label for a given directory.
#
# Set SELinux labels only on files and directories you have created. Use the
# chcon command to temporarily change a label:
# chcon -t samba_share_t /path/to/directory
#
# Changes made via chcon are lost when the file system is relabeled or commands
# such as restorecon are run.
#
# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
# directories. To share such directories and only allow read-only permissions:
# setsebool -P samba_export_all_ro on
# To share such directories and allow read and write permissions:
# setsebool -P samba_export_all_rw on
#
# To run scripts (preexec/root prexec/print command/...), copy them to the
# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
# their existing SELinux labels, which may be labels that SELinux does not allow
# smbd to run. Copying the scripts will result in the correct SELinux labels.
# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
# apply the correct SELinux labels to these files.
#
#--------------
  #12  
Old 29th May 2012, 09:02 PM
Magickman Offline
Registered User
 
Join Date: Oct 2008
Posts: 326
Re: Selinux problems again?

I too was having SELinux problems. Here is a solution: yum remove selinux* then reboot. Solves the problems for good.
  #13  
Old 30th May 2012, 05:08 AM
lklaus Offline
Registered User
 
Join Date: Feb 2009
Posts: 81
Re: Selinux problems again?

Which is not the "officially supported" solution :-)