SE Linux Questions

Jim Cornette redhat-jc at insight.rr.com
Tue Apr 13 23:05:40 UTC 2004


Jason Montleon wrote:
> First off I profess total newbie when it comes to SE Linux, I've been 
> reading SE Linux and SE Linux Policy HOWTO's and FAQ's for the last 
> couple days and my head is spinning, so bear with me.
> 
> I have my system running in runlevel 3, which is how I prefer.
> When I log in with my account on my system I get the following:
> 
> Your default context is user_u:sysadm_r:sysadm_t.
> 
> Do you want to choose a different one? [n]
> 

Same here!

> I choose no and move on, fair enough.  However, if I try to run startx I 
> get the following :
> Apr 13 11:21:01 fc2 kernel: audit(1081869661.602:0): avc:  denied  { 
> search } for  pid=8996 exe=/usr/X11R6/bin/xauth name=jason dev=hda4 
> ino=581186 scontext=user_u:sysadm_r:sysadm_xauth_t 
> tcontext=system_u:object_r:user_home_dir_t tclass=dir
> 

I got a blank screen that was in graphical mode and no response from 
keyboard entries. Originally, my lockup happened after fully updating my 
system, then trying to power off. The screen locked up in graphical mode 
and made lots of bad noises.

> 
> So I logged out (newrole doesn't seem to be playing nice but that could 
> be matter of PEBCAK)
> and back in this time selecting user_u:user_r:user:t
> Now I can run startx but when I try to run the system-control-network 
> program, I just get tons of these messages on the screen if I hit 
> Ctrl-Alt-F[1-6]:

Same here, but it was the worst when changing directories. mc crashed a 
few times and other times hung tough, but needed to have "clear" run to 
restore the screen to a usable state.

> Apr 13 11:11:12 fc2 kernel: audit(1081869072.436:0): avc:  denied  { 
> setuid } for  pid=1237 exe=/bin/bash capability=7 
> scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t 
> tclass=capability
> Apr 13 11:11:12 fc2 kernel: audit(1081869072.471:0): avc:  denied  { 
> setuid } for  pid=1237 exe=/usr/sbin/usernetctl capability=7 
> scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t 
> tclass=capability
> 
> Using su to login as me again I choose user_u:sysadm_r:sysadm_t in a 
> gnome-terminal or xterm or whatever and now when I run 
> system-control-network from that terminal and it runs as expected (as a 
> user, which I have by the way configured users to be able to 
> activate/deactivate the network interface)
> 
> Also I originally had sendmail installed and did 'rpm -e --nodeps 
> sendmail' then 'yum install postfix'. Now when postfix starts at system 
> boot up it is giving this error message:
> Apr 13 10:27:24 fc2 kernel: audit(1081866443.844:0): avc:  denied  { 
> write } for  pid=1356 exe=/usr/sbin/postalias name=postfix dev=hda4 
> ino=1904993 scontext=system_u:system_r:postfix_master_t 
> tcontext=system_u:object_r:postfix_etc_t tclass=dir
> 
> I'm not asking how to fix all this per se; when my head stops swimming 
> in info and sorts it out I'll manage that, but how much of this is 
> bad/unsorted out default policy problems that needs to be told to the 
> proper person/bugzilla'd and how much is just getting used to the ways 
> of SE Linux?

Handling of these avc errors probably needs to be handled by some 
automated feedback, such as bug-buddy. These outputs could be emailed to 
the developers and they could run the proper processes on receipt. I'd 
like to help, but my head spins and the frustration level of massive 
failure for "used to work alright" processes.

If the bug-buddy idea would overload mail servers, maybe a cron job set 
to parse repeated errors locally and to mail the reports periodically 
might work to reduce all of the policy related security linux errors.

Jim

> 
> This is with all RPM's updated as of 30 minutes or so ago...
> 
> Thanks,
> Jason
> 

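Jim's idea of a local cron job that parses repeated denials and mails a digest, as an added Python sketch (not code from the thread, Fedora, or bug-buddy): it groups the AVC lines quoted above by permission, source context, target context and object class, so a report carries one line per policy gap instead of one per repeat. The sample log is constructed from the messages quoted in this thread; everything else (function names, report format) is assumed.

```python
import re
from collections import defaultdict

# Constructed sample: the denials quoted in this thread, unwrapped onto one
# syslog line each (the mail client had wrapped them).
SAMPLE_LOG = """\
Apr 13 10:27:24 fc2 kernel: audit(1081866443.844:0): avc:  denied  { write } for  pid=1356 exe=/usr/sbin/postalias name=postfix dev=hda4 ino=1904993 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:postfix_etc_t tclass=dir
Apr 13 11:11:12 fc2 kernel: audit(1081869072.436:0): avc:  denied  { setuid } for  pid=1237 exe=/bin/bash capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
Apr 13 11:11:12 fc2 kernel: audit(1081869072.471:0): avc:  denied  { setuid } for  pid=1237 exe=/usr/sbin/usernetctl capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
Apr 13 11:21:01 fc2 kernel: audit(1081869661.602:0): avc:  denied  { search } for  pid=8996 exe=/usr/X11R6/bin/xauth name=jason dev=hda4 ino=581186 scontext=user_u:sysadm_r:sysadm_xauth_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
"""

AVC_RE = re.compile(r"audit\((?P<ts>\d+)\.\d+:\d+\): avc:\s+denied\s+"
                    r"\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$")

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = dict(t.split("=", 1) for t in m.group("rest").split() if "=" in t)
    return {"ts": int(m.group("ts")), "perms": m.group("perms").split(),
            "exe": kv.get("exe", "?"), "scontext": kv.get("scontext", "?"),
            "tcontext": kv.get("tcontext", "?"), "tclass": kv.get("tclass", "?")}

def summarize(log_text):
    """Group identical denials (permission, source domain, target type, class)
    so the digest carries one line per policy gap, not one per repeat."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "exes": set()})
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        for perm in rec["perms"]:
            g = groups[(perm, rec["scontext"], rec["tcontext"], rec["tclass"])]
            g["count"] += 1
            g["first"] = rec["ts"] if g["first"] is None else min(g["first"], rec["ts"])
            g["last"] = rec["ts"] if g["last"] is None else max(g["last"], rec["ts"])
            g["exes"].add(rec["exe"])
    return dict(groups)

def format_report(groups):
    """One line per denial group, most frequent first; this is the mail body."""
    rows = sorted(groups.items(), key=lambda kv: -kv[1]["count"])
    return "\n".join(
        f"{g['count']:4d}x {{ {perm} }} {sctx} -> {tctx} ({tclass}) "
        f"exe={','.join(sorted(g['exes']))} span={g['last'] - g['first']}s"
        for (perm, sctx, tctx, tclass), g in rows)

if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG)))
```

Run from cron against /var/log/messages (or dmesg output) and pipe the report into mail; the per-group count and time span tell a policy maintainer at a glance whether a denial is a one-off or a constantly hit gap.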
More information about the fedora-test-list mailing list