setroubleshoot problem

Steve zephod at cfl.rr.com
Wed Jul 16 13:16:16 UTC 2008


---- max bianco <maximilianbianco at gmail.com> wrote: 
> On Tue, Jul 15, 2008 at 9:20 AM, Steve <zephod at cfl.rr.com> wrote:
> >
> > ---- max bianco <maximilianbianco at gmail.com> wrote:
> >> On Mon, Jul 14, 2008 at 8:55 AM, Steve <zephod at cfl.rr.com> wrote:
> >> > I went to start setroubleshoot, Applications->System Tools->SE Linux Troubleshooter and I get this message:
> >> >
> >> > connection failed at /var/run/setroubleshoot/setroubleshoo_tserver. Connection refused
> >> >
> >> > #ls -lZ /var/run/setroubleshoot/setroubleshoot_server
> >> > srw-rw-rw-  root root system_u:object_r:setroubleshoot_var_run_t /var/run/setroubleshoot/setroubleshoot_server
> >> >
> >> That looks right. Is it F8 or F9?
> >> SETroubleshoot is usually on, do you remember why you turned it off?
> >
> > This is F9 and I didn't turn setroubleshoot off - not on purpose, anyway  }-P
> > If I look in System->Administration->Services at setroubleshootd, it says that it is enabled but the status is unknown
> >
> It usually runs in the background and only wakes up when needed,
> however you should still be able to run it from Applications-->System
> Tools-->SELinux Troubleshooter without a problem. I can in fact do
> that here. 

# ps -ef | grep setroubleshoot
root      4380  4331  0 08:48 pts/0    00:00:00 grep setroubleshoot

# chkconfig --list | grep setroubleshoot 
setroubleshoot 	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Hmmm. So why isn't it running? ...Ah-ha! Found this in /var/log/messages:
setroubleshoot: [program.ERROR] setroubleshoot generated AVC, exiting to avoid recursion, context=system_u:system_r:setroubleshootd_t:s0, AVC scontext=system_u:system_r:setroubleshootd_t:s0
... 
setroubleshoot: [rpc.ERROR] attempt to open server connection failed: Connection refused

> Do you have all current updates? 
Yes.

> Do you know what version of policy you are running? 
Don't know.

> Have you recently installed any custom policy? 
No.

> Did you switch SELinux to permissive recently ?  
No. I have always run in permissive mode.

> I assume you have stopped and restarted the service. 
Seems like the service can never start. See above.

> Which kernel are you running?
# uname -sr
Linux 2.6.25.6-55.fc9.x86_64

> Have you checked for bugs filed against setroubleshoot? There are
> quite a few bugs filed against it, maybe one of these is related to
> the problem you're having.
I will look.

> Try these commands:
> 
> rpm -qa 'selinux*'
# rpm -qa "selinux*"
#
# rpm -qa | grep selinux
libselinux-devel-2.0.64-2.fc9.i386
libselinux-python-2.0.64-2.fc9.x86_64
libselinux-devel-2.0.64-2.fc9.x86_64
libselinux-2.0.64-2.fc9.i386
libselinux-2.0.64-2.fc9.x86_64
#

Huh. Seems that there is no selinux policy installed.

# yum search selinux-policy
Loaded plugins: fedorakmod, refresh-packagekit
===================================================================== Matched: selinux-policy =====================================================================
selinux-policy.noarch : SELinux policy configuration
selinux-policy-devel.noarch : SELinux policy development
selinux-policy-mls.noarch : SELinux mls base policy
selinux-policy-targeted.noarch : SELinux targeted base policy

# yum install selinux-policy.noarch selinux-policy-targeted.noarch
...

  Installing     : selinux-policy-targeted                           [2/2] 
libsepol.scope_copy_callback: moilscanner: Duplicate declaration in module: type/attribute mailscanner_spool_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!
libsepol.sepol_user_modify: undefined role unconfined_r for user unconfined_u
libsepol.sepol_user_modify: could not load (null) into policy
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local modifications into policy
/usr/sbin/semanage: Could not add SELinux user unconfined_u
libsemanage.validate_handler: selinux user unconfined_u does not exist (No such file or directory).
libsemanage.validate_handler: seuser mapping [__default__ -> (unconfined_u, s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not modify login mapping for __default__
libsemanage.validate_handler: selinux user unconfined_u does not exist (No such file or directory).
libsemanage.validate_handler: seuser mapping [root -> (unconfined_u, s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not modify login mapping for root
libsepol.sepol_user_modify: undefined role guest_r for user guest_u
libsepol.sepol_user_modify: could not load (null) into policy
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local modifications into policy
/usr/sbin/semanage: Could not add SELinux user guest_u
libsepol.sepol_user_modify: undefined role xguest_r for user xguest_u
libsepol.sepol_user_modify: could not load (null) into policy
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local modifications into policy
/usr/sbin/semanage: Could not add SELinux user xguest_u
warning: /etc/selinux/targeted/contexts/customizable_types saved as /etc/selinux/targeted/contexts/customizable_types.rpmorig
warning: /etc/selinux/targeted/contexts/default_contexts saved as /etc/selinux/targeted/contexts/default_contexts.rpmorig
warning: /etc/selinux/targeted/contexts/default_type created as /etc/selinux/targeted/contexts/default_type.rpmnew
warning: /etc/selinux/targeted/contexts/initrc_context created as /etc/selinux/targeted/contexts/initrc_context.rpmnew
warning: /etc/selinux/targeted/contexts/securetty_types created as /etc/selinux/targeted/contexts/securetty_types.rpmnew
warning: /etc/selinux/targeted/contexts/users/root created as /etc/selinux/targeted/contexts/users/root.rpmnew

Installed: selinux-policy.noarch 0:3.3.1-74.fc9 selinux-policy-targeted.noarch 0:3.3.1-74.fc9
Complete!
#
Lots of warnings there.

> rpm -qa 'setrouble*'
# rpm -qa | grep 'setrouble*'
setroubleshoot-2.0.8-2.fc9.noarch
setroubleshoot-plugins-2.0.4-5.fc9.noarch
setroubleshoot-server-2.0.8-2.fc9.noarch
#

> sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 22
Policy from config file:        targeted
#
Well that answers the earlier question about the policy version.

> uname -a
Linux xxxxx 2.6.25.6-55.fc9.x86_64 #1 SMP Tue Jun 10 16:05:21 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux

> 
> Post the results, with that info there might be more help to be had.
That's a lot of data. Hope it's not too much.

Steve
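
The message above surfaces three distinct failure signatures: no policy package for the configured policy type, setroubleshootd exiting on an AVC in its own domain, and a duplicate type declaration that makes the semodule link step fail. The script below checks for all three. It is an added example, not part of the original post; the function names and finding labels are made up for illustration, and the sample input is constructed from lines quoted in the message.

```shell
#!/bin/sh
# Added example. Sample input is constructed from lines quoted in the post.

# True if the policy package for type $1 (e.g. "targeted") is in the
# `rpm -qa` listing read from stdin.
has_policy_pkg() {
    grep -Eq "^selinux-policy-$1-[0-9]"
}

# True if the syslog text on stdin shows setroubleshootd exiting because
# it triggered an AVC in its own domain.
self_avc_exit() {
    grep -q 'setroubleshoot generated AVC, exiting to avoid recursion'
}

# Print "<module> <type>" for every duplicate declaration that made
# semodule's link step fail (installer output on stdin).
dup_declarations() {
    sed -n 's|^libsepol\.scope_copy_callback: \([^:]*\): Duplicate declaration in module: type/attribute \(.*\)$|\1 \2|p'
}

# triage <policy-type> <rpm-list-file> <syslog-file> <install-output-file>
# Prints one finding per line; prints nothing when all checks pass.
triage() {
    has_policy_pkg "$1" < "$2" || echo "missing-policy-package selinux-policy-$1"
    if self_avc_exit < "$3"; then echo "setroubleshootd-self-avc"; fi
    dup_declarations < "$4" | while read -r mod type; do
        echo "duplicate-type module=$mod type=$type"
    done
}

# Constructed sample input, taken from the output quoted in the post.
sample_dir=$(mktemp -d)
cat > "$sample_dir/rpm.txt" <<'EOF'
libselinux-python-2.0.64-2.fc9.x86_64
libselinux-2.0.64-2.fc9.x86_64
EOF
cat > "$sample_dir/messages.txt" <<'EOF'
setroubleshoot: [program.ERROR] setroubleshoot generated AVC, exiting to avoid recursion, context=system_u:system_r:setroubleshootd_t:s0
setroubleshoot: [rpc.ERROR] attempt to open server connection failed: Connection refused
EOF
cat > "$sample_dir/install.txt" <<'EOF'
libsepol.scope_copy_callback: moilscanner: Duplicate declaration in module: type/attribute mailscanner_spool_t
libsemanage.semanage_link_sandbox: Link packages failed
EOF
triage targeted "$sample_dir/rpm.txt" "$sample_dir/messages.txt" "$sample_dir/install.txt"
```

On a live system the three inputs would come from `rpm -qa`, `/var/log/messages` and the saved output of the policy install, with the policy type taken from the "Policy from config file" line of `sestatus`.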



