Problem upgrading FC2 -> FC3

Jouni Viikari jouni.viikari at vip.fi
Sun Nov 14 10:06:38 UTC 2004


Hi,

I upgraded my FC2 system (which did not have selinux enabled) to FC3.
After the upgrade selinux was not enabled.

First I tried to enable it by using system-config-securitylevel.  On
boot I got plenty of error messages on the console (nothing showed up in the
system logs).  I immediately rebooted again with selinux disabled.

Next I installed the selinux-policy-targeted-sources package and did:

cd /etc/selinux/targeted/src/policy
make
make relabel

Now when I reboot things look quite OK except:

1)  Contrary to the http://fedora.redhat.com/docs/selinux-faq-fc3/ pages,
id -Z shows:
root:system_r:unconfined_t
(not root:sysadm_r:sysadm_t)

(After su -)

I only tried removing and reinstalling the pam package (system-auth was
changed, but there was no system-auth.rpmnew).
This had no effect.

2) ISDN does not start correctly on boot:

The first problem was that even without selinux the test in the isdn rc-script
failed on:

isdnctrl list all >/dev/null 2>&1
if [ $? = 0 ] ; then

(prints Can't open /dev/isdnctrl or /dev/isdn/isdnctrl: No such file or
directory)

I guess this is a udev-related problem?

However, with this test disabled it works without selinux.  With selinux I
get on boot:

kernel: audit(1100423485.839:0): avc:  denied  { create } for  pid=2610 exe=/sbin/MAKEDEV name=isdnctrl scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:tty_device_t tclass=lnk_file

The 'mgetty ttyI' processes do open but do not work.

After boot "service isdn start" works even with selinux (I need to make
it work in boot) and devices operate properly.

3)  Now if I try to start "system-config-securitylevel" *with selinux
enabled* I just get:
Traceback (most recent call last):
  File "/usr/share/system-config-securitylevel/system-config-securitylevel.py", line 18, in ?
    app.stand_alone()
  File "/usr/share/system-config-securitylevel/securitylevel.py", line 427, in stand_alone
    self.selinuxPage = selinuxPage.selinuxPage()
  File "/usr/share/system-config-securitylevel/selinuxPage.py", line 329, in __init__
    self.refreshTunables(self.initialtype)
  File "/usr/share/system-config-securitylevel/selinuxPage.py", line 427, in refreshTunables
    self.loadBooleans()
  File "/usr/share/system-config-securitylevel/selinuxPage.py", line 418, in loadBooleans
    on=rec[3]=="1"
IndexError: list index out of range

I have never seen there a way to make httpd work without selinux.  When
running the box with selinux disabled I see only the named (rndc) option and
the get... option on screen.

4)  Most of my web pages do not work (most of these are PHP-based
pages):

Nov 14 11:20:53 srv kernel: audit(1100424053.389:0): avc:  denied  { execute } for  pid=4416 exe=/usr/sbin/httpd name=rrdcgi dev=dm-0 ino=3542815 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=file
Nov 14 11:20:59 srv kernel: audit(1100424059.745:0): avc:  denied  { getattr } for  pid=4415 exe=/usr/sbin/httpd path=/opt/bb/bb1.9e-btf/www/bb.html dev=dm-0 ino=1491992 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=file
Nov 14 11:20:59 srv kernel: audit(1100424059.745:0): avc:  denied  { getattr } for  pid=4415 exe=/usr/sbin/httpd path=/opt/bb/bb1.9e-btf/www/bb.html dev=dm-0 ino=1491992 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=file
Nov 14 11:21:50 srv kernel: audit(1100424110.999:0): avc:  denied  { write } for  pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=3932284 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_lib_t tclass=sock_file
Nov 14 11:21:52 srv kernel: audit(1100424112.001:0): avc:  denied  { write } for  pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=3932284 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_lib_t tclass=sock_file
Nov 14 11:21:53 srv kernel: audit(1100424113.003:0): avc:  denied  { write } for  pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=3932284 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_lib_t tclass=sock_file
Nov 14 11:21:54 srv kernel: audit(1100424114.004:0): avc:  denied  { write } for  pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=3932284 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_lib_t tclass=sock_file
Nov 14 11:22:09 srv kernel: audit(1100424129.740:0): avc:  denied  { read } for  pid=4421 exe=/usr/sbin/httpd name=sh dev=dm-0 ino=3443116 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
Nov 14 11:22:09 srv kernel: audit(1100424129.741:0): avc:  denied  { read } for  pid=4422 exe=/usr/sbin/httpd name=sh dev=dm-0 ino=3443116 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
Nov 14 11:22:13 srv kernel: audit(1100424133.029:0): avc:  denied  { execute } for  pid=4423 exe=/usr/sbin/httpd name=rrdcgi dev=dm-0 ino=3542815 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=file

I wonder how I could make these work without opening up selinux too much?


What is the best way to upgrade selinux to the same state it would be in
after a fresh install of FC3 (reinstalling my server is unfortunately not an
option)?  This would also be good material for the FAQ pages.

Tia,

Jouni
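An added example, not part of the post above and not one of Fedora's own tools: it parses kernel AVC denial lines of the form quoted in the post, groups them by (source type, target type, object class) with the permissions merged, and separates denials on unlabeled targets (type file_t, which is what files with no label carry, so a relabel rather than a policy change is the fix) from denials on properly labeled ones. SAMPLE_LOG is a constructed input built from the post's lines re-joined onto single lines plus one unrelated log line.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines in the same form as the ones in the post, each
# re-joined onto one line, plus one unrelated kernel line that must be ignored.
SAMPLE_LOG = [
    "Nov 14 11:20:53 srv kernel: audit(1100424053.389:0): avc:  denied  { execute } for  pid=4416 exe=/usr/sbin/httpd name=rrdcgi dev=dm-0 ino=3542815 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=file",
    "Nov 14 11:20:59 srv kernel: audit(1100424059.745:0): avc:  denied  { getattr } for  pid=4415 exe=/usr/sbin/httpd path=/opt/bb/bb1.9e-btf/www/bb.html dev=dm-0 ino=1491992 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=file",
    "Nov 14 11:21:50 srv kernel: audit(1100424110.999:0): avc:  denied  { write } for  pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=3932284 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_lib_t tclass=sock_file",
    "Nov 14 11:22:09 srv kernel: audit(1100424129.740:0): avc:  denied  { read } for  pid=4421 exe=/usr/sbin/httpd name=sh dev=dm-0 ino=3443116 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=lnk_file",
    "Nov 14 11:22:10 srv kernel: eth0: link up",
]

# "avc:  denied  { perm ... } for  key=value ..." as printed by the FC3-era kernel.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Parse one kernel AVC denial line into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = sorted(m.group("perms").split())
    return rec

def type_of(context):
    """Third field of a user:role:type security context, e.g. httpd_t."""
    return context.split(":")[2]

def summarize(lines):
    """Group denials by (source type, target type, class) and merge their permissions,
    so each key shows exactly what one allow rule would have to grant."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            grouped[key].update(rec["perms"])
    return {k: sorted(v) for k, v in grouped.items()}

def classify(summary):
    """file_t is the type of a file that carries no SELinux label at all, so those
    denials call for a relabel; everything else is a real policy/context question."""
    return {key: ("relabel" if key[1] == "file_t" else "policy") for key in summary}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for key, perms in s.items():
        print(key, perms, classify(s)[key])
```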