installation of selinux on non-selinux system

Daniel J Walsh dwalsh at redhat.com
Sun Nov 21 15:46:31 UTC 2004


Jim Cornette wrote:

> Daniel J Walsh wrote:
>
>> Jim Cornette wrote:
>>
>>> After upgrading a computer from FC2 to FC3, I decided to give 
>>> SELinux a shot and used up2date to retrieve the rpm for 
>>> selinux-policy-targeted and expected for all needed deps to be 
>>> pulled in. The other dependent packages did not get pulled in with 
>>> this selection. I ended up having system messages not being 
>>> accessible and also httpd being damened with errors. I supposed that 
>>> there was an abnormality on my particular system. Within recent 
>>> days, I have noted others experiencing similar failures on the 
>>> fedora-list. I then decided that this might be a more common problem 
>>> than first expected.
>>>
>>> Another Fedora user was asking questions regarding running fixfiles 
>>> relabel. I noticed that I also did not have fixfiles installed.
>>> <>
>>
>>
>> You need to install policycoreutils and relabel the file system.
>>
> Thanks Dan for the name of the rpm that is needed for fixfiles so 
> relabeling can be performed. My main question is for those systems 
> that are upgraded from non-selinux to systems where selinux is desired 
> to be added.
> If one was to install selinux-policy-targeted via a repository 
> installation, up2date in my case. I would expect the inclusion of 
> other deps being pulled in.
> Selinux gives sort of a working system when using 
> system-config-securitylevel to enable selinux via the gui. I am not 
> too sure if this would introduce "dep hell" if having policycoreutils 
> pulled in when selinux-policy for targeted or strict is pulled from a 
> repo.
>
I have changed selinux-policy-targeted to require policycoreutils so it 
will be pulled in in the future.  Secondly, from the looks of it you are 
running strict policy.  Please either run system-config-securitylevel, 
select targeted policy and reboot (/.autorelabel should be created), 
or edit /etc/selinux/config, change SELINUXTYPE=strict to 
SELINUXTYPE=targeted, touch /.autorelabel and then reboot.

The init scripts will take care of relabeling.

> After relabeling my filesystem again in runlevel 1, I seem to get the 
> same type of errors as experienced before. .mozilla related files 
> seemed to be the major files whose content was tried to be changed 
> when relabeling for strict. See attached avc for today.
> In order to bring up X, running setenforce 0 at a root shell was 
> needed, in order to launch X successfully. If there is some lingering 
> config file, either systemwide or hanging out in the per user 
> directory that is blocking X, I don't know.
>
The strict policy you are running, 1.17.30, is way out of date.  If you 
want to run strict policy you need to grab the one off of Rawhide or my 
people page, update and relabel.  Upgrades from non-SELinux boxes are 
not supported for SELinux for the simple reason that relabeling is 
required.  So your machine ended up in a rather strange state.

> Thanks,
> Jim
>
>> Dan
>
>
>------------------------------------------------------------------------
>
>Nov 21 00:29:59 localhost kernel:  <3>audit(1101014999.006:0): avc:  denied  { remove_name } for  pid=3156 exe=/usr/sbin/userhelper name=.xauthclDLiD dev=hda3 ino=391919 scontext=user_u:user_r:user_userhelper_t tcontext=root:object_r:staff_home_dir_t tclass=dir
>Nov 21 00:29:59 localhost kernel: audit(1101014999.006:0): avc:  denied  { unlink } for  pid=3156 exe=/usr/sbin/userhelper name=.xauthclDLiD dev=hda3 ino=391919 scontext=user_u:user_r:user_userhelper_t tcontext=user_u:object_r:staff_home_dir_t tclass=file
>Nov 21 00:30:05 localhost kernel: audit(1101015005.924:0): avc:  denied  { search } for  pid=3032 exe=/usr/bin/gnome-session name=console dev=hda3 ino=408043 scontext=user_u:user_r:user_t tcontext=system_u:object_r:pam_var_console_t tclass=dir
>Nov 21 00:30:33 localhost kernel: audit(1101015033.363:0): avc:  denied  { write } for  pid=2973 exe=/usr/X11R6/bin/xinit path=/dev/tty2 dev=tmpfs ino=1864 scontext=user_u:user_r:user_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
>Nov 21 00:30:35 localhost dbus: avc:  7 AV entries and 6/512 buckets used, longest chain length 2 
>Nov 21 08:00:19 localhost kernel: audit(1101023972.861:0): avc:  denied  { ioctl } for  pid=613 exe=/bin/bash path=/proc/ide/ide0/hda/media dev=proc ino=-268435122 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:proc_t tclass=file
>Nov 21 08:00:19 localhost kernel: audit(1101023973.069:0): avc:  denied  { ioctl } for  pid=613 exe=/bin/bash path=/proc/ide/ide1/hdc/media dev=proc ino=-268435110 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:proc_t tclass=file
>Nov 21 08:00:19 localhost kernel: audit(1101041993.110:0): avc:  denied  { search } for  pid=1583 exe=/sbin/alsactl name=root dev=hda3 ino=424321 scontext=system_u:system_r:udev_t tcontext=root:object_r:staff_home_dir_t tclass=dir
>Nov 21 08:00:19 localhost kernel: audit(1101041993.180:0): avc:  denied  { search } for  pid=1580 exe=/sbin/alsactl name=root dev=hda3 ino=424321 scontext=system_u:system_r:udev_t tcontext=root:object_r:staff_home_dir_t tclass=dir
>Nov 21 08:00:19 localhost kernel: audit(1101041993.191:0): avc:  denied  { search } for  pid=1577 exe=/sbin/alsactl name=root dev=hda3 ino=424321 scontext=system_u:system_r:udev_t tcontext=root:object_r:staff_home_dir_t tclass=dir
>Nov 21 08:00:19 localhost kernel: audit(1101042010.642:0): avc:  denied  { read } for  pid=1646 exe=/usr/sbin/cpuspeed name=mtab dev=hda3 ino=557700 scontext=system_u:system_r:cpuspeed_t tcontext=system_u:object_r:etc_runtime_t tclass=file
>Nov 21 08:00:19 localhost kernel: audit(1101042010.642:0): avc:  denied  { read } for  pid=1646 exe=/usr/sbin/cpuspeed name=fstab dev=hda3 ino=555388 scontext=system_u:system_r:cpuspeed_t tcontext=system_u:object_r:etc_t tclass=file
>Nov 21 08:00:25 localhost kernel: audit(1101042025.563:0): avc:  denied  { search } for  pid=2197 exe=/usr/sbin/clamd name=clamav dev=hda3 ino=473684 scontext=system_u:system_r:clamd_t tcontext=system_u:object_r:freshclam_log_t tclass=dir
>Nov 21 08:00:27 localhost kernel: audit(1101042027.875:0): avc:  denied  { fowner } for  pid=2250 exe=/sbin/restorecon capability=3 scontext=system_u:system_r:restorecon_t tcontext=system_u:system_r:restorecon_t tclass=capability
>Nov 21 08:00:35 localhost kernel: audit(1101042035.247:0): avc:  denied  { getattr } for  pid=2406 exe=/bin/mount path=/tos1 dev=hda3 ino=489601 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:default_t tclass=dir
>Nov 21 08:00:38 localhost kernel: audit(1101042038.076:0): avc:  denied  { search } for  pid=2388 exe=/usr/sbin/hald name=lib dev=hda3 ino=408002 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:var_lib_t tclass=dir
>Nov 21 08:00:38 localhost kernel: audit(1101042038.076:0): avc:  denied  { search } for  pid=2388 exe=/usr/sbin/hald name=lib dev=hda3 ino=408002 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:var_lib_t tclass=dir
>Nov 21 08:00:38 localhost kernel: audit(1101042038.077:0): avc:  denied  { search } for  pid=2388 exe=/usr/sbin/hald name=lib dev=hda3 ino=408002 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:var_lib_t tclass=dir
>Nov 21 08:04:09 localhost kernel: audit(1101042249.690:0): avc:  denied  { search } for  pid=2894 exe=/usr/X11R6/bin/Xorg name=selinux dev=hda3 ino=603892 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:selinux_config_t tclass=dir
>Nov 21 08:04:09 localhost kernel: audit(1101042249.731:0): avc:  denied  { search } for  pid=2894 exe=/usr/X11R6/bin/Xorg name=console dev=hda3 ino=408043 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:pam_var_console_t tclass=dir
>Nov 21 08:04:51 localhost kernel: audit(1101042291.658:0): avc:  granted  { setenforce } for  pid=2896 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
>Nov 21 08:05:08 localhost kernel: audit(1101042308.913:0): avc:  denied  { search } for  pid=2910 exe=/usr/X11R6/bin/Xorg name=selinux dev=hda3 ino=603892 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:selinux_config_t tclass=dir
>Nov 21 08:05:08 localhost kernel: audit(1101042308.913:0): avc:  denied  { read } for  pid=2910 exe=/usr/X11R6/bin/Xorg name=config dev=hda3 ino=603908 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:selinux_config_t tclass=file
>Nov 21 08:05:08 localhost kernel: audit(1101042308.914:0): avc:  denied  { getattr } for  pid=2910 exe=/usr/X11R6/bin/Xorg path=/etc/selinux/config dev=hda3 ino=603908 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:selinux_config_t tclass=file
>Nov 21 08:05:08 localhost kernel: audit(1101042308.922:0): avc:  denied  { search } for  pid=2910 exe=/usr/X11R6/bin/Xorg name=console dev=hda3 ino=408043 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:pam_var_console_t tclass=dir
>Nov 21 08:05:17 localhost kernel: audit(1101042317.967:0): avc:  denied  { read } for  pid=2986 exe=/usr/bin/ssh-agent name=config dev=hda3 ino=603908 scontext=user_u:user_r:user_ssh_agent_t tcontext=system_u:object_r:selinux_config_t tclass=file
>Nov 21 08:05:17 localhost kernel: audit(1101042317.968:0): avc:  denied  { getattr } for  pid=2986 exe=/usr/bin/ssh-agent path=/etc/selinux/config dev=hda3 ino=603908 scontext=user_u:user_r:user_ssh_agent_t tcontext=system_u:object_r:selinux_config_t tclass=file
>Nov 21 08:05:28 localhost kernel: audit(1101042328.992:0): avc:  denied  { search } for  pid=2910 exe=/usr/X11R6/bin/Xorg name=.gnome2 dev=hda3 ino=1338661 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:user_home_t tclass=dir
>Nov 21 08:05:28 localhost kernel: audit(1101042328.992:0): avc:  denied  { read } for  pid=2910 exe=/usr/X11R6/bin/Xorg name=fonts.dir dev=hda3 ino=1338668 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:user_home_t tclass=file
>Nov 21 08:05:28 localhost kernel: audit(1101042328.992:0): avc:  denied  { getattr } for  pid=2910 exe=/usr/X11R6/bin/Xorg path=/home/jim/.gnome2/share/cursor-fonts/fonts.dir dev=hda3 ino=1338668 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:user_home_t tclass=file
>Nov 21 08:05:38 localhost dbus: avc:  received setenforce notice (enforcing=0) 
>Nov 21 08:05:38 localhost kernel: audit(1101042338.848:0): avc:  denied  { use } for  pid=3046 exe=/bin/mount path=/dev/tty2 dev=tmpfs ino=1864 scontext=user_u:user_r:user_mount_t tcontext=system_u:system_r:local_login_t tclass=fd
>Nov 21 08:09:29 localhost kernel: audit(1101042569.604:0): avc:  denied  { write } for  pid=3093 exe=/usr/sbin/userhelper name=root dev=hda3 ino=424321 scontext=user_u:user_r:user_userhelper_t tcontext=root:object_r:staff_home_dir_t tclass=dir
>Nov 21 08:09:29 localhost kernel: audit(1101042569.604:0): avc:  denied  { add_name } for  pid=3093 exe=/usr/sbin/userhelper name=.xauthDMglgN scontext=user_u:user_r:user_userhelper_t tcontext=root:object_r:staff_home_dir_t tclass=dir
>Nov 21 08:09:29 localhost kernel: audit(1101042569.604:0): avc:  denied  { create } for  pid=3093 exe=/usr/sbin/userhelper name=.xauthDMglgN scontext=user_u:user_r:user_userhelper_t tcontext=user_u:object_r:staff_home_dir_t tclass=file
>Nov 21 08:09:29 localhost kernel: audit(1101042569.630:0): avc:  denied  { setattr } for  pid=3093 exe=/usr/sbin/userhelper name=.xauthDMglgN dev=hda3 ino=424711 scontext=user_u:user_r:user_userhelper_t tcontext=user_u:object_r:staff_home_dir_t tclass=file
>Nov 21 08:09:29 localhost kernel: audit(1101042569.641:0): avc:  denied  { search } for  pid=3095 exe=/usr/X11R6/bin/xauth name=root dev=hda3 ino=424321 scontext=user_u:user_r:user_xauth_t tcontext=root:object_r:staff_home_dir_t tclass=dir
>Nov 21 08:09:29 localhost kernel: audit(1101042569.642:0): avc:  denied  { write } for  pid=3095 exe=/usr/X11R6/bin/xauth name=root dev=hda3 ino=424321 scontext=user_u:user_r:user_xauth_t tcontext=root:object_r:staff_home_dir_t tclass=dir
>Nov 21 08:09:29 localhost kernel: audit(1101042569.642:0): avc:  denied  { add_name } for  pid=3095 exe=/usr/X11R6/bin/xauth name=.xauthDMglgN-c scontext=user_u:user_r:user_xauth_t tcontext=root:object_r:staff_home_dir_t tclass=dir
>Nov 21 08:09:29 localhost kernel: audit(1101042569.642:0): avc:  denied  { create } for  pid=3095 exe=/usr/X11R6/bin/xauth name=.xauthDMglgN-c scontext=user_u:user_r:user_xauth_t tcontext=user_u:object_r:staff_home_dir_t tclass=file
>Nov 21 08:09:29 localhost kernel: audit(1101042569.655:0): avc:  denied  { link } for  pid=3095 exe=/usr/X11R6/bin/xauth name=.xauthDMglgN-c dev=hda3 ino=425338 scontext=user_u:user_r:user_xauth_t tcontext=user_u:object_r:staff_home_dir_t tclass=file
>Nov 21 08:09:29 localhost kernel: audit(1101042569.656:0): avc:  denied  { write } for  pid=3095 exe=/usr/X11R6/bin/xauth name=.xauthDMglgN dev=hda3 ino=424711 scontext=user_u:user_r:user_xauth_t tcontext=user_u:object_r:staff_home_dir_t tclass=file
>Nov 21 08:09:29 localhost kernel: audit(1101042569.657:0): avc:  denied  { read } for  pid=3095 exe=/usr/X11R6/bin/xauth name=.xauthDMglgN dev=hda3 ino=424711 scontext=user_u:user_r:user_xauth_t tcontext=user_u:object_r:staff_home_dir_t tclass=file
>Nov 21 08:09:29 localhost kernel: audit(1101042569.657:0): avc:  denied  { getattr } for  pid=3095 exe=/usr/X11R6/bin/xauth path=/root/.xauthDMglgN dev=hda3 ino=424711 scontext=user_u:user_r:user_xauth_t tcontext=user_u:object_r:staff_home_dir_t tclass=file
>Nov 21 08:09:29 localhost kernel: audit(1101042569.660:0): avc:  denied  { remove_name } for  pid=3095 exe=/usr/X11R6/bin/xauth name=.xauthDMglgN dev=hda3 ino=424711 scontext=user_u:user_r:user_xauth_t tcontext=root:object_r:staff_home_dir_t tclass=dir
>Nov 21 08:09:29 localhost kernel: audit(1101042569.660:0): avc:  denied  { unlink } for  pid=3095 exe=/usr/X11R6/bin/xauth name=.xauthDMglgN dev=hda3 ino=424711 scontext=user_u:user_r:user_xauth_t tcontext=user_u:object_r:staff_home_dir_t tclass=file
>Nov 21 08:09:30 localhost kernel: audit(1101042570.492:0): avc:  denied  { connectto } for  pid=3096 exe=/usr/bin/python path=/tmp/.X11-unix/X0 scontext=root:sysadm_r:sysadm_t tcontext=user_u:user_r:user_xserver_t tclass=unix_stream_socket
>Nov 21 08:09:35 localhost kernel: audit(1101042575.295:0): avc:  denied  { unix_read unix_write } for  pid=2910 exe=/usr/X11R6/bin/Xorg key=0 scontext=user_u:user_r:user_xserver_t tcontext=root:sysadm_r:sysadm_t tclass=shm
>Nov 21 08:09:35 localhost kernel: audit(1101042575.295:0): avc:  denied  { read write } for  pid=2910 exe=/usr/X11R6/bin/Xorg key=0 scontext=user_u:user_r:user_xserver_t tcontext=root:sysadm_r:sysadm_t tclass=shm
>Nov 21 08:09:35 localhost kernel: audit(1101042575.295:0): avc:  denied  { use } for  pid=2910 path=/SYSV00000000 (deleted) dev=tmpfs ino=557072 scontext=user_u:user_r:user_xserver_t tcontext=root:sysadm_r:sysadm_t tclass=fd
>Nov 21 08:09:35 localhost kernel: audit(1101042575.295:0): avc:  denied  { read write } for  pid=2910 path=/SYSV00000000 (deleted) dev=tmpfs ino=557072 scontext=user_u:user_r:user_xserver_t tcontext=root:object_r:sysadm_tmpfs_t tclass=file
>Nov 21 08:09:35 localhost kernel: audit(1101042575.295:0): avc:  denied  { getattr associate } for  pid=2910 exe=/usr/X11R6/bin/Xorg key=0 scontext=user_u:user_r:user_xserver_t tcontext=root:sysadm_r:sysadm_t tclass=shm
>
>------------------------------------------------------------------------
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
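Added example, not from the thread or from either poster: the reply above gives a two-part recipe (switch SELINUXTYPE in /etc/selinux/config, touch /.autorelabel, reboot) and attaches a raw AVC log. The script below does the config edit as a pure text transformation and parses AVC lines of the attached shape into records, so an administrator can see at a glance which source domain was denied what on which target type, and can spot the `granted { setenforce }` event that marks the moment enforcement was turned off. The sample log lines and sample config are constructed for the example (copied in the shape of the attachment); function names are this example's own, not part of any SELinux tool.

```python
"""Parse kernel AVC audit lines and rewrite SELINUXTYPE (added example)."""
import re
from collections import Counter

# Constructed sample, in the shape of the attached avc log (not the full attachment).
SAMPLE_AVC = """\
Nov 21 08:04:09 localhost kernel: audit(1101042249.690:0): avc:  denied  { search } for  pid=2894 exe=/usr/X11R6/bin/Xorg name=selinux dev=hda3 ino=603892 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Nov 21 08:04:51 localhost kernel: audit(1101042291.658:0): avc:  granted  { setenforce } for  pid=2896 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Nov 21 08:05:08 localhost kernel: audit(1101042308.913:0): avc:  denied  { read } for  pid=2910 exe=/usr/X11R6/bin/Xorg name=config dev=hda3 ino=603908 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:selinux_config_t tclass=file
Nov 21 08:05:38 localhost dbus: avc:  received setenforce notice (enforcing=0)
Nov 21 08:09:35 localhost kernel: audit(1101042575.295:0): avc:  denied  { read write } for  pid=2910 exe=/usr/X11R6/bin/Xorg key=0 scontext=user_u:user_r:user_xserver_t tcontext=root:sysadm_r:sysadm_t tclass=shm
"""

# Constructed sample of /etc/selinux/config before the edit Dan describes.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=strict
"""

# "avc:  denied  { read write } for  pid=... key=value ..." ; dbus notices have no braces and are skipped.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(text):
    """Return one dict per AVC decision line: verdict, perms list, and the key=value fields."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
        rec.update(FIELD_RE.findall(m.group("fields")))
        records.append(rec)
    return records


def context_type(ctx):
    """user:role:type[:level] -> type; the type is what policy rules are written against."""
    return ctx.split(":")[2]


def summarize_denials(records):
    """Count denials by (source type, target type, object class, permissions)."""
    counts = Counter()
    for r in records:
        if r["verdict"] != "denied":
            continue
        key = (context_type(r["scontext"]), context_type(r["tcontext"]),
               r["tclass"], " ".join(r["perms"]))
        counts[key] += 1
    return counts


def enforcement_changes(records):
    """Granted setenforce events: the points where someone switched enforcing on or off."""
    return [r for r in records if r["verdict"] == "granted" and "setenforce" in r["perms"]]


def set_selinux_type(config_text, new_type):
    """Rewrite SELINUXTYPE=... in /etc/selinux/config text; appends the line if absent."""
    if new_type not in ("targeted", "strict"):
        raise ValueError("unknown policy type: %s" % new_type)
    out, seen = [], False
    for line in config_text.splitlines():
        if re.match(r"\s*SELINUXTYPE\s*=", line):
            line = "SELINUXTYPE=" + new_type
            seen = True
        out.append(line)
    if not seen:
        out.append("SELINUXTYPE=" + new_type)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AVC)
    for key, n in sorted(summarize_denials(recs).items()):
        print("%3d  %s -> %s  %s { %s }" % ((n,) + key))
    for ev in enforcement_changes(recs):
        print("enforcement change by pid=%s exe=%s" % (ev.get("pid"), ev.get("exe")))
    print(set_selinux_type(SAMPLE_CONFIG, "targeted"), end="")
```

On a live box the rewritten text would be written back to /etc/selinux/config and an empty /.autorelabel created before rebooting, which is exactly the manual step in the reply; the init scripts then relabel. The summary is what to look at before granting anything: a denial of `user_xserver_t` on `selinux_config_t` is the policy doing its job, while a `granted { setenforce }` line is the one a defender wants an alert on, since after it nothing further is being enforced.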