Selinux and kernel-2.6.12-1.1381 Fedora Core 3
Daniel J Walsh
dwalsh at redhat.com
Mon Nov 7 17:21:33 UTC 2005
Antonio Olivares wrote:
> --- Rahul Sundaram <sundaram at redhat.com> wrote:
>
>
>> Antonio Olivares wrote:
>>
>>
>>> Dear Kind Folks,
>>> I recently updated one of my machines at work
>>>
>> which
>>
>>> was running Fedora Core 3 to kernel-2.6.12-1.1381
>>>
>> via
>>
>>> yum. When I rebooted and booted to the new kernel,
>>>
>> I
>>
>>> fired up firefox and could not load yahoo webpage.
>>>
>> I
>>
>>> tried google, Fedorafaq, Distrowatch and nothing.
>>>
>> I
>>
>>> suspected Selinux could be the culprit, so I did:
>>> Hat -> System Settings -> Security Level and
>>>
>> disabled
>>
>>> selinux. Rebooted with new settings and viola I
>>>
>> could
>>
>>> see yahoo, distrowatch, google, etc. I went to
>>> terminal fired up yum and yum update selinux and
>>>
>> gave
>>
>>> me error message. I tried again this time with
>>> selinux-targetpolicy? (not to sure) but it went
>>> through. I reenabled selinux, and rebooted and
>>>
>> could
>>
>>> not view any webpages again. I will get back to
>>>
>> the
>>
>>> machine on Monday, and it makes me wonder about
>>>
>> what
>>
>>> do I need to do, which updates I need to run.
>>>
>>> kernel installed -> [kernel-2.6.12-1.1381_FC3.i686]
>>>
>>> I read very carefully the FAQ for SELinux from
>>> http://www.nsa.gov/selinux/info/faq.cfm
>>> but I am still clueless. I would like to keep
>>>
>> selinux
>>
>>> enabled and still view webpages. How can I still
>>>
>> do
>>
>>> that?
>>>
>>>
>>>
>> post to the fedora-selinux list with the AVC denied
>> messages in
>> /var/log/messages. Fedora SELinux FAQ is available
>> from
>>
>> http://fedoraproject.org/wiki/Communicate
>> http://fedora.redhat.com/docs/selinux-faq/
>>
>> regards
>> Rahul
>>
>> --
>> fedora-list mailing list
>> fedora-list at redhat.com
>> To unsubscribe:
>> https://www.redhat.com/mailman/listinfo/fedora-list
>>
>>
>
> I'll do that come Monday, thanks for helping. In any
> case, at home same thing happened, here are some avc
> messages
>
> audit(1131052412.181:2): avc: denied { name_connect
> } for pid=4314 comm="gkrellm" dest=7634
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:port_t tclass=tcp_socket
> audit(1131052412.349:3): avc: denied { name_connect
> } for pid=4317 comm="eggcups" dest=631
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:reserved_port_t
> tclass=tcp_socket
> audit(1131052412.349:4): avc: denied { name_connect
> } for pid=4317 comm="eggcups" dest=631
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:reserved_port_t
> tclass=tcp_socket
> CSLIP: code copyright 1989 Regents of the University
> of California
> PPP generic driver version 2.4.2
> PPP Deflate Compression module registered
> audit(1131052690.058:5): avc: denied { name_connect
> } for pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052692.227:6): avc: denied { name_connect
> } for pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052699.727:7): avc: denied { name_connect
> } for pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052702.155:8): avc: denied { name_connect
> } for pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052713.032:9): avc: denied { name_connect
> } for pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052718.472:10): avc: denied { name_connect
> } for pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052726.685:11): avc: denied { name_connect
> } for pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052730.917:12): avc: denied { name_connect
> } for pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052743.510:13): avc: denied { name_connect
> } for pid=4617 comm="mozilla-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052746.942:14): avc: denied { name_connect
> } for pid=4617 comm="mozilla-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052843.092:15): avc: denied { name_connect
> } for pid=4692 comm="mozilla-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052848.928:16): avc: denied { name_connect
> } for pid=4692 comm="mozilla-bin" dest=443
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> [root at localhost ~]#
>
> [root at localhost ~]# tail /var/log/messages
> Nov 3 21:20:37 localhost pppd[4658]: local IP
> address 66.201.8.152
> Nov 3 21:20:37 localhost pppd[4658]: remote IP
> address 66.201.8.6
> Nov 3 21:20:37 localhost pppd[4658]: primary DNS
> address 168.215.176.2
> Nov 3 21:20:37 localhost pppd[4658]: secondary DNS
> address 12.176.80.9
> Nov 3 21:20:43 localhost kernel:
> audit(1131052843.092:15): avc: denied { name_connect
> } for pid=4692 comm="mozilla-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> Nov 3 21:20:48 localhost kernel:
> audit(1131052848.928:16): avc: denied { name_connect
> } for pid=4692 comm="mozilla-bin" dest=443
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> Nov 3 21:23:01 localhost kernel:
> audit(1131052981.865:17): avc: denied { name_connect
> } for pid=4692 comm="mozilla-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> Nov 3 21:23:03 localhost kernel:
> audit(1131052983.717:18): avc: denied { name_connect
> } for pid=4692 comm="mozilla-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> Nov 3 21:25:01 localhost crond(pam_unix)[4703]:
> session opened for user root by (uid=0)
> Nov 3 21:25:02 localhost crond(pam_unix)[4703]:
> session closed for user root
>
> Regards,
>
> Antonio
>
>
>
>
> __________________________________
> Start your day with Yahoo! - Make it your home page!
> http://www.yahoo.com/r/hs
>
>
YOu have a policy mismatch. Have you update to the latest policy
available for FC3?
Please try selinux-policy-targeted-1.17.30-3.19
<https://porkchop.devel.redhat.com/fedora-updates/show.py?pkg=selinux-policy-targeted-1.17.30-3.19&update=Testing>
available in the fedora-test yum repository to see if it solves your problem
--
More information about the fedora-selinux-list
mailing list