Selinux and kernel-2.6.12-1.1381 Fedora Core 3

Daniel J Walsh dwalsh at redhat.com
Mon Nov 7 17:21:33 UTC 2005


Antonio Olivares wrote:
> --- Rahul Sundaram <sundaram at redhat.com> wrote:
>
>> Antonio Olivares wrote:
>>
>>> Dear Kind Folks,
>>>   I recently updated one of my machines at work which
>>> was running Fedora Core 3 to kernel-2.6.12-1.1381 via
>>> yum.  When I rebooted and booted to the new kernel, I
>>> fired up firefox and could not load yahoo webpage.  I
>>> tried google, Fedorafaq, Distrowatch and nothing.  I
>>> suspected Selinux could be the culprit, so I did:
>>> Hat -> System Settings -> Security Level and disabled
>>> selinux.  Rebooted with new settings and voila I could
>>> see yahoo, distrowatch, google, etc.  I went to
>>> terminal fired up yum and yum update selinux and gave
>>> me error message.  I tried again this time with
>>> selinux-targetpolicy? (not too sure) but it went
>>> through.  I reenabled selinux, and rebooted and could
>>> not view any webpages again.  I will get back to the
>>> machine on Monday, and it makes me wonder about what
>>> do I need to do, which updates I need to run.
>>>
>>> kernel installed -> [kernel-2.6.12-1.1381_FC3.i686]
>>>
>>> I read very carefully the FAQ for SELinux from
>>> http://www.nsa.gov/selinux/info/faq.cfm
>>> but I am still clueless.  I would like to keep selinux
>>> enabled and still view webpages.  How can I still do
>>> that?
>>>
>> post to the fedora-selinux list with the AVC denied
>> messages in /var/log/messages. Fedora SELinux FAQ is
>> available from
>>
>> http://fedoraproject.org/wiki/Communicate
>> http://fedora.redhat.com/docs/selinux-faq/
>>
>> regards
>> Rahul
>>
>
> I'll do that come Monday, thanks for helping.  In any
> case, at home same thing happened, here are some avc
> messages
>
> audit(1131052412.181:2): avc:  denied  { name_connect
> } for  pid=4314 comm="gkrellm" dest=7634
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:port_t tclass=tcp_socket
> audit(1131052412.349:3): avc:  denied  { name_connect
> } for  pid=4317 comm="eggcups" dest=631
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:reserved_port_t
> tclass=tcp_socket
> audit(1131052412.349:4): avc:  denied  { name_connect
> } for  pid=4317 comm="eggcups" dest=631
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:reserved_port_t
> tclass=tcp_socket
> CSLIP: code copyright 1989 Regents of the University
> of California
> PPP generic driver version 2.4.2
> PPP Deflate Compression module registered
> audit(1131052690.058:5): avc:  denied  { name_connect
> } for  pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052692.227:6): avc:  denied  { name_connect
> } for  pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052699.727:7): avc:  denied  { name_connect
> } for  pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052702.155:8): avc:  denied  { name_connect
> } for  pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052713.032:9): avc:  denied  { name_connect
> } for  pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052718.472:10): avc:  denied  { name_connect
> } for  pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052726.685:11): avc:  denied  { name_connect
> } for  pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052730.917:12): avc:  denied  { name_connect
> } for  pid=4602 comm="firefox-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052743.510:13): avc:  denied  { name_connect
> } for  pid=4617 comm="mozilla-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052746.942:14): avc:  denied  { name_connect
> } for  pid=4617 comm="mozilla-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052843.092:15): avc:  denied  { name_connect
> } for  pid=4692 comm="mozilla-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> audit(1131052848.928:16): avc:  denied  { name_connect
> } for  pid=4692 comm="mozilla-bin" dest=443
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> [root at localhost ~]#  
>
> [root at localhost ~]# tail /var/log/messages
> Nov  3 21:20:37 localhost pppd[4658]: local  IP
> address 66.201.8.152
> Nov  3 21:20:37 localhost pppd[4658]: remote IP
> address 66.201.8.6
> Nov  3 21:20:37 localhost pppd[4658]: primary   DNS
> address 168.215.176.2
> Nov  3 21:20:37 localhost pppd[4658]: secondary DNS
> address 12.176.80.9
> Nov  3 21:20:43 localhost kernel:
> audit(1131052843.092:15): avc:  denied  { name_connect
> } for  pid=4692 comm="mozilla-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> Nov  3 21:20:48 localhost kernel:
> audit(1131052848.928:16): avc:  denied  { name_connect
> } for  pid=4692 comm="mozilla-bin" dest=443
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> Nov  3 21:23:01 localhost kernel:
> audit(1131052981.865:17): avc:  denied  { name_connect
> } for  pid=4692 comm="mozilla-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> Nov  3 21:23:03 localhost kernel:
> audit(1131052983.717:18): avc:  denied  { name_connect
> } for  pid=4692 comm="mozilla-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> Nov  3 21:25:01 localhost crond(pam_unix)[4703]:
> session opened for user root by (uid=0)
> Nov  3 21:25:02 localhost crond(pam_unix)[4703]:
> session closed for user root
>
> Regards,
>
> Antonio
>
You have a policy mismatch.  Have you updated to the latest policy 
available for FC3?

Please try selinux-policy-targeted-1.17.30-3.19 
<https://porkchop.devel.redhat.com/fedora-updates/show.py?pkg=selinux-policy-targeted-1.17.30-3.19&update=Testing> 
available in the fedora-test yum repository to see if it solves your problem.



More information about the fedora-selinux-list mailing list
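
Added example, not part of the original thread: a small Python parser that un-wraps AVC denials pasted into a quoted mail like the one above, drops events reported twice (the same audit id shows up in both the kernel output and /var/log/messages), and groups them by source type, permission, class and target type. The function names are assumptions of this example; the sample records are copied from the thread.

```python
import re
from collections import Counter

# Constructed sample: records from the thread, kept in their hard-wrapped,
# ">"-quoted form. Event 15 appears twice (kernel output and syslog).
SAMPLE = """\
> audit(1131052412.181:2): avc:  denied  { name_connect
> } for  pid=4314 comm="gkrellm" dest=7634
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:port_t tclass=tcp_socket
> PPP generic driver version 2.4.2
> audit(1131052843.092:15): avc:  denied  { name_connect
> } for  pid=4692 comm="mozilla-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
> Nov  3 21:20:43 localhost kernel:
> audit(1131052843.092:15): avc:  denied  { name_connect
> } for  pid=4692 comm="mozilla-bin" dest=80
> scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:http_port_t
> tclass=tcp_socket
"""

AVC = re.compile(r'audit\((?P<id>[\d.]+:\d+)\): avc: denied \{ (?P<perms>[^}]+)\}'
                 r' for (?P<kv>.*?\btclass=\S+)')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(text):
    """Strip quote markers, undo wrapping, return denials unique by audit id."""
    flat = " ".join(re.sub(r"^[>\s]+", "", ln) for ln in text.splitlines())
    flat = " ".join(flat.split())
    seen, out = set(), []
    for m in AVC.finditer(flat):
        if m["id"] not in seen:
            seen.add(m["id"])
            rec = {k: v.strip('"') for k, v in KV.findall(m["kv"])}
            out.append(dict(rec, id=m["id"], perms=m["perms"].split()))
    return out

def summarize(denials):
    """Count (source type, permission, class, target type) tuples."""
    return Counter((d["scontext"].split(":")[2], p, d["tclass"],
                    d["tcontext"].split(":")[2])
                   for d in denials for p in d["perms"])

if __name__ == "__main__":
    for rule, n in summarize(parse_denials(SAMPLE)).items():
        print(n, *rule)
```

Run over the records posted in this thread, the summary collapses to one pattern: unconfined_t denied name_connect on tcp_socket, across unrelated programs and port types.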