running today's policy, have boot/network problems.
Fixed boot problems by turning off hplip/cups.
Appears more 'netif' work is needed:
[root@tlondon ~]# ausearch -m avc,selinux_err -ts 12/16/2005 | audit2allow -l
allow avahi_t null_device_t:netif udp_send;
allow cupsd_t null_device_t:netif tcp_send;
allow hplip_t null_device_t:netif tcp_send;
allow kernel_t null_device_t:netif rawip_send;
allow ntpd_t null_device_t:netif udp_send;
allow ntpd_t policy_config_t:udp_socket node_bind;
allow ping_t null_device_t:netif rawip_recv;
allow ping_t policy_config_t:node rawip_recv;
allow unconfined_t null_device_t:netif tcp_recv;
allow unconfined_t policy_config_t:node udp_recv;
allow unconfined_t sysctl_t:tcp_socket recv_msg;
allow unconfined_t sysctl_t:udp_socket send_msg;
[root@tlondon ~]#
Here are a few AVCs:
----
time->Fri Dec 16 07:06:31 2005
type=AVC msg=audit(1134745591.755:5): avc: denied { tcp_send } for pid=2686 comm="python" saddr=127.0.0.1 src=37866 daddr=127.0.0.1 dest=50000 netif=lo scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=netif
----
time->Fri Dec 16 07:06:34 2005
type=AVC msg=audit(1134745594.243:6): avc: denied { tcp_send } for pid=2713 comm="hp" saddr=127.0.0.1 src=37867 daddr=127.0.0.1 dest=50000 netif=lo scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:null_device_t:s0 tclass=netif
----
time->Fri Dec 16 07:06:34 2005
type=AVC msg=audit(1134745594.755:7): avc: denied { tcp_send } for saddr=127.0.0.1 src=37866 daddr=127.0.0.1 dest=50000 netif=lo scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=netif
----
time->Fri Dec 16 07:16:44 2005
type=SOCKETCALL msg=audit(1134746204.111:5): nargs=4 a0=4 a1=bfbf3450 a2=20 a3=0
type=SYSCALL msg=audit(1134746204.111:5): arch=40000003 syscall=102 success=no exit=-1 a0=9 a1=bfbf30e4 a2=771ff4 a3=20 items=0 pid=2731 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ntpdate" exe="/usr/sbin/ntpdate"
type=AVC msg=audit(1134746204.111:5): avc: denied { udp_send } for pid=2731 comm="ntpdate" saddr=192.168.1.101 src=32768 daddr=68.87.76.178 dest=53 netif=eth0 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=netif
----
time->Fri Dec 16 07:16:57 2005
type=SOCKETCALL msg=audit(1134746217.580:190): nargs=3 a0=d a1=bfae85ec a2=0
type=SOCKADDR msg=audit(1134746217.580:190): saddr=020014E9E00000FB0000000000000000
type=SYSCALL msg=audit(1134746217.580:190): arch=40000003 syscall=102 success=no exit=-1 a0=10 a1=bfae8590 a2=af5134 a3=d items=0 pid=2814 auid=4294967295 uid=70 gid=70 euid=70 suid=70 fsuid=70 egid=70 sgid=70 fsgid=70 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon"
type=AVC msg=audit(1134746217.580:190): avc: denied { udp_recv } for pid=2814 comm="avahi-daemon" saddr=192.168.1.101 src=5353 daddr=224.0.0.251 dest=5353 netif=eth0 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=netif
type=AVC msg=audit(1134746217.580:190): avc: denied { udp_send } for pid=2814 comm="avahi-daemon" saddr=192.168.1.101 src=5353 daddr=224.0.0.251 dest=5353 netif=eth0 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=netif
----
<<<<<Many more>>>>>
tom
-- Tom London
On Fri, 2005-12-16 at 07:34 -0800, Tom London wrote:
running today's policy, have boot/network problems.
Fixed boot problems by turning off hplip/cups.
Appears more 'netif' work is needed:
Dan removed what he thought were obsolete initial SIDs from the policy, but you can't do that without rebuilding the kernel to match. Thus, rawhide policy is busted; revert, reboot and wait for an update.
Stephen Smalley wrote:
Dan removed what he thought were obsolete initial SIDs from the policy, but you can't do that without rebuilding the kernel to match. Thus, rawhide policy is busted, revert and reboot and wait for an update.
Fixed policy is on ftp://people.redhat.com/dwalsh/SELinux/Fedora
On 12/16/05, Daniel J Walsh dwalsh@redhat.com wrote:
Fixed policy is on ftp://people.redhat.com/dwalsh/SELinux/Fedora
Uhh... get the following messages with 'yum --enablerepo=dwalsh update selinux-policy-targeted'. Do I need the updated libsepol, etc. too?
tom
(1/1): selinux-policy-tar 100% |=========================| 235 kB 00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : selinux-policy-targeted ######################### [1/2]
libsepol.mls_from_string: invalid MLS context s0)
libsepol.mls_from_string: could not construct mls context structure
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:var_run_t:s0) to sid
/etc/selinux/targeted/contexts/files/file_contexts: line 808 has invalid context system_u:object_r:var_run_t:s0)
libsemanage.semanage_install_active: setfiles returned error code 1.
Failed!
Cleanup : selinux-policy-targeted ######################### [2/2]
Updated: selinux-policy-targeted.noarch 0:2.1.6-6 Complete!
-- Tom London
Tom London wrote:
Uhh... get the following messages with 'yum --enablerepo=dwalsh update selinux-policy-targeted'. Do I need the updated libsepol, etc. too?
tom
Could you try semodule -b /usr/share/selinux/targeted/base.pp
See if the previous error is just caused by the bad policy.
Dan
Could you try semodule -b /usr/share/selinux/targeted/base.pp
See if the previous error is just caused by the bad policy.
When I run that command, I get the same errors.
-Steve
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
On 12/16/05, Daniel J Walsh dwalsh@redhat.com wrote:
Could you try semodule -b /usr/share/selinux/targeted/base.pp
See if the previous error is just caused by the bad policy.
Dan
[root@tlondon packages]# semodule -b /usr/share/selinux/targeted/base.pp
libsepol.mls_from_string: invalid MLS context s0)
libsepol.mls_from_string: could not construct mls context structure
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:var_run_t:s0) to sid
/etc/selinux/targeted/contexts/files/file_contexts: line 808 has invalid context system_u:object_r:var_run_t:s0)
libsemanage.semanage_install_active: setfiles returned error code 1.
Failed!
[root@tlondon packages]#
-- Tom London
On Fri, 2005-12-16 at 10:05 -0800, Tom London wrote:
[root@tlondon packages]# semodule -b /usr/share/selinux/targeted/base.pp libsepol.mls_from_string: invalid MLS context s0)
Looks like macro-processing error at policy build time - you have a terminating parenthesis there after the s0.
libsepol.mls_from_string: could not construct mls context structure
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:var_run_t:s0) to sid
/etc/selinux/targeted/contexts/files/file_contexts: line 808 has invalid context system_u:object_r:var_run_t:s0)
libsemanage.semanage_install_active: setfiles returned error code 1.
Failed!
[root@tlondon packages]#
Stephen Smalley wrote:
Looks like macro-processing error at policy build time - you have a terminating parenthesis there after the s0.
New policy on people to fix this problem. Should have been caught during build.
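The failure Stephen spotted (a stray `)` after `s0` in a file_contexts entry) is the kind of thing a build-time check can catch before setfiles rejects the whole file. The following is an added example, not code from the thread or from the SELinux userspace tools: a small validator that walks a file_contexts text and reports entries whose security context does not parse as user:role:type with an optional MLS/MCS range. The sample input, type names and the `check_file_contexts` helper are constructed for illustration.

```python
import re

# A file_contexts entry is: path-regex [-type] context, where context is
# user:role:type optionally followed by an MLS/MCS range such as s0 or
# s0-s0:c0.c255. Any trailing junk, like the ')' on the thread's line 808,
# makes setfiles reject the whole file.
_IDENT = r"[A-Za-z_][A-Za-z0-9_.]*"
_LEVEL = r"s[0-9]+(?::c[0-9]+(?:\.c[0-9]+)?(?:,c[0-9]+(?:\.c[0-9]+)?)*)?"
_CONTEXT_RE = re.compile(rf"^{_IDENT}:{_IDENT}:{_IDENT}(?::{_LEVEL}(?:-{_LEVEL})?)?$")


def check_file_contexts(text: str) -> list:
    """Return (line_number, context, reason) for each malformed entry."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank lines and comments are fine
        fields = stripped.split()
        if len(fields) < 2:
            problems.append((lineno, stripped, "missing context field"))
            continue
        context = fields[-1]
        if context == "<<none>>":
            continue                      # explicitly unlabelled path
        if not _CONTEXT_RE.match(context):
            problems.append((lineno, context, "invalid security context"))
    return problems


# Constructed sample modelled on the failure quoted in the thread: one entry
# carries a ')' left behind by a policy macro; the others are well formed.
SAMPLE = """\
/var/run(/.*)?           system_u:object_r:var_run_t:s0)
/etc/cups(/.*)?          system_u:object_r:cupsd_etc_t:s0
/dev/null          -c    system_u:object_r:null_device_t:s0
/usr/sbin/cupsd    --    system_u:object_r:cupsd_exec_t:s0-s0:c0.c255
/tmp/.X11-unix/.*        <<none>>
"""

if __name__ == "__main__":
    for lineno, ctx, reason in check_file_contexts(SAMPLE):
        print(f"line {lineno}: {reason}: {ctx}")
```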
On 12/16/05, Daniel J Walsh dwalsh@redhat.com wrote:
New policy on people to fix this problem. Should have been caught during build.
This works for me.
Thanks! tom -- Tom London
Dan removed what he thought were obsolete initial SIDs from the policy, but you can't do that without rebuilding the kernel to match. Thus, rawhide policy is busted; revert, reboot and wait for an update.
Fixed policy is on ftp://people.redhat.com/dwalsh/SELinux/Fedora
I get this when installing:
[root@localhost ~]# rpm -Uvh ~sgrubb/selinux-policy-targeted-2.1.6-6.noarch.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy-targeted########################################### [100%]
libsepol.mls_from_string: invalid MLS context s0)
libsepol.mls_from_string: could not construct mls context structure
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:var_run_t:s0) to sid
/etc/selinux/targeted/contexts/files/file_contexts: line 808 has invalid context system_u:object_r:var_run_t:s0)
libsemanage.semanage_install_active: setfiles returned error code 1.
Failed!
type=SOCKADDR msg=audit(1134746217.580:190): saddr=020014E9E00000FB0000000000000000
If you add the -i parameter to ausearch, it will interpret this so we can see what it means. Dan already has a new policy, so it's not needed this time. But it's helpful to see this field next time.
Thanks, -Steve
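What `ausearch -i` does with that SOCKADDR field is decode the raw `struct sockaddr` bytes. The following is an added example, not part of the thread or of the audit tools: it decodes the hex `saddr=` value quoted above into family, port and address, handling AF_INET, AF_INET6 and AF_UNIX. It assumes the record came from a little-endian (i386, arch=40000003) host, since the family is stored in host byte order; `decode_saddr` and the sample values are constructed for illustration.

```python
import socket
import struct

# Constructed sample: the hex 'saddr=' value from the SOCKADDR record quoted
# in the thread (avahi-daemon talking to the mDNS multicast group).
SAMPLE_SADDR = "020014E9E00000FB0000000000000000"


def decode_saddr(hex_saddr: str) -> dict:
    """Decode the raw hex 'saddr=' field of an audit SOCKADDR record.

    The family is in host byte order (little-endian assumed, as on the i386
    box that produced the record); the port and address inside sockaddr_in
    and sockaddr_in6 are in network byte order.
    """
    raw = bytes.fromhex(hex_saddr)
    if len(raw) < 2:
        raise ValueError("sockaddr too short to carry a family")
    family = struct.unpack("<H", raw[:2])[0]
    if family == socket.AF_INET:
        # struct sockaddr_in: family(2) port(2) addr(4) zero padding(8)
        if len(raw) < 8:
            raise ValueError("truncated sockaddr_in")
        port, addr = struct.unpack("!H4s", raw[2:8])
        return {"family": "inet", "port": port, "addr": socket.inet_ntoa(addr)}
    if family == socket.AF_INET6:
        # struct sockaddr_in6: family(2) port(2) flowinfo(4) addr(16) scope_id(4)
        if len(raw) < 28:
            raise ValueError("truncated sockaddr_in6")
        port, _flow = struct.unpack("!HI", raw[2:8])
        addr = socket.inet_ntop(socket.AF_INET6, raw[8:24])
        scope = struct.unpack("<I", raw[24:28])[0]   # scope_id is host order
        return {"family": "inet6", "port": port, "addr": addr, "scope": scope}
    if family == socket.AF_UNIX:
        # struct sockaddr_un: family(2) then a NUL-terminated path
        path = raw[2:].split(b"\0", 1)[0].decode("utf-8", "replace")
        return {"family": "local", "path": path}
    return {"family": f"unknown({family})"}


if __name__ == "__main__":
    print(decode_saddr(SAMPLE_SADDR))
```

The decoded result (family inet, port 5353, address 224.0.0.251) matches the `daddr=224.0.0.251 dest=5353` fields of the AVC in the same audit event.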