LinuxQuestions.org


PhilTR 08-05-2007 04:55 AM

Can't open system message bus connection...
 
SELinux is giving me fits. When enabled, 'nfs' services fail to start. Looking at messages in the system monitor, 'Can't open system message bus connection: Failed to connect to socket /var/run/dbus/system_bus_socket: Connection refused', is the first error message that jumps out at me. I've no idea what it means tho.

I've had problems with SELinux since April. Disabling it seems to be a temporary/partial fix. I tried to enable it this morning only to have a repeat of old issues. I disabled it again and most issues seem to resolve. Of course, this is not ideal.

Since this forum will not allow me to post attachments, I've a copy of the messages log for the boot-up with and without SELinux enabled at: http://forums.fedoraforum.org/attach...chmentid=12985. (you may have to copy'n'paste the url into your browser locator field). Would someone please take a look at it and give me some idea as to how to get myself out of the woods here. I can post additional info as needed. Thanks. phil

unSpawn 08-06-2007 10:38 AM

What version of Fedora?

PhilTR 08-06-2007 10:46 PM

Oops, FedoraCore6. Kernel-2.6.20-1.2962.fc6. Thanks. phil

unSpawn 08-07-2007 01:28 AM

Try "audit2allow -M mysemanage < /var/log/audit/audit.log; semodule -i mysemanage.pp"?

PhilTR 08-07-2007 05:30 AM

As 'su -' the results were:

[root@philsfc6 ~]# audit2allow -M mysemanage < /var/log/audit/audit.log; semodule -i mysemanage.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!

phil

unSpawn 08-08-2007 12:55 AM

> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.

Maybe OT, but do you run MLS for a specific reason? (I have an FC6 box but I can't remember it offering me MLS at the time...) Maybe relabelling could be the easy way out.

PhilTR 08-08-2007 05:45 AM

unSpawn, I hate to admit this but, I don't have a clue as to what a 'MLS module' is. I've played around the edges of linux for the past two or so years and only recently have tried to get into the thick of things.

I 'upgraded' from FedoraCore4 to FedoraCore6. Not sure that was wise but I have tinkered a lot and so have much I don't want to revisit. I run 'Software Updater' weekly and accept all updates. I prefer 'updater' due to its ability to deal with dependencies. (Gawd, I feel like I'm at an AA meeting! he says sheepishly). Early on they drove me nuts. Using 'updater' seemed to keep my life uncomplicated and so I stuck with it, accepting all SELinux policy updates w/o question. As far as I know I'm pretty much running a default OS, which is why I'm a bit puzzled by these issues. I do include livna and freshrpms when updating.

I'm trying to run down these niggling issues so I can go on to VMware and maybe Beryl. One other issue that's been bugging me is that my system can't seem to kill 'nscd' services on shutdown but, that's for another post.

When I re-enabled SELinux, didn't that 're-label'? For now I want to re-enable SELinux and maybe along the way get a better understanding of its functioning and of course my OS. Hopefully others can benefit from my pain. phil

unSpawn 08-08-2007 12:23 PM

> I don't have a clue as to what a 'MLS module' is.

It stands for "Multi-Level Security".

> I 'upgraded' from FedoraCore4 to FedoraCore6. Not sure that was wise

Yes it was: FC4 is unmaintained and F6 isn't (yet).

> When I re-enabled SELinux, didn't that 're-label'?

AFAIK not automagically.

PhilTR 08-08-2007 01:06 PM

Well I've heard some grumblings about upgrades as opposed to clean installs. Mine seemed to go uneventfully, I think.

After reading Morris' article it looks like I'll be doing some more digging. First the SELinux faq.

Also:
[philtr@philsfc6 ~]$ rpm -q selinux-policy
selinux-policy-2.4.6-80.fc6
[philtr@philsfc6 ~]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-2.4.6-80.fc6

[philtr@philsfc6 ~]$ rpm -q selinux-policy-mls
package selinux-policy-mls is not installed

[philtr@philsfc6 ~]$ rpm -q selinux-policy-strict
package selinux-policy-strict is not installed

And I don't know how I got a 'MLS base'. I sure didn't order it!

Also,

[root@philsfc6 ~]# system-config-securitylevel
bad image index
/usr/share/system-config-securitylevel/securitylevel.py:498: GtkWarning: Icon cache '/usr/share/icons/hicolor/icon-theme.cache' is invalid

self.mainWindow.show_all()

I had a similar issue when trying to run 'gedit' from the command prompt, which told me that 'icon-theme.cache' was invalid. I made a copy of the file and deleted the original, then renamed the copy. The problem as far as gedit resolved.

Hmmmmm...got the old problem with gedit back. bummer.

phil

PhilTR 08-14-2007 11:22 AM

I've been able to narrow down the policies that seem to cause problems with my system. They're in the 'SELinux, SELinux Service Protection' category.

There seem to be policies that affect five services: nfsd, nrpe, ntpd, portmap and rhgb. I need to re-verify but at the moment I'm burnt out. (Update-8-15-07) It seems that with 'openvpn' enforcing I'm not able to establish an internet connection. Disabling it allows me to connect to the internet.

When these services are protected with SELinux policies my system has problems and is not able to either run the service and/or takes forever to get to the login screen. nfs services and portmap are the two most obvious services affected.

To narrow down the possible suspects I first noted the settings in SELinux so that I could return the system to its current settings. Then I disabled every service that I could except in the 'other' category. I left all boxes that were checked allowed or that were unchecked and not a disabling box (in other words the unchecked allowed boxes). After checking all the disabling boxes I enabled SELinux and rebooted. If this didn't allow the system to boot in its usual time I was going to look at unchecking selected allowed boxes that seemed appropriate. Fortunately the system booted quickly and the login screen came up after what seemed a normal time interval.

I then began unchecking disabled boxes, rechecking when the system hung.

In reading the SELinux faq for FC5 I noted that FC4 used 'MLS (multi-level security)' but was dropped for 'targeted' with FC5. I'm not sure that when I upgraded to FC6 the MLS was effectively removed/disabled. I'm not yet able to distinguish between a MLS policy and a targeted policy.

I'd appreciate any help. Thanks. phil
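
A way to see which confined services are being denied without toggling the service-protection boxes one at a time, as an added example that is not part of the thread: it groups the AVC denials in an audit log by source domain and reports whether the contexts carry an MLS/MCS level field. The log lines, and the domain and type names in them, are constructed for illustration and are not taken from the poster's log.

```python
import re
from collections import defaultdict

# Constructed sample lines in the audit.log AVC format (not from the poster's log).
SAMPLE_LOG = """\
type=AVC msg=audit(1186999000.101:41): avc:  denied  { read } for  pid=2101 comm="rpc.nfsd" name="etab" dev=dm-0 ino=1201 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1186999000.350:42): avc:  denied  { name_bind } for  pid=1988 comm="portmap" src=111 scontext=system_u:system_r:portmap_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1186999001.020:43): avc:  denied  { read write } for  pid=2101 comm="rpc.nfsd" name="rmtab" dev=dm-0 ino=1202 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1186999001.020:43): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1186999002.500:44): avc:  granted  { setenforce } for  pid=2300 comm="setenforce" scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Only "denied" AVC records are of interest; granted and SYSCALL records are skipped.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def split_context(context):
    """Split user:role:type[:level]; the level may itself contain ':'."""
    parts = context.split(":", 3)
    user, role, setype = parts[:3]
    level = parts[3] if len(parts) == 4 else None
    return user, role, setype, level

def summarize_denials(log_text):
    """Map source domain -> {(target type, class): set of denied permissions}."""
    summary = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        source = split_context(m["scontext"])[2]
        target = split_context(m["tcontext"])[2]
        summary[source][(target, m["tclass"])].update(m["perms"].split())
    return {dom: dict(rules) for dom, rules in summary.items()}

def contexts_carry_level(log_text):
    """True if any scontext has a fourth (MLS/MCS level) field."""
    return any(split_context(c)[3] for c in re.findall(r'scontext=(\S+)', log_text))

if __name__ == "__main__":
    for domain, rules in sorted(summarize_denials(SAMPLE_LOG).items()):
        for (target, tclass), perms in sorted(rules.items()):
            print(f"{domain} -> {target}:{tclass} {{ {' '.join(sorted(perms))} }}")
    print("level field present:", contexts_carry_level(SAMPLE_LOG))
```

To run it against a real log, pass the contents of /var/log/audit/audit.log (read as root) to `summarize_denials` in place of `SAMPLE_LOG`.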

PhilTR 08-15-2007 03:39 PM

A bit more. In the process of using my system I discovered that I could not print or even access "System, Printing" menu. Disabling all SELinux Printing policies allowed me to resume printing. phil

unSpawn 08-15-2007 04:39 PM

While it wouldn't hurt it's a bit of a sledgehammer thing, but how about a full system relabelling?

PhilTR 08-16-2007 08:19 PM

I did:

[root@philsfc6 philtr]# fixfiles relabel

before going through the policy 'disable' exercise w/o a good outcome. Would it make any difference if I did it again now? Would the above command be sufficient? I can't think of any harm that could be done. I'd crap if I trashed my sys tho, even though like Jesus, I save. Thanks. phil

unSpawn 08-19-2007 08:40 AM

> Would it make any difference if I did it again now?

No, I guess not. I tried to find anything about this on Fedora Core 6 or CentOS-5 but I couldn't find anything to replicate this error with.

For some reason I can imagine the upgrade from FC4 to FC6 somehow didn't cover it all, so one approach could be to eradicate everything SELinux* from your box (should unlabel everything I hope), make sure all references and files are erased, and then reinstall those packages again. Of course there's no guarantee it will work, so before you do, best consult FC bugtracker and/or SELinux users mailing list.

Looking around for "libsepol.link_modules: Tried to link in a non-MLS module with an MLS base." related user reports I have seen some patches moving over the SELinux mailing list, but I doubt it fixed any of your problems since they were mostly (IIGC) 2006-ish or pertaining to another policy version. So if the above option is too radical for you, then if there's a knob for turning this off I'd do that for now; at least you got your services working right then I hope, up the access restrictions a notch and post to FC bugtracker and/or SELinux users mailing list.


All times are GMT -5.