LinuxQuestions.org
Old 08-05-2007, 04:55 AM   #1
PhilTR
Member
 
Registered: Jun 2004
Location: Birmingham, AL
Distribution: FC6, FC8, FC11
Posts: 102

Rep: Reputation: 16
Can't open system message bus connection...


SELinux is giving me fits. When enabled 'nfs' services fail to start. Looking at messages in the system monitor, 'Can't open system message bus connection: Failed to connect to socket /var/run/dbus/system_bus_socket: Connection refused', is the first error message that jumps out at me. I've no idea what it means tho.

I've had problems with SELinux since April. Disabling it seems to be a temporary/partial fix. I tried to enable it this morning only to have a repeat of old issues. I disabled it again and most issues seem to resolve. Of course, this is not ideal.

Since this forum will not allow me to post attachments, I've a copy of the messages log for the boot-up with and without SELinux enabled at: http://forums.fedoraforum.org/attach...chmentid=12985. (you may have to copy'n'paste the url into your browser locator field). Would someone please take a look at it and give me some idea as to how to get myself out of the woods here. I can post additional info as needed. Thanks. phil
 
Old 08-06-2007, 10:38 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,172
Blog Entries: 54

Rep: Reputation: 2809
What version of Fedora?
 
Old 08-06-2007, 10:46 PM   #3
PhilTR
Oops, FedoraCore6. Kernel-2.6.20-1.2962.fc6. Thanks. phil

Last edited by PhilTR; 08-06-2007 at 10:52 PM.
 
Old 08-07-2007, 01:28 AM   #4
unSpawn
Try "audit2allow -M mysemanage < /var/log/audit/audit.log; semodule -i mysemanage.pp"?
 
Old 08-07-2007, 05:30 AM   #5
PhilTR
As 'su -' the results were:

[root@philsfc6 ~]# audit2allow -M mysemanage < /var/log/audit/audit.log; semodule -i mysemanage.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!

phil
 
Old 08-08-2007, 12:55 AM   #6
unSpawn
> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
Maybe OT, but do you run MLS for a specific reason? (I have an FC6 box but I can't remember it offering me MLS at the time...) Maybe relabelling could be the easy way out.
 
Old 08-08-2007, 05:45 AM   #7
PhilTR
unSpawn, I hate to admit this but, I don't have a clue as to what a 'MLS module' is. I've played around the edges of linux for the past two or so years and only recently have tried to get into the thick of things.

I 'upgraded' from FedoraCore4 to FedoraCore6. Not sure that was wise but I have tinkered a lot and so have much I don't want to revisit. I run 'Software Updater' weekly and accept all updates. I prefer 'updater' due to its ability to deal with dependencies. (Gawd, I feel like I'm at an AA meeting! he says sheepishly). Early on they drove me nuts. Using 'updater' seemed to keep my life uncomplicated and so I stuck with it accepting all SELinux policy updates w/o question. As far as I know I'm pretty much running a default OS which is why I'm a bit puzzled by these issues. I do include livna and freshrpms when updating.

I'm trying to run down these niggling issues so I can go on to VMware and maybe Beryl. One other issue that's been bugging me is that my system can't seem to kill 'nscd' services on shutdown but, that's for another post.

When I re-enabled SELinux, didn't that 're-label'? For now I want to re-enable SELinux and maybe along the way get a better understanding of its functioning and of course my OS. Hopefully others can benefit from my pain. phil

Last edited by PhilTR; 08-08-2007 at 09:02 AM.
 
Old 08-08-2007, 12:23 PM   #8
unSpawn
> I don't have a clue as to what a 'MLS module' is.
It stands for "Multi-Level Security".

> I 'upgraded' from FedoraCore4 to FedoraCore6. Not sure that was wise
Yes it was: FC4 is unmaintained and F6 isn't (yet).

> When I re-enabled SELinux, didn't that 're-label'?
AFAIK not automagically.
 
Old 08-08-2007, 01:06 PM   #9
PhilTR
Well I've heard some grumblings about upgrades as opposed to clean installs. Mine seemed to go uneventfully, I think.

After reading Morris' article it looks like I'll be doing some more digging. First the SELinux faq.

Also:
[philtr@philsfc6 ~]$ rpm -q selinux-policy
selinux-policy-2.4.6-80.fc6
[philtr@philsfc6 ~]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-2.4.6-80.fc6

[philtr@philsfc6 ~]$ rpm -q selinux-policy-mls
package selinux-policy-mls is not installed

[philtr@philsfc6 ~]$ rpm -q selinux-policy-strict
package selinux-policy-strict is not installed

And I don't know how I got a 'MLS base'. I sure didn't order it!

Also,

[root@philsfc6 ~]# system-config-securitylevel
bad image index
/usr/share/system-config-securitylevel/securitylevel.py:498: GtkWarning: Icon cache '/usr/share/icons/hicolor/icon-theme.cache' is invalid

self.mainWindow.show_all()

I had a similar issue when trying to run 'gedit' from the command prompt which told me that 'icon-theme.cache' was invalid. I made a copy of the file and deleted the original then renamed the copy. The problem as far as gedit resolved.

Hmmmmm...got the old problem with gedit back. bummer.

phil

Last edited by PhilTR; 08-08-2007 at 02:46 PM.
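
Added example, not part of the thread and not either poster's code: one way to see which policy type a box is configured for and whether the loaded policy is MLS-enabled, the property the "MLS base" wording in the libsepol error refers to. The sample files are constructed, the function names are hypothetical, and /selinux/mls as the flag's location on a system of this era is an assumption (newer kernels mount selinuxfs at /sys/fs/selinux).

```shell
#!/bin/sh
# Added example: report the configured policy type and the MLS flag of the
# loaded policy. Paths are parameters so it runs against sample files;
# on a real box they would be /etc/selinux/config and /selinux/mls (assumed).

# Constructed sample inputs (not the poster's files).
make_samples() {   # make_samples DIR
    printf '# constructed sample\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$1/config"
    printf '1\n' > "$1/mls"
}

# Value of KEY=... from the config file, ignoring comments and whitespace.
conf_value() {   # conf_value KEY FILE
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2" | tail -n 1
}

policy_report() {   # policy_report CONFIG_FILE MLS_FLAG_FILE
    mode=$(conf_value SELINUX "$1")
    ptype=$(conf_value SELINUXTYPE "$1")
    mls=unknown
    if [ -r "$2" ]; then mls=$(tr -d '[:space:]' < "$2"); fi
    echo "mode=${mode:-unset} type=${ptype:-unset} mls=$mls"
}

# Flags for compiling a local module by hand: checkmodule's -M enables MLS,
# which a base policy with the MLS flag set requires of every linked module.
checkmodule_flags() {   # checkmodule_flags MLS_FLAG_FILE
    if [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]; then
        echo "-M -m"
    else
        echo "-m"
    fi
}

d=$(mktemp -d) && make_samples "$d" && policy_report "$d/config" "$d/mls"
rm -rf "$d"
```

The sample models a box whose config names the targeted policy while the loaded policy still reports the MLS flag, so the configured policy name and the flag are worth checking separately.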
 
Old 08-14-2007, 11:22 AM   #10
PhilTR
I've been able to narrow down the policies that seem to cause problems with my system. They're in 'SELinux, SELinux Service Protection' category.

There seem to be policies that affect five services: nfsd, nrpe, ntpd, portmap and rhgb. I need to re-verify but at the moment I'm burnt out. (Update-8-15-07) It seems that with 'openvpn' enforcing I'm not able to establish an internet connection. Disabling it allows me to connect to the internet.

When these services are protected with SELinux policies my system has problems and is not able to either run the service and/or takes forever to get to the login screen. nfs services and portmap are the two most obvious services affected.

To narrow down the possible suspects I first noted the settings in SELinux so that I could return the system to its current settings. Then I disabled every service that I could except in the 'other' category. I left all boxes that were checked allowed or that were unchecked and not a disabling box (in other words the unchecked allowed boxes). After checking all the disabling boxes I enabled SELinux and rebooted. If this didn't allow the system to boot in its usual time I was going to look at unchecking selected allowed boxes that seemed appropriate. Fortunately the system booted quickly and the login screen came up after what seemed a normal time interval.

I then began unchecking disabled boxes rechecking when the system hung.

In reading the SELinux faq for FC5 I noted that FC4 used 'MLS (multi-level security)' but was dropped for 'targeted' with FC5. I'm not sure that when I upgraded to FC6 the MLS was effectively removed/disabled. I'm not yet able to distinguish between a MLS policy and a targeted policy.

I'd appreciate any help. Thanks. phil

Last edited by PhilTR; 08-19-2007 at 05:08 PM.
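
Added example, not part of the thread and not either poster's code: instead of switching service protections off one at a time, the denials recorded in the audit log can be grouped by the confined domain that was blocked, which names the affected services directly. The log records below are constructed samples in audit.log format, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: count SELinux AVC denials per (source type, target type, class).

# Constructed sample records (not taken from the poster's log).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1186570000.101:21): avc:  denied  { search } for  pid=1801 comm="portmap" name="run" dev=dm-0 ino=1234 scontext=system_u:system_r:portmap_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1186570000.202:22): avc:  denied  { read write } for  pid=1899 comm="rpc.nfsd" name="rmtab" dev=dm-0 ino=2345 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1186570000.202:22): arch=40000003 syscall=5 success=no exit=-13 comm="rpc.nfsd"
type=AVC msg=audit(1186570001.303:23): avc:  denied  { read write } for  pid=1899 comm="rpc.nfsd" name="etab" dev=dm-0 ino=2346 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1186570002.404:24): avc:  granted  { setenforce } for  pid=2001 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
EOF
}

# Reads audit records on stdin; prints "count source_type target_type class",
# most frequent first. The type is the third colon-separated field of a
# context, whether or not an MLS level (such as s0) follows it.
avc_summary() {
    awk '
    / avc: +denied / {
        src = tgt = cls = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), c, ":"); src = c[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n[src " " tgt " " cls]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# A target type of file_t generally marks a file that never received a label,
# which points at relabelling rather than at a missing allow rule.
sample_audit_log | avc_summary
```

On a live system the input would be the audit log itself, for example avc_summary < /var/log/audit/audit.log run as root.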
 
Old 08-15-2007, 03:39 PM   #11
PhilTR
A bit more. In the process of using my system I discovered that I could not print or even access "System, Printing" menu. Disabling all SELinux Printing policies allowed me to resume printing. phil
 
Old 08-15-2007, 04:39 PM   #12
unSpawn
While it wouldn't hurt it's a bit of a sledgehammer thing, but how about a full system relabelling?
 
Old 08-16-2007, 08:19 PM   #13
PhilTR
I did:

[root@philsfc6 philtr]# fixfiles relabel

before going through the policy 'disable' exercise w/o a good outcome. Would it make any difference if I did it again now? Would the above command be sufficient? I can't think of any harm that could be done. I'd crap if I trashed my sys tho even though like Jesus, I save. Thanks. phil

Last edited by PhilTR; 08-19-2007 at 05:05 PM.
 
Old 08-19-2007, 08:40 AM   #14
unSpawn
> Would it make any difference if I did it again now?
No, I guess not. I tried to find anything about this on Fedora Core 6 or CentOS-5 but I couldn't find anything to replicate this error with.

For some reason I can imagine the upgrade from FC4 to FC6 somehow didn't cover it all, so one approach could be to eradicate everything SELinux* from your box (should unlabel everything I hope), make sure all references and files are erased, and then reinstall those packages again. Of course there's no guarantee it will work, so before you do best consult FC bugtracker and/or SELinux users mailing list.

Looking around for "libsepol.link_modules: Tried to link in a non-MLS module with an MLS base." related user reports I have seen some patches moving over the SELinux mailing list, but I doubt it fixed any of your problems since they were mostly (IIGC) 2006-ish or pertaining to another policy version. So if the above option is too radical for you then if there's a knob for turning this off I'd do that for now, at least you got your services working right then I hope, up the access restrictions a notch and post to FC bugtracker and/or SELinux users mailing list.
 
  

