Linux - Security forum, LinuxQuestions.org
SELinux is giving me fits. When enabled, 'nfs' services fail to start. Looking at messages in the system monitor, 'Can't open system message bus connection: Failed to connect to socket /var/run/dbus/system_bus_socket: Connection refused' is the first error message that jumps out at me. I've no idea what it means though.
I've had problems with SELinux since April. Disabling it seems to be a temporary/partial fix. I tried to enable it this morning only to have a repeat of old issues. I disabled it again and most issues seem to resolve. Of course, this is not ideal.
Since this forum will not allow me to post attachments, I've a copy of the messages log for the boot-up with and without SELinux enabled at: http://forums.fedoraforum.org/attach...chmentid=12985 (you may have to copy'n'paste the URL into your browser location field). Would someone please take a look at it and give me some idea as to how to get myself out of the woods here. I can post additional info as needed. Thanks. phil
[root@philsfc6 ~]# audit2allow -M mysemanage < /var/log/audit/audit.log; semodule -i mysemanage.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
Maybe OT, but do you run MLS for a specific reason? (I have an FC6 box but I can't remember it offering me MLS at the time...) Maybe relabelling could be the easy way out.
unSpawn, I hate to admit this, but I don't have a clue as to what an 'MLS module' is. I've played around the edges of Linux for the past two or so years and only recently have tried to get into the thick of things.
I 'upgraded' from FedoraCore4 to FedoraCore6. Not sure that was wise, but I have tinkered a lot and so have much I don't want to revisit. I run 'Software Updater' weekly and accept all updates. I prefer 'updater' due to its ability to deal with dependencies. (Gawd, I feel like I'm at an AA meeting! he says sheepishly). Early on they drove me nuts. Using 'updater' seemed to keep my life uncomplicated and so I stuck with it, accepting all SELinux policy updates w/o question. As far as I know I'm pretty much running a default OS, which is why I'm a bit puzzled by these issues. I do include livna and freshrpms when updating.
I'm trying to run down these niggling issues so I can go on to VMware and maybe Beryl. One other issue that's been bugging me is that my system can't seem to kill 'nscd' services on shutdown, but that's for another post.
When I re-enabled SELinux, didn't that 're-label'? For now I want to re-enable SELinux and maybe along the way get a better understanding of its functioning and of course my OS. Hopefully others can benefit from my pain. phil
[philtr@philsfc6 ~]$ rpm -q selinux-policy-mls
package selinux-policy-mls is not installed
[philtr@philsfc6 ~]$ rpm -q selinux-policy-strict
package selinux-policy-strict is not installed
And I don't know how I got a 'MLS base'. I sure didn't order it!
[root@philsfc6 ~]# system-config-securitylevel
bad image index
/usr/share/system-config-securitylevel/securitylevel.py:498: GtkWarning: Icon cache '/usr/share/icons/hicolor/icon-theme.cache' is invalid
I had a similar issue when trying to run 'gedit' from the command prompt, which told me that 'icon-theme.cache' was invalid. I made a copy of the file and deleted the original, then renamed the copy. The problem, as far as gedit goes, was resolved.
Hmmmmm...got the old problem with gedit back. Bummer.
I've been able to narrow down the policies that seem to cause problems with my system. They're in the 'SELinux, SELinux Service Protection' category.
There seem to be policies that affect five services: nfsd, nrpe, ntpd, portmap and rhgb. I need to re-verify, but at the moment I'm burnt out. (Update 8-15-07) It seems that with 'openvpn' enforcing I'm not able to establish an internet connection. Disabling it allows me to connect to the internet.
When these services are protected with SELinux policies my system has problems and is not able to either run the service and/or takes forever to get to the login screen. nfs services and portmap are the two most obvious services affected.
To narrow down the possible suspects I first noted the settings in SELinux so that I could return the system to its current settings. Then I disabled every service that I could except in the 'other' category. I left all boxes that were checked allowed or that were unchecked and not a disabling box (in other words the unchecked allowed boxes). After checking all the disabling boxes I enabled SELinux and rebooted. If this didn't allow the system to boot in its usual time I was going to look at unchecking selected allowed boxes that seemed appropriate. Fortunately the system booted quickly and the login screen came up after what seemed a normal time interval.
I then began unchecking disabled boxes rechecking when the system hung.
In reading the SELinux FAQ for FC5 I noted that FC4 used 'MLS (multi-level security)' but that it was dropped for 'targeted' with FC5. I'm not sure that when I upgraded to FC6 the MLS was effectively removed/disabled. I'm not yet able to distinguish between an MLS policy and a targeted policy.
before going through the policy 'disable' exercise w/o a good outcome. Would it make any difference if I did it again now? Would the above command be sufficient? I can't think of any harm that could be done. I'd crap if I trashed my sys though, even though, like Jesus, I save. Thanks. phil
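Two things in this thread can be checked from the audit log alone: which confined services are actually being denied (the nfsd/portmap/ntpd narrowing-down done by hand above) and why libsepol calls the base policy an "MLS base" when audit2allow -M fails. The following is an added shell example, not code from the thread or from Fedora: it parses a constructed sample of audit.log AVC records (the records, the avc_summary and mls_base names are assumptions) to tally denials per source domain, and reports whether contexts carry a level field such as :s0, which is what a policy built with MLS support adds to every label.

```shell
# Constructed sample of /var/log/audit/audit.log AVC records (not the log
# linked in the thread); the field layout matches FC6-era records.
SAMPLE_AUDIT='type=AVC msg=audit(1187200000.123:45): avc:  denied  { name_bind } for  pid=2310 comm="rpc.nfsd" src=2049 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1187200000.123:45): arch=40000003 syscall=102 success=no exit=-13 comm="rpc.nfsd"
type=AVC msg=audit(1187200001.456:46): avc:  denied  { connectto } for  pid=2311 comm="portmap" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:portmap_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1187200002.789:47): avc:  denied  { read } for  pid=2312 comm="ntpd" name="ntp.conf" dev=sda2 ino=1234 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1187200003.000:48): avc:  denied  { name_bind } for  pid=2310 comm="rpc.nfsd" src=2049 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# avc_summary: reads audit records on stdin and prints one line per
# (source domain, command, permission, class), most-denied first, so the
# confined service that is being blocked stands out even when audit2allow
# cannot build a module.
avc_summary() {
  awk '
    $1 == "type=AVC" && $0 ~ /denied/ {
      perm = ""; sdom = ""; cls = ""; comm = ""
      # the permission list sits between "{" and "}"
      if (match($0, /[{][^}]*[}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); sdom = c[3] }
        else if ($i ~ /^tclass=/) cls = substr($i, 8)
        else if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
      }
      n[sdom " " comm " " perm " " cls]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# mls_base: prints "yes" when the first AVC record's scontext has a fourth
# field (an MLS/MCS level such as :s0). A base policy built with MLS support
# labels everything with a level; that is the "MLS base" libsepol will not
# link a non-MLS module into. Prints "no" when contexts have no level field.
mls_base() {
  awk '$1 == "type=AVC" {
    for (i = 1; i <= NF; i++)
      if ($i ~ /^scontext=/) { print (split(substr($i, 10), c, ":") >= 4 ? "yes" : "no"); exit }
  }'
}

printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
printf 'MLS-enabled base policy: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT" | mls_base)"
```

On a real box, replace the sample with `cat /var/log/audit/audit.log | avc_summary`; the domains listed map directly onto the service-protection booleans being toggled by hand above.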
Would it make any difference if I did it again now?
No, I guess not. I tried to find anything about this on Fedora Core 6 or CentOS-5 but I couldn't find anything to replicate this error with.
For some reason I can imagine the upgrade from FC4 to FC6 somehow didn't cover it all, so one approach could be to eradicate everything SELinux* from your box (should unlabel everything, I hope), make sure all references and files are erased, and then reinstall those packages again. Of course there's no guarantee it will work, so before you do, best consult the FC bugtracker and/or the SELinux users mailing list.
Looking around for "libsepol.link_modules: Tried to link in a non-MLS module with an MLS base." related user reports, I have seen some patches moving over the SELinux mailing list, but I doubt they fixed any of your problems since they were mostly (IIGC) 2006-ish or pertaining to another policy version. So if the above option is too radical for you, then if there's a knob for turning this off I'd do that for now; at least you'd get your services working right then, I hope. Up the access restrictions a notch and post to the FC bugtracker and/or the SELinux users mailing list.