LinuxQuestions.org
Old 06-27-2005, 10:21 PM   #1
nevarlen
Member
 
Registered: Feb 2005
Distribution: Debian 3.x & Fedora Core 3, Debie on IBM Thinkpad
Posts: 68

Rep: Reputation: 15
Updating Selinux on Fedora C3 followed by strangeness


Hello all,
I have noticed strange messages in /var/log/messages about kernel audit. I just updated selinux through yum; however, this may not be the cause of it all. The messages below began to appear around 4am yesterday, whereas I updated selinux around noon today. Also, I just finished installing the jabberd server, which may be relevant information. Everything GUI-based seems to be broken. I cannot access any modules through webmin, and imap is inaccessible too. I get errors like:
----------------------------------------------------------------------------------------------------
Error while checking current Postfix configuration. Please manually fix Postfix configuration.

sh: error while loading shared libraries: /lib/libdl.so.2: cannot apply additional memory protection after relocation: Permission denied

or

/usr/bin/mysql: error while loading shared libraries: /lib/libcrypt.so.1: cannot apply additional memory protection after relocation: Permission denied
-----------------------------------------------------------------------------------------------------

I have done pretty much everything suggested on this forum regarding selinux upgrading problems, but still no luck.
I would appreciate it if anyone can help me with this problem.

Kernel Errors::::::::::::::::
Yesterday's
---------------------------------------------------
Jun 26 04:02:56 kernel: audit(1119776576.041:0): avc: denied { search } for pid=24582 exe=/usr/bin/python name=run dev=hda1 ino=6897700 scontext=system_u:system_r:mailman_mail_t tcontext=system_u:object_r:var_run_t tclass=dir
Jun 26 04:02:56 kernel: audit(1119776576.042:0): avc: denied { search } for pid=24582 exe=/usr/bin/python name=run dev=hda1 ino=6897700 scontext=system_u:system_r:mailman_mail_t tcontext=system_u:object_r:var_run_t tclass=dir
Jun 26 04:02:56 last message repeated 2 times
Jun 26 04:02:56 kernel: audit(1119776576.043:0): avc: denied { search } for pid=24582 exe=/usr/bin/python name=run dev=hda1 ino=6897700 scontext=system_u:system_r:mailman_mail_t tcontext=system_u:object_r:var_run_t tclass=dir
Jun 26 04:02:56 kernel: audit(1119776576.043:0): avc: denied { search } for pid=24582 exe=/usr/bin/python name=run dev=hda1 ino=6897700 scontext=system_u:system_r:mailman_mail_t tcontext=system_u:object_r:var_run_t tclass=dir
----------------------------------------------------------
Today's
---------------------------------------------------------
Jun 27 08:25:02 gconfd (root-19994): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 1
Jun 27 08:25:02 gconfd (root-19994): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Jun 27 08:25:04 gconfd (root-19994): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 0
Jun 27 08:26:10 kernel: audit(1119878770.925:0): avc: granted { load_policy } for pid=20090 exe=/usr/sbin/load_policy scontext=root:sysadm_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Jun 27 08:26:10 kernel: security: 3 users, 4 roles, 345 types, 30 bools
Jun 27 08:26:10 kernel: security: 55 classes, 15014 rules
Jun 27 08:35:56 kernel: audit(1119879356.167:0): avc: denied { execmod } for pid=20222 comm=sh path=/lib/libdl-2.3.5.so dev=hda1 ino=12894237 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
Jun 27 08:35:58 kernel: audit(1119879358.421:0): avc: denied { execmod } for pid=20225 comm=sh path=/lib/libdl-2.3.5.so dev=hda1 ino=12894237 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
Jun 27 08:40:28 kernel: audit(1119879628.187:0): avc: denied { execmod } for pid=20252 comm=sh path=/lib/libdl-2.3.5.so dev=hda1 ino=12894237 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
Jun 27 09:00:01 kernel: audit(1119880801.631:0): avc: denied { execmod } for pid=21247 comm=crond path=/lib/libnsl-2.3.5.so dev=hda1 ino=12894258 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
Jun 27 09:25:34 su[21262]: Warning! Could not relabel /dev/pts/1 with user_u:object_r:devpts_t, not relabeling.Operation not permitted
 
Old 06-28-2005, 02:37 AM   #2
ldbobby
LQ Newbie
 
Registered: Dec 2004
Distribution: FC3
Posts: 8

Rep: Reputation: 0
I'm getting the same "denied { execmod }" errors after updating selinux. Have no clue what to do, I'd appreciate the help also. Thanks.

I get:

audit(1119916123.162:0): avc: denied { execmod } for pid=1 comm=init path=/lib/tls/libc-2.3.5.so dev=hda5 ino=651567 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:lib_t tclass=file
/sbin/init: error while loading shared libraries: /lib/tls/libc.so.6: cannot apply additional memory protection after relocation: Permission denied
Kernel panic - not syncing: Attempted to kill init!

Last edited by ldbobby; 06-28-2005 at 02:51 AM.
 
Old 06-28-2005, 10:45 AM   #3
nevarlen
Member
 
Registered: Feb 2005
Distribution: Debian 3.x & Fedora Core 3, Debie on IBM Thinkpad
Posts: 68

Original Poster
Rep: Reputation: 15
ldbobby,
I guess the only solution is to downgrade the selinux. I dug around /var/cache/yum/updates-released/packages/ and found the earlier version of selinux I had. I first removed the current version by rpm -e /var/cache/yum/updates-released/packages/ currentversion, then rpm -i /var/cache/yum/updates-released/packages/ oldversion. If you, for some reason, cannot find the old version in your package repository, you can always find it online. Finally, reboot (I had to hard-reset the machine).
Hope this helps..
 
Old 06-28-2005, 01:20 PM   #4
ldbobby
LQ Newbie
 
Registered: Dec 2004
Distribution: FC3
Posts: 8

Rep: Reputation: 0
Thanks for the suggestion nevarlen. Unfortunately I cannot get into a terminal. I can't get it to boot with init 1 or 3 or 5. Are there any other ways to get into the system so I can perform the downgrade? Thanks!

-- Edit
Actually, I can boot from the CD and try to fix this. Dur.

Last edited by ldbobby; 06-28-2005 at 01:23 PM.
 
Old 06-28-2005, 01:23 PM   #5
nevarlen
Member
 
Registered: Feb 2005
Distribution: Debian 3.x & Fedora Core 3, Debie on IBM Thinkpad
Posts: 68

Original Poster
Rep: Reputation: 15
I am assuming you have another machine with a cd-burner, if so just download and burn the fedora rescue disk from fedora mirrors. This will let you get on system where you can remove the old selinux and replace it with new one.

------------------------------------------------
oops, missed the last line in your message. I hope it is all working fine for you..

Last edited by nevarlen; 06-28-2005 at 01:25 PM.
 
Old 06-28-2005, 02:17 PM   #6
ldbobby
LQ Newbie
 
Registered: Dec 2004
Distribution: FC3
Posts: 8

Rep: Reputation: 0
I'm actually at work and without a CD drive. But I've found that you can add "selinux=0" into the kernel parameters and it'll boot up just fine =D. Thanks for the info, on my way to fix it now.
 
Old 06-29-2005, 10:04 PM   #7
lumbrjackedpcj
Member
 
Registered: May 2004
Posts: 45

Rep: Reputation: 15
same problem

yeh i just updated selinux stuff and it won't even let me boot!!!!! wtf!!!! anyways yeh selinux=0 as a boot parameter works. fedora should really get these bugs worked out
 
Old 06-30-2005, 01:49 PM   #8
toddman_015
LQ Newbie
 
Registered: Jun 2005
Location: Davis, CA
Distribution: FC3
Posts: 1

Rep: Reputation: 0
Question

I am having the same issue. How/where is "selinux=0" added to the kernel parameters?

Thanks!
 
Old 06-30-2005, 10:00 PM   #9
lumbrjackedpcj
Member
 
Registered: May 2004
Posts: 45

Rep: Reputation: 15
hope this helps

i see that they updated the selinux policy today and there's an update. not sure if it works yet. but ok here goes..... during boot, when you are brought to the grub screen (where you can select which kernel you want to use and if you want to dual boot into windows (if you have windows)), if you have multiple kernels installed, move the up-down arrow keys so that the cursor is over the kernel boot config you want to edit. once the cursor is over your kernel selection press 'e'. press the down arrow key so that it selects the second option that appears next. now add selinux=0 to the end of that line. once that is added press 'b' for boot. this will boot your kernel. once you boot up, edit the file /boot/grub/menu.lst and add the selinux=0 option to the kernel that you normally boot. this is what part of my file looks like:

kernel /boot/vmlinuz-2.6.11-0524 ro root=LABEL=/ rhgb quiet apm=off acpi=on resume2=swap:/dev/hda4 selinux=0

hope i was clear with that
good luck
Paul
 
Old 07-01-2005, 07:08 AM   #10
jrbiochem
Member
 
Registered: Apr 2004
Location: Dundee, Scotland
Distribution: Fedora Core 2
Posts: 57

Rep: Reputation: 15
Hi all,

Just wanted to say that I had exactly this problem- thanks to Paul for the instruction, I was also cured by the selinux=0 option.

So that was a morning wasted- mental note, be careful what you update in Fedora.....

Jon
 
Old 07-02-2005, 05:15 PM   #11
v00d00101
Member
 
Registered: Jun 2003
Location: UK
Distribution: Fedora 8, Centos 5.1
Posts: 480

Rep: Reputation: 30
This isn't strictly an FC3 issue. I'm seeing the same problems on FC4.

It affects certain games like enemy territory, making punkbuster unable to run. The nvidia driver wouldn't install either.

My temporary solution, which I really hate at present, was to totally kill selinux. I do like the extra protection it offers, but I like playing games more.
 
Old 07-02-2005, 07:04 PM   #12
nevarlen
Member
 
Registered: Feb 2005
Distribution: Debian 3.x & Fedora Core 3, Debie on IBM Thinkpad
Posts: 68

Original Poster
Rep: Reputation: 15
Just a reminder for those who chose to boot with selinux=0: your penguin may not be as secure when you disable selinux. So, the better and more secure option is to revert selinux back to a working version, rather than disabling it altogether.
 
Old 07-05-2005, 02:20 AM   #13
stabone
LQ Newbie
 
Registered: Mar 2005
Posts: 2

Rep: Reputation: 0
Yes thank you very much Paul for the tip on how to boot without the selinux. Now I'm going to do a backup ASAP.

thanks again
 
  

