Updating Selinux on Fedora C3 followed by strangeness

nevarlen · 06-27-2005, 09:21 PM

Hello all,
I have noticed strange messages in /var/log/messages about kernel audit. I just updated the selinux through yum, however this may not be the cause of it all. Below messages began to appear around 4am yesterday, whereas I have updated the selinux around noon today.. Also, I just finished installing jabberd server, may be relevant information. Everything gui-based seems to be broken. I can not access any modules through webmin, imap is inaccessible too. I get errors like ::::::
----------------------------------------------------------------------------------------------------
Error while checking current Postfix configuration. Please manually fix Postfix configuration.

sh: error while loading shared libraries: /lib/libdl.so.2: cannot apply additional memory protection after relocation: Permission denied

or

/usr/bin/mysql: error while loading shared libraries: /lib/libcrypt.so.1: cannot apply additional memory protection after relocation: Permission denied
-----------------------------------------------------------------------------------------------------

I have done pretty much everything suggested on this forums regarding to selinux upgrading problems, still no luck.
I would appreciate it if anyone can help me with this problem.

Kernel Errors::::::::::::::::
Yesterday's
---------------------------------------------------
Jun 26 04:02:56 kernel: audit(1119776576.041:0): avc: denied { search } for pid=24582 exe=/usr/bin/python name=run
dev=hda1 ino=6897700 scontext=system_u:system_r:mailman_mail_t tcontext=system_u

bject_r:var_run_t tclass=dir
Jun 26 04:02:56 kernel: audit(1119776576.042:0): avc: denied { search } for pid=24582 exe=/usr/bin/python name=run
dev=hda1 ino=6897700 scontext=system_u:system_r:mailman_mail_t tcontext=system_u

bject_r:var_run_t tclass=dir
Jun 26 04:02:56 last message repeated 2 times
Jun 26 04:02:56 kernel: audit(1119776576.043:0): avc: denied { search } for pid=24582 exe=/usr/bin/python name=run
dev=hda1 ino=6897700 scontext=system_u:system_r:mailman_mail_t tcontext=system_u

bject_r:var_run_t tclass=dir
Jun 26 04:02:56 kernel: audit(1119776576.043:0): avc: denied { search } for pid=24582 exe=/usr/bin/python name=run
dev=hda1 ino=6897700 scontext=system_u:system_r:mailman_mail_t tcontext=system_u

bject_r:var_run_t tclass=dir
----------------------------------------------------------
Today's
---------------------------------------------------------
Jun 27 08:25:02 gconfd (root-19994): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source
at position 1
Jun 27 08:25:02 gconfd (root-19994): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only con
figuration source at position 2
Jun 27 08:25:04 gconfd (root-19994): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source
at position 0
Jun 27 08:26:10 kernel: audit(1119878770.925:0): avc: granted { load_policy } for pid=20090 exe=/usr/sbin/load_pol
icy scontext=root:sysadm_r:unconfined_t tcontext=system_u

bject_r:security_t tclass=security
Jun 27 08:26:10 kernel: security: 3 users, 4 roles, 345 types, 30 bools
Jun 27 08:26:10 kernel: security: 55 classes, 15014 rules
Jun 27 08:35:56 kernel: audit(1119879356.167:0): avc: denied { execmod } for pid=20222 comm=sh path=/lib/libdl-2.3
.5.so dev=hda1 ino=12894237 scontext=user_u:system_r:unconfined_t tcontext=system_u

bject_r:lib_t tclass=file
Jun 27 08:35:58 kernel: audit(1119879358.421:0): avc: denied { execmod } for pid=20225 comm=sh path=/lib/libdl-2.3
.5.so dev=hda1 ino=12894237 scontext=user_u:system_r:unconfined_t tcontext=system_u

bject_r:lib_t tclass=file
Jun 27 08:40:28 kernel: audit(1119879628.187:0): avc: denied { execmod } for pid=20252 comm=sh path=/lib/libdl-2.3
.5.so dev=hda1 ino=12894237 scontext=user_u:system_r:unconfined_t tcontext=system_u

bject_r:lib_t tclass=file
Jun 27 09:00:01 kernel: audit(1119880801.631:0): avc: denied { execmod } for pid=21247 comm=crond path=/lib/libnsl
-2.3.5.so dev=hda1 ino=12894258 scontext=user_u:system_r:unconfined_t tcontext=system_u

bject_r:lib_t tclass=file
Jun 27 09:25:34 su[21262]: Warning! Could not relabel /dev/pts/1 with user_u

bject_r:devpts_t, not relabeling.Opera
tion not permitted

ldbobby · 06-28-2005, 01:37 AM

I'm getting the same "denied { execmod } errors after updating selinux. Have no clue what to do, I'd appreciate the help also. Thanks.

I get:

audit(1119916123.162:0): avc: denied { execmod } for pid=1 comm=init path=/lib/tls/libc-2.3.5.so dev=hda5 ino=651567 scontext=user_u:system_r:unconfined_t tcontext=root

bject_r:lib_t tclass=file
/sbin/init: error while loading shared libraries: /lib/tls/libc.so.6: cannot apply additional memory protection after relocation: Permission denied
Kernel panic - not syncing: Attempted to kill init!

nevarlen · 06-28-2005, 09:45 AM

ldbobby,
I guess the only solution is to downgrade the selinux. I digged around /var/cache/yum/updates-released/packages/ and found the earlier version of selinux I had. I first removed the current version by rpm -e /var/cache/yum/updates-released/packages/ currentversion, then rpm -i /var/cache/yum/updates-released/packages/ oldversion. If you, for some reason, can not find the old version in your package repository, you can always find it online. Finally, reboot (I had to hard-reset the machine)..
Hope this helps..

ldbobby · 06-28-2005, 12:20 PM

Thanks for the suggestion nevarlen. Unfortunately I cannot get into a terminal. I can't get it to boot with init 1 or 3 or 5. Are there any other ways to get into the system so I can perform the downgrade? Thanks!

-- Edit
Acutally, I can boot from the CD and try to fix this. Dur.

nevarlen · 06-28-2005, 12:23 PM

I am assuming you have another machine with a cd-burner, if so just download and burn the fedora rescue disk from fedora mirrors. This will let you get on system where you can remove the old selinux and replace it with new one.

------------------------------------------------
oops, missed the last line in your message. I hope it is all working fine for you..

ldbobby · 06-28-2005, 01:17 PM

I'm actually at work and without a CD drive. But I've found that you can add "selinux=0" into the kernel parameters and it'll boot up just fine =D. Thanks for the info, on my way to fix it now.

lumbrjackedpcj · 06-29-2005, 09:04 PM

yeh i just updated selinux stuff and wont even let me boot!!!!! wtf!!!! anyways yeh selinux=0 as a boot parameter works. fedora should really get these bugs worked out

toddman_015 · 06-30-2005, 12:49 PM

I am having the same issue. How/where is "selinux=0" added to the kernel parameters?

Thanks!

lumbrjackedpcj · 06-30-2005, 09:00 PM

i see that they updated the selinux policy today and theres an update. not sure if it works yet. but ok here goes..... during boot, when you are brought to the grub screen(where you can select which kernel you want to use and if you want to dual boot into windows(if you have windows)) if you have multiple kernels installed, move the up-down arrow keys so that the cursor is over the kernel boot config you want to edit. once the cursor is over your kernel selection press 'e'. press the down arrow key so that it selects the second option that appears next. now add to the end of that line selinux=0 now once that is added press 'b' for boot. this will boot your kernel. once you boot up edit the file /boot/grub/menu.lst and add the selinux=0 option to the kernel that you normally boot. this is what part of my file looks like:

kernel /boot/vmlinuz-2.6.11-0524 ro root=LABEL=/ rhgb quiet apm=off acpi=on resume2=swap:/dev/hda4 selinux=0

hope i was clear with that
good luck
Paul

jrbiochem · 07-01-2005, 06:08 AM

Hi all,

Just wanted to say that I had exactly this problem- thanks to Paul for the instruction, I was also cured by the selinux=0 option.

So that was a morning wasted- mental note, be careful what you update in Fedora.....

Jon

v00d00101 · 07-02-2005, 04:15 PM

This isnt strictly an FC3 issue. Im seeing the same problems on FC4.

It affects certain games like enemy territory, making punkbuster unable to run. The nvidia driver wouldnt install either.

My temporary solution which i really hate at present was to totally kill selinux. I do like the extra protection it offers, but i like playing games more.

nevarlen · 07-02-2005, 06:04 PM

Just a reminder for those who chose to boot with selinux=0, your penguin may not be as secure when you disable the selinux. So, better and more secure option is to revert the selinux back to a working version, rather than desabling it alltogether..

stabone · 07-05-2005, 01:20 AM

Yes thank you very much Paul for the tip on how to boot without the selinux. Now I'm going to do a backup ASAP.

thanks again