Old 10-04-2008, 06:50 PM   #1
Lord Estraven
Member
 
Registered: Aug 2004
Distribution: Pardus
Posts: 53

Rep: Reputation: 15
SELinux on Debian blocks dhcp, 3D


'lo again... I'm trying to set up SELinux on a Debian system but I keep running into problems with the default SELinux profile. Two problems specifically, networking doesn't work and OpenGL doesn't work.

On the networking front, I *can* run dhclient on eth0, and it appears to succeed, but I cannot connect to the internet or anything on the local network. NetworkManager likewise says that it can connect, but when I try to access any web page I just get "Page Not Found" or "Cannot Load While Offline".

With OpenGL - any application that uses GL (e.g. glxgears) segfaults on start. If I try to use LIBGL_ALWAYS_INDIRECT to make AIGLX handle it, then the X server crashes and restarts. glxinfo always works fine though, and tells me I have working 3D acceleration with no problems.

Can anyone tell me what I have to do to get networking and OpenGL working again? Is the problem with the Debian default SELinux configuration, or is it with the default configuration of dhclient and DRI?
 
Old 10-05-2008, 01:15 PM   #2
Lord Estraven
Member
 
Registered: Aug 2004
Distribution: Pardus
Posts: 53

Original Poster
Rep: Reputation: 15
Update

Okay this is strange - networking gets blocked with SELinux in "permissive" mode too, not just enforcing mode. Anyone?
 
Old 10-06-2008, 02:11 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,564
Blog Entries: 54

Rep: Reputation: 2928
If anything gets blocked by SE Linux you'll have logging.
Logging could help us determine what's going on.
 
Old 10-07-2008, 12:23 AM   #4
Lord Estraven
Member
 
Registered: Aug 2004
Distribution: Pardus
Posts: 53

Original Poster
Rep: Reputation: 15
FWIW which log file should I be looking in? kern.log?
 
Old 10-07-2008, 02:50 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,564
Blog Entries: 54

Rep: Reputation: 2928
AFAIK check audit.log first if you run auditd, else wherever Syslog dumps *.info to?
 
Old 10-07-2008, 12:22 PM   #6
Lord Estraven
Member
 
Registered: Aug 2004
Distribution: Pardus
Posts: 53

Original Poster
Rep: Reputation: 15
Okay, here's what auditd has to say about glxgears:

Quote:
type=AVC msg=audit(1223396408.851:25): avc: denied { execmem } for pid=3064 comm="glxgears" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1223396408.851:25): arch=40000003 syscall=192 success=no exit=-1302155264 a0=0 a1=a00000 a2=7 a3=22 items=0 ppid=3052 pid=3064 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4294967295 comm="glxgears" exe="/usr/bin/glxgears" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
I'll post the output for networkmanager as soon as it gets logged.

(FWIW, I loaded the SELinux .pp modules for dhcp and networkmanager... Those didn't seem to do anything though.)

[Edit: edited so as not to break formatting.]
 
Old 10-08-2008, 02:59 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,564
Blog Entries: 54

Rep: Reputation: 2928
In permissive mode things only get logged. The kind of "execmem" problem shown should be easy to correct with a local policy anyway. I'm much more interested in why some networking wouldn't work as you say. It would be good if any (SE Linux) logging shown for network-related errors were accompanied by exact application errors, iptables rules and diagnostics like ping, tcptraceroute and such.
 
Old 10-08-2008, 10:58 AM   #8
Lord Estraven
Member
 
Registered: Aug 2004
Distribution: Pardus
Posts: 53

Original Poster
Rep: Reputation: 15
Here we go:

Quote:
type=AVC msg=audit(1223408803.780:27): avc: denied { execute } for pid=435 comm="run-parts" name="bind" dev=sda2 ino=33912 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1223408803.780:27): arch=40000003 syscall=33 success=yes exit=0 a0=85fe020 a1=1 a2=85ff410 a3=85fe020 items=0 ppid=433 pid=435 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/bin/run-parts" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1223408803.781:28): avc: denied { execute_no_trans } for pid=437 comm="run-parts" path="/etc/resolvconf/update.d/bind" dev=sda2 ino=33912 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1223408803.781:28): arch=40000003 syscall=11 success=yes exit=0 a0=85fe020 a1=85fe008 a2=bfba00a8 a3=0 items=0 ppid=435 pid=437 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bind" exe="/bin/bash" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1223408803.814:29): avc: denied { execute_no_trans } for pid=443 comm="libc" path="/lib/resolvconf/list-records" dev=sda2 ino=254588 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1223408803.814:29): arch=40000003 syscall=11 success=yes exit=0 a0=805e7dc a1=805e808 a2=805e814 a3=872c23d items=0 ppid=441 pid=443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="list-records" exe="/bin/bash" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1223430318.045:30): avc: denied { execute } for pid=550 comm="run-parts" name="bind" dev=sda2 ino=33912 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1223430318.045:30): arch=40000003 syscall=33 success=yes exit=0 a0=89d0020 a1=1 a2=89d1410 a3=89d0020 items=0 ppid=544 pid=550 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/bin/run-parts" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1223430318.045:31): avc: denied { execute_no_trans } for pid=553 comm="run-parts" path="/etc/resolvconf/update.d/bind" dev=sda2 ino=33912 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1223430318.045:31): arch=40000003 syscall=11 success=yes exit=0 a0=89d0020 a1=89d0008 a2=bf979508 a3=0 items=0 ppid=550 pid=553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bind" exe="/bin/bash" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1223430318.069:32): avc: denied { execute_no_trans } for pid=557 comm="libc" path="/lib/resolvconf/list-records" dev=sda2 ino=254588 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1223430318.069:32): arch=40000003 syscall=11 success=yes exit=0 a0=805e7dc a1=805e808 a2=805e814 a3=8aaf345 items=0 ppid=555 pid=557 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="list-records" exe="/bin/bash" subj=system_u:system_r:dhcpc_t:s0 key=(null)
It looks to me as though NM is getting denied permission to use commands it needs... How do I fix this (if this is the problem)?
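
The "local policy" that unSpawn refers to in posts #7 and #9 is built from exactly the AVC records quoted in posts #6 and #8. As an added example (not code from the thread or from Debian's SELinux tooling), the script below does what audit2allow does at its core: it parses the denial records, drops the SYSCALL records that carry no denial, and merges the denials into one `allow` rule per source type, target type and object class. The sample input is a constructed subset of the records posted above, with the smiley damage in the contexts repaired to `system_u:object_r`.

```python
# Added example: turn AVC denial records into the allow rules a local
# Type Enforcement (.te) module would need. Not the thread's own code.
import re
from collections import defaultdict

# Constructed sample: a subset of the audit records quoted in this thread.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1223396408.851:25): avc: denied { execmem } for pid=3064 comm="glxgears" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1223396408.851:25): arch=40000003 syscall=192 success=no exit=-1302155264 a0=0 a1=a00000 a2=7 a3=22 items=0 ppid=3052 pid=3064 comm="glxgears" exe="/usr/bin/glxgears" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1223408803.780:27): avc: denied { execute } for pid=435 comm="run-parts" name="bind" dev=sda2 ino=33912 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1223408803.781:28): avc: denied { execute_no_trans } for pid=437 comm="run-parts" path="/etc/resolvconf/update.d/bind" dev=sda2 ino=33912 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1223408803.814:29): avc: denied { execute_no_trans } for pid=443 comm="libc" path="/lib/resolvconf/list-records" dev=sda2 ino=254588 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
"""

# Only AVC records contain "avc: denied { perms }" plus the two contexts and the class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(text):
    """Yield (source_type, target_type, tclass, {perms}) for every denial in text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types: nothing to allow
        # A context is user:role:type:level; the policy rule only needs the type.
        stype = m.group('scontext').split(':')[2]
        ttype = m.group('tcontext').split(':')[2]
        yield stype, ttype, m.group('tclass'), set(m.group('perms').split())

def allow_rules(text):
    """Merge denials into one 'allow' line per (source, target, class), sorted."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        merged[(stype, ttype, tclass)] |= perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    # Review each line before loading it: execmem on unconfined_t grants
    # writable+executable memory, and execute on etc_t is broader than the
    # single resolvconf hook that actually needs it.
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
```

The rules are the minimal grant that silences each denial, which is also why they deserve a second look: a boolean or a more specific file type for the resolvconf hooks is usually a tighter fix than allowing `dhcpc_t` to execute anything labelled `etc_t`.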
 
Old 10-08-2008, 03:05 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,564
Blog Entries: 54

Rep: Reputation: 2928
Like I said in my previous reply, most problems shown could be easily corrected with a local policy. However, for our understanding, maybe we should go back to the start and let you explain what sources guided you and what steps you took to enable SE Linux?..
 
Old 10-08-2008, 05:28 PM   #10
Lord Estraven
Member
 
Registered: Aug 2004
Distribution: Pardus
Posts: 53

Original Poster
Rep: Reputation: 15
Sources? Debian has a precompiled default policy...

I installed selinux-basics, selinux-policy-default, and some other tools; edited GRUB's menu.lst to append selinux=1 to the kopt line and ran update-grub; touched /.autorelabel; edited /etc/selinux/config so the SELinux mode would be "enforcing"; and rebooted. As far as I can tell the relabeling worked fine.
 