I installed FC 8 a few days ago on Dell D410 and ran into problems with wireless. Looks like wireless either connects to a public non-encrypted network and instantly drops the connection or never establishes one. I get a constant message on top of the screen "SELinux AVC denial, click icon to view". When I click the icon, the summary of the problem is "SELinux is preventing ifdown-ipv6 (hotplug_t) "search" to ./net (proc_net_t)." It recommends running restorecon -v './net' but when I do, restorecon complains of "No such file or directory" ("find" turns up a bunch of different "net" directories all over the file system. "man restorecon" doesn't really help).

I found a weird workaround though: if I turn off netplugd, followed by "ifdown eth1; ifup eth1" (as root) "SELinux AVC denial" messages stop and wireless network connection works fine. But then I have to manually restart network connection every time. How do I get my wireless to work normally? It's using Intel 2200BG on-board wireless (Controlled by: Network Manager, DHCP, Automatically obtain DNS from provider, Mode: auto, SSID: auto, Transmit rate: auto, Key: [blank])

If you look in /var/log/messages you'll find 'sealert -l' messages which might hold an explanation. If you don't care for explanations you could probably 'audit2allow < /var/log/messages' and build a local policy from that. Since you use Fedora it would be good to check their bugtracker and see if you could help Fedora advance by posting SELinux policy notes.

Thanks, unSpawn.
I pulled the offending messages from /var/log/messages, to the best of my ability followed instructions to build a local policy into kernel, rebooted the machine, but the problem did not go away. SELinux denials still pop up.

OK.
- What instructions did you follow or what commands did you use to build your local policy file?
- Can you verify the output from 'grep "avc:.*denied" /var/log/messages|audit2allow' matches your local policy source file (the plaintext file with the .te extension)?
- Can you verify your local policy module is loaded with 'semodule -l'?
- If the local policy is loaded, do the Sealert alerts still point to the same warnings you already loaded rules for?
- How many unique alerts are we talking about anyway 'awk '/sealert -l/ {print $NF}' /var/log/messages |uniq|wc -l'?
- And what are the warnings? (Only if less than 10, else please upload "/tmp/sealerts.expl" to some free hosting provider or pastebin and post the URI here: 'awk '/sealert -l/ {print $NF}' /var/log/messages |uniq|while read ID; do sealert -l $ID 2>&1; done | tee /tmp/sealerts.expl'.

Thanks again, unSpawn.
1) I copied Raw Audit Messages into /tmp/avcs and ran (as root, in /tmp) "audit2allow -M local < /tmp/avcs" and "semodule -i local.pp" (local.pp looked fine). That didn't help. Then I tried "audit2allow -m local -l -i /var/log/audit/audit.log > local.te", made sure local.te file looks fine, ran "checkmodule -M -m -o local.mod local.te", "semodule_package -o local.pp -m local.mod" and "semodule -i local.pp". Before rebooting I dropped this file "touch /.autorelabel". Did not help either.

2) grep "avc:.*denied" /var/log/audit/audit.log|audit2allow
#============= hotplug_t ==============
allow hotplug_t proc_net_t:dir search;
allow hotplug_t selfrocess ptrace;
allow hotplug_t sysctl_net_t:file write;

And here is what /tmp/local.te contains:
#============= hotplug_t ==============
allow hotplug_t selfrocess ptrace;
allow hotplug_t sysctl_net_t:file write;

As you see, "allow hotplug_t proc_net_t:dir search;" is not in /tmp/local.te .

3) 'semodule -l' does not show local policy.
4) "awk '/sealert -l/ {print $NF}' /var/log/messages |uniq|wc -l" results in 6438 alerts (not sure how to post them elsewhere)

6438 alerts is A LOT. What I meant with "post somewhere" is that this forum can't take posts with many lines. There are hosting providers you can upload files to temporarily and for free. If you have a large log you could decide to compress it, even encrypt it if necessary and upload. Then all you have to do is post the URI here. Pastebin or nopaste is "a collaborative debugging tool" but it would be easier to say it's a "public clipboard".

But first lets see what building your policy would do.


OK. unless you add that to your local policy template that ain't gonna work (and running 'checkmodule -M -m local.te' should show why). If this is a selfcontained policy file it should look like this (w/o the line numbers):
Rename it (right now it builds "vprice.pp") then start at checkmodule and on.

After 2 revisions of local.pp (the last change caused a new denial to pop up, I incorporated it as well) the SELinux messages finally stopped. Thanks for your help, unSpawn. Wireless still has some problems but since I am giving this laptop to my stepson for his birthday tomorrow he will have to wrestle with them himself (the laptop was an incentive for him to learn Linux).

Good to see it works.


Nice stimulus indeed. Just two things you should do in terms of aftercare IMHO: make a backup and tell him that no matter what (in general) things *can* be fixed.

Thanks. Naturally I backed up the most recent copy of local.te so that we could add to it later if need be. But backing up the entire system - that's a project my stepson will have to deal with...