SELinux and problems with glibc upgrade, apt, nVidia, ntp...

Postby Void Main » Tue Jan 04, 2005 9:22 pm

Over the last month there have been several people coming to me with a lot of funky problems that I have never encountered and it seemed the more we would dig the more I would be left scratching my head. People were having problems with apt, problems with glibc upgrades that caused cascades of other problems, problems with nVidia driver installs, problems with ntpd not working, and possibly other issues that I had never experienced, and I run quite a variety of FC3 installations.

One thing that never came up in my questioning or troubleshooting of the problems was SELinux. I don't run it on any of my installations and never thought to check if the people were running it that I was trying to help. I am reasonably certain at this point that all of the above mentioned problems that left me scratching my head were SELinux related after seeing a few threads on FedoraForum.org. My suggestion is that if you don't know what SELinux is and how it's configured (like me) then save yourself a little headache and turn it off. You can run the "system-config-securitylevel" command and click the SELinux tab and turn it off (you have to reboot after doing so). I'm not saying that it wouldn't be a good idea to learn about SELinux and use it once you understand what you are doing, just that it could cause you major headaches if you don't know what you are doing.

If you do decide to use SELinux I would at *least* suggest becoming very familiar with all of the contents of the FC3 SELinux FAQ:

http://fedora.redhat.com/docs/selinux-faq-fc3/

Turning it off will certainly become one of the steps in my trying to help people with their troubleshooting from now on.
Void Main
Site Admin
Posts: 5705
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Postby worker201 » Wed Jan 05, 2005 2:08 am

Well, that answers a few things, doesn't it? I knew that's what SELinux was for, but I guess I never considered all the different things it would impact. Affecting the ntp daemon is apparently not the only problem either. The su command now does additional things, which can make your SELinux troubles even worse. And a performance drop of SEVEN PERCENT!!!! Even though I could fix SELinux to work for me, it's too much hassle to bother with. It's a good idea, but it isn't ready for the daily user yet.
worker201
guru
Posts: 668
Joined: Sun Jun 13, 2004 6:38 pm
Location: Hawaii

Postby Void Main » Wed Jan 05, 2005 10:01 am

It's probably way more trouble than it's worth for desktop/laptop type systems (user systems). It certainly may be a worthwhile investment on servers though. The reason I say this is because they (Fedora) have the policies targeted more toward server services that may be exploited. Services that you normally don't want to run on client machines anyway, and the ones that you do run on a client usually are configured by default only to bind to the loopback address, so running SELinux policies on these systems gives you little benefit and a lot of headache. That and the 7% CPU hit and I say don't install it unless you really know what you are doing and that you want it.
Void Main
Site Admin
Posts: 5705
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Postby Tux » Thu Jan 06, 2005 6:56 am

My system has been a rolling apt upgrade from FC1 through to FC3 and I have SELinux running without any noticeable problems. But, reading about that performance hit, I think it is time for it to go :)

CORRECTION: I'm not running it. Must have turned it off in the past.
Tux
guru
Posts: 689
Joined: Wed Jan 08, 2003 10:40 am

Postby Void Main » Thu Jan 06, 2005 8:39 am

Tux wrote: CORRECTION: I'm not running it. Must have turned it off in the past.

If you did an "upgrade" (like I did on most of mine) it wouldn't get installed. You would have to manually install it.
Void Main
Site Admin
Posts: 5705
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Postby Tux » Thu Jan 06, 2005 9:58 am

Really? That explains it.

The weird thing is that sometimes I get crazy SELinux related messages scrolling down the terminal when doing RPM operations.
Perhaps it is trying to run some macro that is failing :?
Tux
guru
Posts: 689
Joined: Wed Jan 08, 2003 10:40 am

Postby Void Main » Thu Jan 06, 2005 10:46 am

Tux wrote: Really? That explains it.

The weird thing is that sometimes I get crazy SELinux related messages scrolling down the terminal when doing RPM operations.
Perhaps it is trying to run some macro that is failing :?

I got those messages on the first machine I ever upgraded to FC3, but never on any others. I think it was because I had a "policy" rpm installed. I could have probably just removed the policy RPM but I think on that particular machine I ended up setting the "%__file_context_path %{nil}" in my macros file like mentioned here:

https://bugzilla.redhat.com/bugzilla/sh ... ?id=120279

Removing the policy RPMs is probably the best way to solve it though.
Void Main
Site Admin
Posts: 5705
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Postby Tux » Thu Jan 06, 2005 11:47 am

Odd. I had no policies installed, only libselinux.
I've gone ahead and changed /usr/lib/rpm/macros. I'll tell you if it has worked at a later date.

Thanks.
Maybe ;)
Tux
guru
Posts: 689
Joined: Wed Jan 08, 2003 10:40 am

Postby dishawjp » Thu Jan 06, 2005 8:25 pm

As many of you know, I've had more than my share of problems getting used to the SELinux policies and keeping things working properly. Without the help of this group, I might never have gotten some of them straightened out. But now both my oldest daughter and I are running it and, at least for the moment, it's working out OK.

I'm using the default "targeted" policy, and I guess that the reason I'm sticking with it for the time being is that I think that eventually it will become the standard.

To date, most of the problems I've had have had to do with learning about the /etc/udev/permissions.d/50-udev.permissions file and the /etc/udev/devices directory. I need to copy any new /dev entries like nvidia*, modem, and any others I may create in /dev to /etc/udev/devices. Permissions then have to be set in the /etc/udev/permissions.d/50-udev.permissions file, usually changing them from 660 to 666. Not too difficult if you remember to do it. For example, when I configured my modem and created the symlink "ln -s /dev/ttyS0 /dev/modem" I also had to "cp -a /dev/modem /etc/udev/devices". Then I had to edit my 50-udev.permissions file under "serial + dialup devices" and change the line
ttyS*:root:uucp:0660
to
ttyS*:root:uucp:0666
so that non-root users could control the modem.

I also had to do the same under dri devices for nvidia* and 3dfx* to give all users 3D. For some reason though, this is only necessary when I have my inittab set to runlevel 3. If it's set to runlevel 5, changing permissions on the video drivers isn't necessary. Voidmain said that that had something to do with root owning X permissions when you use the graphical boot but not otherwise (sorry if I totally mangled your explanation Voidmain).

Also, to get the nvidia driver working, I had to comment out two lines in my /etc/security/console.perms file which had referred to the dri driver.

I had one unexplained issue with a whole slew of files which may have had something to do with SELinux where after an update I had two versions of everything from bash and library files installed, about 24 or 25 total where I had to manually "rpm -q" each file, and then "rpm -e" the older version. I found out I had that problem when apt complained I had multiple versions of those installed and it listed the .rpms that had two versions installed.

On my daughter's computer, we had an issue where, when booting, we got a bunch of errors on various library files not having proper permissions, but were able to fix that by rebooting to single user mode and entering the command "fixfiles relabel" which corrected the SELinux problems there. I don't know what caused the problem, but the fix was simple enough.

It is also possible to get a file's context (and I really don't understand all this yet) by using the -Z flag on the ls command. For example:
Code:
[dishawjp@eunix ~]$ ls -Z /bin/bash
-rwxr-xr-x  root     root     system_u:object_r:shell_exec_t   /bin/bash
[dishawjp@eunix ~]$

and the contexts can be reset using the "setfiles" command, but I don't really understand that yet, and there's talk about doing work in SELinux in the "sysadmin_r" role which I also have no idea about getting to. I've been looking for decent material on a lot of this and haven't found what I'm looking for... an in-depth explanation for dummies.

The rpm -V command gives more output with SELinux enabled than otherwise. For example you always get an upper case "C" that you didn't get before, and this is not to be confused with the lower case "c" which indicates a configuration file. Below is a snippet from the command rpm -Va 'bin\/' showing both "C's":
Code:
........C   /usr/bin/texutil
........C   /usr/bin/tftopl
........C   /usr/bin/thumbpdf
........C   /usr/bin/tie
........C c /usr/bin/updmap
........C   /usr/bin/vftovp
........C   /usr/bin/virmpost
........C   /usr/bin/viromega
........C   /usr/bin/virptex
........C   /usr/bin/virtex

I know about the "S", "T", "5", "U", "G" and "M" codes, but don't get the "C".

As a side note, and I know enough to know that this is a good thing, the command never reports anything on the contents of my /bin directory. I occasionally run this command to see if there have been any unwanted changes to my /bin /sbin and /usr/bin directories that would indicate an intrusion.

I also get much more verbose output from the normal rpm -V command on library files than I was used to, for example:
Code:
[root@eunix ~]# rpm -V glibc-common | wc
   5039   10120  243427
[root@eunix ~]#

And if I'm reading this correctly, that's about 5000 lines! Most refer to missing doc files and other minor issues.

Anyway, I'm still groping (and grepping) my way through this SELinux stuff. I only understand a very little bit of it, probably just enough to be dangerous. My poor little Linux box sits here and quivers with fear every time I reach for the keyboard :shock: especially if there's a stack of beer cans (and especially if there's a pile of empty ones) within my reach :-)

But I think that I am learning and have been able, again with the help of you folks, to slog my way through the difficulties so far. I'm going to continue playing around with SELinux and hopefully learning a bit as I do. I will more than likely be running back here with new and worse problems along the way. But who knows, maybe some day I'll actually be able to give one of you folks a bit of advice on something.
<edit>
My wife just stopped up to see what I was writing and looked it over. Then she gave me a ration of stuff because I still can't get a DVD to play on our TV with a standard DVD player. We have separate VHS and DVD players and I can never figure out how to get the TV and the DVD player to talk to each other. She wouldn't buy the fact that there's no command line on those things. Am I the only retard who can deal with a command line but can never find my way through the maze of buttons on the multiple remotes and all those stupid menus? :oops:
</edit>

Jim Dishaw
dishawjp
administrator
Posts: 334
Joined: Thu Jan 23, 2003 9:05 am
Location: Central NY
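
One way to keep the rpm -V intrusion check from the post above usable with SELinux enabled, as an added example that is not from the thread or from rpm itself: it reads rpm -Va output and separates the SELinux context column from the columns that mean a file's bytes or metadata actually changed. It assumes the nine-column verify format shown in the post, with the ninth column "C" being the file-context check; the sample input is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: sort `rpm -Va` output so that an
# SELinux context-only mismatch (the "C" column) is not mistaken for a
# tampered binary when the output is used as an intrusion check.
# Assumptions: the nine-column flag field of FC3's rpm, whose ninth column
# "C" is the file-context check; 'S' size, 'M' mode, '5' MD5, 'D' device,
# 'L' symlink target, 'U' user, 'G' group, 'T' mtime; a lower-case "c"
# after the flags marks a %config file and "d" a documentation file.

classify_line() {
    # $1 is one verify line, e.g. "........C c /usr/bin/updmap".
    # Prints: <class> [<file|config|doc>] <path>
    line=$1
    path=${line##* }                    # last field: the path
    case "$line" in
        missing*) echo "missing $path"; return 0 ;;
    esac
    flags=${line%% *}                   # first field: the flag characters
    attr=file
    case "$line" in
        *" c "*) attr=config ;;
        *" d "*) attr=doc ;;
    esac
    case "$flags" in
        *5*)         echo "content-changed $attr $path" ;;   # MD5 differs: look closer
        *[SMDLUGT]*) echo "metadata-changed $attr $path" ;;  # size/mode/owner/mtime
        *C*)         echo "context-only $attr $path" ;;      # only the SELinux label
        *)           echo "clean $attr $path" ;;
    esac
}

count_class() {
    # $1 = class name; stdin = verify output. Prints how many lines fall in it.
    n=0
    while IFS= read -r l; do
        [ -z "$l" ] && continue
        case "$(classify_line "$l")" in "$1 "*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Constructed sample in the shape of the rpm -Va output quoted in the thread;
# the S.5....T. line is made up to show what a real content change looks like.
SAMPLE='........C   /usr/bin/texutil
........C c /usr/bin/updmap
S.5....T.   /usr/bin/some-binary
missing     /usr/share/doc/some-package/README'

printf '%s\n' "$SAMPLE" | while IFS= read -r l; do classify_line "$l"; done
```

On a real system, `rpm -Va | while IFS= read -r l; do classify_line "$l"; done | grep -v '^context-only'` leaves only the lines worth investigating.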

Postby Void Main » Thu Jan 06, 2005 9:02 pm

Heh heh, I solved that problem by going out and buying an all in one DVD and VCR player. I can figure out how to push the DVD button on the remote if I want to work the DVD player and push the VCR button if I want to work the VCR part.
Void Main
Site Admin
Posts: 5705
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

