
Problem upgrading FC2 -> FC3: msg#00048

Subject: Problem upgrading FC2 -> FC3
Hi,

I upgraded my FC2 system (which did not have selinux enabled) to FC3.
After the upgrade selinux was not enabled.

First I tried to enable it by using system-config-securitylevel.  On
boot I got plenty of error messages on console (nothing showed up in the
system logs).  I immediately rebooted again with selinux disabled.

Next I installed selinux-policy-targeted-sources package and did:

cd /etc/selinux/targeted/src/policy 
make
make relabel

Now when I reboot things look quite ok except:

1)  Contrary to http://fedora.redhat.com/docs/selinux-faq-fc3/ pages:
id -Z shows:
root:system_r:unconfined_t
 (not root:sysadm_r:sysadm_t)

(After su -)

I tried only to remove and reinstall pam package (system-auth was
changed but there was no system-auth.rpmnew).  
This had no influence.

2) ISDN does not start correctly on boot:

First problem was that even without selinux the test in isdn rc-script
failed on:

isdnctrl list all >/dev/null 2>&1
    if [ $? = 0 ] ; then

(prints Can't open /dev/isdnctrl or /dev/isdn/isdnctrl: No such file or
directory)

I guess this is udev related problem?

However disabling this test it works without selinux.  With selinux I
get on boot:

kernel: audit(1100423485.839:0): avc:  denied  { create }
for  pid=2610 exe=/sbin/MAKEDEV name=isdnctrl
scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:tty_device_t tclass=lnk_file

'mgetty ttyI':s do open but do not work.

After boot "service isdn start" works even with selinux (I need to make
it work in boot) and devices operate properly.

3)  Now if I try to start "system-config-securitylevel" *with selinux
enabled* I just get:
Traceback (most recent call last):
  File "/usr/share/system-config-securitylevel/system-config-
securitylevel.py", line 18, in ?
    app.stand_alone()
  File "/usr/share/system-config-securitylevel/securitylevel.py", line
427, in stand_alone
    self.selinuxPage = selinuxPage.selinuxPage()
  File "/usr/share/system-config-securitylevel/selinuxPage.py", line
329, in __init__
    self.refreshTunables(self.initialtype)
  File "/usr/share/system-config-securitylevel/selinuxPage.py", line
427, in refreshTunables
    self.loadBooleans()
  File "/usr/share/system-config-securitylevel/selinuxPage.py", line
418, in loadBooleans
    on=rec[3]=="1"
IndexError: list index out of range

Never have I seen there a way to make httpd work without selinux.  When
running box with selinux disabled I see only named (rndc option) and
get... option on screen).

4)  Most of my web pages do not work (most of these are PHP based
pages):

Nov 14 11:20:53 srv kernel: audit(1100424053.389:0): avc:  denied
{ execute } for  pid=4416 exe=/usr/sbin/httpd name=rrdcgi dev=dm-0
ino=3542815 scontext=user_u:system_r:httpd_t
tcontext=system_u:object_r:usr_t tclass=file
Nov 14 11:20:59 srv kernel: audit(1100424059.745:0): avc:  denied
{ getattr } for  pid=4415 exe=/usr/sbin/httpd path=/opt/bb/bb1.9e-
btf/www/bb.html dev=dm-0
ino=1491992 scontext=user_u:system_r:httpd_t
tcontext=system_u:object_r:file_t tclass=file
Nov 14 11:20:59 srv kernel: audit(1100424059.745:0): avc:  denied
{ getattr } for  pid=4415 exe=/usr/sbin/httpd path=/opt/bb/bb1.9e-
btf/www/bb.html dev=dm-0
ino=1491992 scontext=user_u:system_r:httpd_t
tcontext=system_u:object_r:file_t tclass=file
Nov 14 11:21:50 srv kernel: audit(1100424110.999:0): avc:  denied
{ write } for  pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0
ino=3932284 scontext=user_u:system_r:httpd_t
tcontext=user_u:object_r:var_lib_t tclass=sock_file
Nov 14 11:21:52 srv kernel: audit(1100424112.001:0): avc:  denied
{ write } for  pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0
ino=3932284 scontext=user_u:system_r:httpd_t
tcontext=user_u:object_r:var_lib_t tclass=sock_file
Nov 14 11:21:53 srv kernel: audit(1100424113.003:0): avc:  denied
{ write } for  pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0
ino=3932284 scontext=user_u:system_r:httpd_t
tcontext=user_u:object_r:var_lib_t tclass=sock_file
Nov 14 11:21:54 srv kernel: audit(1100424114.004:0): avc:  denied
{ write } for  pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0
ino=3932284 scontext=user_u:system_r:httpd_t
tcontext=user_u:object_r:var_lib_t tclass=sock_file
Nov 14 11:22:09 srv kernel: audit(1100424129.740:0): avc:  denied
{ read } for  pid=4421 exe=/usr/sbin/httpd name=sh dev=dm-0 ino=3443116
scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:bin_t
tclass=lnk_file
Nov 14 11:22:09 srv kernel: audit(1100424129.741:0): avc:  denied
{ read } for  pid=4422 exe=/usr/sbin/httpd name=sh dev=dm-0 ino=3443116
scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:bin_t
tclass=lnk_file
Nov 14 11:22:13 srv kernel: audit(1100424133.029:0): avc:  denied
{ execute } for  pid=4423 exe=/usr/sbin/httpd name=rrdcgi dev=dm-0
ino=3542815 scontext=user_u:system_r:httpd_t
tcontext=system_u:object_r:usr_t tclass=file

I wonder how I could make these work without opening selinux too much?


What is the best way to upgrade selinux to same state where it would be
after fresh install of FC3 (Reinstalling my server is unfortunately no
option)?  This would also be good material for the FAQ pages.

Tia,

Jouni
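
Added example, not part of the original message: a Python triage script for AVC denials like the ones quoted in the post. It rejoins the mail-wrapped records, groups them by source type, target type, class and permission, and flags targets of type file_t. The function names are this example's own, and the sample is a constructed excerpt of the post's log lines.

```python
import re
from collections import defaultdict

# Constructed sample: three records copied from the post, still wrapped as mailed.
SAMPLE = """\
Nov 14 11:20:59 srv kernel: audit(1100424059.745:0): avc:  denied
{ getattr } for  pid=4415 exe=/usr/sbin/httpd path=/opt/bb/bb1.9e-
btf/www/bb.html dev=dm-0
ino=1491992 scontext=user_u:system_r:httpd_t
tcontext=system_u:object_r:file_t tclass=file
Nov 14 11:21:50 srv kernel: audit(1100424110.999:0): avc:  denied
{ write } for  pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0
ino=3932284 scontext=user_u:system_r:httpd_t
tcontext=user_u:object_r:var_lib_t tclass=sock_file
Nov 14 11:21:52 srv kernel: audit(1100424112.001:0): avc:  denied
{ write } for  pid=4415 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0
ino=3932284 scontext=user_u:system_r:httpd_t
tcontext=user_u:object_r:var_lib_t tclass=sock_file
"""

def records(text):
    """Rejoin wrapped lines: a line containing 'avc:' starts a new record."""
    out = []
    for line in text.splitlines():
        if "avc:" in line:
            out.append(line.strip())
        elif out and line.strip():
            out[-1] += " " + line.strip()
    return out

def summarize(text):
    """Map (source type, target type, class, permission) -> [count, objects]."""
    summary = defaultdict(lambda: [0, set()])
    for rec in records(text):
        perms = re.search(r"\{([^}]*)\}", rec)
        f = dict(re.findall(r"(\w+)=(\S+)", rec))
        if not perms or not {"scontext", "tcontext", "tclass"} <= f.keys():
            continue  # not a complete AVC denial
        # path= may be split by mail wrapping, so identify the object by name or inode
        obj = f.get("name") or "ino=" + f.get("ino", "?")
        stype, ttype = (f[c].split(":")[2] for c in ("scontext", "tcontext"))
        for perm in perms.group(1).split():
            summary[(stype, ttype, f["tclass"], perm)][0] += 1
            summary[(stype, ttype, f["tclass"], perm)][1].add(obj)
    return dict(summary)

def unlabeled(summary):
    """Denials whose target type is file_t, the type of files that carry no label."""
    return [k for k in summary if k[1] == "file_t"]
```

Entries returned by `unlabeled()` point at files that were never labeled, so relabeling them is the first thing to check before any policy rule is considered for those denials.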




