
Re: Firestarter startup and FC4 SE Linux Errors -: msg#00002

security.firewalls.firestarter.user

Subject: Re: Firestarter startup and FC4 SE Linux Errors -

On Fri, 2005-01-07 at 12:41 -0400, Mike Pepe wrote:
> If you're following events on the fedora mailing list, you're not alone.
> FC4 + selinux seems to be bad news for a lot of people.
>
> I think the "SE" stands for "stops everything" - I set mine to warning mode as
> I got tired of endlessly trying to add rules for things I run.
>
> Now, maybe you know this, but there's a utility called audit2allow which
> will turn those avc denials into rules which you can then feed back into
> the selinux policy and, at least in theory, get things running right.
>
> I can give you more details if you want to try making a policy that is
> firestarter friendly.
>
> Incidentally my personal opinion is that selinux is best run in warning
> only mode for several months so you can collect information from the
> logs about things your programs and users do during normal operation.
> Once you have that info you can build your personal policy and that
> should keep things outside the norm restricted.
>
> just my two cents
>
>
>
> David Niemi wrote:
> > (Sorry for the length, I included all error messages)
> >
> > With the version of Firestarter from FC4 Extras, I and other users
> > are experiencing startup error messages with SE Linux, though
> > firestarter appears to start.
> >
> > There are messages during bootup that permission is denied to:
> >
> > touch - touch /var/lock/firestarter
> > remove - rm /var/lock/firestarter
> >
> > and that there is a "fatal error, your kernel does not support
> > iptables". At the end of this message are the errors from messages, and I
> > couldn't locate any corresponding entries in audit. There could be
> > audit entries, but I couldn't tell from my VERY LIMITED SE Linux and
> > audit knowledge.
> >
> > The latest policies update does not appear to have made a difference.
> >
> > The quick fix of course is to set enforcing=0 or to use SELINUX=disabled
> > in /etc/selinux/config, but this sort of defeats the purpose. As a test
> > I set enforcing=0 during a reboot and didn't get the boot errors, though
> > there were still many messages (appended) about permission denied
> > in /var/log/messages.

The following is what one user found on the FC list.

On Fri, 2005-01-07 at 14:33 -0400, Mark Bidewell wrote:
> I tracked the problem with firestarter down to /etc/dhclient-exit-hooks,
> which contains the line "sh /etc/firestarter/firestarter.sh start", which
> starts firestarter independently of the firestarter init script. Removing
> this line solves the selinux errors and the firewall policy still seems
> to be in effect. I am theorizing that the line above is executed when
> the dhclient daemon attempts to shut down as well as start, thus
> attempting to start the firewall while closing the interface. I think
> this is what selinux is flagging. I haven't checked to see if there is
> a reason for that command yet.
>
> Mark Bidewell

So we need to figure out what that sh command is doing.
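The two practical steps the thread circles around are (a) collecting the AVC denials while SELinux runs in permissive mode and grouping them before deciding whether audit2allow should turn them into policy, and (b) stopping the dhclient exit hook from running "firestarter.sh start" on lease teardown. The script below is an added example, not code from the thread or from the Firestarter project. Its log lines are constructed in the FC4-era /var/log/messages AVC format; the domains and types in them (dhcpc_t, var_lock_t, kernel_t) are assumed for illustration and are not the denials David posted. The lease reason names (BOUND, RENEW, REBIND, REBOOT, EXPIRE, RELEASE) are the ones ISC's dhclient-script exports in $reason.

```shell
#!/bin/sh
# Added example (not from the thread): group SELinux AVC denials the way a
# permissive-mode log review would, and guard a dhclient exit hook by $reason.

# Constructed sample log lines. Timestamps, pids and inodes are made up, and
# the SELinux contexts are illustrative assumptions, not the thread's real output.
SAMPLE_LOG='Jan  7 12:41:01 host kernel: audit(1105108861.123:12): avc:  denied  { create } for  pid=2001 comm="touch" name="firestarter" scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lock_t tclass=file
Jan  7 12:41:01 host kernel: audit(1105108861.456:13): avc:  denied  { unlink } for  pid=2003 comm="rm" name="firestarter" scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lock_t tclass=file
Jan  7 12:41:02 host kernel: audit(1105108862.001:14): avc:  denied  { create } for  pid=2002 comm="touch" name="firestarter" scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lock_t tclass=file
Jan  7 12:41:02 host kernel: audit(1105108862.789:15): avc:  denied  { module_request } for  pid=2010 comm="iptables" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:kernel_t tclass=system
Jan  7 12:41:03 host sshd[900]: Accepted publickey for admin from 10.0.0.5'

# avc_summary: read log lines on stdin and print one line per distinct
# (source domain, target type, object class, permission) tuple with a count.
# This is the grouping audit2allow performs before it emits allow rules; seeing
# the counts first lets you spot a denial that is really a misbehaving script
# (a hook firing on shutdown) rather than a genuine policy gap.
avc_summary() {
  awk '
    /avc: +denied/ {
      perm = ""; sc = ""; tc = ""; cls = ""
      # the permission set is the text between "{ " and " }"
      if (match($0, /\{ [^}]* \}/)) {
        perm = substr($0, RSTART + 2, RLENGTH - 4)
      }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) sc  = substr($i, 10)
        if ($i ~ /^tcontext=/) tc  = substr($i, 10)
        if ($i ~ /^tclass=/)   cls = substr($i, 8)
      }
      # keep only the type component (user:role:type) of each context
      split(sc, a, ":"); split(tc, b, ":")
      key = a[3] " " b[3] " " cls " " perm
      count[key]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k2
}

# hook_should_start: decide whether a dhclient exit hook should (re)start the
# firewall for the lease event in $1 (dhclient-script passes it as $reason).
# Only lease-acquisition events qualify, so a hook run on EXPIRE, RELEASE or
# STOP does nothing instead of starting the firewall while the interface closes.
hook_should_start() {
  case "$1" in
    BOUND|RENEW|REBIND|REBOOT) echo yes ;;
    *)                         echo no  ;;
  esac
}

# Stand-alone run: show the denial summary and the hook decisions.
printf '%s\n' "$SAMPLE_LOG" | avc_summary
for r in BOUND RENEW EXPIRE RELEASE; do
  echo "reason=$r start=$(hook_should_start "$r")"
done
```

Run on a real FC4 box as `avc_summary < /var/log/messages` (or over the audit log, where the same "avc: denied" records appear). In a hook, the guard would read `[ "$(hook_should_start "$reason")" = yes ] && sh /etc/firestarter/firestarter.sh start`, which keeps the firewall reload on lease acquisition while dropping the start attempt Mark observed during interface teardown.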



