SELinux – the good

There is a brief intro presentation on SELinux for “everyday” users. The 12th slide is titled “SELinux – the good”. It quotes someone by the name of Larry Loeb:

“Let me assure you that this action by the NSA was the crypto-equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few loaves of bread and some fish, and then inviting everyone to come over to his place to watch the soccer game and have a few beers. There are some things that one just never expects to see, and the NSA handing out source code along with details of the security mechanism behind it was right up there on that list.”

I just found that hilarious so I had to pass it on.

I had been disabling SELinux since it was released in FC2, but as of Fedora 9 I leave it on. For the most part it now operates pretty transparently.

(Presentation link via James Morris)

Fedora 9 Update and Nvidia Update

It was announced in August that the Fedora Project suffered a security breach. As a result, after a certain date all software updates were disabled. Recently the updates were re-enabled with new signatures in place.

I recently updated my Fedora 9 32bit (i386) installation. The last time I updated my system was the last week of July, before the security announcement was made. The following are the steps I took to complete my update.

First I ran:

yum update

This listed very few updates, however I saw the following error:

--> Finished Dependency Resolution
kmod-nvidia-2.6.25.14-108.fc9.i686-173.14.12-3.lvn9.i686 from livna has depsolving problems
  --> Missing Dependency: kernel-uname-r = 2.6.25.14-108.fc9.i686 is needed by package kmod-nvidia-2.6.25.14-108.fc9.i686-173.14.12-3.lvn9.i686 (livna)
xine-lib-extras-nonfree-1.1.15-1.lvn9.i386 from livna has depsolving problems
  --> Missing Dependency: xine-lib(plugin-abi) = 1.24 is needed by package xine-lib-extras-nonfree-1.1.15-1.lvn9.i386 (livna)
Error: Missing Dependency: kernel-uname-r = 2.6.25.14-108.fc9.i686 is needed by package kmod-nvidia-2.6.25.14-108.fc9.i686-173.14.12-3.lvn9.i686 (livna)
Error: Missing Dependency: xine-lib(plugin-abi) = 1.24 is needed by package xine-lib-extras-nonfree-1.1.15-1.lvn9.i386 (livna)

To resolve it, I just did:

yum remove kmod-nvidia xine-lib-extras-nonfree

This removed:

Removing:
 kmod-nvidia                      i686   173.14.05-4.lvn9  installed   0.0
 xine-lib-extras-nonfree          i386   1.1.12-1.lvn9     installed   1.2 M
Removing for dependencies:
 amarok-extras-nonfree            i386   1.4.8-1.lvn9      installed   376
 kmod-nvidia-2.6.25.4-30.fc9.i686 i686   173.14.05-3.lvn9  installed   7.5 M
 kmod-nvidia-2.6.25.6-55.fc9.i686 i686   173.14.05-4.lvn9  installed   7.5 M
 xorg-x11-drv-nvidia              i386   173.14.05-1.lvn9  installed   7.0 M
 xorg-x11-drv-nvidia-libs         i386   173.14.05-1.lvn9  installed    17 M

I knew that a new repository would be configured, so instead of downloading any updates from the previous repository, I just ran the following:

yum update fedora-release

After that, I did the actual update (the “yes” option -y is recommended considering the number of updates):

yum -y update

This listed, for me, 35 new packages, 443 updated packages and 2 packages to remove – for a total download size of: 991 MB !!!

After the download completed, and before the actual installation/update occurred, I saw the following (which is what is expected):

warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 6df2196f
Importing GPG key 0x6DF2196F "Fedora (8 and 9) " from /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-8-and-9-i386
Is this ok [y/N]: y

After all the updates were installed, I fixed the xine-lib-extras-nonfree update issue (basically adding back what I had previously removed). The following ran with no problems:

yum install xine-lib-extras-nonfree amarok-extras-nonfree

NVIDIA Driver Issue

When trying to update/install the Nvidia binary driver using yum:

yum install kmod-nvidia

The same error from above persisted:

--> Finished Dependency Resolution
kmod-nvidia-2.6.25.14-108.fc9.i686-173.14.12-3.lvn9.i686 from livna has depsolving problems
  --> Missing Dependency: kernel-uname-r = 2.6.25.14-108.fc9.i686 is needed by package kmod-nvidia-2.6.25.14-108.fc9.i686-173.14.12-3.lvn9.i686 (livna)
Error: Missing Dependency: kernel-uname-r = 2.6.25.14-108.fc9.i686 is needed by package kmod-nvidia-2.6.25.14-108.fc9.i686-173.14.12-3.lvn9.i686 (livna)

Apparently, this problem is due to the Livna build system being down. The following is the recommended alternative:

yum install akmod-nvidia

Then you just need to reboot and you are done!!! (This is already required due to the new kernel).

However, I ran the following to test the akmod system. This is OPTIONAL, as it happens automatically after rebooting.

First, identify the newest installed kernel:

[mirandam@charon ~]$ rpm -q kernel
kernel-2.6.25.6-55.fc9.i686
kernel-2.6.26.3-29.fc9.i686

Create the proper matching kmod files for that kernel:

[mirandam@charon ~]$ sudo /usr/sbin/akmods --kernels 2.6.26.3-29.fc9.i686
Checking kmods exist for 2.6.26.3-29.fc9.i686              [WARNING]
Building and installing nvidia-kmod                        [  OK  ]

Then I was done. Every step worked for me to bring my Fedora 9 system up to date. I rebooted and the akmod detected I had already created the necessary kmod files.
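Picking the newest kernel by eye is easy with two packages, but plain string sorting gets it wrong as soon as a version segment reaches two digits (2.6.25.14 sorts before 2.6.25.6 as text). This added example, not from the post, reproduces the core of rpm's version comparison, reads the `rpm -q kernel` output shown above, and derives the kernel-uname-r string that the kmod dependency error and the akmods --kernels option both use. It assumes the simplified rpmvercmp rules (no '~' handling) and emits the command rather than running it.

```python
import re
from functools import cmp_to_key

# Installed kernel packages as printed by `rpm -q kernel` in the post above.
RPM_Q_KERNEL = """kernel-2.6.25.6-55.fc9.i686
kernel-2.6.26.3-29.fc9.i686"""

def _segments(s):
    # rpm compares versions as runs of digits and runs of letters; separators are ignored
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified rpmvercmp (no '~'/'^' handling): returns -1, 0 or 1 like the C original.
    Numeric runs compare as integers, so 2.6.25.14 > 2.6.25.6 even though '1' < '6' as text."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            return (int(x) > int(y)) - (int(x) < int(y))
        if x_num != y_num:
            return 1 if x_num else -1   # a numeric segment sorts after an alphabetic one
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_nvra(pkg):
    """'kernel-2.6.26.3-29.fc9.i686' -> ('kernel', '2.6.26.3', '29.fc9', 'i686')."""
    name, version, rel_arch = pkg.rsplit("-", 2)
    release, arch = rel_arch.rsplit(".", 1)
    return name, version, release, arch

def uname_r(pkg):
    """The kernel-uname-r value a kmod package depends on: version-release.arch."""
    _, version, release, arch = split_nvra(pkg)
    return f"{version}-{release}.{arch}"

def _cmp_pkg(p, q):
    # version decides first; release only breaks a tie, as rpm does
    _, pv, pr, _ = split_nvra(p)
    _, qv, qr, _ = split_nvra(q)
    return rpmvercmp(pv, qv) or rpmvercmp(pr, qr)

def newest_kernel(rpm_output):
    pkgs = [line.strip() for line in rpm_output.splitlines() if line.strip()]
    return max(pkgs, key=cmp_to_key(_cmp_pkg))

def akmods_command(rpm_output):
    """The command the post runs by hand, with the newest kernel filled in."""
    return f"akmods --kernels {uname_r(newest_kernel(rpm_output))}"
```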

I should have done all of this earlier. For more help and issues, please read:
https://fedoraproject.org/wiki/Enabling_new_signing_key

I am glad that issue has been resolved.

Firefox SSL Certificates

I am using Firefox 3. Very simply, I know that Red Hat’s main website (https://www.redhat.com) works perfectly fine. However, when I drop the “www” and go to the same website, https://redhat.com, apparently something is wrong?

I see Secure Connection Failed. (Should I be concerned???)
So I click the “add exception link…”
… which turns into button …
So I click the “Add Exception…” Button
… which opens a dialog
So I click the “Get Certificate” Button
So I can enable the “Confirm Security Exception” Button, so I can click on that.

Who is the genius who came up with that work flow?

Is this misleading? Confusing? I wonder … but you decide for yourself.

I will simply say it is annoying as hell.
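A common reason a site works with “www” and fails without it is a certificate whose names cover only the www host; whether that was the case for redhat.com here is an assumption, the post does not check it. This added example, not from the post, implements the hostname-matching rule a browser applies before showing that warning (exact match or a single leftmost wildcard label, SAN names taking precedence over the CN), so you can see which names a certificate would have to carry before deciding whether an exception is justified. The certificate contents are constructed.

```python
# Constructed sample: a certificate whose only DNS name is the "www" host. That this
# matches redhat.com's certificate at the time is an assumption, not verified by the post.
WWW_ONLY_CERT = {"san_dns": ["www.redhat.com"], "cn": "www.redhat.com"}

def _name_matches(pattern, hostname):
    """One certificate DNS name against a hostname, the way browsers check it:
    case-insensitive exact match, or a '*' that is the whole leftmost label and
    stands for exactly one label (*.example.com covers www.example.com, but not
    example.com and not a.b.example.com)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]

def cert_covers(hostname, cert):
    """Return the certificate name that covers hostname, or None.
    If any SAN dNSName is present the CN is ignored, as browsers do."""
    names = cert.get("san_dns") or ([cert["cn"]] if cert.get("cn") else [])
    for name in names:
        if _name_matches(name, hostname):
            return name
    return None

def explain(hostname, cert):
    """A one-line verdict in the spirit of the browser's error page."""
    name = cert_covers(hostname, cert)
    if name:
        return f"{hostname}: OK, certificate name '{name}' matches"
    names = cert.get("san_dns") or [cert.get("cn")]
    return f"{hostname}: hostname mismatch, certificate names are {names}"
```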

SELinux Preventing SSH Passwordless Login

Since upgrading to Fedora 9, I am trying much harder to work with SELinux. For the most part it is pretty easy.

I am using passwordless SSH logins between my CentOS 5.1 server and my Fedora 9 desktop. Since my Fedora 8 never used SELinux, all my file contexts were “wrong” when I mounted my /home partition. I noticed the following error when I tried to ssh from my server to Fedora (I read /var/log/messages):

setroubleshoot: SELinux is preventing access to files with the label, file_t.
For complete SELinux messages. run sealert -l f414b4c3-ed13-4b83-8a67-3df599e16723

Realizing this is a file context issue, I am pretty sure that a “relabel” (touch /.autorelabel; reboot) would fix this. However, I don’t want to reboot at the moment. I ran the above recommendation (I am shortening the output here):

[mirandam@charon ~]$ sealert -l f414b4c3-ed13-4b83-8a67-3df599e16723

Summary:
SELinux is preventing access to files with the label, file_t.

Allowing Access:
You can execute the following command as root to relabel your computer system:
touch /.autorelabel; reboot

Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:file_t:s0
Target Objects                /home/mirandam/.ssh/authorized_keys [ file ]

Raw Audit Messages
host=charon.lunar type=AVC msg=audit(1213619507.698:11): avc:  denied  { getattr } for  pid=2396
 comm=sshd path=/home/mirandam/.ssh/authorized_keys dev=sda13 ino=2950756 
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file

Simple fix (without reboot):

[mirandam@charon ~]$ /sbin/restorecon -v ~/.ssh/authorized_keys

While this was not a serious problem (I was still able to log in over SSH using a password), the above steps of reading the logs and following the recommendations should remedy most SELinux issues. If you are logged into your desktop console directly (e.g. GNOME), which I was not, the SELinux Troubleshooter would help with all of the above via graphical tools.
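The decision in the post (a target type of file_t means the file simply has no label, so restorecon fixes it without a reboot, whereas a denial against a properly labelled file needs a closer look with sealert) can be automated. This added example, not from the post, parses the raw AVC message from the sealert output above, re-joined onto one line, and returns the suggested next step; the classification of file_t and unlabeled_t as "no usable label" is standard Fedora policy behaviour, and the helper only emits the command rather than running it.

```python
import re

# The raw audit message from the sealert output above, re-joined onto one line.
SAMPLE_AVC = (
    "host=charon.lunar type=AVC msg=audit(1213619507.698:11): avc:  denied  { getattr } for  pid=2396"
    " comm=sshd path=/home/mirandam/.ssh/authorized_keys dev=sda13 ino=2950756"
    " scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")

# Types a file carries when it has no (valid) label; restorecon fixes these without a reboot.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

def parse_avc(line):
    """Split an AVC denial into its denied permissions and key=value fields; None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
    return rec

def selinux_type(context):
    """The type field of a user:role:type[:mls] context, e.g. sshd_t or file_t."""
    return context.split(":")[2]

def triage(line):
    """Suggest the next step for one log line, or None for lines that are not AVC denials."""
    rec = parse_avc(line)
    if rec is None:
        return None
    target_type = selinux_type(rec["tcontext"])
    if target_type in UNLABELED_TYPES and "path" in rec:
        # labeling problem: restore the context the policy expects for that path
        return {"kind": "mislabel", "fix": f"restorecon -v {rec['path']}"}
    # the file is labelled; the policy really denies this access, so look before allowing anything
    return {"kind": "policy-denial",
            "fix": f"inspect with sealert: {selinux_type(rec['scontext'])} denied "
                   f"{' '.join(rec['perms'])} on {rec['tclass']} {target_type}"}
```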