Re: SELinux is screwing me up!!!! Help!

Daniel B. Thurman wrote:

Folks,

I believe all of my problems started because I had backed up
and restored my filesystem and *somehow* all or some
of the selinux attributes may have been messed up.  Reading
the selinux manual, it says that you can rebuild it by touching
a file: /.autorelabel and reboot.  I did that, and I still have
the same problem as before - nothing has changed.  I checked some
of the file-permissions such as /bin/su and note that they are
correct and other files and directory - so at first mini-check it
all appears to be correct. The restore appears correct throughout
on precursory checks.

The following are the problems I am having....

1) I cannot login as a non-root user!  I have 4 non-root user accounts
and yet I cannot log into any of them except as root!

I get the following message when attempting to log in:

==========================================
Your session lasted less than 10 seconds. If you have not
logged out yourself, this could mean that there is some
installation problem or that you may be out of diskspace.
Try logging in with one of the failsafe sessions to see if
you can fix this problem.

[] View details (~/.xsession-errors file)
==========================================

then I get kicked out of the login session.

2) As root user, when I `su - dant', I get this EVERY TIME:

==========================================
 Your default context is: user_u:system_r:kernel_t.

 Do you want to want to choose a different one? [n]
==========================================

Choosing the default lets me in as this user.  Choosing 'n'
gives me a list of context and choosing one lets me in.

The above behavior and message displays sound like policy-strict behavior. Of course a system relabeling is probably needed.

First, try running setenforce 0 as root, which will put you in permissive mode. (As I understand it, this does not totally disable selinux.)
Switch to a virtual console and try to log in.
If this works for letting you login, the system is not labelled correctly.

My suggested remedy: ( Novice but successful on my system with results)

boot with selinux=0 and single appended to your grub loader by highlighting the kernel entry and pressing 'a' to append the entry.
When system gives you the ash prompt, run
fixfiles relabel
It will prompt you on whether you want to delete the content of your /tmp directory. If you have nothing important in the /tmp directory, answer yes. Let the system relabel itself, then reboot in normal mode. Your system will again go into relabelling the filesystem; let it finish. Next, let your GUI login manager load. From the GUI login manager, type the info for your desired regular user and password and see if you can successfully log in.

If this fails, probably fresh installing the system and pulling critical information from the backup would be your best option.

Off topic: Just wait for SELinux in FC5, it guards the system even tighter than FC4 seems to. Though FC4 seems to be updated to rawhide, the more stringent control might be affecting system processes already. I assume that it is behind development models.

3) As root, I tried to create a non-root user:

# useradd joed

/var/log/message says:

type=USER_CHAUTHTOK msg=audit(1134936930.895:3557): user pid=19294 uid=0 auid=4294967295 msg='useradd: op=adding user acct=joed res=success'
type=USER_CHAUTHTOK msg=audit(1134936930.895:3558): user pid=19294 uid=0 auid=4294967295 msg='useradd: op=adding home directory acct=joed res=success'
type=AVC msg=audit(1134936931.415:3559): avc:  denied  { create } for  pid=19294 comm="useradd" name=".kde" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
type=SYSCALL msg=audit(1134936931.415:3559): arch=40000003 syscall=39 success=no exit=-13 a0=bfde8bf0 a1=1ed a2=92f92ef a3=ffffffff items=1 pid=19294 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
type=CWD msg=audit(1134936931.415:3559):  cwd="/root"
type=PATH msg=audit(1134936931.415:3559): item=0 name="/home/joed/.kde" flags=10  inode=1245989 dev=03:02 mode=040755 ouid=511 ogid=512 rdev=00:00
type=AVC msg=audit(1134936931.419:3560): avc:  denied  { create } for  pid=19294 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file
type=SYSCALL msg=audit(1134936931.419:3560): arch=40000003 syscall=5 success=no exit=-13 a0=bfde8f64 a1=8241 a2=1b6 a3=92f33b8 items=1 pid=19294 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
type=CWD msg=audit(1134936931.419:3560):  cwd="/root"
type=PATH msg=audit(1134936931.419:3560): item=0 name="/etc/passwd+" flags=310 inode=1212417 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=USER_CHAUTHTOK msg=audit(1134936931.419:3561): user pid=19294 uid=0 auid=4294967295 msg='useradd: op=adding user acct=joed res=failed'

4) Cannot 'yum update' successfully and these are the errors I see:

Transaction Test Succeeded
Running Transaction
 Installing: arts                         ####################### [ 1/26]
error: unpacking of archive failed on file /usr/bin/artscat: cpio: lsetfilecon
 Installing: perl                         ####################### [ 2/26]
error: unpacking of archive failed on file /usr/bin/a2p: cpio: lsetfilecon
 Installing: cups-libs                    ####################### [ 3/26]
error: unpacking of archive failed on file /usr/lib/libcups.so.2: cpio: lsetfilecon
error: %pre(kdelibs-3.5.0-0.1.fc4.i386) scriptlet failed, exit status 255
error:   install: %pre scriptlet failed (2), skipping kdelibs-3.5.0-0.1.fc4
 Installing: kdebase                                              [ 5/26]warning: /etc/X11/xdm/kdmrc saved as /etc/X11/xdm/kdmrc.rpmorig
 Installing: kdebase                      ####################### [ 5/26]
error: unpacking of archive failed on file /etc/X11/xdm/kdmrc: cpio: lsetfilecon
 Updating  : kdenetwork                   ####################### [ 6/26]
error: unpacking of archive failed on file /etc/pam.d/kppp: cpio: lsetfilecon
 Installing: kdebindings                  ####################### [ 7/26]
error: unpacking of archive failed on file /usr/bin/embedjs: cpio: lsetfilecon
 Updating  : kdemultimedia                ####################### [ 8/26]
error: unpacking of archive failed on file /etc/xdg/menus/applications-merged/kde-multimedia-music.menu: cpio: lsetfilecon
 Updating  : kdegraphics                  ####################### [ 9/26]
error: unpacking of archive failed on file /usr/bin/kcolorchooser: cpio: lsetfilecon
 Updating  : kdegames                     ####################### [10/26]
error: unpacking of archive failed on file /usr/bin/atlantik: cpio: lsetfilecon
 Installing: arts-devel                   ####################### [11/26]
error: unpacking of archive failed on file /usr/bin/artsc-config: cpio: lsetfilecon
 Installing: kdelibs-devel                ####################### [12/26]
error: unpacking of archive failed on file /usr/bin/dcopidl: cpio: lsetfilecon
 Updating  : kdeartwork                   ####################### [13/26]
error: unpacking of archive failed on file /usr/bin/kbanner.kss: cpio: lsetfilecon
 Updating  : cups                         ####################### [14/26]
error: unpacking of archive failed on file /etc/cron.daily/cups: cpio: lsetfilecon
 Updating  : system-config-nfs            ####################### [15/26]
error: unpacking of archive failed on file /etc/pam.d/system-config-nfs: cpio: lsetfilecon
 Updating  : kdebindings-devel            ####################### [16/26]
error: unpacking of archive failed on file /usr/include/kde/kjsembed: cpio: lsetfilecon
 Updating  : dhcp                         ####################### [17/26]
error: unpacking of archive failed on file /etc/dhcpd.conf: cpio: lsetfilecon
error: %preun(kdenetwork-3.4.2-0.fc4.2.i386) scriptlet failed, exit status 255
 Cleanup   : kdeartwork                   ####################### [18/26]
error: %postun(kdeartwork-3.4.2-0.fc4.1.i386) scriptlet failed, exit status 255
error: %trigger(cups-1.1.23-15.1.i386) scriptlet failed, exit status 255
 Cleanup   : kdemultimedia                ####################### [19/26]
error: %postun(kdemultimedia-3.4.2-0.fc4.1.i386) scriptlet failed, exit status 255
error: %preun(system-config-nfs-1.3.11-0.fc4.1.noarch) scriptlet failed, exit status 255
 Cleanup   : kdebindings-devel            ####################### [20/26]
 Cleanup   : kdegraphics                  ####################### [21/26]
error: %postun(kdegraphics-3.4.2-0.fc4.2.i386) scriptlet failed, exit status 25


I am at a loss as to why I see general "avc: denied {xxxxxxx}" messages
interspersed in the /var/log/message and /var/log/audit/audit.log files such
as shown below:

/var/log/messages:
====================

===
No idea what these are:

Dec 12 21:48:06 linux dbus: avc:  received policyload notice (seqno=3)
Dec 12 21:48:06 linux dbus: avc:  1 AV entries and 1/512 buckets used, longest chain length 1
Dec 12 21:48:06 linux dbus: avc:  received policyload notice (seqno=3)
Dec 12 21:48:06 linux dbus: avc:  0 AV entries and 0/512 buckets used, longest chain length 0
Dec 12 21:48:06 linux dbus: avc:  received policyload notice (seqno=3)
Dec 12 21:48:06 linux dbus: avc:  7 AV entries and 7/512 buckets used, longest chain length 1

===
Relabeling problems shown below...

Dec 17 18:35:50 linux kernel: SELinux: initialized (dev sdb1, type ext3), uses xattr
Dec 17 18:35:50 linux kernel: audit(1134872391.398:2): avc:  granted  { setenforce } for  pid=379 comm="rc.sysinit" scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
Dec 17 18:35:50 linux kernel: audit(1134872392.086:3): avc:  denied  { relabelfrom } for  pid=1236 comm="setfiles" name="__db.001" dev=hda2 ino=904713 scontext=system_u:system_r:kernel_t tcontext=root:object_r:file_t tclass=file
Dec 17 18:35:50 linux kernel: audit(1134872412.527:4): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="root" dev=hda2 ino=671745 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_dir_t tclass=dir
Dec 17 18:35:50 linux kernel: audit(1134872412.547:5): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="bin" dev=hda2 ino=671746 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_t tclass=dir
Dec 17 18:35:50 linux kernel: audit(1134872412.559:6): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="doCerts" dev=hda2 ino=671747 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_t tclass=file
Dec 17 18:35:50 linux kernel: audit(1134872412.951:7): avc:  denied  { relabelfrom } for  pid=1236 comm="setfiles" name="khelpcenter" dev=hda2 ino=672118 scontext=system_u:system_r:kernel_t tcontext=root:object_r:file_t tclass=dir
Dec 17 18:35:50 linux kernel: audit(1134872412.975:8): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="socket-linux.cdkkt.com" dev=hda2 ino=672307 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_t tclass=lnk_file
Dec 17 18:35:50 linux kernel: audit(1134872413.031:9): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="libflashplayer.so" dev=hda2 ino=672362 scontext=system_u:system_r:kernel_t tcontext=root:object_r:lib_t tclass=file
Dec 17 18:35:50 linux kernel: audit(1134873060.784:10): avc:  denied  { relabelfrom } for  pid=1236 comm="setfiles" name="xterm" dev=hda2 ino=1565515 scontext=system_u:system_r:kernel_t tcontext=root:object_r:file_t tclass=lnk_file
Dec 17 18:35:50 linux kernel: audit(1134873187.416:11): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="dant" dev=hda2 ino=1245501 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
Dec 17 18:35:50 linux kernel: audit(1134873187.416:12): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name=".kde" dev=hda2 ino=1245502 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
Dec 17 18:35:50 linux kernel: audit(1134873187.420:13): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="Autorun.desktop" dev=hda2 ino=1245504 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=file
Dec 17 18:35:50 linux kernel: audit(1134873187.492:14): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="socket-linux.cdkkt.com" dev=hda2 ino=1245588 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=lnk_file
Dec 17 18:35:50 linux kernel: audit(1134873191.264:15): avc:  denied  { relabelfrom } for  pid=1236 comm="setfiles" name="verifyFS" dev=hdb1 ino=49063 scontext=system_u:system_r:kernel_t tcontext=root:object_r:samba_share_t tclass=file
Dec 17 18:35:50 linux kernel: audit(1134873191.340:16): avc:  denied  { relabelfrom } for  pid=1236 comm="setfiles" name="DenyHosts-1.1.2-python2.4.noarch.rpm" dev=hdb1 ino=1651599 scontext=system_u:system_r:kernel_t tcontext=root:object_r:default_t tclass=file
Dec 17 18:35:50 linux kernel: audit(1134873218.749:17): avc:  denied  { relabelfrom } for  pid=1236 comm="setfiles" name="defaults" dev=hdb3 ino=1697393 scontext=system_u:system_r:kernel_t tcontext=root:object_r:default_t tclass=dir
Dec 17 18:35:50 linux kernel: audit(1134873319.356:18): avc:  granted  { setenforce } for  pid=379 comm="rc.sysinit" scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
Dec 17 18:35:50 linux kernel: Adding 2289252k swap on /dev/hda3.  Priority:-1 extents:1 across:2289252k

Any help would be appreciated!

Kind regards,
Dan

With selinux totally disabled during relabeling, you should not be hampered by avc denials. selinux=0 is the safest mode in runlevel 1 to ensure access for relabeling with minimal running processes which might cause problems. From the output above, it is relabeling in permissive mode, which is not totally free to allow root full control. IMO

Jim

--
Don't shoot until you're sure you both aren't on the same side.

