>From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
>Sent: Monday, December 19, 2005 5:33 AM
>To: Daniel B. Thurman
>Cc: For users of Fedora Core releases (E-mail); Fedora SELinux support
>list for users & developers.
>Subject: Re: Problem with VNC and SELinux: FC4
>
>
>On Fri, 2005-12-16 at 18:11 -0800, Daniel B. Thurman wrote:
>> With the new SELinux updates, it appears that root,
>> other than normal users, can login to Fedora via VNC
>> Server? My VNC Server is set up such that I am using
>> xinetd for VNC Server requests.
>>
>> Another problem I noticed is that when I log into my
>> Fedora system via VNC as root user, and open an xterm
>> window and run a su - <normal-user>, I get back an
>> SELinux message:
>>
>> ================================================
>> # su - dan
>> Your default context is: user_u:system_r:kernel_t.
>>
>> Do you want to want to choose a different one? [n]
>> ================================================
>>
>> It is *possible* that this problem came up when
>> I had to make a copy of my filesystem to another
>> hard-disk for the purpose of creating a /boot
>> partition (my bad) and copied/restored the filesystem
>> back over to the main drive. I don't think I made
>> any copy/restore mistakes as I know the fs permissions
>> are correct but I cannot speak for filesystem journaling
>> or whatever that keeps track of the SELinux attributes.
>>
>> In any case, what can I do to resolve my VNC and/or su
>> issue knowing that SELinux has something to do with it?
>
>/usr/sbin/sestatus -v | grep -v active shows what?
>

[ There are several threads to this issue - so I will be trying to update these threads to let others know of my progress. At this time, my system is running, I am able to login as non-root user into the gnome console, I am able to create and delete new users. It appears that selinux is now working good but I have yet to catch up to manual selinux disables for Kerberos and FrontPage because these were reset to defaults.
So far, so good. Everything appears to look good, however I am not certain I have solved all the 'yum update' #prelink# issues. Please read on for details if you want. I have provided you with the selinux status request in case there are other possible issues with selinux since I am no expert on this subject :-) ]

Please note that it took me several tries using fixfiles to reset (restore, and relabel) before all of the permission denied messages stopped being displayed. Previously, I had done the restore command but while in selinux and single user mode (selinux was not disabled), where the restore had permission denied on perhaps less than 200 files from X11 fonts, and other places throughout.

I believe I may have gotten some selinux attribute recovery by doing selinux=0 and single user mode and running fixfiles and using the -F such as:

/sbin/fixfiles -F -R -a -F relabel

and then reboot. I had thought that running the command would have executed immediately but it did not actually take effect until a reboot - which was odd to me - but perhaps this is normal? The manual says nothing about this behavior. The fixfiles with the restore command ran immediately in place - and this was while I was in single user mode with selinux in effect at the time.

When I did a yum update but before running the above fixfiles relabel command, I noticed that there were a lot of #prelinks# where KDE and GNOME were being updated/installed and it was basically saying something that these prelinks (post-installation?) were failing due to selinux permission denials (logs in audit.log) on the post-installation processes. It also could have been bad timing on my part for thinking that 'yum update' would somehow restore my problems when I had no idea where to begin.
When I tried to log into the gnome console as a non-root user, I did not actually click the checkbox at the time, but doing so revealed to me that there was a problem executing the file: /usr/lib/libgnomeui-2.so

Delving into this further, I saw the "#prelink#" files and noted that the file permission was 0600! So, I changed the permission for this library as:

# chmod 755 /usr/lib/libgnomeui-2.so.0.1000.0.#prelink#.Hotj6j

I have not yet tried to locate all of the other #prelink# files at this time. But for now, I can now log into gnome as a non-root user!

I am providing the status per your request, in case there may be other issues that I may not be aware of. Thanks for responding to my issue!

# /usr/sbin/sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 20
Policy from config file:        targeted

Policy booleans:
NetworkManager_disable_trans    inactive
allow_execmem                   active
allow_execmod                   active
allow_execstack                 active
allow_ftpd_anon_write           inactive
allow_gssd_read_tmp             active
allow_httpd_anon_write          inactive
allow_httpd_sys_script_anon_write inactive
allow_ifconfig_sys_module       inactive
allow_kerberos                  active
allow_postgresql_use_pam        inactive
allow_rsync_anon_write          inactive
allow_saslauthd_read_shadow     inactive
allow_smbd_anon_write           inactive
allow_write_xshm                inactive
allow_ypbind                    inactive
apmd_disable_trans              inactive
arpwatch_disable_trans          inactive
auditd_disable_trans            inactive
bluetooth_disable_trans         inactive
canna_disable_trans             inactive
cardmgr_disable_trans           inactive
comsat_disable_trans            inactive
cupsd_config_disable_trans      inactive
cupsd_disable_trans             inactive
cupsd_lpd_disable_trans         inactive
cvs_disable_trans               inactive
cyrus_disable_trans             inactive
dbskkd_disable_trans            inactive
dhcpc_disable_trans             inactive
dhcpd_disable_trans             inactive
dovecot_disable_trans           inactive
fingerd_disable_trans           inactive
ftp_home_dir                    active
ftpd_disable_trans              inactive
ftpd_is_daemon                  active
getty_disable_trans             inactive
gssd_disable_trans              inactive
hald_disable_trans              inactive
hotplug_disable_trans           inactive
howl_disable_trans              inactive
hplip_disable_trans             inactive
httpd_builtin_scripting         active
httpd_can_network_connect       inactive
httpd_disable_trans             active
httpd_enable_cgi                active
httpd_enable_ftp_server         inactive
httpd_enable_homedirs           active
httpd_ssi_exec                  active
httpd_suexec_disable_trans      inactive
httpd_tty_comm                  inactive
httpd_unified                   active
inetd_child_disable_trans       inactive
inetd_disable_trans             inactive
innd_disable_trans              inactive
kadmind_disable_trans           active
klogd_disable_trans             inactive
krb5kdc_disable_trans           active
ktalkd_disable_trans            inactive
lpd_disable_trans               inactive
mysqld_disable_trans            inactive
named_disable_trans             inactive
named_write_master_zones        inactive
nfs_export_all_ro               active
nfs_export_all_rw               active
nfsd_disable_trans              inactive
nmbd_disable_trans              active
nscd_disable_trans              inactive
ntpd_disable_trans              inactive
pegasus_disable_trans           inactive
portmap_disable_trans           inactive
postfix_disable_trans           inactive
postgresql_disable_trans        inactive
pppd_can_insmod                 inactive
pppd_disable_trans              inactive
pppd_for_user                   inactive
pptp_disable_trans              inactive
privoxy_disable_trans           inactive
ptal_disable_trans              inactive
radiusd_disable_trans           inactive
radvd_disable_trans             inactive
read_default_t                  active
rlogind_disable_trans           inactive
rpcd_disable_trans              inactive
rsync_disable_trans             inactive
samba_enable_home_dirs          inactive
saslauthd_disable_trans         inactive
secure_mode_insmod              inactive
secure_mode_policyload          inactive
slapd_disable_trans             inactive
smbd_disable_trans              active
snmpd_disable_trans             inactive
spamd_disable_trans             inactive
squid_connect_any               inactive
squid_disable_trans             inactive
stunnel_disable_trans           inactive
stunnel_is_daemon               inactive
syslogd_disable_trans           inactive
system_dbusd_disable_trans      inactive
telnetd_disable_trans           inactive
tftpd_disable_trans             inactive
udev_disable_trans              inactive
use_nfs_home_dirs               inactive
use_samba_home_dirs             inactive
uucpd_disable_trans             inactive
winbind_disable_trans           active
ypbind_disable_trans            inactive
ypserv_disable_trans            inactive
zebra_disable_trans             inactive

Process contexts:
Current context:                root:system_r:unconfined_t
Init context:                   system_u:system_r:init_t
/sbin/mingetty                  system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:unconfined_t

File contexts:
Controlling term:               root:object_r:devpts_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/bash                       system_u:object_r:shell_exec_t
/bin/login                      system_u:object_r:login_exec_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/mingetty                  system_u:object_r:getty_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t
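Added check, not part of this thread and not code from the poster or from Fedora: a POSIX shell script that finds leftover prelink temporaries (names like the libgnomeui one above) under a directory and reports those that are not world-readable, the 0600 state that blocked the GNOME login here. The demo directory, the second library name and all function names are constructed for the example; the script only reports and never changes modes.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: report leftover prelink
# temporaries (e.g. libgnomeui-2.so.0.1000.0.#prelink#.Hotj6j) that a prelink
# run aborted by an SELinux denial can leave behind, and flag the ones whose
# other-read bit is clear (the 0600 state the poster hit). Report only.

# Every prelink temporary under $1 that is not world-readable, one per line.
find_bad_prelink_tmp() {
    find "$1" -type f -name '*.#prelink#.*' ! -perm -004 | sort
}

# Number of such files, so a caller can treat a non-zero count as a failure.
count_bad_prelink_tmp() {
    find_bad_prelink_tmp "$1" | wc -l | tr -d ' '
}

# Map a temporary back to the library it was meant to replace:
# .../libgnomeui-2.so.0.1000.0.#prelink#.Hotj6j -> .../libgnomeui-2.so.0.1000.0
affected_library() {
    printf '%s\n' "${1%%".#prelink#"*}"
}

# Human-readable report: "<library>  (temp: <path>)" per offending file.
report_bad_prelink_tmp() {
    find_bad_prelink_tmp "$1" | while IFS= read -r f; do
        printf '%s  (temp: %s)\n' "$(affected_library "$f")" "$f"
    done
}

# Constructed directory tree so the example runs offline, away from /usr/lib.
demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/lib"
    : > "$d/usr/lib/libgnomeui-2.so.0.1000.0.#prelink#.Hotj6j"
    chmod 600 "$d/usr/lib/libgnomeui-2.so.0.1000.0.#prelink#.Hotj6j"  # bad
    : > "$d/usr/lib/libgnomevfs-2.so.0.#prelink#.Q1w2e3"               # constructed
    chmod 644 "$d/usr/lib/libgnomevfs-2.so.0.#prelink#.Q1w2e3"         # fine
    : > "$d/usr/lib/libother.so.1"                                     # constructed
    chmod 600 "$d/usr/lib/libother.so.1"   # not a prelink temp: ignored
    printf '%s\n' "$d"
}

# Stand-alone run: "sh script.sh --demo" builds the tree, reports, cleans up.
if [ "${1:-}" = "--demo" ]; then
    tree=$(demo_tree)
    report_bad_prelink_tmp "$tree"
    rm -rf "$tree"
fi
```

Run it against a real /usr/lib as `report_bad_prelink_tmp /usr/lib` after a failed update; an empty report means no leftover temporaries with restrictive modes.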