RE: [mostly solved] SELinux is screwing me up!!!! Help!

>From: fedora-list-bounces@xxxxxxxxxx
>[mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Jim Cornette
>Sent: Sunday, December 18, 2005 6:40 PM
>To: For users of Fedora Core releases
>Subject: Re: SELinux is screwing me up!!!! Help!
>
>
>Daniel B. Thurman wrote:
>
>>Folks,
>>
>>I believe all of my problems started because I had backed up
>>and restored my filesystem and *somehow* all or some
>>of the selinux attributes may have been messed up.  Reading
>>the selinux manual, it says that you can rebuild it by touching
>>a file: /.autorelabel and reboot.  I did that, and I still have
>>the same problem as before - nothing has changed.  I checked some
>>of the file-permissions such as /bin/su and note that they are
>>correct and other files and directory - so at first mini-check it
>>all appears to be correct. The restore appears correct throughout
>>on precursory checks.
>>
>>The following are problems I am having....
>>
>>1) I cannot login as a non-root user!  I have 4 non-root user accounts
>>and yet I cannot log into any of them except as root!
>>
>>I get the following message when attempting to log in:
>>
>> ==========================================
>> Your session lasted less than 10 seconds. If you have not
>> logged out yourself, this could mean that there is some
>> installation problem or that you may be out of diskspace.
>> Try logging in with one of the failsafe sessions to see if
>> you can fix this problem.
>>
>> [] View details (~/.xsession-errors file)
>> ==========================================
>>
>>then I get kicked out of the login session.

[PROBLEM SOLVED]

Since 'yum update' was prevented from doing post-installation (?)
of the #prelink# perhaps due to selinux, it appears that some of
the permissions were not applied correctly throughout.

Since I did not actually click the checkbox for "View Details"
until now, I realized that the #prelink# was a problem as it was
revealed that the file: /usr/lib/libgnomeui-2.so.0 was linked to:
/usr/lib/libgnomeui-2.so.0.1000.0.#prelink#.Hotj6j for which the
permissions were 0600!  Changing the permission to 0755 now allows
me to log in to the gnome console as a non-root user.

Please note that I have not caught all of the other files that used
the #prelink# post-installations so I don't know what problems I may
encounter later on.

>>
>>2) As root user, when I `su - dant', I get this EVERY TIME:
>>
>> ==========================================
>>  Your default context is: user_u:system_r:kernel_t.
>>
>>  Do you want to want to choose a different one? [n]
>> ==========================================
>>
>>Choosing the default lets me in as this user.  Choosing 'n'
>>gives me a list of contexts and choosing one lets me in.
>>  

[PROBLEM SOLVED]

I think that I solved this problem by:

1) Booting in selinux=0 single
2) /sbin/fixfiles -F -R -a -F relabel
3) reboot

Reset the selinux settings to leave kerberos and frontpage
alone since specific details are not solved for these by
the default selinux policies.

>>
>
>The above behavior and message displays sound like policy-strict 
>behavior. Of course a system relabeling is probably needed.
>
>First try running as root setenforce 0 which will put you in
>permissive mode. (As I understand, not totally disables selinux)
>Switch to a virtual console and try to log in.
>If this works for letting you login, the system is not
>labelled correctly.
>
>My suggested remedy: ( Novice but successful on my system with results)
>
>boot with selinux=0 and single appended to your grub loader by
>highlighting the kernel entry and pressing 'a' to append the entry.
>When system gives you the ash prompt, run
>fixfiles relabel
>It will prompt you for if you desire to delete the content of
>your /tmp directory. If you have nothing important in the /tmp
>directory, answer yes. Let the system relabel itself, then reboot
>in normal mode.
>Your system will again go into relabelling the filesystem, let it
>finish. Next, let your GUI login manager load. From the GUI login
>manager, type info for your desired regular user and password
>and see if you can successfully login.
>
>If this fails, probably fresh installing the system and
>pulling critical information from the backup would be your best
>option.
>
>Off topic: Just wait for SELinux in FC5, it guards the system even
>tighter than FC4 seems to. Though FC4 seems to be updated to rawhide,
>the more stringent control might be affecting system processes
>already.
>I assume that it is behind development models.
>
>>3) As root, I tried to create a non-root user:
>>
>># useradd joed
>>
>>/var/log/messages says:
>>
>>type=USER_CHAUTHTOK msg=audit(1134936930.895:3557): user pid=19294 uid=0 auid=4294967295 msg='useradd: op=adding user acct=joed res=success'
>>type=USER_CHAUTHTOK msg=audit(1134936930.895:3558): user pid=19294 uid=0 auid=4294967295 msg='useradd: op=adding home directory acct=joed res=success'
>>type=AVC msg=audit(1134936931.415:3559): avc:  denied  { create } for  pid=19294 comm="useradd" name=".kde" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
>>type=SYSCALL msg=audit(1134936931.415:3559): arch=40000003 syscall=39 success=no exit=-13 a0=bfde8bf0 a1=1ed a2=92f92ef a3=ffffffff items=1 pid=19294 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
>>type=CWD msg=audit(1134936931.415:3559):  cwd="/root"
>>type=PATH msg=audit(1134936931.415:3559): item=0 name="/home/joed/.kde" flags=10  inode=1245989 dev=03:02 mode=040755 ouid=511 ogid=512 rdev=00:00
>>type=AVC msg=audit(1134936931.419:3560): avc:  denied  { create } for  pid=19294 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file
>>type=SYSCALL msg=audit(1134936931.419:3560): arch=40000003 syscall=5 success=no exit=-13 a0=bfde8f64 a1=8241 a2=1b6 a3=92f33b8 items=1 pid=19294 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
>>type=CWD msg=audit(1134936931.419:3560):  cwd="/root"
>>type=PATH msg=audit(1134936931.419:3560): item=0 name="/etc/passwd+" flags=310 inode=1212417 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
>>type=USER_CHAUTHTOK msg=audit(1134936931.419:3561): user pid=19294 uid=0 auid=4294967295 msg='useradd: op=adding user acct=joed res=failed'
>>

[PROBLEM SOLVED]

With the selinux attributes restored, I can now create and delete users.

>>4) Cannot 'yum update' successfully and these are the errors I see:
>>
>>Transaction Test Succeeded
>>Running Transaction
>>  Installing: arts                         ####################### [ 1/26]
>>error: unpacking of archive failed on file /usr/bin/artscat: cpio: lsetfilecon
>>  Installing: perl                         ####################### [ 2/26]
>>error: unpacking of archive failed on file /usr/bin/a2p: cpio: lsetfilecon
>>  Installing: cups-libs                    ####################### [ 3/26]
>>error: unpacking of archive failed on file /usr/lib/libcups.so.2: cpio: lsetfilecon
>>error: %pre(kdelibs-3.5.0-0.1.fc4.i386) scriptlet failed, exit status 255
>>error:   install: %pre scriptlet failed (2), skipping kdelibs-3.5.0-0.1.fc4
>>  Installing: kdebase                                              [ 5/26]warning: /etc/X11/xdm/kdmrc saved as /etc/X11/xdm/kdmrc.rpmorig
>>  Installing: kdebase                      ####################### [ 5/26]
>>error: unpacking of archive failed on file /etc/X11/xdm/kdmrc: cpio: lsetfilecon  Updating  : kdenetwork                   ####################### [ 6/26]
>>error: unpacking of archive failed on file /etc/pam.d/kppp: cpio: lsetfilecon
>>  Installing: kdebindings                  ####################### [ 7/26]
>>error: unpacking of archive failed on file /usr/bin/embedjs: cpio: lsetfilecon
>>  Updating  : kdemultimedia                ####################### [ 8/26]
>>error: unpacking of archive failed on file /etc/xdg/menus/applications-merged/kde-multimedia-music.menu: cpio: lsetfilecon
>>  Updating  : kdegraphics                  ####################### [ 9/26]
>>error: unpacking of archive failed on file /usr/bin/kcolorchooser: cpio: lsetfilecon
>>  Updating  : kdegames                     ####################### [10/26]
>>error: unpacking of archive failed on file /usr/bin/atlantik: cpio: lsetfilecon
>>  Installing: arts-devel                   ####################### [11/26]
>>error: unpacking of archive failed on file /usr/bin/artsc-config: cpio: lsetfilecon
>>  Installing: kdelibs-devel                ####################### [12/26]
>>error: unpacking of archive failed on file /usr/bin/dcopidl: cpio: lsetfilecon
>>  Updating  : kdeartwork                   ####################### [13/26]
>>error: unpacking of archive failed on file /usr/bin/kbanner.kss: cpio: lsetfilecon
>>  Updating  : cups                         ####################### [14/26]
>>error: unpacking of archive failed on file /etc/cron.daily/cups: cpio: lsetfilecon
>>  Updating  : system-config-nfs            ####################### [15/26]
>>error: unpacking of archive failed on file /etc/pam.d/system-config-nfs: cpio: lsetfilecon
>>  Updating  : kdebindings-devel            ####################### [16/26]
>>error: unpacking of archive failed on file /usr/include/kde/kjsembed: cpio: lsetfilecon
>>  Updating  : dhcp                         ####################### [17/26]
>>error: unpacking of archive failed on file /etc/dhcpd.conf: cpio: lsetfilecon
>>error: %preun(kdenetwork-3.4.2-0.fc4.2.i386) scriptlet failed, exit status 255
>>  Cleanup   : kdeartwork                   ####################### [18/26]
>>error: %postun(kdeartwork-3.4.2-0.fc4.1.i386) scriptlet failed, exit status 255
>>error: %trigger(cups-1.1.23-15.1.i386) scriptlet failed, exit status 255
>>  Cleanup   : kdemultimedia                ####################### [19/26]
>>error: %postun(kdemultimedia-3.4.2-0.fc4.1.i386) scriptlet failed, exit status 255
>>error: %preun(system-config-nfs-1.3.11-0.fc4.1.noarch) scriptlet failed, exit status 255
>>  Cleanup   : kdebindings-devel            ####################### [20/26]
>>  Cleanup   : kdegraphics                  ####################### [21/26]
>>error: %postun(kdegraphics-3.4.2-0.fc4.2.i386) scriptlet failed, exit status 25
>>
>>
>>I am at a loss as to why I see a general "avc: denied {xxxxxxx}" messages
>>interspersed in the /var/log/messages and /var/log/audit/audit.log files such
>>as shown below:
>>
>>/var/log/messages:
>>====================
>>
>>===
>>No idea what these are:
>>
>>Dec 12 21:48:06 linux dbus: avc:  received policyload notice (seqno=3)
>>Dec 12 21:48:06 linux dbus: avc:  1 AV entries and 1/512 buckets used, longest chain length 1
>>Dec 12 21:48:06 linux dbus: avc:  received policyload notice (seqno=3)
>>Dec 12 21:48:06 linux dbus: avc:  0 AV entries and 0/512 buckets used, longest chain length 0
>>Dec 12 21:48:06 linux dbus: avc:  received policyload notice (seqno=3)
>>Dec 12 21:48:06 linux dbus: avc:  7 AV entries and 7/512 buckets used, longest chain length 1
>>
>>===
>>Relabeling problems shown below...
>>
>>Dec 17 18:35:50 linux kernel: SELinux: initialized (dev sdb1, type ext3), uses xattr
>>Dec 17 18:35:50 linux kernel: audit(1134872391.398:2): avc:  granted  { setenforce } for  pid=379 comm="rc.sysinit" scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
>>Dec 17 18:35:50 linux kernel: audit(1134872392.086:3): avc:  denied  { relabelfrom } for  pid=1236 comm="setfiles" name="__db.001" dev=hda2 ino=904713 scontext=system_u:system_r:kernel_t tcontext=root:object_r:file_t tclass=file
>>Dec 17 18:35:50 linux kernel: audit(1134872412.527:4): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="root" dev=hda2 ino=671745 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_dir_t tclass=dir
>>Dec 17 18:35:50 linux kernel: audit(1134872412.547:5): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="bin" dev=hda2 ino=671746 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_t tclass=dir
>>Dec 17 18:35:50 linux kernel: audit(1134872412.559:6): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="doCerts" dev=hda2 ino=671747 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_t tclass=file
>>Dec 17 18:35:50 linux kernel: audit(1134872412.951:7): avc:  denied  { relabelfrom } for  pid=1236 comm="setfiles" name="khelpcenter" dev=hda2 ino=672118 scontext=system_u:system_r:kernel_t tcontext=root:object_r:file_t tclass=dir
>>Dec 17 18:35:50 linux kernel: audit(1134872412.975:8): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="socket-linux.cdkkt.com" dev=hda2 ino=672307 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_t tclass=lnk_file
>>Dec 17 18:35:50 linux kernel: audit(1134872413.031:9): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="libflashplayer.so" dev=hda2 ino=672362 scontext=system_u:system_r:kernel_t tcontext=root:object_r:lib_t tclass=file
>>Dec 17 18:35:50 linux kernel: audit(1134873060.784:10): avc:  denied  { relabelfrom } for  pid=1236 comm="setfiles" name="xterm" dev=hda2 ino=1565515 scontext=system_u:system_r:kernel_t tcontext=root:object_r:file_t tclass=lnk_file
>>Dec 17 18:35:50 linux kernel: audit(1134873187.416:11): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="dant" dev=hda2 ino=1245501 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
>>Dec 17 18:35:50 linux kernel: audit(1134873187.416:12): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name=".kde" dev=hda2 ino=1245502 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
>>Dec 17 18:35:50 linux kernel: audit(1134873187.420:13): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="Autorun.desktop" dev=hda2 ino=1245504 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=file
>>Dec 17 18:35:50 linux kernel: audit(1134873187.492:14): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="socket-linux.cdkkt.com" dev=hda2 ino=1245588 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=lnk_file
>>Dec 17 18:35:50 linux kernel: audit(1134873191.264:15): avc:  denied  { relabelfrom } for  pid=1236 comm="setfiles" name="verifyFS" dev=hdb1 ino=49063 scontext=system_u:system_r:kernel_t tcontext=root:object_r:samba_share_t tclass=file
>>Dec 17 18:35:50 linux kernel: audit(1134873191.340:16): avc:  denied  { relabelfrom } for  pid=1236 comm="setfiles" name="DenyHosts-1.1.2-python2.4.noarch.rpm" dev=hdb1 ino=1651599 scontext=system_u:system_r:kernel_t tcontext=root:object_r:default_t tclass=file
>>Dec 17 18:35:50 linux kernel: audit(1134873218.749:17): avc:  denied  { relabelfrom } for  pid=1236 comm="setfiles" name="defaults" dev=hdb3 ino=1697393 scontext=system_u:system_r:kernel_t tcontext=root:object_r:default_t tclass=dir
>>Dec 17 18:35:50 linux kernel: audit(1134873319.356:18): avc:  granted  { setenforce } for  pid=379 comm="rc.sysinit" scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
>>Dec 17 18:35:50 linux kernel: Adding 2289252k swap on /dev/hda3.  Priority:-1 extents:1 across:2289252k
>>
>>Any help would be appreciated!
>>
>>Kind regards,
>>Dan
>>
>>  
>>
>With selinux totally disabled during relabeling, you should not be
>hampered by avc denials. selinux=0 is the safest mode in runlevel 1 to
>ensure access for relabeling with minimal running processes
>which might cause problems. From the output above, it is relabeling
>in permissive mode, which is not totally free to allow root full
>control. IMO
>
>Jim
>

Since 'yum update' was executed in a messed up selinux state, I am not
certain that all of the updates were correctly performed for all of the
files updated as some files were deposited/installed and yet post-installs
may have failed as well as evidenced with the gnome/kde #prelink# issue
noted above preventing me from logging into the console as a non-root
user.  I will search for all the #prelink# files but it is impossible to
catch other things that may have been missed.

Anyone know how I can force-reinstall all the newly downloaded rpms or perhaps
force install all of the rpm's in the database which presumably has the updates
as well?

Dan
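
Added example, not part of the original message: one way to search a tree for the leftover #prelink# temporary files described above and for symlinks that resolve to one that other users cannot read, as with the 0600 libgnomeui file. It assumes GNU find, stat and readlink and that the library name is a symlink to the temporary file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. GNU find/stat/readlink assumed.

# List every regular file under ROOT whose name contains "#prelink#",
# printing "MODE PATH" (octal mode) so restrictive leftovers stand out.
prelink_leftovers() {
    find "$1" -xdev -type f -name '*#prelink#*' -exec stat -c '%a %n' {} +
}

# List symlinks under ROOT that point at a "#prelink#" temp file which
# non-owners cannot read (mode lacks o+r), as in the 0600 case in the post.
# Output: "UNREADABLE MODE LINK -> TARGET", or "DANGLING LINK" when the
# temp file the link names no longer exists.
prelink_bad_links() {
    find "$1" -xdev -type l -lname '*#prelink#*' -print |
    while IFS= read -r link; do
        # stat -L follows the link; failure means the target is missing
        if ! mode=$(stat -L -c '%a' -- "$link" 2>/dev/null); then
            printf 'DANGLING %s\n' "$link"
            continue
        fi
        # 04 is the read bit for "other"; a non-root user must be able to
        # read a shared library in order to load it
        if [ $(( 0$mode & 04 )) -eq 0 ]; then
            printf 'UNREADABLE %s %s -> %s\n' \
                "$mode" "$link" "$(readlink -- "$link")"
        fi
    done
}

# Typical use, as root: prelink_bad_links /usr/lib
```
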
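
Added example, not part of the original message: a shell/awk helper that tallies AVC denials by source type, command, permission and object class. Run over records like those quoted in the post, it shows every denial coming from user-space commands (useradd, setfiles) whose source type is kernel_t, meaning no domain transition took place, which fits the labelling problem discussed in the thread. Function names are hypothetical; the sample records are unwrapped copies of lines quoted above.

```shell
#!/bin/sh
# Added example, not from the original post. Input: audit records on stdin,
# one record per line (as in /var/log/audit/audit.log or /var/log/messages).

# Print "COUNT SOURCE_TYPE COMM PERM TCLASS", most frequent first.
avc_denial_summary() {
    awk '
    function getval(key,   s) {        # value of key=value, quotes stripped
        if (!match($0, key "=[^ ]+")) return "?"
        s = substr($0, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
        gsub(/"/, "", s)
        return s
    }
    /avc: +denied/ {
        if (!match($0, /[{][^}]*[}]/)) next
        perm = substr($0, RSTART + 2, RLENGTH - 4)   # between the braces
        split(getval("scontext"), ctx, ":")          # user:role:type
        n[ctx[3] " " getval("comm") " " perm " " getval("tclass")]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Commands that were denied while running in the kernel_t domain.
kernel_t_commands() {
    avc_denial_summary | awk '$2 == "kernel_t" { print $3 }' | sort -u
}

# Sample records: unwrapped copies of log lines quoted in the post.
sample_records() {
    cat <<'EOF'
type=AVC msg=audit(1134936931.415:3559): avc:  denied  { create } for  pid=19294 comm="useradd" name=".kde" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1134936931.419:3560): avc:  denied  { create } for  pid=19294 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file
Dec 17 18:35:50 linux kernel: audit(1134872391.398:2): avc:  granted  { setenforce } for  pid=379 comm="rc.sysinit" scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
Dec 17 18:35:50 linux kernel: audit(1134872392.086:3): avc:  denied  { relabelfrom } for  pid=1236 comm="setfiles" name="__db.001" dev=hda2 ino=904713 scontext=system_u:system_r:kernel_t tcontext=root:object_r:file_t tclass=file
Dec 17 18:35:50 linux kernel: audit(1134872412.527:4): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="root" dev=hda2 ino=671745 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_dir_t tclass=dir
Dec 17 18:35:50 linux kernel: audit(1134872412.547:5): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="bin" dev=hda2 ino=671746 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_t tclass=dir
EOF
}

# Typical use: avc_denial_summary < /var/log/audit/audit.log
```
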
