>From: fedora-list-bounces@xxxxxxxxxx [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Jim Cornette
>Sent: Sunday, December 18, 2005 6:40 PM
>To: For users of Fedora Core releases
>Subject: Re: SELinux is screwing me up!!!! Help!
>
>
>Daniel B. Thurman wrote:
>
>>Folks,
>>
>>I believe all of my problems started because I had backed up
>>and restored my filesystem and *somehow* all or some
>>of the selinux attributes may have been messed up. Reading
>>the selinux manual, it says that you can rebuild it by touching
>>a file: /.autorelabel and reboot. I did that, and I still have
>>the same problem as before - nothing has changed. I checked some
>>of the file-permissions such as /bin/su and note that they are
>>correct and other files and directories - so at first mini-check it
>>all appears to be correct. The restore appears correct throughout
>>on precursory checks.
>>
>>The following are problems I am having....
>>
>>1) I cannot log in as a non-root user! I have 4 non-root user accounts
>>and yet I cannot log into any of them except as root!
>>
>>I get the following message when attempting to log in:
>>
>> ==========================================
>> Your session lasted less than 10 seconds. If you have not
>> logged out yourself, this could mean that there is some
>> installation problem or that you may be out of diskspace.
>> Try logging in with one of the failsafe sessions to see if
>> you can fix this problem.
>>
>> [] View details (~/.xsession-errors file)
>> ==========================================
>>
>>then I get kicked out of the login session.

[PROBLEM SOLVED]

Since 'yum update' was prevented from doing post-installation (?) of
the #prelink# perhaps due to selinux, it appears that some of the
permissions were not applied correctly throughout.

Since I did not actually click the checkbox for "View Details" until
now, I realized that the #prelink# was a problem as it was revealed
that the file: /usr/lib/libgnomeui-2.so.0 was linked to:
/usr/lib/libgnomeui-2.so.0.1000.0.#prelink#.Hotj6j
for which the permissions were 0600! Changing the permission to 0755
now allows me to log in to the gnome console as a non-root user.

Please note that I have not caught all of the other files that used
the #prelink# post-installations so I don't know what problems I may
encounter later on.

>>
>>2) As root user, when I `su - dant', I get this EVERY TIME:
>>
>> ==========================================
>> Your default context is: user_u:system_r:kernel_t.
>>
>> Do you want to want to choose a different one? [n]
>> ==========================================
>>
>>Choosing the default lets me in as this user. Choosing 'n'
>>gives me a list of context and choosing one lets me in.
>>

[PROBLEM SOLVED]

I think that I solved this problem by:

1) Booting in selinux=0 single
2) /sbin/fixfiles -F -R -a -F relabel
3) reboot

Reset the selinux settings to leave kerberos and frontpage alone
since specific details are not solved for these by the default
selinux policies.

>>
>
>The above behavior and message displays sound like policy-strict
>behavior. Of course a system relabeling is probably needed.
>
>First try running as root setenforce 0 which will put you in permissive
>mode. (As I understand, not totally disables selinux)
>Switch to a virtual console and try to log in.
>If this works for letting you log in, the system is not labelled correctly.
>
>My suggested remedy: ( Novice but successful on my system with results)
>
>boot with selinux=0 and single appended to your grub loader by
>highlighting the kernel entry and pressing 'a' to append the entry.
>When system gives you the ash prompt, run
>fixfiles relabel
>It will prompt you for if you desire to delete the content of your /tmp
>directory. If you have nothing important in the /tmp directory, answer
>yes. Let the system relabel itself, then reboot in normal mode.
>Your system will again go into relabelling the filesystem, let it
>finish. Next, let your GUI login manager load. From the GUI login
>manager, type info for your desired regular user and password and see if
>you can successfully log in.
>
>If this fails, probably fresh installing the system and pulling critical
>information from the backup would be your best option.
>
>Off topic: Just wait for SELinux in FC5, it guards the system even
>tighter than FC4 seems to. Though FC4 seems to be updated to rawhide,
>the more stringent control might be affecting system processes already.
>I assume that it is behind development models.
>
>>3) As root, I tried to create a non-root user:
>>
>># useradd joed
>>
>>/var/log/messages says:
>>
>>type=USER_CHAUTHTOK msg=audit(1134936930.895:3557): user pid=19294 uid=0 auid=4294967295 msg='useradd: op=adding user acct=joed res=success'
>>type=USER_CHAUTHTOK msg=audit(1134936930.895:3558): user pid=19294 uid=0 auid=4294967295 msg='useradd: op=adding home directory acct=joed res=success'
>>type=AVC msg=audit(1134936931.415:3559): avc: denied { create } for pid=19294 comm="useradd" name=".kde" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
>>type=SYSCALL msg=audit(1134936931.415:3559): arch=40000003 syscall=39 success=no exit=-13 a0=bfde8bf0 a1=1ed a2=92f92ef a3=ffffffff items=1 pid=19294 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
>>type=CWD msg=audit(1134936931.415:3559): cwd="/root"
>>type=PATH msg=audit(1134936931.415:3559): item=0 name="/home/joed/.kde" flags=10 inode=1245989 dev=03:02 mode=040755 ouid=511 ogid=512 rdev=00:00
>>type=AVC msg=audit(1134936931.419:3560): avc: denied { create } for pid=19294 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file
>>type=SYSCALL msg=audit(1134936931.419:3560): arch=40000003 syscall=5 success=no exit=-13 a0=bfde8f64 a1=8241 a2=1b6 a3=92f33b8 items=1 pid=19294 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
>>type=CWD msg=audit(1134936931.419:3560): cwd="/root"
>>type=PATH msg=audit(1134936931.419:3560): item=0 name="/etc/passwd+" flags=310 inode=1212417 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
>>type=USER_CHAUTHTOK msg=audit(1134936931.419:3561): user pid=19294 uid=0 auid=4294967295 msg='useradd: op=adding user acct=joed res=failed'
>>

[PROBLEM SOLVED]

With the selinux attributes restored, I can now create and delete users.

>>4) Cannot 'yum update' successfully and these are the errors I see:
>>
>>Transaction Test Succeeded
>>Running Transaction
>> Installing: arts ####################### [ 1/26]
>>error: unpacking of archive failed on file /usr/bin/artscat: cpio: lsetfilecon
>> Installing: perl ####################### [ 2/26]
>>error: unpacking of archive failed on file /usr/bin/a2p: cpio: lsetfilecon
>> Installing: cups-libs ####################### [ 3/26]
>>error: unpacking of archive failed on file /usr/lib/libcups.so.2: cpio: lsetfilecon
>>error: %pre(kdelibs-3.5.0-0.1.fc4.i386) scriptlet failed, exit status 255
>>error: install: %pre scriptlet failed (2), skipping kdelibs-3.5.0-0.1.fc4
>> Installing: kdebase [ 5/26]warning: /etc/X11/xdm/kdmrc saved as /etc/X11/xdm/kdmrc.rpmorig
>> Installing: kdebase ####################### [ 5/26]
>>error: unpacking of archive failed on file /etc/X11/xdm/kdmrc: cpio: lsetfilecon
>> Updating : kdenetwork ####################### [ 6/26]
>>error: unpacking of archive failed on file /etc/pam.d/kppp: cpio: lsetfilecon
>> Installing: kdebindings ####################### [ 7/26]
>>error: unpacking of archive failed on file /usr/bin/embedjs: cpio: lsetfilecon
>> Updating : kdemultimedia ####################### [ 8/26]
>>error: unpacking of archive failed on file /etc/xdg/menus/applications-merged/kde-multimedia-music.menu: cpio: lsetfilecon
>> Updating : kdegraphics ####################### [ 9/26]
>>error: unpacking of archive failed on file /usr/bin/kcolorchooser: cpio: lsetfilecon
>> Updating : kdegames ####################### [10/26]
>>error: unpacking of archive failed on file /usr/bin/atlantik: cpio: lsetfilecon
>> Installing: arts-devel ####################### [11/26]
>>error: unpacking of archive failed on file /usr/bin/artsc-config: cpio: lsetfilecon
>> Installing: kdelibs-devel ####################### [12/26]
>>error: unpacking of archive failed on file /usr/bin/dcopidl: cpio: lsetfilecon
>> Updating : kdeartwork ####################### [13/26]
>>error: unpacking of archive failed on file /usr/bin/kbanner.kss: cpio: lsetfilecon
>> Updating : cups ####################### [14/26]
>>error: unpacking of archive failed on file /etc/cron.daily/cups: cpio: lsetfilecon
>> Updating : system-config-nfs ####################### [15/26]
>>error: unpacking of archive failed on file /etc/pam.d/system-config-nfs: cpio: lsetfilecon
>> Updating : kdebindings-devel ####################### [16/26]
>>error: unpacking of archive failed on file /usr/include/kde/kjsembed: cpio: lsetfilecon
>> Updating : dhcp ####################### [17/26]
>>error: unpacking of archive failed on file /etc/dhcpd.conf: cpio: lsetfilecon
>>error: %preun(kdenetwork-3.4.2-0.fc4.2.i386) scriptlet failed, exit status 255
>> Cleanup : kdeartwork ####################### [18/26]
>>error: %postun(kdeartwork-3.4.2-0.fc4.1.i386) scriptlet failed, exit status 255
>>error: %trigger(cups-1.1.23-15.1.i386) scriptlet failed, exit status 255
>> Cleanup : kdemultimedia ####################### [19/26]
>>error: %postun(kdemultimedia-3.4.2-0.fc4.1.i386) scriptlet failed, exit status 255
>>error: %preun(system-config-nfs-1.3.11-0.fc4.1.noarch) scriptlet failed, exit status 255
>> Cleanup : kdebindings-devel ####################### [20/26]
>> Cleanup : kdegraphics ####################### [21/26]
>>error: %postun(kdegraphics-3.4.2-0.fc4.2.i386) scriptlet failed, exit status 25
>>
>>
>>I am at a loss as to why I see general "avc: denied {xxxxxxx}" messages
>>interspersed in the /var/log/messages and /var/log/audit/audit.log files such
>>as shown below:
>>
>>/var/log/messages:
>>====================
>>
>>===
>>No idea what these are:
>>
>>Dec 12 21:48:06 linux dbus: avc: received policyload notice (seqno=3)
>>Dec 12 21:48:06 linux dbus: avc: 1 AV entries and 1/512 buckets used, longest chain length 1
>>Dec 12 21:48:06 linux dbus: avc: received policyload notice (seqno=3)
>>Dec 12 21:48:06 linux dbus: avc: 0 AV entries and 0/512 buckets used, longest chain length 0
>>Dec 12 21:48:06 linux dbus: avc: received policyload notice (seqno=3)
>>Dec 12 21:48:06 linux dbus: avc: 7 AV entries and 7/512 buckets used, longest chain length 1
>>
>>===
>>Relabeling problems shown below...
>>
>>Dec 17 18:35:50 linux kernel: SELinux: initialized (dev sdb1, type ext3), uses xattr
>>Dec 17 18:35:50 linux kernel: audit(1134872391.398:2): avc: granted { setenforce } for pid=379 comm="rc.sysinit" scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
>>Dec 17 18:35:50 linux kernel: audit(1134872392.086:3): avc: denied { relabelfrom } for pid=1236 comm="setfiles" name="__db.001" dev=hda2 ino=904713 scontext=system_u:system_r:kernel_t tcontext=root:object_r:file_t tclass=file
>>Dec 17 18:35:50 linux kernel: audit(1134872412.527:4): avc: denied { relabelto } for pid=1236 comm="setfiles" name="root" dev=hda2 ino=671745 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_dir_t tclass=dir
>>Dec 17 18:35:50 linux kernel: audit(1134872412.547:5): avc: denied { relabelto } for pid=1236 comm="setfiles" name="bin" dev=hda2 ino=671746 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_t tclass=dir
>>Dec 17 18:35:50 linux kernel: audit(1134872412.559:6): avc: denied { relabelto } for pid=1236 comm="setfiles" name="doCerts" dev=hda2 ino=671747 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_t tclass=file
>>Dec 17 18:35:50 linux kernel: audit(1134872412.951:7): avc: denied { relabelfrom } for pid=1236 comm="setfiles" name="khelpcenter" dev=hda2 ino=672118 scontext=system_u:system_r:kernel_t tcontext=root:object_r:file_t tclass=dir
>>Dec 17 18:35:50 linux kernel: audit(1134872412.975:8): avc: denied { relabelto } for pid=1236 comm="setfiles" name="socket-linux.cdkkt.com" dev=hda2 ino=672307 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_t tclass=lnk_file
>>Dec 17 18:35:50 linux kernel: audit(1134872413.031:9): avc: denied { relabelto } for pid=1236 comm="setfiles" name="libflashplayer.so" dev=hda2 ino=672362 scontext=system_u:system_r:kernel_t tcontext=root:object_r:lib_t tclass=file
>>Dec 17 18:35:50 linux kernel: audit(1134873060.784:10): avc: denied { relabelfrom } for pid=1236 comm="setfiles" name="xterm" dev=hda2 ino=1565515 scontext=system_u:system_r:kernel_t tcontext=root:object_r:file_t tclass=lnk_file
>>Dec 17 18:35:50 linux kernel: audit(1134873187.416:11): avc: denied { relabelto } for pid=1236 comm="setfiles" name="dant" dev=hda2 ino=1245501 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
>>Dec 17 18:35:50 linux kernel: audit(1134873187.416:12): avc: denied { relabelto } for pid=1236 comm="setfiles" name=".kde" dev=hda2 ino=1245502 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
>>Dec 17 18:35:50 linux kernel: audit(1134873187.420:13): avc: denied { relabelto } for pid=1236 comm="setfiles" name="Autorun.desktop" dev=hda2 ino=1245504 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=file
>>Dec 17 18:35:50 linux kernel: audit(1134873187.492:14): avc: denied { relabelto } for pid=1236 comm="setfiles" name="socket-linux.cdkkt.com" dev=hda2 ino=1245588 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=lnk_file
>>Dec 17 18:35:50 linux kernel: audit(1134873191.264:15): avc: denied { relabelfrom } for pid=1236 comm="setfiles" name="verifyFS" dev=hdb1 ino=49063 scontext=system_u:system_r:kernel_t tcontext=root:object_r:samba_share_t tclass=file
>>Dec 17 18:35:50 linux kernel: audit(1134873191.340:16): avc: denied { relabelfrom } for pid=1236 comm="setfiles" name="DenyHosts-1.1.2-python2.4.noarch.rpm" dev=hdb1 ino=1651599 scontext=system_u:system_r:kernel_t tcontext=root:object_r:default_t tclass=file
>>Dec 17 18:35:50 linux kernel: audit(1134873218.749:17): avc: denied { relabelfrom } for pid=1236 comm="setfiles" name="defaults" dev=hdb3 ino=1697393 scontext=system_u:system_r:kernel_t tcontext=root:object_r:default_t tclass=dir
>>Dec 17 18:35:50 linux kernel: audit(1134873319.356:18): avc: granted { setenforce } for pid=379 comm="rc.sysinit" scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
>>Dec 17 18:35:50 linux kernel: Adding 2289252k swap on /dev/hda3. Priority:-1 extents:1 across:2289252k
>>
>>Any help would be appreciated!
>>
>>Kind regards,
>>Dan
>>
>>
>>
>With selinux totally disabled during relabeling, you should not be
>hampered by avc denials. selinux=0 is the safest mode in runlevel 1 to
>ensure access for relabeling with minimal running processes which might
>cause problems. From the output above, it is relabeling in permissive
>mode, which is not totally free to allow root full control. IMO
>
>Jim
>

Since 'yum update' was executed in a messed up selinux state, I am
not certain that all of the updates were correctly performed for all
of the files updated as some files were deposited/installed and yet
post-installs may have failed as well as evidenced with the gnome/kde
#prelink# issue noted above preventing me from logging into the
console as a non-root user.

I will search for all the #prelink# files but it is impossible to
catch other things that may have been missed.

Anyone know how I can force-reinstall all the newly downloaded rpms
or perhaps force install all of the rpm's in the database which
presumably has the updates as well?

Dan