Re: Non-root console login issue! (was: Problem with VNC and SELinux:FC4)


Daniel B. Thurman wrote:
From: fedora-list-bounces@xxxxxxxxxx
[mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Daniel B. Thurman
Sent: Saturday, December 17, 2005 2:30 PM
To: For users of Fedora Core releases
Cc: Fedora SELinux support list for users & developers.
Subject: Non-root console login issue! (was: Problem with VNC and
SELinux:FC4)


From: fedora-list-bounces@xxxxxxxxxx
[mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Daniel B. Thurman
Sent: Friday, December 16, 2005 6:11 PM
To: For users of Fedora Core releases (E-mail)
Cc: Fedora SELinux support list for users & developers.
Subject: Problem with VNC and SELinux: FC4



Folks,

With the new SELinux updates, it appears that root,
unlike normal users, can log in to Fedora via VNC
Server?  My VNC Server is set up such that I am using
xinetd for VNC Server requests.

Another problem I noticed is that when I log into my
Fedora system via VNC as root user, and open an xterm
window and run a su - <normal-user>, I get back an
SELinux message:

================================================
# su - dan
Your default context is: user_u:system_r:kernel_t.

Do you want to want to choose a different one? [n]
================================================

It is *possible* that this problem came up when
I had to make a copy of my filesystem to another
hard-disk for the purpose of creating a /boot
partition (my bad) and copied/restored the filesystem
back over to the main drive.  I don't think I made
any copy/restore mistakes as I know the fs permissions
are correct but I cannot speak for filesystem journaling
or whatever that keeps track of the SELinux attributes.

In any case, what can I do to resolve my VNC and/or su
issue, knowing that SELinux has something to do with it?

Thanks!
Dan Thurman

Problem is not related to SELinux and not really related
to VNC. It turns out that I cannot log into the console
as a non-root user and I get a message saying:

=======================================================
Your session lasted less than 10 seconds. If you have not
logged out yourself, this could mean that there is some
installation problem or that you may be out of diskspace.
Try logging in with one of the failsafe sessions to see if
you can fix this problem.

[] View details (~/.xsession-errors file)
=======================================================

The problem here is that the .xsession-errors file does
not exist.  I also note from /var/log/message file:

=======================================================
Dec 17 12:45:31 linux gdm(pam_unix)[16480]: session opened for user dant by (uid=0)
Dec 17 12:45:32 linux gdm(pam_unix)[16480]: session closed for user dant
Dec 17 12:45:32 linux dbus: avc: 0 AV entries and 0/512 buckets used, longest chain length 0
=======================================================

And from /var/log/audit/audit.log
=======================================================
type=USER_AUTH msg=audit(1134858412.155:3929): user pid=3397 uid=0 auid=4294967295 msg='PAM authentication: user=dant exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 result=Success)'
type=USER_ACCT msg=audit(1134858412.159:3930): user pid=3397 uid=0 auid=4294967295 msg='PAM accounting: user=dant exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 result=Success)'
type=CRED_ACQ msg=audit(1134858412.247:3931): user pid=3397 uid=0 auid=4294967295 msg='PAM setcred: user=dant exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 result=Success)'
type=USER_START msg=audit(1134858412.307:3932): user pid=3397 uid=0 auid=4294967295 msg='PAM session open: user=dant exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 result=Success)'
=======================================================

File:
# ls -l /usr/bin/gdm-binary
-rwxr-xr-x  1 root root 251668 May 23  2005 /usr/bin/gdm-binary

HALLLLLP!  Please :-)

Dan


Sorry - had to add this tidbit....  seems that SELinux may be
involved, or maybe my file journaling is messed up after a "restore"?

I tried to create a new user account to see if by doing this
I would get a correct security context and be able to log
into the console but WHOA!!!  What is going on here!?!?!?

=======================================================
[root@linux ~]# useradd dant2
useradd: cannot rewrite password file
[root@linux ~]#
=======================================================
File: /var/log/audit/audit.log:

94967295 msg='useradd: op=adding home directory acct=dant2 res=success'
type=AVC msg=audit(1134859204.879:4004): avc:  denied  { create } for  pid=19177 comm="useradd" name=".kde" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
type=SYSCALL msg=audit(1134859204.879:4004): arch=40000003 syscall=39 success=no exit=-13 a0=bfd81470 a1=1ed a2=98fd2ef a3=ffffffff items=1 pid=19177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
type=CWD msg=audit(1134859204.879:4004):  cwd="/root"
type=PATH msg=audit(1134859204.879:4004): item=0 name="/home/dant2/.kde" flags=10  inode=1245989 dev=03:02 mode=040755 ouid=511 ogid=512 rdev=00:00
type=AVC msg=audit(1134859204.883:4005): avc:  denied  { create } for  pid=19177 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file
type=SYSCALL msg=audit(1134859204.883:4005): arch=40000003 syscall=5 success=no exit=-13 a0=bfd817e4 a1=8241 a2=1b6 a3=98f6f38 items=1 pid=19177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
type=CWD msg=audit(1134859204.883:4005):  cwd="/root"
type=PATH msg=audit(1134859204.883:4005): item=0 name="/etc/passwd+" flags=310 inode=1212417 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=USER_CHAUTHTOK msg=audit(1134859204.883:4006): user pid=19177 uid=0 auid=4294967295 msg='useradd: op=adding user acct=dant2 res=failed'
=======================================================

Dan

Looks like you have a labeling problem. file_t files should not exist if your system is properly labeled. This either indicates you booted with selinux=0 or you added additional disks.

You can relabel by executing

touch /.autorelabel
reboot
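As an added illustration (not part of the thread), the check below pulls out of audit.log-style records exactly the symptom the reply points at: AVC denials whose target is labeled file_t, i.e. files with no label at all. The sample records are constructed from the denials quoted earlier in the thread; after a relabel, running this over fresh logs should report nothing.

```shell
#!/bin/sh
# Added example, not from the thread: flag AVC denials against unlabeled
# (file_t) targets, the sign of a labeling problem named in the reply.

# Constructed sample, copied from the denials quoted in the thread.
AUDIT_SAMPLE='type=AVC msg=audit(1134859204.879:4004): avc:  denied  { create } for  pid=19177 comm="useradd" name=".kde" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1134859204.883:4005): avc:  denied  { create } for  pid=19177 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file
type=SYSCALL msg=audit(1134859204.883:4005): arch=40000003 syscall=5 success=no exit=-13'

# unlabeled_denials: read audit records on stdin and print
# "comm name tcontext" for each AVC denial whose target type is file_t.
unlabeled_denials() {
    awk '
        /^type=AVC / && /denied/ {
            comm = ""; name = ""; tctx = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     comm = $i
                if ($i ~ /^name=/)     name = $i
                if ($i ~ /^tcontext=/) tctx = substr($i, 10)
            }
            # context is user:role:type[:level]; the type is field 3
            split(tctx, parts, ":")
            if (parts[3] == "file_t") print comm, name, tctx
        }'
}

# count_unlabeled: number of file_t denials in the records on stdin.
count_unlabeled() {
    unlabeled_denials | wc -l | tr -d ' '
}

# Run over the constructed sample; expect only the /etc/passwd+ denial.
printf '%s\n' "$AUDIT_SAMPLE" | unlabeled_denials
```

On a live system, feed it /var/log/audit/audit.log instead of the sample; any hit means the relabel above (touch /.autorelabel; reboot) is still outstanding.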

