Daniel B. Thurman wrote:
From: fedora-list-bounces@xxxxxxxxxx
[mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Daniel B. Thurman
Sent: Saturday, December 17, 2005 2:30 PM
To: For users of Fedora Core releases
Cc: Fedora SELinux support list for users & developers.
Subject: Non-root console login issue! (was: Problem with VNC and
SELinux:FC4)
From: fedora-list-bounces@xxxxxxxxxx
[mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Daniel B. Thurman
Sent: Friday, December 16, 2005 6:11 PM
To: For users of Fedora Core releases (E-mail)
Cc: Fedora SELinux support list for users & developers.
Subject: Problem with VNC and SELinux: FC4
Folks,
With the new SELinux updates, it appears that root,
rather than normal users, can log in to Fedora via VNC
Server? My VNC Server is set up such that I am using
xinetd for VNC Server requests.
Another problem I noticed is that when I log into my
Fedora system via VNC as root user, and open an xterm
window and run a su - <normal-user>, I get back a
SELinux message:
================================================
# su - dan
Your default context is: user_u:system_r:kernel_t.
Do you want to want to choose a different one? [n]
================================================
It is *possible* that this problem came up when
I had to make a copy of my filesystem to another
hard-disk for the purpose of creating a /boot
partition (my bad) and copied/restored the filesystem
back over to the main drive. I don't think I made
any copy/restore mistakes as I know the fs permissions
are correct but I cannot speak for filesystem journaling
or whatever that keeps track of the SELinux attributes.
In any case, what can I do to resolve my VNC and/or su
issue knowing that SELinux has something to do with it?
Thanks!
Dan Thurman
The problem is not related to SELinux and not really related
to VNC. It turns out that I cannot log into the console
as a non-root user and I get a message saying:
=======================================================
Your session lasted less than 10 seconds. If you have not
logged out yourself, this could mean that there is some
installation problem or that you may be out of diskspace.
Try logging in with one of the failsafe sessions to see if
you can fix this problem.
[] View details (~/.xsession-errors file)
=======================================================
The problem here is that the .xsession-errors file does
not exist. I also note from the /var/log/messages file:
=======================================================
Dec 17 12:45:31 linux gdm(pam_unix)[16480]: session opened for
user dant by (uid=0)
Dec 17 12:45:32 linux gdm(pam_unix)[16480]: session closed for
user dant
Dec 17 12:45:32 linux dbus: avc: 0 AV entries and 0/512
buckets used, longest chain length 0
=======================================================
And from /var/log/audit/audit.log
=======================================================
type=USER_AUTH msg=audit(1134858412.155:3929): user pid=3397
uid=0 auid=4294967295 msg='PAM authentication: user=dant
exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
result=Success)'
type=USER_ACCT msg=audit(1134858412.159:3930): user pid=3397
uid=0 auid=4294967295 msg='PAM accounting: user=dant
exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
result=Success)'
type=CRED_ACQ msg=audit(1134858412.247:3931): user pid=3397
uid=0 auid=4294967295 msg='PAM setcred: user=dant
exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
result=Success)'
type=USER_START msg=audit(1134858412.307:3932): user pid=3397
uid=0 auid=4294967295 msg='PAM session open: user=dant
exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
result=Success)'
=======================================================
File:
# ls -l /usr/bin/gdm-binary
-rwxr-xr-x 1 root root 251668 May 23 2005 /usr/bin/gdm-binary
HALLLLLP! Please :-)
Dan
Sorry - had to add this tidbit.... it seems that SELinux may be
involved or maybe my file journaling is messed up after a "restore"?
I tried to create a new user account to see if by doing this
I would get a correct security context and be able to log
into the console but WHOA!!! What is going on here!?!?!?
=======================================================
[root@linux ~]# useradd dant2
useradd: cannot rewrite password file
[root@linux ~]#
=======================================================
File: /var/log/audit/audit.log:
94967295 msg='useradd: op=adding home directory acct=dant2 res=success'
type=AVC msg=audit(1134859204.879:4004): avc: denied { create } for pid=19177 comm="useradd" name=".kde" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
type=SYSCALL msg=audit(1134859204.879:4004): arch=40000003 syscall=39 success=no exit=-13 a0=bfd81470 a1=1ed a2=98fd2ef a3=ffffffff items=1 pid=19177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
type=CWD msg=audit(1134859204.879:4004): cwd="/root"
type=PATH msg=audit(1134859204.879:4004): item=0 name="/home/dant2/.kde" flags=10 inode=1245989 dev=03:02 mode=040755 ouid=511 ogid=512 rdev=00:00
type=AVC msg=audit(1134859204.883:4005): avc: denied { create } for pid=19177 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file
type=SYSCALL msg=audit(1134859204.883:4005): arch=40000003 syscall=5 success=no exit=-13 a0=bfd817e4 a1=8241 a2=1b6 a3=98f6f38 items=1 pid=19177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
type=CWD msg=audit(1134859204.883:4005): cwd="/root"
type=PATH msg=audit(1134859204.883:4005): item=0 name="/etc/passwd+" flags=310 inode=1212417 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=USER_CHAUTHTOK msg=audit(1134859204.883:4006): user pid=19177 uid=0 auid=4294967295 msg='useradd: op=adding user acct=dant2 res=failed'
=======================================================
Dan
Looks like you have a labeling problem. file_t files should not exist
if your system is properly labeled. This either indicates you booted
with selinux=0 or you added additional disks.
You can relabel by executing
touch /.autorelabel
reboot
--
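As an added illustration of reading the audit records above the way the reply does (this is not code from the thread), the Python below joins each AVC denial to the PATH record carrying the same audit serial and flags targets labeled file_t, the type a file carries when no policy label was ever applied, so a relabel rather than a policy change is the fix. The sample records are constructed to mirror the excerpt in the thread; the kernel_t heuristic is my own interpretation, not something the reply states.

```python
import re

# Constructed sample in the format of the FC4 audit.log excerpt above
# (values copied from the thread, not captured from a live system).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1134859204.879:4004): avc: denied { create } for pid=19177 comm="useradd" name=".kde" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
type=PATH msg=audit(1134859204.879:4004): item=0 name="/home/dant2/.kde" flags=10 inode=1245989 dev=03:02 mode=040755 ouid=511 ogid=512 rdev=00:00
type=AVC msg=audit(1134859204.883:4005): avc: denied { create } for pid=19177 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file
type=PATH msg=audit(1134859204.883:4005): item=0 name="/etc/passwd+" flags=310 inode=1212417 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<serial>[\d.]+:\d+)\): avc: +denied +\{ (?P<perm>[^}]+?) \} '
    r'for pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)" .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
PATH_RE = re.compile(
    r'type=PATH msg=audit\((?P<serial>[\d.]+:\d+)\): .*?name="(?P<name>[^"]*)"')

# Target types that mean "this inode has no real label": the fix is a relabel.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

def parse_denials(text):
    """One dict per AVC denial, joined to the PATH record sharing its serial."""
    paths = {}
    for m in PATH_RE.finditer(text):
        paths.setdefault(m.group("serial"), m.group("name"))
    denials = []
    for m in AVC_RE.finditer(text):
        d = m.groupdict()
        d["perm"] = d["perm"].strip()
        d["stype"] = d["scontext"].split(":")[2]   # type field of the source context
        d["ttype"] = d["tcontext"].split(":")[2]   # type field of the target context
        d["path"] = paths.get(d["serial"])         # full path from the PATH record
        denials.append(d)
    return denials

def labeling_problems(denials):
    """Denials explained by missing labels rather than by policy."""
    return [d for d in denials if d["ttype"] in UNLABELED_TYPES]

def stuck_in_kernel_t(denials):
    """Heuristic (assumption): a userland command running as kernel_t means init
    never transitioned, which is consistent with an unlabeled root filesystem."""
    return [d for d in denials if d["stype"] == "kernel_t" and d["comm"] != "kernel"]

if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT)
    for d in labeling_problems(found):
        print(f"{d['path']} is {d['ttype']}: relabel (touch /.autorelabel; reboot)")
    if stuck_in_kernel_t(found):
        print("userland processes run as kernel_t: init itself is probably mislabeled")
```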