>From: fedora-list-bounces@xxxxxxxxxx
>[mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Daniel J Walsh
>Sent: Tuesday, December 20, 2005 11:20 AM
>To: For users of Fedora Core releases
>Cc: Fedora SELinux support list for users & developers.
>Subject: Re: Non-root console login issue! (was: Problem with VNC and
>SELinux:FC4)
>
>Daniel B. Thurman wrote:
>>> From: fedora-list-bounces@xxxxxxxxxx
>>> [mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Daniel B. Thurman
>>> Sent: Saturday, December 17, 2005 2:30 PM
>>> To: For users of Fedora Core releases
>>> Cc: Fedora SELinux support list for users & developers.
>>> Subject: Non-root console login issue! (was: Problem with VNC and
>>> SELinux:FC4)
>>>
>>>> From: fedora-list-bounces@xxxxxxxxxx
>>>> [mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Daniel B. Thurman
>>>> Sent: Friday, December 16, 2005 6:11 PM
>>>> To: For users of Fedora Core releases (E-mail)
>>>> Cc: Fedora SELinux support list for users & developers.
>>>> Subject: Problem with VNC and SELinux: FC4
>>>>
>>>> Folks,
>>>>
>>>> With the new SELinux updates, it appears that root,
>>>> other than normal users can login to Fedora via VNC
>>>> Server? My VNC Server is set up such that I am using
>>>> xinetd for VNC Server requests.
>>>>
>>>> Another problem I noticed is that when I log into my
>>>> Fedora system via VNC as root user, and open an xterm
>>>> window and run a su - <normal-user>, I get back a
>>>> SELinux message:
>>>>
>>>> ================================================
>>>> # su - dan
>>>> Your default context is: user_u:system_r:kernel_t.
>>>>
>>>> Do you want to want to choose a different one? [n]
>>>> ================================================
>>>>
>>>> It is *possible* that this problem came up when
>>>> I had to make a copy of my filesystem to another
>>>> hard-disk for the purpose of creating a /boot
>>>> partition (my bad) and copied/restored the filesystem
>>>> back over to the main drive.
>>>> I don't think I made
>>>> any copy/restore mistakes as I know the fs permissions
>>>> are correct but I cannot speak for filesystem journaling
>>>> or whatever that keeps track of the SELinux attributes.
>>>>
>>>> In any case, what can I do to resolve my VNC and/or su
>>>> issue knowing that SELinux has something to do with it?
>>>>
>>>> Thanks!
>>>> Dan Thurman
>>>>
>>> Problem is not related to SELinux and not really related
>>> to VNC. It turns out that I cannot log into the console
>>> as a non-root user and I get a message saying:
>>>
>>> =======================================================
>>> Your session lasted less than 10 seconds. If you have not
>>> logged out yourself, this could mean that there is some
>>> installation problem or that you may be out of diskspace.
>>> Try logging in with one of the failsafe sessions to see if
>>> you can fix this problem.
>>>
>>> [] View details (~/.xsession-errors file)
>>> =======================================================
>>>
>>> The problem here is that the .xsession-errors file does
>>> not exist.
>>> I also note from /var/log/message file:
>>>
>>> =======================================================
>>> Dec 17 12:45:31 linux gdm(pam_unix)[16480]: session opened for
>>> user dant by (uid=0)
>>> Dec 17 12:45:32 linux gdm(pam_unix)[16480]: session closed for
>>> user dant
>>> Dec 17 12:45:32 linux dbus: avc: 0 AV entries and 0/512
>>> buckets used, longest chain length 0
>>> =======================================================
>>>
>>> And from /var/log/audit/audit.log
>>> =======================================================
>>> type=USER_AUTH msg=audit(1134858412.155:3929): user pid=3397
>>> uid=0 auid=4294967295 msg='PAM authentication: user=dant
>>> exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
>>> result=Success)'
>>> type=USER_ACCT msg=audit(1134858412.159:3930): user pid=3397
>>> uid=0 auid=4294967295 msg='PAM accounting: user=dant
>>> exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
>>> result=Success)'
>>> type=CRED_ACQ msg=audit(1134858412.247:3931): user pid=3397
>>> uid=0 auid=4294967295 msg='PAM setcred: user=dant
>>> exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
>>> result=Success)'
>>> type=USER_START msg=audit(1134858412.307:3932): user pid=3397
>>> uid=0 auid=4294967295 msg='PAM session open: user=dant
>>> exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
>>> result=Success)'
>>> =======================================================
>>>
>>> File:
>>> # ls -l /usr/bin/gdm-binary
>>> -rwxr-xr-x 1 root root 251668 May 23 2005 /usr/bin/gdm-binary
>>>
>>> HALLLLLP! Please :-)
>>>
>>> Dan
>>>
>>
>> Sorry - had to add this tidbit.... seems that SELinux may be
>> involved or maybe my file journaling is messed up after a "restore"?
>>
>> I tried to create a new user account to see if by doing this
>> I would get a correct security context and be able to log
>> into the console but WHOA!!! What is going on here!?!?!?
>>
>> =======================================================
>> [root@linux ~]# useradd dant2
>> useradd: cannot rewrite password file
>> [root@linux ~]#
>> =======================================================
>> File: /var/log/audit/audit.log:
>>
>> 94967295 msg='useradd: op=adding home directory acct=dant2 res=success'
>> type=AVC msg=audit(1134859204.879:4004): avc: denied { create } for pid=19177 comm="useradd" name=".kde" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
>> type=SYSCALL msg=audit(1134859204.879:4004): arch=40000003 syscall=39 success=no exit=-13 a0=bfd81470 a1=1ed a2=98fd2ef a3=ffffffff items=1 pid=19177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
>> type=CWD msg=audit(1134859204.879:4004): cwd="/root"
>> type=PATH msg=audit(1134859204.879:4004): item=0 name="/home/dant2/.kde" flags=10 inode=1245989 dev=03:02 mode=040755 ouid=511 ogid=512 rdev=00:00
>> type=AVC msg=audit(1134859204.883:4005): avc: denied { create } for pid=19177 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file
>> type=SYSCALL msg=audit(1134859204.883:4005): arch=40000003 syscall=5 success=no exit=-13 a0=bfd817e4 a1=8241 a2=1b6 a3=98f6f38 items=1 pid=19177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
>> type=CWD msg=audit(1134859204.883:4005): cwd="/root"
>> type=PATH msg=audit(1134859204.883:4005): item=0 name="/etc/passwd+" flags=310 inode=1212417 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
>> type=USER_CHAUTHTOK msg=audit(1134859204.883:4006): user pid=19177 uid=0 auid=4294967295 msg='useradd: op=adding user acct=dant2 res=failed'
>> =======================================================
>>
>> Dan
>>
>Looks like you have a labeling problem. file_t files should not exist
>if your system is properly labeled. This either indicates you booted
This either indicates you booted >with selinux=0 or you added additional disks. > >You can relabel by executing > >touch /.autorelabel >reboot From: RE: [mostly solved] SELinux is screwing me up!!!! Help! Date: Mon 12/19/2005 8:21AM I did try the autorelabel as it did not work. It wasn't until I tried the following that seemed to steer clear of permissions problems encountered with the autorelabel method. ========================================== I think that I solved this problem by: 1) Booting in selinux=0 single 2) /sbin/fixfiles -F -R -a -F relabel 3) reboot ========================================== Sorry that you did not see this later thread. Dan > > >-- > > >-- >fedora-list mailing list >fedora-list@xxxxxxxxxx >To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list > >-- >No virus found in this incoming message. >Checked by AVG Free Edition. >Version: 7.1.371 / Virus Database: 267.14.1/207 - Release >Date: 12/19/2005 > > -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.371 / Virus Database: 267.14.1/207 - Release Date: 12/19/2005