SELinux is screwing me up!!!! Help!
Craig White
craigwhite at azapple.com
Sun Dec 18 21:11:46 UTC 2005
On Sun, 2005-12-18 at 13:02 -0800, Daniel B. Thurman wrote:
> Folks,
>
> I believe all of my problems started because I had backed up
> and restored my filesystem and *somehow* all or some
> of the selinux attributes may have been messed up. Reading
> the selinux manual, it says that you can rebuild it by touching
> a file: /.autorelabel and reboot. I did that, and I still have
> the same problem as before - nothing has changed. I checked some
> of the file-permissions such as /bin/su and note that they are
> correct and other files and directory - so at first mini-check it
> all appears to be correct. The restore appears correct throughout
> on precursory checks.
>
> The following are problems I am having....
>
> 1) I cannot login as a non-root user! I have 4 non-root user accounts
> and yet I cannot log into any of them except as root!
>
> I get the following message when attempting to log in:
>
> ==========================================
> Your session lasted less than 10 seconds. If you have not
> logged out yourself, this could mean that there is some
> installation problem or that you may be out of diskspace.
> Try logging in with one of the failsafe sessions to see if
> you can fix this problem.
>
> [] View details (~/.xsession-errors file)
> ==========================================
>
> then I get kicked out of the login session.
>
> 2) As root user, when I `su - dant', I get this EVERY TIME:
>
> ==========================================
> Your default context is: user_u:system_r:kernel_t.
>
> Do you want to want to choose a different one? [n]
> ==========================================
>
> Choosing the default lets me in as this user. Choosing 'n'
> gives me a list of context and choosing one lets me in.
>
> 3) As root, I tried to create a non-root user:
>
> # useradd joed
>
> /var/log/message says:
>
> type=USER_CHAUTHTOK msg=audit(1134936930.895:3557): user pid=19294 uid=0 auid=4294967295 msg='useradd: op=adding user acct=joed res=success'
> type=USER_CHAUTHTOK msg=audit(1134936930.895:3558): user pid=19294 uid=0 auid=4294967295 msg='useradd: op=adding home directory acct=joed res=success'
> type=AVC msg=audit(1134936931.415:3559): avc: denied { create } for pid=19294 comm="useradd" name=".kde" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
> type=SYSCALL msg=audit(1134936931.415:3559): arch=40000003 syscall=39 success=no exit=-13 a0=bfde8bf0 a1=1ed a2=92f92ef a3=ffffffff items=1 pid=19294 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
> type=CWD msg=audit(1134936931.415:3559): cwd="/root"
> type=PATH msg=audit(1134936931.415:3559): item=0 name="/home/joed/.kde" flags=10 inode=1245989 dev=03:02 mode=040755 ouid=511 ogid=512 rdev=00:00
> type=AVC msg=audit(1134936931.419:3560): avc: denied { create } for pid=19294 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file
> type=SYSCALL msg=audit(1134936931.419:3560): arch=40000003 syscall=5 success=no exit=-13 a0=bfde8f64 a1=8241 a2=1b6 a3=92f33b8 items=1 pid=19294 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
> type=CWD msg=audit(1134936931.419:3560): cwd="/root"
> type=PATH msg=audit(1134936931.419:3560): item=0 name="/etc/passwd+" flags=310 inode=1212417 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
> type=USER_CHAUTHTOK msg=audit(1134936931.419:3561): user pid=19294 uid=0 auid=4294967295 msg='useradd: op=adding user acct=joed res=failed'
>
> 4) Cannot 'yum update' successfully and these are the errors I see:
>
> Transaction Test Succeeded
> Running Transaction
> Installing: arts ####################### [ 1/26]
> error: unpacking of archive failed on file /usr/bin/artscat: cpio: lsetfilecon
> Installing: perl ####################### [ 2/26]
> error: unpacking of archive failed on file /usr/bin/a2p: cpio: lsetfilecon
> Installing: cups-libs ####################### [ 3/26]
> error: unpacking of archive failed on file /usr/lib/libcups.so.2: cpio: lsetfilecon
> error: %pre(kdelibs-3.5.0-0.1.fc4.i386) scriptlet failed, exit status 255
> error: install: %pre scriptlet failed (2), skipping kdelibs-3.5.0-0.1.fc4
> Installing: kdebase [ 5/26]warning: /etc/X11/xdm/kdmrc saved as /etc/X11/xdm/kdmrc.rpmorig
> Installing: kdebase ####################### [ 5/26]
> error: unpacking of archive failed on file /etc/X11/xdm/kdmrc: cpio: lsetfilecon
> Updating : kdenetwork ####################### [ 6/26]
> error: unpacking of archive failed on file /etc/pam.d/kppp: cpio: lsetfilecon
> Installing: kdebindings ####################### [ 7/26]
> error: unpacking of archive failed on file /usr/bin/embedjs: cpio: lsetfilecon
> Updating : kdemultimedia ####################### [ 8/26]
> error: unpacking of archive failed on file /etc/xdg/menus/applications-merged/kde-multimedia-music.menu: cpio: lsetfilecon
> Updating : kdegraphics ####################### [ 9/26]
> error: unpacking of archive failed on file /usr/bin/kcolorchooser: cpio: lsetfilecon
> Updating : kdegames ####################### [10/26]
> error: unpacking of archive failed on file /usr/bin/atlantik: cpio: lsetfilecon
> Installing: arts-devel ####################### [11/26]
> error: unpacking of archive failed on file /usr/bin/artsc-config: cpio: lsetfilecon
> Installing: kdelibs-devel ####################### [12/26]
> error: unpacking of archive failed on file /usr/bin/dcopidl: cpio: lsetfilecon
> Updating : kdeartwork ####################### [13/26]
> error: unpacking of archive failed on file /usr/bin/kbanner.kss: cpio: lsetfilecon
> Updating : cups ####################### [14/26]
> error: unpacking of archive failed on file /etc/cron.daily/cups: cpio: lsetfilecon
> Updating : system-config-nfs ####################### [15/26]
> error: unpacking of archive failed on file /etc/pam.d/system-config-nfs: cpio: lsetfilecon
> Updating : kdebindings-devel ####################### [16/26]
> error: unpacking of archive failed on file /usr/include/kde/kjsembed: cpio: lsetfilecon
> Updating : dhcp ####################### [17/26]
> error: unpacking of archive failed on file /etc/dhcpd.conf: cpio: lsetfilecon
> error: %preun(kdenetwork-3.4.2-0.fc4.2.i386) scriptlet failed, exit status 255
> Cleanup : kdeartwork ####################### [18/26]
> error: %postun(kdeartwork-3.4.2-0.fc4.1.i386) scriptlet failed, exit status 255
> error: %trigger(cups-1.1.23-15.1.i386) scriptlet failed, exit status 255
> Cleanup : kdemultimedia ####################### [19/26]
> error: %postun(kdemultimedia-3.4.2-0.fc4.1.i386) scriptlet failed, exit status 255
> error: %preun(system-config-nfs-1.3.11-0.fc4.1.noarch) scriptlet failed, exit status 255
> Cleanup : kdebindings-devel ####################### [20/26]
> Cleanup : kdegraphics ####################### [21/26]
> error: %postun(kdegraphics-3.4.2-0.fc4.2.i386) scriptlet failed, exit status 25
>
>
> I am at a loss as to why I see a general "avc: denied {xxxxxxx}" messages
> interspersed in the /var/log/message and /var/log/audit/audit.log files such
> as shown below:
>
> /var/log/messages:
> ====================
>
> ===
> No idea what these are:
>
> Dec 12 21:48:06 linux dbus: avc: received policyload notice (seqno=3)
> Dec 12 21:48:06 linux dbus: avc: 1 AV entries and 1/512 buckets used, longest chain length 1
> Dec 12 21:48:06 linux dbus: avc: received policyload notice (seqno=3)
> Dec 12 21:48:06 linux dbus: avc: 0 AV entries and 0/512 buckets used, longest chain length 0
> Dec 12 21:48:06 linux dbus: avc: received policyload notice (seqno=3)
> Dec 12 21:48:06 linux dbus: avc: 7 AV entries and 7/512 buckets used, longest chain length 1
>
> ===
> Relabeling problems shown below...
>
> Dec 17 18:35:50 linux kernel: SELinux: initialized (dev sdb1, type ext3), uses xattr
> Dec 17 18:35:50 linux kernel: audit(1134872391.398:2): avc: granted { setenforce } for pid=379 comm="rc.sysinit" scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
> Dec 17 18:35:50 linux kernel: audit(1134872392.086:3): avc: denied { relabelfrom } for pid=1236 comm="setfiles" name="__db.001" dev=hda2 ino=904713 scontext=system_u:system_r:kernel_t tcontext=root:object_r:file_t tclass=file
> Dec 17 18:35:50 linux kernel: audit(1134872412.527:4): avc: denied { relabelto } for pid=1236 comm="setfiles" name="root" dev=hda2 ino=671745 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_dir_t tclass=dir
> Dec 17 18:35:50 linux kernel: audit(1134872412.547:5): avc: denied { relabelto } for pid=1236 comm="setfiles" name="bin" dev=hda2 ino=671746 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_t tclass=dir
> Dec 17 18:35:50 linux kernel: audit(1134872412.559:6): avc: denied { relabelto } for pid=1236 comm="setfiles" name="doCerts" dev=hda2 ino=671747 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_t tclass=file
> Dec 17 18:35:50 linux kernel: audit(1134872412.951:7): avc: denied { relabelfrom } for pid=1236 comm="setfiles" name="khelpcenter" dev=hda2 ino=672118 scontext=system_u:system_r:kernel_t tcontext=root:object_r:file_t tclass=dir
> Dec 17 18:35:50 linux kernel: audit(1134872412.975:8): avc: denied { relabelto } for pid=1236 comm="setfiles" name="socket-linux.cdkkt.com" dev=hda2 ino=672307 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_t tclass=lnk_file
> Dec 17 18:35:50 linux kernel: audit(1134872413.031:9): avc: denied { relabelto } for pid=1236 comm="setfiles" name="libflashplayer.so" dev=hda2 ino=672362 scontext=system_u:system_r:kernel_t tcontext=root:object_r:lib_t tclass=file
> Dec 17 18:35:50 linux kernel: audit(1134873060.784:10): avc: denied { relabelfrom } for pid=1236 comm="setfiles" name="xterm" dev=hda2 ino=1565515 scontext=system_u:system_r:kernel_t tcontext=root:object_r:file_t tclass=lnk_file
> Dec 17 18:35:50 linux kernel: audit(1134873187.416:11): avc: denied { relabelto } for pid=1236 comm="setfiles" name="dant" dev=hda2 ino=1245501 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
> Dec 17 18:35:50 linux kernel: audit(1134873187.416:12): avc: denied { relabelto } for pid=1236 comm="setfiles" name=".kde" dev=hda2 ino=1245502 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
> Dec 17 18:35:50 linux kernel: audit(1134873187.420:13): avc: denied { relabelto } for pid=1236 comm="setfiles" name="Autorun.desktop" dev=hda2 ino=1245504 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=file
> Dec 17 18:35:50 linux kernel: audit(1134873187.492:14): avc: denied { relabelto } for pid=1236 comm="setfiles" name="socket-linux.cdkkt.com" dev=hda2 ino=1245588 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=lnk_file
> Dec 17 18:35:50 linux kernel: audit(1134873191.264:15): avc: denied { relabelfrom } for pid=1236 comm="setfiles" name="verifyFS" dev=hdb1 ino=49063 scontext=system_u:system_r:kernel_t tcontext=root:object_r:samba_share_t tclass=file
> Dec 17 18:35:50 linux kernel: audit(1134873191.340:16): avc: denied { relabelfrom } for pid=1236 comm="setfiles" name="DenyHosts-1.1.2-python2.4.noarch.rpm" dev=hdb1 ino=1651599 scontext=system_u:system_r:kernel_t tcontext=root:object_r:default_t tclass=file
> Dec 17 18:35:50 linux kernel: audit(1134873218.749:17): avc: denied { relabelfrom } for pid=1236 comm="setfiles" name="defaults" dev=hdb3 ino=1697393 scontext=system_u:system_r:kernel_t tcontext=root:object_r:default_t tclass=dir
> Dec 17 18:35:50 linux kernel: audit(1134873319.356:18): avc: granted { setenforce } for pid=379 comm="rc.sysinit" scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
> Dec 17 18:35:50 linux kernel: Adding 2289252k swap on /dev/hda3. Priority:-1 extents:1 across:2289252k
>
> Any help would be appreciated!
----
I'd probably consider this list to be in reverse order of desirability.
1 - fresh install
2 - turn off selinux (or put into permissive mode until you can get a
more definitive answer from your question on selinux list).
3 - try '/sbin/fixfiles -R * restore'
Craig