SELinux is screwing me up!!!! Help!

Jim Cornette fc-cornette at insight.rr.com
Mon Dec 19 02:39:53 UTC 2005


Daniel B. Thurman wrote:

>Folks,
>
>I believe all of my problems started because I had backed up
>and restored my filesystem and *somehow* all or some
>of the selinux attributes may have been messed up.  Reading
>the selinux manual, it says that you can rebuild it by touching
>a file: /.autorelabel and reboot.  I did that, and I still have
>the same problem as before - nothing has changed.  I checked some
>of the file-permissions such as /bin/su and note that they are
>correct and other files and directory - so at first mini-check it
>all appears to be correct. The restore appears correct throughout
>on precursory checks.
>
>The following are problems I am having....
>
>1) I cannot login as a non-root user!  I have 4 non-root user accounts
>and yet I cannot log into any of them except as root!
>
>I get the following message when attempting to log in:
>
> ==========================================
> Your session lasted less than 10 seconds. If you have not
> logged out yourself, this could mean that there is some
> installation problem or that you may be out of diskspace.
> Try logging in with one of the failsafe sessions to see if
> you can fix this problem.
>
> [] View details (~/.xsession-errors file)
> ==========================================
>
>then I get kicked out of the login session.
>
>2) As root user, when I `su - dant', I get this EVERY TIME:
>
> ==========================================
>  Your default context is: user_u:system_r:kernel_t.
>
>  Do you want to want to choose a different one? [n]
> ==========================================
>
>Choosing the default lets me in as this user.  Choosing 'n'
>gives me a list of context and choosing one lets me in.
>  
>

The above behavior and message displays sound like policy-strict 
behavior. Of course a system relabeling is probably needed.

First, as root, try running setenforce 0, which will put you in permissive 
mode. (As I understand it, this does not totally disable selinux.)
Switch to a virtual console and try to log in.
If this works for letting you login, the system is not labelled correctly.

My suggested remedy: (Novice, but successful on my system with results)

Boot with selinux=0 and single appended to your grub loader by 
highlighting the kernel entry and pressing 'a' to append the entry.
When the system gives you the ash prompt, run
fixfiles relabel
It will prompt you whether you want to delete the content of your /tmp 
directory. If you have nothing important in the /tmp directory, answer 
yes. Let the system relabel itself, then reboot in normal mode.
Your system will again go into relabelling the filesystem, let it 
finish. Next, let your GUI login manager load. From the GUI login 
manager, type info for your desired regular user and password and see if 
you can successfully login.

If this fails, probably fresh installing the system and pulling critical 
information from the backup would be your best option.

Off topic: Just wait for SELinux in FC5, it guards the system even 
tighter than FC4 seems to. Though FC4 seems to be updated to rawhide, 
the more stringent control might be affecting system processes already. 
I assume that it is behind development models.

>3) As root, I tried to create a non-root user:
>
># useradd joed
>
>/var/log/message says:
>
>type=USER_CHAUTHTOK msg=audit(1134936930.895:3557): user pid=19294 uid=0 auid=4294967295 msg='useradd: op=adding user acct=joed res=success'
>type=USER_CHAUTHTOK msg=audit(1134936930.895:3558): user pid=19294 uid=0 auid=4294967295 msg='useradd: op=adding home directory acct=joed res=success'
>type=AVC msg=audit(1134936931.415:3559): avc:  denied  { create } for  pid=19294 comm="useradd" name=".kde" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
>type=SYSCALL msg=audit(1134936931.415:3559): arch=40000003 syscall=39 success=no exit=-13 a0=bfde8bf0 a1=1ed a2=92f92ef a3=ffffffff items=1 pid=19294 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
>type=CWD msg=audit(1134936931.415:3559):  cwd="/root"
>type=PATH msg=audit(1134936931.415:3559): item=0 name="/home/joed/.kde" flags=10  inode=1245989 dev=03:02 mode=040755 ouid=511 ogid=512 rdev=00:00
>type=AVC msg=audit(1134936931.419:3560): avc:  denied  { create } for  pid=19294 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file
>type=SYSCALL msg=audit(1134936931.419:3560): arch=40000003 syscall=5 success=no exit=-13 a0=bfde8f64 a1=8241 a2=1b6 a3=92f33b8 items=1 pid=19294 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
>type=CWD msg=audit(1134936931.419:3560):  cwd="/root"
>type=PATH msg=audit(1134936931.419:3560): item=0 name="/etc/passwd+" flags=310 inode=1212417 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
>type=USER_CHAUTHTOK msg=audit(1134936931.419:3561): user pid=19294 uid=0 auid=4294967295 msg='useradd: op=adding user acct=joed res=failed'
>
>4) Cannot 'yum update' successfully and these are the errors I see:
>
>Transaction Test Succeeded
>Running Transaction
>  Installing: arts                         ####################### [ 1/26]
>error: unpacking of archive failed on file /usr/bin/artscat: cpio: lsetfilecon
>  Installing: perl                         ####################### [ 2/26]
>error: unpacking of archive failed on file /usr/bin/a2p: cpio: lsetfilecon
>  Installing: cups-libs                    ####################### [ 3/26]
>error: unpacking of archive failed on file /usr/lib/libcups.so.2: cpio: lsetfilecon
>error: %pre(kdelibs-3.5.0-0.1.fc4.i386) scriptlet failed, exit status 255
>error:   install: %pre scriptlet failed (2), skipping kdelibs-3.5.0-0.1.fc4
>  Installing: kdebase                                              [ 5/26]warning: /etc/X11/xdm/kdmrc saved as /etc/X11/xdm/kdmrc.rpmorig
>  Installing: kdebase                      ####################### [ 5/26]
>error: unpacking of archive failed on file /etc/X11/xdm/kdmrc: cpio: lsetfilecon  Updating  : kdenetwork                   ####################### [ 6/26]
>error: unpacking of archive failed on file /etc/pam.d/kppp: cpio: lsetfilecon
>  Installing: kdebindings                  ####################### [ 7/26]
>error: unpacking of archive failed on file /usr/bin/embedjs: cpio: lsetfilecon
>  Updating  : kdemultimedia                ####################### [ 8/26]
>error: unpacking of archive failed on file /etc/xdg/menus/applications-merged/kde-multimedia-music.menu: cpio: lsetfilecon
>  Updating  : kdegraphics                  ####################### [ 9/26]
>error: unpacking of archive failed on file /usr/bin/kcolorchooser: cpio: lsetfilecon
>  Updating  : kdegames                     ####################### [10/26]
>error: unpacking of archive failed on file /usr/bin/atlantik: cpio: lsetfilecon
>  Installing: arts-devel                   ####################### [11/26]
>error: unpacking of archive failed on file /usr/bin/artsc-config: cpio: lsetfilecon
>  Installing: kdelibs-devel                ####################### [12/26]
>error: unpacking of archive failed on file /usr/bin/dcopidl: cpio: lsetfilecon
>  Updating  : kdeartwork                   ####################### [13/26]
>error: unpacking of archive failed on file /usr/bin/kbanner.kss: cpio: lsetfilecon
>  Updating  : cups                         ####################### [14/26]
>error: unpacking of archive failed on file /etc/cron.daily/cups: cpio: lsetfilecon
>  Updating  : system-config-nfs            ####################### [15/26]
>error: unpacking of archive failed on file /etc/pam.d/system-config-nfs: cpio: lsetfilecon
>  Updating  : kdebindings-devel            ####################### [16/26]
>error: unpacking of archive failed on file /usr/include/kde/kjsembed: cpio: lsetfilecon
>  Updating  : dhcp                         ####################### [17/26]
>error: unpacking of archive failed on file /etc/dhcpd.conf: cpio: lsetfilecon
>error: %preun(kdenetwork-3.4.2-0.fc4.2.i386) scriptlet failed, exit status 255
>  Cleanup   : kdeartwork                   ####################### [18/26]
>error: %postun(kdeartwork-3.4.2-0.fc4.1.i386) scriptlet failed, exit status 255
>error: %trigger(cups-1.1.23-15.1.i386) scriptlet failed, exit status 255
>  Cleanup   : kdemultimedia                ####################### [19/26]
>error: %postun(kdemultimedia-3.4.2-0.fc4.1.i386) scriptlet failed, exit status 255
>error: %preun(system-config-nfs-1.3.11-0.fc4.1.noarch) scriptlet failed, exit status 255
>  Cleanup   : kdebindings-devel            ####################### [20/26]
>  Cleanup   : kdegraphics                  ####################### [21/26]
>error: %postun(kdegraphics-3.4.2-0.fc4.2.i386) scriptlet failed, exit status 25
>
>
>I am at a loss as to why I see general "avc: denied {xxxxxxx}" messages
>interspersed in the /var/log/message and /var/log/audit/audit.log files such
>as shown below:
>
>/var/log/messages:
>====================
>
>===
>No idea what these are:
>
>Dec 12 21:48:06 linux dbus: avc:  received policyload notice (seqno=3)
>Dec 12 21:48:06 linux dbus: avc:  1 AV entries and 1/512 buckets used, longest chain length 1
>Dec 12 21:48:06 linux dbus: avc:  received policyload notice (seqno=3)
>Dec 12 21:48:06 linux dbus: avc:  0 AV entries and 0/512 buckets used, longest chain length 0
>Dec 12 21:48:06 linux dbus: avc:  received policyload notice (seqno=3)
>Dec 12 21:48:06 linux dbus: avc:  7 AV entries and 7/512 buckets used, longest chain length 1
>
>===
>Relabeling problems shown below...
>
>Dec 17 18:35:50 linux kernel: SELinux: initialized (dev sdb1, type ext3), uses xattr
>Dec 17 18:35:50 linux kernel: audit(1134872391.398:2): avc:  granted  { setenforce } for  pid=379 comm="rc.sysinit" scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
>Dec 17 18:35:50 linux kernel: audit(1134872392.086:3): avc:  denied  { relabelfrom } for  pid=1236 comm="setfiles" name="__db.001" dev=hda2 ino=904713 scontext=system_u:system_r:kernel_t tcontext=root:object_r:file_t tclass=file
>Dec 17 18:35:50 linux kernel: audit(1134872412.527:4): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="root" dev=hda2 ino=671745 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_dir_t tclass=dir
>Dec 17 18:35:50 linux kernel: audit(1134872412.547:5): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="bin" dev=hda2 ino=671746 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_t tclass=dir
>Dec 17 18:35:50 linux kernel: audit(1134872412.559:6): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="doCerts" dev=hda2 ino=671747 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_t tclass=file
>Dec 17 18:35:50 linux kernel: audit(1134872412.951:7): avc:  denied  { relabelfrom } for  pid=1236 comm="setfiles" name="khelpcenter" dev=hda2 ino=672118 scontext=system_u:system_r:kernel_t tcontext=root:object_r:file_t tclass=dir
>Dec 17 18:35:50 linux kernel: audit(1134872412.975:8): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="socket-linux.cdkkt.com" dev=hda2 ino=672307 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_t tclass=lnk_file
>Dec 17 18:35:50 linux kernel: audit(1134872413.031:9): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="libflashplayer.so" dev=hda2 ino=672362 scontext=system_u:system_r:kernel_t tcontext=root:object_r:lib_t tclass=file
>Dec 17 18:35:50 linux kernel: audit(1134873060.784:10): avc:  denied  { relabelfrom } for  pid=1236 comm="setfiles" name="xterm" dev=hda2 ino=1565515 scontext=system_u:system_r:kernel_t tcontext=root:object_r:file_t tclass=lnk_file
>Dec 17 18:35:50 linux kernel: audit(1134873187.416:11): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="dant" dev=hda2 ino=1245501 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
>Dec 17 18:35:50 linux kernel: audit(1134873187.416:12): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name=".kde" dev=hda2 ino=1245502 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
>Dec 17 18:35:50 linux kernel: audit(1134873187.420:13): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="Autorun.desktop" dev=hda2 ino=1245504 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=file
>Dec 17 18:35:50 linux kernel: audit(1134873187.492:14): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="socket-linux.cdkkt.com" dev=hda2 ino=1245588 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=lnk_file
>Dec 17 18:35:50 linux kernel: audit(1134873191.264:15): avc:  denied  { relabelfrom } for  pid=1236 comm="setfiles" name="verifyFS" dev=hdb1 ino=49063 scontext=system_u:system_r:kernel_t tcontext=root:object_r:samba_share_t tclass=file
>Dec 17 18:35:50 linux kernel: audit(1134873191.340:16): avc:  denied  { relabelfrom } for  pid=1236 comm="setfiles" name="DenyHosts-1.1.2-python2.4.noarch.rpm" dev=hdb1 ino=1651599 scontext=system_u:system_r:kernel_t tcontext=root:object_r:default_t tclass=file
>Dec 17 18:35:50 linux kernel: audit(1134873218.749:17): avc:  denied  { relabelfrom } for  pid=1236 comm="setfiles" name="defaults" dev=hdb3 ino=1697393 scontext=system_u:system_r:kernel_t tcontext=root:object_r:default_t tclass=dir
>Dec 17 18:35:50 linux kernel: audit(1134873319.356:18): avc:  granted  { setenforce } for  pid=379 comm="rc.sysinit" scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
>Dec 17 18:35:50 linux kernel: Adding 2289252k swap on /dev/hda3.  Priority:-1 extents:1 across:2289252k
>
>Any help would be appreciated!
>
>Kind regards,
>Dan
>
>  
>
With selinux totally disabled during relabeling, you should not be 
hampered by avc denials. selinux=0 is the safest mode in runlevel 1 to 
ensure access for relabeling with minimal running processes which might 
cause problems. From the output above, it is relabeling in permissive 
mode, which is not totally free to allow root full control. IMO

Jim

-- 
Don't shoot until you're sure you both aren't on the same side.
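
A way to triage AVC records like the ones quoted in this message, as an added example that is not part of the original post: it groups denials by command, source type, permission, target type and class, and lists every command whose source type is kernel_t. Userland commands such as useradd or setfiles showing up in kernel_t means no domain transition took place, which is consistent with the mislabeling diagnosed in the reply. The function names are hypothetical; the sample lines are copied from the quoted logs.

```python
import re
from collections import Counter

# Records copied from the quoted message above (audit.log and kernel syslog forms).
SAMPLE_LOG = """\
type=AVC msg=audit(1134936931.415:3559): avc:  denied  { create } for  pid=19294 comm="useradd" name=".kde" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1134936931.419:3560): avc:  denied  { create } for  pid=19294 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file
Dec 12 21:48:06 linux dbus: avc:  received policyload notice (seqno=3)
Dec 17 18:35:50 linux kernel: audit(1134872391.398:2): avc:  granted  { setenforce } for  pid=379 comm="rc.sysinit" scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
Dec 17 18:35:50 linux kernel: audit(1134872392.086:3): avc:  denied  { relabelfrom } for  pid=1236 comm="setfiles" name="__db.001" dev=hda2 ino=904713 scontext=system_u:system_r:kernel_t tcontext=root:object_r:file_t tclass=file
Dec 17 18:35:50 linux kernel: audit(1134872412.527:4): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="root" dev=hda2 ino=671745 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_dir_t tclass=dir
Dec 17 18:35:50 linux kernel: audit(1134872412.547:5): avc:  denied  { relabelto } for  pid=1236 comm="setfiles" name="bin" dev=hda2 ino=671746 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_t tclass=dir
"""

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC decision record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None  # e.g. "avc:  received policyload notice"
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    if not {"comm", "scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["result"], rec["perms"] = m.group(1), m.group(2).split()
    # A context is user:role:type[:range]; the type is always the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Count denials per (comm, source type, perm, target type, class) and
    list every command seen running with source type kernel_t."""
    denials, in_kernel_t = Counter(), set()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        if rec["stype"] == "kernel_t":
            in_kernel_t.add(rec["comm"])
        if rec["result"] == "denied":
            for perm in rec["perms"]:
                key = (rec["comm"], rec["stype"], perm, rec["ttype"], rec["tclass"])
                denials[key] += 1
    return denials, sorted(in_kernel_t)

if __name__ == "__main__":
    denials, in_kernel_t = summarize(SAMPLE_LOG)
    for key, count in denials.most_common():
        print(count, *key)
    print("commands running as kernel_t:", ", ".join(in_kernel_t))
```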



