SELinux is screwing me up!!!! Help!
Daniel B. Thurman
dant at cdkkt.com
Mon Dec 19 00:32:11 UTC 2005
>From: fedora-list-bounces at redhat.com
>[mailto:fedora-list-bounces at redhat.com]On Behalf Of James Wilkinson
>Sent: Sunday, December 18, 2005 1:41 PM
>To: For users of Fedora Core releases (E-mail)
>Subject: Re: SELinux is screwing me up!!!! Help!
>
>
>Daniel B. Thurman wrote:
>> I believe all of my problems started because I had backed up
>> and restored my filesystem and *somehow* all or some
>> of the selinux attributes may have been messed up. Reading
>> the selinux manual, it says that you can rebuild it by touching
>> a file: /.autorelabel and reboot. I did that, and I still have
>> the same problem as before - nothing has changed. I checked some
>> of the file-permissions such as /bin/su and note that they are
>> correct and other files and directory - so at first mini-check it
>> all appears to be correct. The restore appears correct throughout
>> on precursory checks.
>>
>> The following are problems I am having....
>
>Calm down...
I am... just wanted to make sure I provided as much relevant information
as possible. I am not certain what is the cause of the problem, but
it *appears* to be SElinux from what I can see. This is of course an
assumption on my part.
>
>You haven't yet proved that it is SELinux. Temporarily add selinux=0 to
>your kernel command line.
>http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2825880
>
>You do this through grub: when you're booting and grub displays its
>"choose a kernel" screen, press "e". Choose the line that starts with
>"kernel", and type "e" to edit this line. At the end, add
> selinux=0
>(making sure that there's a space between that and whatever came
>before).
>
>Press Enter and "b" to boot the system. Now SELinux is disabled (this
>once). Anything that still remains can't be SELinux's fault.
Ok, I did this. Added selinux=0 to the kernel command
line and rebooted.
I was able to useradd a new user. I was NOT able to do
that in selinux mode.
>
>> 1) I cannot login as a non-root user! I have 4 non-root user accounts
>> and yet I cannot log into any of them except as root!
>>
>> I get the following message when attempting to log in:
>>
>> ==========================================
>> Your session lasted less than 10 seconds. If you have not
>> logged out yourself, this could mean that there is some
>> installation problem or that you may be out of diskspace.
>> Try logging in with one of the failsafe sessions to see if
>> you can fix this problem.
>>
>> [] View details (~/.xsession-errors file)
>> ==========================================
>>
>> then I get kicked out of the login session.
I still cannot log into the console as a non-root user, in selinux
or non-selinux mode. See below about disk-space - I think I have
plenty of diskspace - see below.
>
>I assume that you have, in fact, checked for disk space: try the
>command line
>df -m
I believe I have plenty of space - here is what I
have as df goes:
[root@linux ~]# df -m
Filesystem           1M-blocks      Used Available Use% Mounted on
/dev/hda2                12207      8660      2928  75% /
/dev/hda1                   38        14        23  39% /boot
/dev/hdb1                14081       467     12899   4% /app1
/dev/hdb2                14081       164     13203   2% /app2
/dev/hdb3                15127      4960      9400  35% /app3
/dev/shm                   189         0       189   0% /dev/shm
/dev/sda1                 8622        33      8152   1% /fapp1
/dev/sdb1                 8611        33      8141   1% /fapp2
[root@linux ~]#
>
>Try pressing Ctrl-Alt-F1 to get to a text-mode screen, and log in there
>as a non-root user.
I can log in as a normal user in selinux mode and non-selinux mode.
So - this means that KDE/GNOME/X11 is a problem? I haven't changed
anything in my original setup - so why this after a restore?
>
>Try running
>tune2fs -l /dev/sdb1 | grep features
>where sdb1 is your new filesystem: it may be that you haven't enabled
>enough for SELinux.
>
>A mounted Fedora filesystem returns
>Filesystem features: has_journal ext_attr resize_inode dir_index
>filetype needs_recovery sparse_super large_file
>You should worry if it hasn't got an "ext_attr".
Hmmm... what does `needs_recovery' mean??? I got:
tune2fs 1.38 (30-Jun-2005)
Filesystem volume name: /
Last mounted on: <not available>
Filesystem UUID: 888b6827-2441-4270-90b6-b4b3e1f89765
Filesystem magic number: 0xEF53
Filesystem revision #: 1 (dynamic)
Filesystem features: has_journal ext_attr resize_inode filetype needs_recovery sparse_super large_file
Default mount options: (none)
Filesystem state: clean
Errors behavior: Continue
Filesystem OS type: Linux
Inode count: 1589248
Block count: 3174845
Reserved block count: 158742
Free blocks: 908087
Free inodes: 1263258
First block: 0
Block size: 4096
Fragment size: 4096
Reserved GDT blocks: 775
Blocks per group: 32768
Fragments per group: 32768
Inodes per group: 16384
Inode blocks per group: 512
Filesystem created: Thu Dec 15 11:20:42 2005
Last mount time: Sun Dec 18 15:54:44 2005
Last write time: Sun Dec 18 15:54:44 2005
Mount count: 2
Maximum mount count: 27
Last checked: Sun Dec 18 15:41:27 2005
Check interval: 15552000 (6 months)
Next check after: Fri Jun 16 16:41:27 2006
Reserved blocks uid: 0 (user root)
Reserved blocks gid: 0 (group root)
First inode: 11
Inode size: 128
Journal inode: 8
First orphan inode: 753669
Default directory hash: tea
Directory Hash Seed: 7d77144f-ef72-4b14-856a-99008e49afc1
Journal backup: inode blocks
For your information, I ran in single-user mode
the following command:
/sbin/fixfiles -R -a restore
Most went through, but there were a lot of files that
did not get restored.
>
>You may find that tune2fs -O will let you add this: make sure you've got
>good backups, though. You may then need to run e2fsck. You shouldn't do
>this on a mounted filesystem.
>
Should I do this step?
>Hope this helps,
>
>James.
>
>--
>E-mail address: james | A woodpigeon would, If a woodpigeon could,
>@westexe.demon.co.uk  | But a woodpigeon can't, So it won't.
>                      | A woodpigeon could, If a woodpigeon would,
>                      | But a woodpigeon doesn't want to. So it doesn't.
>
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.14.1/206 - Release Date: 12/16/2005
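
Added example, not part of the original message or of any Fedora tool: the two checks discussed in the thread (selinux=0 on the kernel command line, and ext_attr in the tune2fs feature list) written as shell helpers. The function names, the return strings and the constructed sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: helper names and return strings are hypothetical.

# Classify a kernel command line string (e.g. the contents of /proc/cmdline).
# selinux=0 turns SELinux off for that boot; enforcing=0 boots it permissive.
selinux_boot_state() {
    state=default
    for arg in $1; do
        case "$arg" in
            selinux=0)   state=disabled; break ;;
            enforcing=0) state=permissive ;;
        esac
    done
    echo "$state"
}

# Read `tune2fs -l` output on stdin and classify its "Filesystem features" line.
# SELinux file labels need ext_attr, so a filesystem without it cannot be
# relabelled. needs_recovery is reported separately; it also appears in the
# mounted-filesystem example quoted in the message.
# Prints: no-features-line | missing-ext_attr | ok | ok-journal-in-use
fs_label_support() {
    features=$(sed -n 's/^Filesystem features:[[:space:]]*//p' | head -n 1)
    if [ -z "$features" ]; then
        echo no-features-line
        return 2
    fi
    case " $features " in
        *" ext_attr "*) ;;
        *) echo missing-ext_attr; return 1 ;;
    esac
    case " $features " in
        *" needs_recovery "*) echo ok-journal-in-use ;;
        *) echo ok ;;
    esac
}

# Features line exactly as posted in the message above.
PAGE_SAMPLE='Filesystem features: has_journal ext_attr resize_inode filetype needs_recovery sparse_super large_file'
# Constructed sample: a filesystem created without extended attributes.
NO_XATTR_SAMPLE='Filesystem features: has_journal filetype sparse_super'
# Constructed sample: kernel command line with SELinux disabled for one boot.
CMDLINE_SAMPLE='ro root=LABEL=/ rhgb quiet selinux=0'

printf '%s\n' "$PAGE_SAMPLE" | fs_label_support
selinux_boot_state "$CMDLINE_SAMPLE"
```

On a live system the same helpers take `tune2fs -l <device>` on stdin and the contents of /proc/cmdline as the argument.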