[mostly solved] SELinux is screwing me up!!!! Help!
Daniel B. Thurman
dant at cdkkt.com
Mon Dec 19 16:20:59 UTC 2005
>From: fedora-list-bounces at redhat.com
>[mailto:fedora-list-bounces at redhat.com]On Behalf Of Jim Cornette
>Sent: Sunday, December 18, 2005 6:40 PM
>To: For users of Fedora Core releases
>Subject: Re: SELinux is screwing me up!!!! Help!
>
>
>Daniel B. Thurman wrote:
>
>>Folks,
>>
>>I believe all of my problems started because I had backed up
>>and restored my filesystem and *somehow* all or some
>>of the selinux attributes may have been messed up. Reading
>>the selinux manual, it says that you can rebuild it by touching
>>a file: /.autorelabel and reboot. I did that, and I still have
>>the same problem as before - nothing has changed. I checked some
>>of the file-permissions such as /bin/su and note that they are
>>correct and other files and directory - so at first mini-check it
>>all appears to be correct. The restore appears correct throughout
>>on precursory checks.
>>
>>The following are the problems I am having....
>>
>>1) I cannot login as a non-root user! I have 4 non-root user accounts
>>and yet I cannot log into any of them except as root!
>>
>>I get the following message when attempting to log in:
>>
>> ==========================================
>> Your session lasted less than 10 seconds. If you have not
>> logged out yourself, this could mean that there is some
>> installation problem or that you may be out of diskspace.
>> Try logging in with one of the failsafe sessions to see if
>> you can fix this problem.
>>
>> [] View details (~/.xsession-errors file)
>> ==========================================
>>
>>then I get kicked out of the login session.
[PROBLEM SOLVED]
Since 'yum update' was prevented from doing post-installation (?)
of the #prelink# perhaps due to selinux, it appears that some of
the permissions were not applied correctly throughout.
Since I did not actually click the checkbox for "View Details"
until now, I realized that the #prelink# was a problem as it was
revealed that the file: /usr/lib/libgnomeui-2.so.0 was linked to:
/usr/lib/libgnomeui-2.so.0.1000.0.#prelink#.Hotj6j for which the
permissions were 0600! Changing the permission to 0755 now allows
me to log in to the gnome console as a non-root user.
Please note that I have not caught all of the other files that used
the #prelink# post-installations so I don't know what problems I may
encounter later on.
>>
>>2) As root user, when I `su - dant', I get this EVERY TIME:
>>
>> ==========================================
>> Your default context is: user_u:system_r:kernel_t.
>>
>> Do you want to want to choose a different one? [n]
>> ==========================================
>>
>>Choosing the default lets me in as this user. Choosing 'n'
>>gives me a list of contexts and choosing one lets me in.
>>
[PROBLEM SOLVED]
I think that I solved this problem by:
1) Booting in selinux=0 single
2) /sbin/fixfiles -F -R -a -F relabel
3) reboot
Reset the selinux settings to leave kerberos and frontpage
alone since specific details are not solved for these by
the default selinux policies.
>>
>
>The above behavior and message displays sound like policy-strict
>behavior. Of course a system relabeling is probably needed.
>
>First try running as root setenforce 0 which will put you in
>permissive
>mode. (As I understand, not totally disables selinux)
>Switch to a virtual console and try to log in.
>If this works for letting you login, the system is not
>labelled correctly.
>
>My suggested remedy: ( Novice but successful on my system with results)
>
>boot with selinux=0 and single appended to your grub loader by
>highlighting the kernel entry and pressing 'a' to append the entry.
>When system gives you the ash prompt, run
>fixfiles relabel
>It will prompt you for if you desire to delete the content of
>your /tmp
>directory. If you have nothing important in the /tmp directory, answer
>yes. Let the system relabel itself, then reboot in normal mode.
>Your system will again go into relabelling the filesystem, let it
>finish. Next, let your GUI login manager load. From the GUI login
>manager, type info for your desired regular user and password
>and see if
>you can successfully login.
>
>If this fails, probably fresh installing the system and
>pulling critical
>information from the backup would be your best option.
>
>Off topic: Just wait for SELinux in FC5, it guards the system even
>tighter than FC4 seems to. Though FC4 seems to be updated to rawhide,
>the more stringent control might be affecting system processes
>already.
>I assume that it is behind development models.
>
>>3) As root, I tried to create a non-root user:
>>
>># useradd joed
>>
>>/var/log/message says:
>>
>>type=USER_CHAUTHTOK msg=audit(1134936930.895:3557): user
>pid=19294 uid=0 auid=4294967295 msg='useradd: op=adding user
>acct=joed res=success'
>>type=USER_CHAUTHTOK msg=audit(1134936930.895:3558): user
>pid=19294 uid=0 auid=4294967295 msg='useradd: op=adding home
>directory acct=joed res=success'
>>type=AVC msg=audit(1134936931.415:3559): avc: denied {
>create } for pid=19294 comm="useradd" name=".kde"
>scontext=root:system_r:kernel_t
>tcontext=user_u:object_r:user_home_t tclass=dir
>>type=SYSCALL msg=audit(1134936931.415:3559): arch=40000003
>syscall=39 success=no exit=-13 a0=bfde8bf0 a1=1ed a2=92f92ef
>a3=ffffffff items=1 pid=19294 auid=4294967295 uid=0 gid=0
>euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd"
>exe="/usr/sbin/useradd"
>>type=CWD msg=audit(1134936931.415:3559): cwd="/root"
>>type=PATH msg=audit(1134936931.415:3559): item=0
>name="/home/joed/.kde" flags=10 inode=1245989 dev=03:02
>mode=040755 ouid=511 ogid=512 rdev=00:00
>>type=AVC msg=audit(1134936931.419:3560): avc: denied {
>create } for pid=19294 comm="useradd" name="passwd+"
>scontext=root:system_r:kernel_t
>tcontext=system_u:object_r:etc_t tclass=file
>>type=SYSCALL msg=audit(1134936931.419:3560): arch=40000003
>syscall=5 success=no exit=-13 a0=bfde8f64 a1=8241 a2=1b6
>a3=92f33b8 items=1 pid=19294 auid=4294967295 uid=0 gid=0
>euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd"
>exe="/usr/sbin/useradd"
>>type=CWD msg=audit(1134936931.419:3560): cwd="/root"
>>type=PATH msg=audit(1134936931.419:3560): item=0
>name="/etc/passwd+" flags=310 inode=1212417 dev=03:02
>mode=040755 ouid=0 ogid=0 rdev=00:00
>>type=USER_CHAUTHTOK msg=audit(1134936931.419:3561): user
>pid=19294 uid=0 auid=4294967295 msg='useradd: op=adding user
>acct=joed res=failed'
>>
[PROBLEM SOLVED]
With the selinux attributes restored, I can now create and delete users.
>>4) Cannot 'yum update' successfully and these are the errors I see:
>>
>>Transaction Test Succeeded
>>Running Transaction
>> Installing: arts
>####################### [ 1/26]
>>error: unpacking of archive failed on file /usr/bin/artscat:
>cpio: lsetfilecon
>> Installing: perl
>####################### [ 2/26]
>>error: unpacking of archive failed on file /usr/bin/a2p:
>cpio: lsetfilecon
>> Installing: cups-libs
>####################### [ 3/26]
>>error: unpacking of archive failed on file
>/usr/lib/libcups.so.2: cpio: lsetfilecon
>>error: %pre(kdelibs-3.5.0-0.1.fc4.i386) scriptlet failed,
>exit status 255
>>error: install: %pre scriptlet failed (2), skipping
>kdelibs-3.5.0-0.1.fc4
>> Installing: kdebase
> [ 5/26]warning: /etc/X11/xdm/kdmrc saved as
>/etc/X11/xdm/kdmrc.rpmorig
>> Installing: kdebase
>####################### [ 5/26]
>>error: unpacking of archive failed on file
>/etc/X11/xdm/kdmrc: cpio: lsetfilecon Updating : kdenetwork
> ####################### [ 6/26]
>>error: unpacking of archive failed on file /etc/pam.d/kppp:
>cpio: lsetfilecon
>> Installing: kdebindings
>####################### [ 7/26]
>>error: unpacking of archive failed on file /usr/bin/embedjs:
>cpio: lsetfilecon
>> Updating : kdemultimedia
>####################### [ 8/26]
>>error: unpacking of archive failed on file
>/etc/xdg/menus/applications-merged/kde-multimedia-music.menu:
>cpio: lsetfilecon
>> Updating : kdegraphics
>####################### [ 9/26]
>>error: unpacking of archive failed on file
>/usr/bin/kcolorchooser: cpio: lsetfilecon
>> Updating : kdegames
>####################### [10/26]
>>error: unpacking of archive failed on file /usr/bin/atlantik:
>cpio: lsetfilecon
>> Installing: arts-devel
>####################### [11/26]
>>error: unpacking of archive failed on file
>/usr/bin/artsc-config: cpio: lsetfilecon
>> Installing: kdelibs-devel
>####################### [12/26]
>>error: unpacking of archive failed on file /usr/bin/dcopidl:
>cpio: lsetfilecon
>> Updating : kdeartwork
>####################### [13/26]
>>error: unpacking of archive failed on file
>/usr/bin/kbanner.kss: cpio: lsetfilecon
>> Updating : cups
>####################### [14/26]
>>error: unpacking of archive failed on file
>/etc/cron.daily/cups: cpio: lsetfilecon
>> Updating : system-config-nfs
>####################### [15/26]
>>error: unpacking of archive failed on file
>/etc/pam.d/system-config-nfs: cpio: lsetfilecon
>> Updating : kdebindings-devel
>####################### [16/26]
>>error: unpacking of archive failed on file
>/usr/include/kde/kjsembed: cpio: lsetfilecon
>> Updating : dhcp
>####################### [17/26]
>>error: unpacking of archive failed on file /etc/dhcpd.conf:
>cpio: lsetfilecon
>>error: %preun(kdenetwork-3.4.2-0.fc4.2.i386) scriptlet
>failed, exit status 255
>> Cleanup : kdeartwork
>####################### [18/26]
>>error: %postun(kdeartwork-3.4.2-0.fc4.1.i386) scriptlet
>failed, exit status 255
>>error: %trigger(cups-1.1.23-15.1.i386) scriptlet failed, exit
>status 255
>> Cleanup : kdemultimedia
>####################### [19/26]
>>error: %postun(kdemultimedia-3.4.2-0.fc4.1.i386) scriptlet
>failed, exit status 255
>>error: %preun(system-config-nfs-1.3.11-0.fc4.1.noarch)
>scriptlet failed, exit status 255
>> Cleanup : kdebindings-devel
>####################### [20/26]
>> Cleanup : kdegraphics
>####################### [21/26]
>>error: %postun(kdegraphics-3.4.2-0.fc4.2.i386) scriptlet
>failed, exit status 25
>>
>>
>>I am at a loss as to why I see general "avc: denied
>{xxxxxxx}" messages
>>interspersed in the /var/log/message and
>/var/log/audit/audit.log files such
>>as shown below:
>>
>>/var/log/messages:
>>====================
>>
>>===
>>No idea what these are:
>>
>>Dec 12 21:48:06 linux dbus: avc: received policyload notice (seqno=3)
>>Dec 12 21:48:06 linux dbus: avc: 1 AV entries and 1/512
>buckets used, longest chain length 1
>>Dec 12 21:48:06 linux dbus: avc: received policyload notice (seqno=3)
>>Dec 12 21:48:06 linux dbus: avc: 0 AV entries and 0/512
>buckets used, longest chain length 0
>>Dec 12 21:48:06 linux dbus: avc: received policyload notice (seqno=3)
>>Dec 12 21:48:06 linux dbus: avc: 7 AV entries and 7/512
>buckets used, longest chain length 1
>>
>>===
>>Relabeling problems shown below...
>>
>>Dec 17 18:35:50 linux kernel: SELinux: initialized (dev sdb1,
>type ext3), uses xattr
>>Dec 17 18:35:50 linux kernel: audit(1134872391.398:2): avc:
>granted { setenforce } for pid=379 comm="rc.sysinit"
>scontext=system_u:system_r:kernel_t
>tcontext=system_u:object_r:security_t tclass=security
>>Dec 17 18:35:50 linux kernel: audit(1134872392.086:3): avc:
>denied { relabelfrom } for pid=1236 comm="setfiles"
>name="__db.001" dev=hda2 ino=904713
>scontext=system_u:system_r:kernel_t
>tcontext=root:object_r:file_t tclass=file
>>Dec 17 18:35:50 linux kernel: audit(1134872412.527:4): avc:
>denied { relabelto } for pid=1236 comm="setfiles"
>name="root" dev=hda2 ino=671745
>scontext=system_u:system_r:kernel_t
>tcontext=root:object_r:user_home_dir_t tclass=dir
>>Dec 17 18:35:50 linux kernel: audit(1134872412.547:5): avc:
>denied { relabelto } for pid=1236 comm="setfiles" name="bin"
>dev=hda2 ino=671746 scontext=system_u:system_r:kernel_t
>tcontext=root:object_r:user_home_t tclass=dir
>>Dec 17 18:35:50 linux kernel: audit(1134872412.559:6): avc:
>denied { relabelto } for pid=1236 comm="setfiles"
>name="doCerts" dev=hda2 ino=671747
>scontext=system_u:system_r:kernel_t
>tcontext=root:object_r:user_home_t tclass=file
>>Dec 17 18:35:50 linux kernel: audit(1134872412.951:7): avc:
>denied { relabelfrom } for pid=1236 comm="setfiles"
>name="khelpcenter" dev=hda2 ino=672118
>scontext=system_u:system_r:kernel_t
>tcontext=root:object_r:file_t tclass=dir
>>Dec 17 18:35:50 linux kernel: audit(1134872412.975:8): avc:
>denied { relabelto } for pid=1236 comm="setfiles"
>name="socket-linux.cdkkt.com" dev=hda2 ino=672307
>scontext=system_u:system_r:kernel_t
>tcontext=root:object_r:user_home_t tclass=lnk_file
>>Dec 17 18:35:50 linux kernel: audit(1134872413.031:9): avc:
>denied { relabelto } for pid=1236 comm="setfiles"
>name="libflashplayer.so" dev=hda2 ino=672362
>scontext=system_u:system_r:kernel_t
>tcontext=root:object_r:lib_t tclass=file
>>Dec 17 18:35:50 linux kernel: audit(1134873060.784:10): avc:
>denied { relabelfrom } for pid=1236 comm="setfiles"
>name="xterm" dev=hda2 ino=1565515
>scontext=system_u:system_r:kernel_t
>tcontext=root:object_r:file_t tclass=lnk_file
>>Dec 17 18:35:50 linux kernel: audit(1134873187.416:11): avc:
>denied { relabelto } for pid=1236 comm="setfiles"
>name="dant" dev=hda2 ino=1245501
>scontext=system_u:system_r:kernel_t
>tcontext=user_u:object_r:user_home_dir_t tclass=dir
>>Dec 17 18:35:50 linux kernel: audit(1134873187.416:12): avc:
>denied { relabelto } for pid=1236 comm="setfiles"
>name=".kde" dev=hda2 ino=1245502
>scontext=system_u:system_r:kernel_t
>tcontext=user_u:object_r:user_home_t tclass=dir
>>Dec 17 18:35:50 linux kernel: audit(1134873187.420:13): avc:
>denied { relabelto } for pid=1236 comm="setfiles"
>name="Autorun.desktop" dev=hda2 ino=1245504
>scontext=system_u:system_r:kernel_t
>tcontext=user_u:object_r:user_home_t tclass=file
>>Dec 17 18:35:50 linux kernel: audit(1134873187.492:14): avc:
>denied { relabelto } for pid=1236 comm="setfiles"
>name="socket-linux.cdkkt.com" dev=hda2 ino=1245588
>scontext=system_u:system_r:kernel_t
>tcontext=user_u:object_r:user_home_t tclass=lnk_file
>>Dec 17 18:35:50 linux kernel: audit(1134873191.264:15): avc:
>denied { relabelfrom } for pid=1236 comm="setfiles"
>name="verifyFS" dev=hdb1 ino=49063
>scontext=system_u:system_r:kernel_t
>tcontext=root:object_r:samba_share_t tclass=file
>>Dec 17 18:35:50 linux kernel: audit(1134873191.340:16): avc:
>denied { relabelfrom } for pid=1236 comm="setfiles"
>name="DenyHosts-1.1.2-python2.4.noarch.rpm" dev=hdb1
>ino=1651599 scontext=system_u:system_r:kernel_t
>tcontext=root:object_r:default_t tclass=file
>>Dec 17 18:35:50 linux kernel: audit(1134873218.749:17): avc:
>denied { relabelfrom } for pid=1236 comm="setfiles"
>name="defaults" dev=hdb3 ino=1697393
>scontext=system_u:system_r:kernel_t
>tcontext=root:object_r:default_t tclass=dir
>>Dec 17 18:35:50 linux kernel: audit(1134873319.356:18): avc:
>granted { setenforce } for pid=379 comm="rc.sysinit"
>scontext=system_u:system_r:kernel_t
>tcontext=system_u:object_r:security_t tclass=security
>>Dec 17 18:35:50 linux kernel: Adding 2289252k swap on
>/dev/hda3. Priority:-1 extents:1 across:2289252k
>>
>>Any help would be appreciated!
>>
>>Kind regards,
>>Dan
>>
>>
>>
>With selinux totally disabled during relabeling, you should not be
>hampered by avc denials. selinux=0 is the safest mode in runlevel 1 to
>ensure access for relabeling with minimal running processes
>which might
>cause problems. From the output above, it is relabeling in permissive
>mode, which is not totally free to allow root full control. IMO
>
>Jim
>
Since 'yum update' was executed in a messed up selinux state, I am not
certain that all of the updates were correctly performed for all of the
files updated, as some files were deposited/installed and yet post-installs
may have failed as well, as evidenced by the gnome/kde #prelink# issue
noted above preventing me from logging into the console as a non-root
user. I will search for all the #prelink# files but it is impossible to
catch other things that may have been missed.
Anyone know how I can force-reinstall all the newly downloaded rpms or perhaps
force install all of the rpm's in the database which presumably has the updates
as well?
Dan