Problem with VNC and SELinux: FC4
Daniel B. Thurman
dant at cdkkt.com
Mon Dec 19 15:44:01 UTC 2005
>From: Stephen Smalley [mailto:sds at tycho.nsa.gov]
>Sent: Monday, December 19, 2005 5:33 AM
>To: Daniel B. Thurman
>Cc: For users of Fedora Core releases (E-mail); Fedora SELinux support
>list for users & developers.
>Subject: Re: Problem with VNC and SELinux: FC4
>
>
>On Fri, 2005-12-16 at 18:11 -0800, Daniel B. Thurman wrote:
>> With the new SELinux updates, it appears that root,
>> other than normal users can login to Fedora via VNC
>> Server? My VNC Server is setup such that I am using
>> xinitd for VNC Server requests.
>>
>> Another problem I noticed is that when I log into my
>> Fedora system via VNC as root user, and open an xterm
>> window and run a su - <normal-user>, I get back an
>> SELinux message:
>>
>> ================================================
>> # su - dan
>> Your default context is: user_u:system_r:kernel_t.
>>
>> Do you want to want to choose a different one? [n]
>> ================================================
>>
>> It is *possible* that this problem came up when
>> I had to make a copy of my filesystem to another
>> hard-disk for the purpose of creating a /boot
>> partition (my bad) and copied/restored the filesystem
>> back over to the main drive. I don't think I made
>> any copy/restore mistakes as I know the fs permissions
>> are correct but I cannot speak for filesystem journaling
>> or whatever that keeps track of the SELinux attributes.
>>
>> In any case, what can I do to resolve my VNC and/or su
>> issue knowing that SELinux has something to do with it?
>
>/usr/sbin/sestatus -v | grep -v active shows what?
>
[
There are several threads to this issue - so I will be
trying to update these threads to let others know of my
progress.
At this time, my system is running, I am able to login as
non-root user into the gnome console, I am able to create
and delete new users. It appears that selinux is now working
well, but I have yet to catch up to the manual selinux disables for
Kerberos and FrontPage because these were reset to defaults.
So far, so good. Everything appears to look good; however, I am
not certain I have solved all the 'yum update' #prelink#
issues. Please read on for details if you want. I have
provided you with the selinux status request in case there
are other possible issues with selinux since I am no expert
on this subject :-)
]
Please note that it took me several tries using fixfiles to
reset (restore, and relabel) before all of the permission
denied messages stopped being displayed.
Previously, I had done the restore command but while in selinux
and single user mode (selinux was not disabled), where the
restore had permission denied on perhaps fewer than 200 files
from X11 fonts, and other places throughout.
I believe I may have gotten some selinux attribute recovery
by doing selinux=0 and single user mode and running fixfiles
and using the -F such as: /sbin/fixfiles -F -R -a -F relabel
and then reboot. I had thought that running the command would
have executed immediately but did not actually take effect until
a reboot - which was odd to me - but perhaps this is normal? The manual
says nothing about this behavior. The fixfiles with the restore
command ran immediately in place - and this was while I was in
single user mode with selinux in effect at the time.
When I did a yum update but before running the above fixfiles relabel
command, I noticed that there were a lot of #prelinks# where KDE
and GNOME were being updated/installed and it was basically saying
something that these prelinks (post-installation?) were failing due
to selinux permission denials (logs in audit.log) on the post-installation
processes. It also could have been bad timing on my part for thinking
that 'yum update' would somehow restore my problems when I had no idea
where to begin.
When I tried to log into the gnome console as a non-root user,
I did not actually click the checkbox at the time, but doing so
revealed to me that there was a problem executing the file:
/usr/lib/libgnomeui-2.so
Delving into this further, I saw the "#prelink#" files and noted
that the file permission was 0600! So, I changed the permission
for this library as:
# chmod 755 /usr/lib/libgnomeui-2.so.0.1000.0.#prelink#.Hotj6j
I have not yet tried to locate all of the other #prelink# files at
this time. But for now, I can now log into gnome as a non-root user!
I am providing the status per your request, in case there may
be other issues that I may not be aware of. Thanks for responding
to my issue!
# /usr/sbin/sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 20
Policy from config file: targeted
Policy booleans:
NetworkManager_disable_trans inactive
allow_execmem active
allow_execmod active
allow_execstack active
allow_ftpd_anon_write inactive
allow_gssd_read_tmp active
allow_httpd_anon_write inactive
allow_httpd_sys_script_anon_write inactive
allow_ifconfig_sys_module inactive
allow_kerberos active
allow_postgresql_use_pam inactive
allow_rsync_anon_write inactive
allow_saslauthd_read_shadow inactive
allow_smbd_anon_write inactive
allow_write_xshm inactive
allow_ypbind inactive
apmd_disable_trans inactive
arpwatch_disable_trans inactive
auditd_disable_trans inactive
bluetooth_disable_trans inactive
canna_disable_trans inactive
cardmgr_disable_trans inactive
comsat_disable_trans inactive
cupsd_config_disable_trans inactive
cupsd_disable_trans inactive
cupsd_lpd_disable_trans inactive
cvs_disable_trans inactive
cyrus_disable_trans inactive
dbskkd_disable_trans inactive
dhcpc_disable_trans inactive
dhcpd_disable_trans inactive
dovecot_disable_trans inactive
fingerd_disable_trans inactive
ftp_home_dir active
ftpd_disable_trans inactive
ftpd_is_daemon active
getty_disable_trans inactive
gssd_disable_trans inactive
hald_disable_trans inactive
hotplug_disable_trans inactive
howl_disable_trans inactive
hplip_disable_trans inactive
httpd_builtin_scripting active
httpd_can_network_connect inactive
httpd_disable_trans active
httpd_enable_cgi active
httpd_enable_ftp_server inactive
httpd_enable_homedirs active
httpd_ssi_exec active
httpd_suexec_disable_trans inactive
httpd_tty_comm inactive
httpd_unified active
inetd_child_disable_trans inactive
inetd_disable_trans inactive
innd_disable_trans inactive
kadmind_disable_trans active
klogd_disable_trans inactive
krb5kdc_disable_trans active
ktalkd_disable_trans inactive
lpd_disable_trans inactive
mysqld_disable_trans inactive
named_disable_trans inactive
named_write_master_zones inactive
nfs_export_all_ro active
nfs_export_all_rw active
nfsd_disable_trans inactive
nmbd_disable_trans active
nscd_disable_trans inactive
ntpd_disable_trans inactive
pegasus_disable_trans inactive
portmap_disable_trans inactive
postfix_disable_trans inactive
postgresql_disable_trans inactive
pppd_can_insmod inactive
pppd_disable_trans inactive
pppd_for_user inactive
pptp_disable_trans inactive
privoxy_disable_trans inactive
ptal_disable_trans inactive
radiusd_disable_trans inactive
radvd_disable_trans inactive
read_default_t active
rlogind_disable_trans inactive
rpcd_disable_trans inactive
rsync_disable_trans inactive
samba_enable_home_dirs inactive
saslauthd_disable_trans inactive
secure_mode_insmod inactive
secure_mode_policyload inactive
slapd_disable_trans inactive
smbd_disable_trans active
snmpd_disable_trans inactive
spamd_disable_trans inactive
squid_connect_any inactive
squid_disable_trans inactive
stunnel_disable_trans inactive
stunnel_is_daemon inactive
syslogd_disable_trans inactive
system_dbusd_disable_trans inactive
telnetd_disable_trans inactive
tftpd_disable_trans inactive
udev_disable_trans inactive
use_nfs_home_dirs inactive
use_samba_home_dirs inactive
uucpd_disable_trans inactive
winbind_disable_trans active
ypbind_disable_trans inactive
ypserv_disable_trans inactive
zebra_disable_trans inactive
Process contexts:
Current context: root:system_r:unconfined_t
Init context: system_u:system_r:init_t
/sbin/mingetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:unconfined_t
File contexts:
Controlling term: root:object_r:devpts_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/bash system_u:object_r:shell_exec_t
/bin/login system_u:object_r:login_exec_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/sbin/init system_u:object_r:init_exec_t
/sbin/mingetty system_u:object_r:getty_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t
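An added example, not from the thread or from the sestatus tool itself: a small Python audit that parses `sestatus -v` output (the embedded sample is a constructed excerpt of the listing posted above) and reports which daemons have their domain transition switched off via a `*_disable_trans` boolean and which `allow_exec*` booleans are on, so the effect of "manual selinux disables" like the Kerberos and httpd ones is visible at a glance.

```python
import re

# Constructed excerpt of the `sestatus -v` listing from the message above,
# trimmed to a few booleans; the parser works on the full output as well.
SAMPLE_SESTATUS = """\
SELinux status: enabled
Current mode: enforcing
Policy from config file: targeted
Policy booleans:
allow_execmem active
allow_execmod active
allow_execstack active
httpd_disable_trans active
httpd_enable_cgi active
kadmind_disable_trans active
krb5kdc_disable_trans active
ntpd_disable_trans inactive
smbd_disable_trans active
winbind_disable_trans active
Process contexts:
Current context: root:system_r:unconfined_t
"""

BOOL_RE = re.compile(r"^(\w+)\s+(active|inactive)$")


def parse_booleans(text):
    """Return {boolean_name: True if active} from the 'Policy booleans:' section."""
    booleans = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Policy booleans:"):
            in_section = True
            continue
        if line.endswith("contexts:"):  # next section header ends the boolean list
            in_section = False
        if in_section:
            m = BOOL_RE.match(line)
            if m:
                booleans[m.group(1)] = m.group(2) == "active"
    return booleans


def unconfined_daemons(booleans):
    """Daemons whose *_disable_trans is on: they never enter their confined domain."""
    suffix = "_disable_trans"
    return sorted(n[:-len(suffix)] for n, on in booleans.items()
                  if n.endswith(suffix) and on)


def active_exec_booleans(booleans):
    """allow_execmem/execmod/execstack etc. that are on (weaken W^X enforcement)."""
    return sorted(n for n, on in booleans.items() if n.startswith("allow_exec") and on)
```

Run it against `/usr/sbin/sestatus -v` output on the machine in question; every daemon it lists is one that SELinux is not actually confining, regardless of the "enforcing" mode line.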