Problem with VNC and SELinux: FC4

Daniel B. Thurman dant at cdkkt.com
Mon Dec 19 15:44:01 UTC 2005


>From: Stephen Smalley [mailto:sds at tycho.nsa.gov]
>Sent: Monday, December 19, 2005 5:33 AM
>To: Daniel B. Thurman
>Cc: For users of Fedora Core releases (E-mail); Fedora SELinux support
>list for users & developers.
>Subject: Re: Problem with VNC and SELinux: FC4
>
>
>On Fri, 2005-12-16 at 18:11 -0800, Daniel B. Thurman wrote:
>> With the new SELinux updates, it appears that root,
>> other than normal users can login to Fedora via VNC
>> Server?  My VNC Server is setup such that I am using
>> xinetd for VNC Server requests.
>> 
>> Another problem I noticed is that when I log into my
>> Fedora system via VNC as root user, and open a xterm
>> window and run a su - <normal-user>, I get back a
>> SELinux message:
>> 
>> ================================================
>> # su - dan
>> Your default context is: user_u:system_r:kernel_t.
>> 
>> Do you want to want to choose a different one? [n]
>> ================================================
>> 
>> It is *possible* that this problem came up when
>> I had to make a copy of my filesystem to another
>> hard-disk for the purpose of creating a /boot
>> partition (my bad) and copied/restored the filesystem
>> back over to the main drive.  I don't think I made
>> any copy/restore mistakes as I know the fs permissions
>> are correct but I cannot speak for filesystem journaling
>> or whatever that keeps track of the SELinux attributes.
>> 
>> In any case, what can I do to resolve my VNC and/or su
>> issue knowing that SELinux has something to do with it?
>
>/usr/sbin/sestatus -v | grep -v active shows what?
>

[
  There are several threads to this issue - so I will be
  trying to update these threads to let others know of my
  progress.

  At this time, my system is running, I am able to login as
  non-root user into the gnome console, I am able to create
  and delete new users.  It appears that selinux is now working
  well but I have yet to catch up to manual selinux disables for
  Kerberos and FrontPage because these were reset to defaults.
  So far, so good. Everything appears to look good however I am
  not certain I have solved all the 'yum update' #prelink#
  issues.  Please read on for details if you want.  I have
  provided you with the selinux status request in case there
  are other possible issues with selinux since I am no expert
  on this subject :-)
]

Please note, that it took me several tries using fixfiles to
reset (restore, and relabel) before all of the permissions
denied messages stopped being displayed.

Previously, I had done the restore command but while in selinux
and single user mode (selinux was not disabled), where the
restore had permissions denied on perhaps less than 200 files
from X11 fonts, and other places throughout.

I believe I may have gotten some selinux attribute recovery
by doing selinux=0 and single user mode and running fixfiles
and using the -F such as: /sbin/fixfiles -F -R -a -F relabel
and then reboot.  I had thought that running the command would
have executed immediately but did not actually take effect until
a reboot - which was odd to me - but perhaps this is normal? Manual
says nothing about this behavior.  The fixfiles with the restore
command ran immediately in place - and this was while I was in
single user mode with selinux in effect at the time.

When I did a yum update but before running the above fixfiles relabel
command, I noticed that there were a lot of #prelinks# where KDE
and GNOME were being updated/installed and it was basically saying
something that these prelinks (post-installation?) were failing due
to selinux permission denials (logs in audit.log) on the post-installation
processes. It also could have been bad timing on my part for thinking
that 'yum update' would somehow restore my problems when I had no idea
where to begin.

When I tried to log into the gnome console as a non-root user,
I did not actually click the checkbox at the time, but in doing so
revealed to me that there was a problem executing the file:
/usr/lib/libgnomeui-2.so

Delving into this further, I saw the "#prelink#" files and noted
that the file permission was 0600!  So, I changed the permission
for this library as:

# chmod 755 /usr/lib/libgnomeui-2.so.0.1000.0.#prelink#.Hotj6j

I have not yet tried to locate all of the other #prelink# files at
this time.  But for now, I can now log into gnome as a non-root user!

I am providing per your request for the status, in case there may
be other issues that I may not be aware of.  Thanks for responding
to my issue!

# /usr/sbin/sestatus -v

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 20
Policy from config file:        targeted

Policy booleans:
NetworkManager_disable_trans      inactive
allow_execmem                     active
allow_execmod                     active
allow_execstack                   active
allow_ftpd_anon_write             inactive
allow_gssd_read_tmp               active
allow_httpd_anon_write            inactive
allow_httpd_sys_script_anon_write inactive
allow_ifconfig_sys_module         inactive
allow_kerberos                    active
allow_postgresql_use_pam          inactive
allow_rsync_anon_write            inactive
allow_saslauthd_read_shadow       inactive
allow_smbd_anon_write             inactive
allow_write_xshm                  inactive
allow_ypbind                      inactive
apmd_disable_trans                inactive
arpwatch_disable_trans            inactive
auditd_disable_trans              inactive
bluetooth_disable_trans           inactive
canna_disable_trans               inactive
cardmgr_disable_trans             inactive
comsat_disable_trans              inactive
cupsd_config_disable_trans        inactive
cupsd_disable_trans               inactive
cupsd_lpd_disable_trans           inactive
cvs_disable_trans                 inactive
cyrus_disable_trans               inactive
dbskkd_disable_trans              inactive
dhcpc_disable_trans               inactive
dhcpd_disable_trans               inactive
dovecot_disable_trans             inactive
fingerd_disable_trans             inactive
ftp_home_dir                      active
ftpd_disable_trans                inactive
ftpd_is_daemon                    active
getty_disable_trans               inactive
gssd_disable_trans                inactive
hald_disable_trans                inactive
hotplug_disable_trans             inactive
howl_disable_trans                inactive
hplip_disable_trans               inactive
httpd_builtin_scripting           active
httpd_can_network_connect         inactive
httpd_disable_trans               active
httpd_enable_cgi                  active
httpd_enable_ftp_server           inactive
httpd_enable_homedirs             active
httpd_ssi_exec                    active
httpd_suexec_disable_trans        inactive
httpd_tty_comm                    inactive
httpd_unified                     active
inetd_child_disable_trans         inactive
inetd_disable_trans               inactive
innd_disable_trans                inactive
kadmind_disable_trans             active
klogd_disable_trans               inactive
krb5kdc_disable_trans             active
ktalkd_disable_trans              inactive
lpd_disable_trans                 inactive
mysqld_disable_trans              inactive
named_disable_trans               inactive
named_write_master_zones          inactive
nfs_export_all_ro                 active
nfs_export_all_rw                 active
nfsd_disable_trans                inactive
nmbd_disable_trans                active
nscd_disable_trans                inactive
ntpd_disable_trans                inactive
pegasus_disable_trans             inactive
portmap_disable_trans             inactive
postfix_disable_trans             inactive
postgresql_disable_trans          inactive
pppd_can_insmod                   inactive
pppd_disable_trans                inactive
pppd_for_user                     inactive
pptp_disable_trans                inactive
privoxy_disable_trans             inactive
ptal_disable_trans                inactive
radiusd_disable_trans             inactive
radvd_disable_trans               inactive
read_default_t                    active
rlogind_disable_trans             inactive
rpcd_disable_trans                inactive
rsync_disable_trans               inactive
samba_enable_home_dirs            inactive
saslauthd_disable_trans           inactive
secure_mode_insmod                inactive
secure_mode_policyload            inactive
slapd_disable_trans               inactive
smbd_disable_trans                active
snmpd_disable_trans               inactive
spamd_disable_trans               inactive
squid_connect_any                 inactive
squid_disable_trans               inactive
stunnel_disable_trans             inactive
stunnel_is_daemon                 inactive
syslogd_disable_trans             inactive
system_dbusd_disable_trans        inactive
telnetd_disable_trans             inactive
tftpd_disable_trans               inactive
udev_disable_trans                inactive
use_nfs_home_dirs                 inactive
use_samba_home_dirs               inactive
uucpd_disable_trans               inactive
winbind_disable_trans             active
ypbind_disable_trans              inactive
ypserv_disable_trans              inactive
zebra_disable_trans               inactive

Process contexts:
Current context:                  root:system_r:unconfined_t
Init context:                     system_u:system_r:init_t
/sbin/mingetty                    system_u:system_r:getty_t
/usr/sbin/sshd                    system_u:system_r:unconfined_t

File contexts:
Controlling term:                 root:object_r:devpts_t
/etc/passwd                       system_u:object_r:etc_t
/etc/shadow                       system_u:object_r:shadow_t
/bin/bash                         system_u:object_r:shell_exec_t
/bin/login                        system_u:object_r:login_exec_t
/bin/sh                           system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty                      system_u:object_r:getty_exec_t
/sbin/init                        system_u:object_r:init_exec_t
/sbin/mingetty                    system_u:object_r:getty_exec_t
/usr/sbin/sshd                    system_u:object_r:sshd_exec_t
/lib/libc.so.6                    system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2                system_u:object_r:lib_t -> system_u:object_r:ld_so_t

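As an added example (not part of the original mail or of the fixfiles/sestatus tools), the following shell functions audit a `sestatus -v` listing like the one above: they pull out the current mode and flag the booleans that weaken the targeted policy when active (the allow_exec* trio and any *_disable_trans, which leaves that daemon running unconfined). The sample text is a constructed excerpt using boolean names from the listing above.

```shell
# Constructed excerpt of `sestatus -v` output in the same layout as the
# listing above (names taken from that listing; values abbreviated).
SESTATUS_SAMPLE='SELinux status:                 enabled
Current mode:                   enforcing
Policy booleans:
allow_execmem                     active
allow_execmod                     active
allow_execstack                   active
allow_kerberos                    active
httpd_disable_trans               active
httpd_enable_cgi                  active
kadmind_disable_trans             active
smbd_disable_trans                active
syslogd_disable_trans             inactive'

# Print the "Current mode:" value (enforcing / permissive / disabled).
selinux_mode() {
    printf '%s\n' "$1" | awk -F': *' '/^Current mode:/ { print $2 }'
}

# Print one boolean name per line for every active boolean that either
# relaxes memory protections (allow_execmem, allow_execmod, allow_execstack)
# or switches off a daemon's domain transition (*_disable_trans), i.e. the
# settings a reviewer would want justified on an enforcing host.
risky_active_booleans() {
    printf '%s\n' "$1" | awk '
        /^Policy booleans:/ { in_bools = 1; next }
        in_bools && NF == 2 && $2 == "active" {
            if ($1 ~ /^allow_exec(mem|mod|stack)$/ || $1 ~ /_disable_trans$/)
                print $1
        }'
}

# Stand-alone usage: run the audit on the constructed sample.
echo "mode: $(selinux_mode "$SESTATUS_SAMPLE")"
echo "risky active booleans:"
risky_active_booleans "$SESTATUS_SAMPLE"
```

On a live system the same functions take `"$(/usr/sbin/sestatus -v)"` as their argument.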