Non-root console login issue! (was: Problem with VNC ... SELinux:FC4)

Daniel B. Thurman dant at cdkkt.com
Tue Dec 20 19:34:23 UTC 2005


>From: fedora-list-bounces at redhat.com
>[mailto:fedora-list-bounces at redhat.com]On Behalf Of Daniel J Walsh
>Sent: Tuesday, December 20, 2005 11:20 AM
>To: For users of Fedora Core releases
>Cc: Fedora SELinux support list for users & developers.
>Subject: Re: Non-root console login issue! (was: Problem with VNC and SELinux:FC4)
>
>
>Daniel B. Thurman wrote:
>>> From: fedora-list-bounces at redhat.com
>>> [mailto:fedora-list-bounces at redhat.com]On Behalf Of Daniel B. Thurman
>>> Sent: Saturday, December 17, 2005 2:30 PM
>>> To: For users of Fedora Core releases
>>> Cc: Fedora SELinux support list for users & developers.
>>> Subject: Non-root console login issue! (was: Problem with VNC and
>>> SELinux:FC4)
>>>
>>>
>>>     
>>>> From: fedora-list-bounces at redhat.com
>>>> [mailto:fedora-list-bounces at redhat.com]On Behalf Of Daniel B. Thurman
>>>> Sent: Friday, December 16, 2005 6:11 PM
>>>> To: For users of Fedora Core releases (E-mail)
>>>> Cc: Fedora SELinux support list for users & developers.
>>>> Subject: Problem with VNC and SELinux: FC4
>>>>
>>>>
>>>>
>>>> Folks,
>>>>
>>>> With the new SELinux updates, it appears that root,
>>>> other than normal users can log in to Fedora via VNC
>>>> Server?  My VNC Server is set up such that I am using
>>>> xinetd for VNC Server requests.
>>>>
>>>> Another problem I noticed is that when I log into my
>>>> Fedora system via VNC as root user, and open an xterm
>>>> window and run a su - <normal-user>, I get back a
>>>> SELinux message:
>>>>
>>>> ================================================
>>>> # su - dan
>>>> Your default context is: user_u:system_r:kernel_t.
>>>>
>>>> Do you want to want to choose a different one? [n]
>>>> ================================================
>>>>
>>>> It is *possible* that this problem came up when
>>>> I had to make a copy of my filesystem to another
>>>> hard-disk for the purpose of creating a /boot
>>>> partition (my bad) and copied/restored the filesystem
>>>> back over to the main drive.  I don't think I made
>>>> any copy/restore mistakes as I know the fs permissions
>>>> are correct but I cannot speak for filesystem journaling
>>>> or whatever that keeps track of the SELinux attributes.
>>>>
>>>> In any case, what can I do to resolve my VNC and/or su
>>>> issue knowing that SELinux has something to do with it?
>>>>
>>>> Thanks!
>>>> Dan Thurman
>>>>
>>>>       
>>> Problem is not related to SELinux and not really related
>>> to VNC. It turns out that I cannot log into the console
>>> as a non-root user and I get a message saying:
>>>
>>> =======================================================
>>> Your session lasted less than 10 seconds. If you have not
>>> logged out yourself, this could mean that there is some
>>> installation problem or that you may be out of diskspace.
>>> Try logging in with one of the failsafe sessions to see if
>>> you can fix this problem.
>>>
>>> [] View details (~/.xsession-errors file)
>>> =======================================================
>>>
>>> The problem here is that the .xsession-errors file does
>>> not exist.  I also note from the /var/log/messages file:
>>>
>>> =======================================================
>>> Dec 17 12:45:31 linux gdm(pam_unix)[16480]: session opened for user dant by (uid=0)
>>> Dec 17 12:45:32 linux gdm(pam_unix)[16480]: session closed for user dant
>>> Dec 17 12:45:32 linux dbus: avc:  0 AV entries and 0/512 buckets used, longest chain length 0
>>> =======================================================
>>>
>>> And from /var/log/audit/audit.log
>>> =======================================================
>>> type=USER_AUTH msg=audit(1134858412.155:3929): user pid=3397 uid=0 auid=4294967295 msg='PAM authentication: user=dant exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 result=Success)'
>>> type=USER_ACCT msg=audit(1134858412.159:3930): user pid=3397 uid=0 auid=4294967295 msg='PAM accounting: user=dant exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 result=Success)'
>>> type=CRED_ACQ msg=audit(1134858412.247:3931): user pid=3397 uid=0 auid=4294967295 msg='PAM setcred: user=dant exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 result=Success)'
>>> type=USER_START msg=audit(1134858412.307:3932): user pid=3397 uid=0 auid=4294967295 msg='PAM session open: user=dant exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 result=Success)'
>>> =======================================================
>>>
>>> File:
>>> # ls -l /usr/bin/gdm-binary
>>> -rwxr-xr-x  1 root root 251668 May 23  2005 /usr/bin/gdm-binary
>>>
>>> HALLLLLP!  Please :-)
>>>
>>> Dan
>>>
>>>     
>>
>> Sorry - had to add this tidbit....  seems that SELinux may be
>> involved or maybe my file journaling is messed up after a "restore"?
>>
>> I tried to create a new user account to see if by doing this
>> I would get a correct security context and be able to log
>> into the console but WHOA!!!  What is going on here!?!?!?
>>
>> =======================================================
>> [root at linux ~]# useradd dant2
>> useradd: cannot rewrite password file
>> [root at linux ~]#
>> =======================================================
>> File: /var/log/audit/audit.log:
>>
>> 94967295 msg='useradd: op=adding home directory acct=dant2 res=success'
>> type=AVC msg=audit(1134859204.879:4004): avc:  denied  { create } for  pid=19177 comm="useradd" name=".kde" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
>> type=SYSCALL msg=audit(1134859204.879:4004): arch=40000003 syscall=39 success=no exit=-13 a0=bfd81470 a1=1ed a2=98fd2ef a3=ffffffff items=1 pid=19177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
>> type=CWD msg=audit(1134859204.879:4004):  cwd="/root"
>> type=PATH msg=audit(1134859204.879:4004): item=0 name="/home/dant2/.kde" flags=10  inode=1245989 dev=03:02 mode=040755 ouid=511 ogid=512 rdev=00:00
>> type=AVC msg=audit(1134859204.883:4005): avc:  denied  { create } for  pid=19177 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file
>> type=SYSCALL msg=audit(1134859204.883:4005): arch=40000003 syscall=5 success=no exit=-13 a0=bfd817e4 a1=8241 a2=1b6 a3=98f6f38 items=1 pid=19177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
>> type=CWD msg=audit(1134859204.883:4005):  cwd="/root"
>> type=PATH msg=audit(1134859204.883:4005): item=0 name="/etc/passwd+" flags=310 inode=1212417 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
>> type=USER_CHAUTHTOK msg=audit(1134859204.883:4006): user pid=19177 uid=0 auid=4294967295 msg='useradd: op=adding user acct=dant2 res=failed'
>> =======================================================
>>
>> Dan
>>
>>   
>Looks like you have a labeling problem.  file_t files should not exist 
>if your system is properly labeled.  This either indicates you booted 
>with selinux=0 or you added additional disks.
>
>You can relabel by executing
>
>touch /.autorelabel
>reboot

From: RE: [mostly solved] SELinux is screwing me up!!!!  Help!
Date: Mon 12/19/2005 8:21AM

I did try the autorelabel, and it did not work.  It wasn't
until I tried the following that I seemed to steer clear of
the permissions problems encountered with the autorelabel method.

==========================================
I think that I solved this problem by:

1) Booting in selinux=0 single
2) /sbin/fixfiles -F -R -a -F relabel
3) reboot
==========================================

Sorry that you did not see this later thread.

Dan
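
The labeling check from the reply above (file_t targets should not exist on a properly labeled system), run over the AVC records quoted in this thread; this is an added example, not part of the original messages. The unlabeled_t entry, the kernel_t heuristic, and all function names are assumptions of this example.

```python
import re

# Target types that mean "never labeled". file_t is the one named in the
# reply; unlabeled_t is added here as an assumption of this example.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}
AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{\s*([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The two AVC records quoted in this thread (unwrapped) and one CWD record.
SAMPLE = [
    'type=AVC msg=audit(1134859204.879:4004): avc:  denied  { create } for  pid=19177 comm="useradd" name=".kde" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir',
    'type=AVC msg=audit(1134859204.883:4005): avc:  denied  { create } for  pid=19177 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file',
    'type=CWD msg=audit(1134859204.883:4005):  cwd="/root"',
]

def context_type(context):
    """A context is user:role:type[:level]; return the type field."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    rec["stype"] = context_type(rec.get("scontext", ""))
    rec["ttype"] = context_type(rec.get("tcontext", ""))
    return rec

def labeling_findings(lines):
    """Flag denials whose contexts point at a labeling problem."""
    findings = []
    for rec in filter(None, map(parse_avc, lines)):
        reasons = []
        if rec["ttype"] in UNLABELED_TYPES:
            reasons.append("target has no real label (%s)" % rec["ttype"])
        if rec["stype"] == "kernel_t":  # heuristic, assumption of this example
            reasons.append("userland process still running as kernel_t")
        if reasons:
            findings.append((rec.get("comm"), rec.get("name"), reasons))
    return findings

if __name__ == "__main__":
    for comm, name, reasons in labeling_findings(SAMPLE):
        print(comm, name, "; ".join(reasons))
```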
