Everything got broken. selinux-policy-targeted-1.17.30-2.90

Omri Schwarz ocschwar at MIT.EDU
Wed Mar 30 05:56:48 UTC 2005

Hi, everyone.

Until two days ago, when I ran up2date, I had a machine running 
FC3 with SELinux targeted, user homedirs coming in over NFS, 
Apache running and segregated into httpd_t land, and so on and so forth.

I ran up2date.

And it all went to hell. The upgrade to selinux-policy-targeted-1.17.30-2.90 
prevented console logins, use of sudo, and startups from messagebus and httpd. 

It did, however, allow SSH logins and use of 'su'.

Right now I have a machine that is using 
selinux-policy-targeted-1.17.30-2.90.noarch.rpm, and I suffer from the same errors:

# /usr/sbin/getenforce
getenforce:  getenforce() failed

# /usr/sbin/getsebool -a
getsebool: booleans.c:48: security_get_boolean_names: Assertion `selinux_mnt' 

# cat /selinux/enforce

# cd /selinux/booleans
# ls

allow_ypbind           mysqld_disable_trans      squid_disable_trans
dhcpd_disable_trans    named_disable_trans       syslogd_disable_trans
httpd_disable_trans    named_write_master_zones  use_nfs_home_dirs
httpd_enable_cgi       nscd_disable_trans        use_samba_home_dirs
httpd_enable_homedirs  ntpd_disable_trans        use_syslogng
httpd_ssi_exec         portmap_disable_trans     winbind_disable_trans
httpd_tty_comm         postgresql_disable_trans  ypbind_disable_trans
httpd_unified          snmpd_disable_trans
# cat *
1 10 00 01 11 11 10 01 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

# cat policyvers

Now, for the many multifarious weirdnesses that have sprung up on me:

I cannot log in to the console. 
TTY logins fail silently and X logins leave this in the syslog:

Mar 29 18:43:42 HOST gdm(pam_unix)[5945]: session opened for user root by 
Mar 29 18:43:42 HOST gdm[5135]: gdm_cleanup_children: child 5945 crashed of 
signal 6
Mar 29 18:43:42 HOST gdm[5135]: gdm_cleanup_children: Slave crashed, killing 
its children

Clearly something is denied a resource by selinux, causing a crash that 
ends the login session. 

I cannot sudo:

% sudo su root
root:system_r:unconfined_t is not a valid context

Doing a sudo leaves this in /var/log/secure:
Mar 30 00:47:29 HOST sudo:     omri : TTY=pts/1 ; PWD=/nfs/newline/h1/omri ; 
USER=root ; COMMAND=/bin/su root

And this in /var/log/messages:
Mar 30 00:47:29 HOST sudo(pam_unix)[6028]: authentication failure; 
logname=omri uid=0 euid=0 tty=pts/1 ruser= rhost=  user=omri
Mar 30 00:47:29 HOST sudo[6028]: pam_krb5[6028]: authentication succeeds for 
'omri' (omri at SPACE.MIT.EDU)

I can SSH in, but this gets left in the logs:

Mar 30 00:43:48 HOST sshd[5941]: error: Failed to set exec security context 
omri:system_r:unconfined_t for omri. Continuing in permissive mode

I can su just fine, which is what lets me play around with these things. 

The portmapper has its own difficulties:

Mar 30 00:55:15 HOST kernel: audit(1112162115.873:0): avc:  denied  { search } 
for  pid=6178 exe=/sbin/portmap name=etc dev=hda3 ino=229377 
scontext=root:system_r:portmap_t tcontext=system_u:object_r:home_root_t 

Obviously, it's the console logins that I want to solve first and foremost.
Any help would be most appreciated. 

More information about the fedora-selinux-list mailing list