Kernel 2.6.14-1.1653 & selinux 1.27.1.-2.16

G Jahchan SeLinux at Compucenter.org
Wed Feb 1 08:12:45 UTC 2006


I have upgraded the kernel to 2.6.14-1.1656 and pam to 0.79.9 (from
2.6.14-1.1653 & 0.79.8 respectively) and I am back to the drawing board.

Authentication is no longer possible when in enforcing mode, but this time
there are NO reported 'avc:  denied' messages in any of the logs.

The problem may not lie strictly with selinux, as even when in permissive mode,
the first authentication attempt to a console always fails, but the second
works (with the exact same credentials). Ditto when sudoing a command that
requires authentication: never works the first time if in permissive mode, and
not at all if in enforcing mode. su on the other hand always works in
permissive mode, but never in enforcing mode.

When in KDE, a locked station cannot be unlocked, regardless of the status of
selinux - permissive or enforcing, it makes no difference.

-----Original Message-----
From: fedora-selinux-list-bounces at redhat.com
[mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Stephen Smalley
Sent: Monday, January 30, 2006 17:31
To: G Jahchan
Cc: Fedora SE Linux List
Subject: RE: Kernel 2.6.14-1.1653 & selinux 1.27.1.-2.16


On Mon, 2006-01-30 at 13:47 +0200, G Jahchan wrote:
> I have not had time to do much testing, but first indications are that
> incorrect labeling was the culprit.
>
> I initiated a boot-time relabeling. When done, I restarted the system (in
> permissive mode), switched to enforcing mode (/usr/sbin/setenforce 1) and was
> able to log in normally from tty1 (while su'd as root in tty0), though there
> are plenty of 'avc:  denied' messages (in /var/log/messages and
> /var/log/audit/audit.log) that I need to look at.
>
> I still have the problem of reported Boolean errors that are scrolling too fast
> to read as selinux loads at boot time, and do not seem to be logged anywhere.
> Can you help with those? All I was able to make up from the fast-scrolling
> display is the word 'mozilla' repeated four or five times in an error message,
> followed by a Boolean error message.

Likely just stale boolean settings in your booleans.local file, which
are just skipped with a warning.  To reproduce, run:
/usr/sbin/load_policy -b /etc/selinux/targeted/policy/policy.19

If you have any "boolean ... no longer in policy" messages, just remove
those lines from your /etc/selinux/targeted/booleans.local file.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
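
One way to list the stale entries described in the reply above before editing the file, as an added example that is not part of the thread. It assumes booleans.local holds one `name=value` entry per line and that the list of booleans in the loaded policy was saved beforehand (for instance with `getsebool -a`); the function names and all sample boolean names are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes one "name=value" entry per line
# in booleans.local, and a names file whose first field on each line is a
# boolean present in the loaded policy (e.g. saved output of `getsebool -a`).

# stale_booleans LOCAL_FILE NAMES_FILE
# Prints "lineno: entry" for each entry whose boolean is not in NAMES_FILE.
stale_booleans() {
    awk -v names="$2" '
        BEGIN {
            while ((getline line < names) > 0) {
                if (split(line, f, " ") > 0) known[f[1]] = 1
            }
            close(names)
        }
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            name = $0
            sub(/=.*/, "", name)          # keep the part before "="
            gsub(/[ \t]/, "", name)       # tolerate spaces around the name
            if (!(name in known)) print FNR ": " $0
        }
    ' "$1"
}

# Constructed sample data; the boolean names here are invented.
demo_stale_booleans() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/names" <<'EOF'
example_httpd_bool --> active
example_ftpd_bool --> inactive
EOF
    cat > "$dir/booleans.local" <<'EOF'
# local overrides
example_httpd_bool=1
example_mozilla_bool_a=0
example_mozilla_bool_b = 1
example_ftpd_bool=0
EOF
    stale_booleans "$dir/booleans.local" "$dir/names"
    rm -rf "$dir"
}

demo_stale_booleans
```

The reported line numbers point at the entries to delete from the local file; entries for booleans still in the policy are left alone.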




