Kernel 2.6.14-1.1653 & selinux 1.27.1.-2.16

[Stephen Smalley]

On Fri, 2006-01-27 at 17:49 +0200, G Jahchan wrote:
> ls -Z /sbin/init
> -rwxr-xr-x  root     root     system_u:object_r:staff_home_t   /sbin/init

That's your problem - your filesystem is incorrectly labeled.  Don't
know how your /sbin/init program ended up with the type of a staff home
directory; it should have init_exec_t.

/sbin/restorecon -nv /sbin/init

If that correctly relabels to init_exec_t, then proceed to do a full
relabel, i.e. touch /.autorelabel and reboot or pass 'autorelabel' on
the kernel command line.  Or shut down to single-user and run 'fixfiles
relabel'.  All variations on the same theme...

> /etc/passwd                         system_u:object_r:staff_home_t

Should be etc_t.

> /bin/bash                           system_u:object_r:staff_home_t

shell_exec_t

> /bin/login                          system_u:object_r:staff_home_t

login_exec_t

> /sbin/init                          system_u:object_r:staff_home_t

init_exec_t

> /sbin/mingetty                      system_u:object_r:staff_home_t

getty_exec_t

> /usr/sbin/sshd                      system_u:object_r:staff_home_t

sshd_exec_t

> The results of audit2why seem to indicate a mismatch between current in-memory
> boolean settings vs. permanent ones.

No, just a filesystem labeling problem.  audit2why can't determine that;
it just diagnoses policy problems.

-- 
Stephen Smalley
National Security Agency