Kernel 2.6.14-1.1653 & selinux 1.27.1.-2.16

G Jahchan SeLinux at Compucenter.org
Mon Jan 30 11:47:33 UTC 2006


I have not had time to do much testing, but first indications are that
incorrect labeling was the culprit.

I initiated a boot-time relabeling. When done, I restarted the system (in
permissive mode), switched to enforcing mode (/usr/sbin/setenforce 1) and was
able to log in normally from tty1 (while su'd as root in tty0), though there
are plenty of 'avc:  denied' messages in /var/log/messages and
/var/log/audit/audit.log that I need to look at.

I still have the problem of reported Boolean errors that are scrolling too fast
to read as selinux loads at boot time, and do not seem to be logged anywhere.
Can you help with those? All I was able to make out from the fast-scrolling
display is the word 'mozilla' repeated four or five times in an error message,
followed by a Boolean error message.

-----Original Message-----
From: fedora-selinux-list-bounces at redhat.com
[mailto:fedora-selinux-list-bounces at redhat.com]On Behalf Of Stephen
Smalley
Sent: Friday, January 27, 2006 21:29
To: Valdis.Kletnieks at vt.edu
Cc: G Jahchan; Fedora SE Linux List
Subject: Re: Kernel 2.6.14-1.1653 & selinux 1.27.1.-2.16


On Fri, 2006-01-27 at 14:18 -0500, Valdis.Kletnieks at vt.edu wrote:
> On Fri, 27 Jan 2006 11:44:07 EST, Stephen Smalley said:
> > On Fri, 2006-01-27 at 17:49 +0200, G Jahchan wrote:
> > > ls -Z /sbin/init
> > > -rwxr-xr-x  root     root     system_u:object_r:staff_home_t   /sbin/init
> >
> > That's your problem - your filesystem is incorrectly labeled.  Don't
> > know how your /sbin/init program ended up with the type of a staff home
> > directory; it should have init_exec_t.
>
> It's probably related to the strict policy whoopsage I reported - the system
> would end up with only some 10% of the policy modules in place, and a restorecon
> wouldn't include the *.fc rules for the missing modules - so some less-restrictive
> rule would set the context (I ended up with almost everything as default_t,
> but I could see how staff_home_t might happen too...)
>
> At one point, every single process on my laptop was running in kernel_t, because
> the various init_t and similar types weren't defined, nor were the transitions for
> them.  Good thing I'm running in permissive. ;)

Except that his message indicated that he is running FC4, not rawhide
(look at his kernel and policy versions).

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
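The poster above is left with a pile of 'avc:  denied' lines to sort through after the relabel. The script below is an added example, not code from the thread or from any of its participants: it boils an audit log down to one line per distinct (source context -> target context, class, permission) with a count, which is the quickest way to see whether the remaining denials all point at one mislabeled type (such as staff_home_t on system files) or at many different ones. The three audit lines embedded in SAMPLE_AVC are constructed for the example; the pids, inodes, device and timestamps in them are made up, and the function reads whatever file it is given (on a real FC4 box that would be /var/log/audit/audit.log).

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from an audit log.
# Not part of the original mailing-list thread.

# Constructed sample lines in the style of /var/log/audit/audit.log.
# All numeric values are invented for the example.
SAMPLE_AVC='type=AVC msg=audit(1138621653.123:45): avc:  denied  { read } for  pid=1234 comm="login" name="passwd" dev=hda2 ino=98765 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:staff_home_t tclass=file
type=AVC msg=audit(1138621654.456:46): avc:  denied  { execute } for  pid=1 comm="init" path="/sbin/init" dev=hda2 ino=12345 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:staff_home_t tclass=file
type=AVC msg=audit(1138621655.789:47): avc:  denied  { read } for  pid=1235 comm="login" name="passwd" dev=hda2 ino=98765 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:staff_home_t tclass=file'

# summarize_avc FILE
# Prints "COUNT scontext -> tcontext (tclass: permissions)" for every distinct
# denial in FILE, most frequent first. Only lines containing "avc:  denied"
# (two spaces, as the kernel prints it) are considered.
summarize_avc() {
    awk '/avc:  denied/ {
        # Permission set is the text between "denied  {" and the closing "}".
        perm = $0
        sub(/.*denied  [{] */, "", perm)
        sub(/ *[}].*/, "", perm)
        sc = ""; tc = ""; cl = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      sc = substr($i, 10)
            else if ($i ~ /^tcontext=/) tc = substr($i, 10)
            else if ($i ~ /^tclass=/)   cl = substr($i, 8)
        }
        key = sc " -> " tc " (" cl ": " perm ")"
        n[key]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }' "$1" | sort -rn
}

# When run directly: summarise the file named on the command line, or the
# embedded sample if no file is given.
if [ "$#" -gt 0 ]; then
    summarize_avc "$1"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_AVC" > "$tmp"
    summarize_avc "$tmp"
    rm -f "$tmp"
fi
```

On the sample input the summary shows both remaining denials targeting staff_home_t, which is the symptom Stephen Smalley pointed at: the fix is to correct the labels, not to loosen policy. To confirm a single path is now labeled as the policy expects, `matchpathcon /sbin/init` prints the context the file contexts database assigns to it and `restorecon -nv /sbin/init` reports (without changing anything) whether the on-disk label differs; the boot-time relabel the poster ran is what `touch /.autorelabel` followed by a reboot triggers on Fedora Core.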