My home is fully labeled default_t after a kernel crash
Laurent Rineau
laurent.rineau__fedora at normalesup.org
Thu Aug 27 10:46:51 UTC 2009
On my F11 x64 machine, this morning, I launched this command:
sudo semanage fcontext -a -t textrel_shlib_t /opt/intel/Compiler/11.0/081/mkl/lib/em64t/libmkl_core.so
After that, my X11 server froze. I managed to log in on the machine with ssh,
but sudo got permission denied. :-(
Then I did:
- A soft shutdown with the power button. That shutdown was successful.
- Power on the machine. Boot the default kernel. Lots of AVC on the console.
X11 and mingetty unable to launch.
- Reboot with "enforcing=0 autorelabel=1 single". Relabelling seems ok.
- Reboot (with no selinux boot parameters). X11 and GDM ok. But just after I
tried to login, a popup told me something about permission denied on $HOME,
using HOME=/. Obviously, that failed!
- Reboot with enforcing=0.
Then I managed to understand that the problem is that almost all my files
in $HOME are labeled: "system_u:object_r:default_t:s0" (actually all my $HOME
but files with customized context).
Another problem: unconfined_u has disappeared!
$ id -Z
user_u:user_r:user_t:s0
$ sudo semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range          SELinux Roles
guest_u         user       s0         s0                 guest_r
root            user       s0         s0-s0:c0.c1023     staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023     staff_r sysadm_r system_r
sysadm_u        user       s0         s0-s0:c0.c1023     sysadm_r
system_u        user       s0         s0-s0:c0.c1023     system_r
user_u          user       s0         s0                 user_r
xguest_u        user       s0         s0                 xguest_r
I have searched the web for a solution, but the only solutions proposed were
/.autorelabel! :-(
That is why I am looking for a clue here...
The machine is under F11, with updates. My configuration:
$ rpm -qa \*selinux\* \*semana\* | sort
libselinux-2.0.80-1.fc11.i586
libselinux-2.0.80-1.fc11.x86_64
libselinux-debuginfo-2.0.80-1.fc11.x86_64
libselinux-devel-2.0.80-1.fc11.x86_64
libselinux-python-2.0.80-1.fc11.x86_64
libselinux-utils-2.0.80-1.fc11.x86_64
libsemanage-2.0.31-4.fc11.x86_64
libsemanage-python-2.0.31-4.fc11.x86_64
selinux-policy-3.6.12-78.fc11.noarch
selinux-policy-targeted-3.6.12-78.fc11.noarch
$ uname -a
Linux matisse.localdomain 2.6.29.6-217.2.8.fc11.x86_64 #1 SMP Sat Aug 15 01:06:26 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: targeted
(But the machine was in enforcing mode at the beginning of the story.)
--
Laurent Rineau
http://fedoraproject.org/wiki/LaurentRineau
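
Added example, not part of the original post: a read-only Python check that walks a directory tree, reads each entry's security.selinux extended attribute, counts entries per SELinux type, and lists those labeled default_t, the symptom described above. The /home/alice paths and their labels are constructed sample data.

```python
import os
import sys
from collections import Counter

FLAGGED_TYPE = "default_t"  # the type the post reports on the home directory

# Constructed sample (path, raw xattr value) pairs; not taken from the post.
SAMPLE = [
    ("/home/alice", b"system_u:object_r:default_t:s0\x00"),
    ("/home/alice/.bashrc", b"system_u:object_r:default_t:s0\x00"),
    ("/home/alice/lib/libdemo.so", b"system_u:object_r:textrel_shlib_t:s0\x00"),
    ("/home/alice/notes", b"unconfined_u:object_r:user_home_t:s0:c0.c1023\x00"),
]

def parse_context(raw):
    """Split 'user:role:type[:level]'; the level may itself contain ':'."""
    text = raw.decode() if isinstance(raw, bytes) else raw
    text = text.rstrip("\x00").strip()  # the kernel NUL-terminates the xattr
    parts = text.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {text!r}")
    return parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else ""

def read_labels(root):
    """Yield (path, raw context) for directories and files under root."""
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            try:
                yield path, os.getxattr(path, "security.selinux",
                                        follow_symlinks=False)
            except OSError:
                continue  # unlabeled, unreadable, or no xattr support

def summarize(labels, flagged=FLAGGED_TYPE):
    """Return (Counter of types, list of paths carrying the flagged type)."""
    counts, flagged_paths = Counter(), []
    for path, raw in labels:
        try:
            setype = parse_context(raw)[2]
        except ValueError:
            setype = "<unparsable>"
        counts[setype] += 1
        if setype == flagged:
            flagged_paths.append(path)
    return counts, flagged_paths

if __name__ == "__main__":
    source = read_labels(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    counts, flagged = summarize(source)
    for setype, n in counts.most_common():
        print(f"{n:8d}  {setype}")
    print(f"{len(flagged)} path(s) labeled {FLAGGED_TYPE}")
```

Run with a directory argument to scan a real tree; with no argument it summarizes the constructed sample.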