selinux adventures/troubles

Daniel J Walsh dwalsh at redhat.com
Mon Dec 29 15:30:31 UTC 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michal Jaegermann wrote:
> I wonder if this is my unique experience or this is widely observed.
> 
> So far, AFAICT, when installing a machine "from scratch", and while
> keeping a layout as plain as possible, then selinux is rather
> expected to work; at least decently enough.  The picture becomes
> entirely diferent when you are trying to upgrade a distro.  What
> results of such exercise will be I am unable to predict.
> 
> I have now such example recently moved from F8 to F10.  It was
> configured "targeted" and in the past it was behaving ok.  Burned on
> other occasions I set selinux to "permissive" before upgrading
> distros with an intentions to restore "enforcing" later on.  In
> anaconda it is hard not to notice that an installation of
> selinux-policy-targeted package takes a really long time.  One would
> think that this is because some checks are run or some relabeling
> takes place or whatever.  Only the end result was that after a
> reboot a machine was mostly busy spitting all kind of complaints and
> warnings.  If not that "permissive" setting it most likely would
> not boot at all.  'touch /.autorelabel' followed by a reboot and
> relabelling took care of most of that stuff.  But without the
> machine really going into a service at least two "mysteries" remain
> (and I fully expect more to show up later).
> 
> There is a requirement that a root needs to be able to login via
> ssh on this machine using an authorized key (a remote root login
> with a password is blocked).  This works but I am getting every
> time "Unable to get valid context for root" and in /var/log/secure:
> "pam_selinux(sshd:session): Security context
> system_u:system_r:logrotate_t:s0-s0:c0.c1023 is not allowed for
> system_u:system_r:logrotate_t:s0-s0:c0.c1023".
> Eh?  What this is supposed to mean?  There are no corresponding
> 'sealert' message I can find nor 'allow2why' comes with any reasons.
> 
> Another problem which hits immediately is that 'root' has
> .procmailrc file and it is necessary there.  Every mail to root
> results in selinux complaints.  Initially these were in a form:
> 
> SELinux is preventing the procmail from using potentially mislabeled
> files (./_ZoC.lwQVJB.xxxxxx.yyyy.zzz).
> 
> and propositions to relabel these.  A very good advice. :-)
> This time 'allow2rules' had the following things to propose:
> 
> allow procmail_t admin_home_t:dir { write remove_name add_name };
> allow procmail_t admin_home_t:file { write create unlink link };
> 
> I generated a corresponding module, and added it to a fray, and
> that only changed a nature of complaints to:
> 
> SELinux is preventing the procmail from using potentially mislabeled
> files (./.procmailrc).
> 
> The catch is that /root/.procmailrc has for a label
> system_u:object_r:admin_home_t:s0 and 'restorecon -v' on it does not
> change anything at all.
> 
> Of course I have no idea if there are policy problems, or troubles
> are somewhere else, or everything really works as expected.  A big
> mystery.
> 
> To makes things even more interesting I have another machine, also
> upgraded from F8 to F10 and configured, it would appear, in a
> similar way, and none of symptoms described above shows there.
> Only on that other box /root/.procmailrc is labeled with
> system_u:object_r:user_home_t (do not ask me why!) and 
> system_u:object_r:user_home_dir_t shows on /root and running
> there 'restorecon -vR /root' also does not change anything at all.
> So apparently both are correct only one does not work and how and
> why they aquired different labels is another of those puzzles.
> Does selinux policies are applied at random?
> 
>    Michal
> 
Ok lets look at the log file.

  This works but I am getting every
> time "Unable to get valid context for root" and in /var/log/secure:
> "pam_selinux(sshd:session): Security context
> system_u:system_r:logrotate_t:s0-s0:c0.c1023 is not allowed for
> system_u:system_r:logrotate_t:s0-s0:c0.c1023".

When you log in in permissive mode what does 'id -Z' show?

What does

# semanage login -l
and
# semanage user -l

Finally what context is ssh running as.

# ps -eZ | grep ssh
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAklY7RcACgkQrlYvE4MpobNUugCfeexMiZPbyYIgjSHeX6gSDVeU
2wkAmgMetyVDEYEPidAd5ispMYTnnJs4
=XUye
-----END PGP SIGNATURE-----

More information about the fedora-test-list mailing list