selinux adventures/troubles

Daniel J Walsh dwalsh at redhat.com
Sun Jan 4 17:08:09 UTC 2009 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michal Jaegermann wrote:
> On Mon, Dec 29, 2008 at 10:30:31AM -0500, Daniel J Walsh wrote:
>> Michal Jaegermann wrote:
>>> I wonder if this is my unique experience or this is widely observed.
>>>
>>> So far, AFAICT, when installing a machine "from scratch", and while
>>> keeping a layout as plain as possible, then selinux is rather
>>> expected to work; at least decently enough.  The picture becomes
>>> entirely diferent when you are trying to upgrade a distro.  What
>>> results of such exercise will be I am unable to predict.
> ....
>> Ok lets look at the log file.
>>
>>   This works but I am getting every
>>> time "Unable to get valid context for root" and in /var/log/secure:
>>> "pam_selinux(sshd:session): Security context
>>> system_u:system_r:logrotate_t:s0-s0:c0.c1023 is not allowed for
>>> system_u:system_r:logrotate_t:s0-s0:c0.c1023".
>> When you log in in permissive mode what does 'id -Z' show?
> 
> Something rather weird for 'id -Z':  system_u:system_r:system_crond_t:s0
> The other machine after an upgrades reports
> 'root:unconfined_r:unconfined_t:SystemLow-SystemHigh' which looks
> like something saner.
> 
>> # semanage login -l
> 
> Login Name                SELinux User              MLS/MCS Range            
> 
> __default__               unconfined_u              s0-s0:c0.c1023           
> root                      system_u                  s0-s0:c0.c1023           
> system_u                  system_u                  s0-s0:c0.c1023           
> 
> which again is different than on another machine.  Here we go:
> 
> Login Name                SELinux User              MLS/MCS Range            
> 
> __default__               unconfined_u              SystemLow-SystemHigh     
> root                      root                      SystemLow-SystemHigh     
> system_u                  system_u                  SystemLow-SystemHigh     
> 
>> and
>> # semanage user -l
> 
> 
>                 Labeling   MLS/       MLS/                          
> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
> 
> guest_u         guest      s0         s0                             guest_r
> root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
> staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r
> sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
> system_u        user       s0         s0-s0:c0.c1023                 system_r
> unconfined_u    unconfined s0         s0-s0:c0.c1023                 system_r unconfined_r
> user_u          user       s0         s0                             user_r
> xguest_u        xguest     s0         s0                             xguest_r
> 
> and this is on that second one:
> 
>                 Labeling   MLS/       MLS/                          
> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
> 
> guest_u         user       s0         s0                             guest_r
> root            user       s0         SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
> staff_u         user       s0         SystemLow-SystemHigh           staff_r sysadm_r system_r
> sysadm_u        user       s0         SystemLow-SystemHigh           sysadm_r
> system_u        user       s0         SystemLow-SystemHigh           system_r
> unconfined_u    user       s0         SystemLow-SystemHigh           system_r unconfined_r
> user_u          user       s0         s0                             user_r
> xguest_u        user       s0         s0                             xguest_r
> 
> where at least "Labeling Prefixes" look suspicious for a change.
> 
>> Finally what context is ssh running as.
>>
>> # ps -eZ | grep ssh
> 
> system_u:system_r:system_crond_t:s0 3972 ?     00:00:00 sshd
> system_u:system_r:system_crond_t:s0 26371 ?    00:00:00 sshd
> 
> against
> 
> root:system_r:sshd_t:SystemLow-SystemHigh 10298 ? 00:00:00 sshd
> root:system_r:sshd_t:SystemLow-SystemHigh 28760 ? 00:00:00 sshd
> 
> where things appear to work as expected.
> 
> A label on /usr/sbin/sshd itself is system_u:object_r:sshd_exec_t:s0
> in the first case and system_u:object_r:sshd_exec_t, without that
> trailing ":s0", in the second one.
> 
> All that fun simply as a result of running anaconda with an upgrade
> from F8 to F10; in both cases.  I noted already that in the first
> case I had to do 'touch /.autorelabel' and reboot before I started
> to get anywhere and that was not needed in the second case.
> 
> Differences in a file system layout are are that for the first
> machine /, /boot, /usr, /usr/local, /var and /home are separate
> file systems while the second box has only /boot and / for
> everything (it is a specialized server).
> 
> This is not the first time when selinux starts to act "weird" for me
> on an installation after anaconda did its work.  Only the other
> cases were starting from older distributions and this was for
> "scratch" installations in any case so the simplest wasy out was to
> dump results and run install again.  In the current situation this
> is really not a good option and besides I would rather like to
> understand what is going on.
> 
>    Michal
> 
I think the problem is logging in as root is screwed up.

if you execute

# semanage login -m -s unconfined_u root
This should cause root users to login in as unconfined_t automatically.
   The sshd running as system_crond_t?  Does this happen on reboot?  Or
was this caused by logging in in permissive mode then restarting sshd?


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAklg7PkACgkQrlYvE4MpobOm1gCePTXfavOEEcTy3DSam/IkvbqV
Ch0An1ZlgRAtttd79UlI+U94R59TXI59
=D8Yt
-----END PGP SIGNATURE-----

More information about the fedora-test-list mailing list