selinux adventures/troubles

Michal Jaegermann michal at harddata.com
Sun Jan 4 18:41:33 UTC 2009


On Sun, Jan 04, 2009 at 12:08:09PM -0500, Daniel J Walsh wrote:
> Michal Jaegermann wrote:
> > 
> > Something rather weird for 'id -Z':  system_u:system_r:system_crond_t:s0
> > The other machine after an upgrade reports
> > 'root:unconfined_r:unconfined_t:SystemLow-SystemHigh' which looks
> > like something saner.
> > 
> >> # semanage login -l
> > 
> > Login Name                SELinux User              MLS/MCS Range            
> > 
> > __default__               unconfined_u              s0-s0:c0.c1023           
> > root                      system_u                  s0-s0:c0.c1023           
> > system_u                  system_u                  s0-s0:c0.c1023           
> > 
> I think the problem is logging in as root is screwed up.

Indeed.  I had that impression for quite a while.

> if you execute
> 
> # semanage login -m -s unconfined_u root
> This should cause root users to login in as unconfined_t automatically.

That indeed changes 'semanage login -l' output to

Login Name                SELinux User              MLS/MCS Range            

__default__               unconfined_u              s0-s0:c0.c1023           
root                      unconfined_u              s0-s0:c0.c1023           
system_u                  system_u                  s0-s0:c0.c1023

but it does not help that much.  I still get "Unable to get valid
context for root" from a login and 'system_u:system_r:system_crond_t:s0'
for 'id -Z'.  BTW - that does not generate any audit messages; only
"error: ssh_selinux_setup_pty: security_compute_relabel: Invalid
argument", and related, in /var/log/secure.

>    The sshd running as system_crond_t?

I told you this is weird.  All of that after an upgrade from F8 to
F10.  I really would like to know why as surely this is not a result
of me trying hard to mess things up.

> Does this happen on reboot?

That machine was rebooted a number of times and nothing changes.
I cannot switch to 'enforcing' as the box is "remote" and most
likely that would immediately cut me off.  Before an upgrade this
was 'targeted' and 'enforcing'.  As I wrote before: after an upgrade
I had to force relabelling on a reboot as otherwise most anything
was only spitting on me.

BTW - I did some hacking and I do not see at this moment any "avc"
type failure notifications in /var/log/messages.  Only right now
the box is rather quiet.  I am not sure what will happen when
regular users will show up.

   Michal
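The check below is an added example, not part of the thread or of any Fedora tooling. It audits the two things discussed above: a real login name (root) mapped to the daemon-only SELinux user system_u in the `semanage login -l` table, and a login context whose type is something other than what a login should get. The table is a constructed copy of the broken state quoted earlier; the list of acceptable login types (unconfined_t, sshd_t) and the `--demo` flag are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit SELinux login mappings and a
# login context for the symptom described above, a real login name
# mapped to system_u, which only daemons should carry.

# Constructed sample of `semanage login -l` output, laid out as in the
# thread, in the broken state before `semanage login -m -s unconfined_u root`.
SAMPLE_LOGINS='Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      system_u                  s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023'

# Print login names mapped to system_u other than system_u itself.
# A real user mapped to system_u cannot obtain a login context.
# Reads the table on stdin; prints nothing when every mapping looks sane.
bad_login_mappings() {
    awk 'NR > 1 && NF >= 2 && $2 == "system_u" && $1 != "system_u" { print $1 }'
}

# Print the type field of a context such as system_u:system_r:system_crond_t:s0.
# The MLS/MCS range after the type may itself contain colons, so take
# exactly the third colon-separated field instead of the last one.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when the context type is one a login or sshd should run with.
# The accepted type names are an assumption (targeted-policy names).
login_context_ok() {
    case "$(context_type "$1")" in
        unconfined_t|sshd_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Print, rather than run, the semanage command that repairs each bad
# mapping, so an admin on a remote box can review it before applying it.
suggest_fixes() {
    bad_login_mappings | while read -r name; do
        printf 'semanage login -m -s unconfined_u %s\n' "$name"
    done
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOGINS" | suggest_fixes
    ctx="system_u:system_r:system_crond_t:s0"
    if ! login_context_ok "$ctx"; then
        echo "id -Z context has type $(context_type "$ctx"), expected unconfined_t"
    fi
fi
```

Run it with `--demo` to see the suggested `semanage login -m` command for the sample table and the complaint about the system_crond_t context. On a live system, replace the constructed table with `semanage login -l | bad_login_mappings` and pass `id -Z` output to `login_context_ok`; note that, as the thread shows, fixing the mapping alone may not be enough if sshd itself is running in the wrong domain.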




More information about the fedora-test-list mailing list