selinux adventures/troubles
Michal Jaegermann
michal at harddata.com
Wed Jan 7 22:17:26 UTC 2009
On Wed, Jan 07, 2009 at 03:41:55PM -0500, Stephen Smalley wrote:
>
> Then any subsequent login attempt via ssh would be similarly botched,
> because sshd is running in system_crond_t, and thus the starting domain
> isn't what the system expects and when we ask the system what user
> contexts are reachable from that starting domain, it gets rather
> puzzled.
I was not that surprised with specific results, as they were
consistent with what was showing up after all, as rather how I got
there.
> Reboot the system, then login and look at pstree -Z output.
This time it actually helped. Thanks! This is the first time
the system got rebooted after selinux-policy-targeted got
reinstalled yesterday. Maybe this made a difference? Before
that rebooting did not seem to have any discernible effects.
I attach the current output from 'pstree -Z'; it looks to me as what
I would roughly expect to see.
> As to the original cause, I assume that this is due to:
> 1) The rather major changes that took place in the policy across these
> versions ....
....
> 2) The (mis)use of semanage by the selinux-policy package to manage the
> seuser definitions ....
....
What for me is most disconcerting is that I went through the same
exercise a few times and results were not consistent. Also I still
would not know for sure how to repair a botched upgrade. It appears
that this time I ended up with something which looks sane but why
this reboot changed things while previous ones were ineffective I am
not sure.
Thanks,
Michal
-------------- next part --------------
init(`system_u:system_r:init_t:s0')
|-acpid(`system_u:system_r:apmd_t:s0')
|-anacron(`system_u:system_r:system_crond_t:s0')
|-atd(`system_u:system_r:crond_t:s0-s0:c0.c1023')
|-auditd(`system_u:system_r:auditd_t:s0')
| |-audispd(`system_u:system_r:audisp_t:s0')
| | `-{audispd}(`system_u:system_r:audisp_t:s0')
| `-{auditd}(`system_u:system_r:auditd_t:s0')
|-avahi-daemon(`system_u:system_r:avahi_t:s0')
| `-avahi-daemon(`system_u:system_r:avahi_t:s0')
|-console-kit-dae(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| |-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
| `-{console-kit-dae}(`system_u:system_r:consolekit_t:s0-s0:c0.c1023')
|-crond(`system_u:system_r:crond_t:s0-s0:c0.c1023')
|-cupsd(`system_u:system_r:cupsd_t:s0-s0:c0.c1023')
|-dbus-daemon(`system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023')
| `-{dbus-daemon}(`system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023')
|-dbus-daemon(`system_u:system_r:system_dbusd_t:s0-s0:c0.c1023')
| `-{dbus-daemon}(`system_u:system_r:system_dbusd_t:s0-s0:c0.c1023')
|-dbus-launch(`system_u:system_r:xdm_t:s0-s0:c0.c1023')
|-dictd(`system_u:system_r:dictd_t:s0')
|-gam_server(`system_u:system_r:rpm_t:s0')
|-gconfd-2(`system_u:system_r:xdm_t:s0-s0:c0.c1023')
|-gdm-binary(`system_u:system_r:xdm_t:s0-s0:c0.c1023')
| `-gdm-simple-slav(`system_u:system_r:xdm_t:s0-s0:c0.c1023')
| |-Xorg(`system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023')
| |-gdm-session-wor(`system_u:system_r:xdm_t:s0-s0:c0.c1023')
| `-gnome-session(`system_u:system_r:xdm_t:s0-s0:c0.c1023')
| |-gdm-simple-gree(`system_u:system_r:xdm_t:s0-s0:c0.c1023')
| |-metacity(`system_u:system_r:xdm_t:s0-s0:c0.c1023')
| `-{gnome-session}(`system_u:system_r:xdm_t:s0-s0:c0.c1023')
|-gnome-power-man(`system_u:system_r:xdm_t:s0-s0:c0.c1023')
|-gnome-settings-(`system_u:system_r:xdm_t:s0-s0:c0.c1023')
| `-{gnome-settings-}(`system_u:system_r:xdm_t:s0-s0:c0.c1023')
|-gvfsd(`system_u:system_r:xdm_t:s0-s0:c0.c1023')
|-hald(`system_u:system_r:hald_t:s0')
| `-hald-runner(`system_u:system_r:hald_t:s0')
| |-hald-addon-acpi(`system_u:system_r:hald_t:s0')
| |-hald-addon-cpuf(`system_u:system_r:hald_t:s0')
| |-hald-addon-inpu(`system_u:system_r:hald_t:s0')
| `-hald-addon-stor(`system_u:system_r:hald_t:s0')
|-irqbalance(`system_u:system_r:irqbalance_t:s0')
|-mingetty(`system_u:system_r:getty_t:s0')
|-mingetty(`system_u:system_r:getty_t:s0')
|-mingetty(`system_u:system_r:getty_t:s0')
|-mingetty(`system_u:system_r:getty_t:s0')
|-mingetty(`system_u:system_r:getty_t:s0')
|-nasd(`system_u:system_r:soundd_t:s0')
|-ntpd(`system_u:system_r:ntpd_t:s0')
|-restorecond(`system_u:system_r:restorecond_t:s0')
|-rpc.idmapd(`system_u:system_r:rpcd_t:s0')
|-rpc.statd(`system_u:system_r:rpcd_t:s0')
|-rpcbind(`system_u:system_r:rpcbind_t:s0')
|-rsyslogd(`system_u:system_r:syslogd_t:s0')
| |-{rsyslogd}(`system_u:system_r:syslogd_t:s0')
| `-{rsyslogd}(`system_u:system_r:syslogd_t:s0')
|-sendmail(`system_u:system_r:sendmail_t:s0')
|-sendmail(`system_u:system_r:sendmail_t:s0')
|-setroubleshootd(`system_u:system_r:setroubleshootd_t:s0')
| |-{setroubleshootd}(`system_u:system_r:setroubleshootd_t:s0')
| `-{setroubleshootd}(`system_u:system_r:setroubleshootd_t:s0')
|-smartd(`system_u:system_r:fsdaemon_t:s0')
|-sshd(`system_u:system_r:sshd_t:s0-s0:c0.c1023')
| `-sshd(`system_u:system_r:sshd_t:s0-s0:c0.c1023')
| `-bash(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
| `-pstree(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
|-udevd(`system_u:system_r:udev_t:s0-s0:c0.c1023')
`-yum-updatesd(`system_u:system_r:rpm_t:s0')
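
Added example, not part of the original message or its attachment: a small parser for `pstree -Z` output that reports daemons running outside the domain they are expected to start in, which is the condition described in the quoted text (sshd in system_crond_t). The EXPECTED baseline is an assumption taken from the attached output, and both sample inputs are constructed.

```python
import re

# One node of `pstree -Z` output, e.g.  |-sshd(`system_u:system_r:sshd_t:s0')
NODE = re.compile(r"(?:^|[|`]-)(?P<name>[^(|`\s]+)\(`(?P<ctx>[^']+)'\)")

# Assumed baseline (daemon -> expected type), read off the attached output.
EXPECTED = {"init": "init_t", "sshd": "sshd_t",
            "crond": "crond_t", "auditd": "auditd_t"}

def parse(text):
    """Yield (process, user, role, type, level) per node, skipping threads."""
    for line in text.splitlines():
        m = NODE.search(line)
        if not m or m["name"].startswith("{"):   # {name} entries are threads
            continue
        parts = m["ctx"].split(":", 3)           # the level may itself contain ':'
        if len(parts) < 3:
            continue                             # not a full SELinux context
        level = parts[3] if len(parts) > 3 else ""
        yield (m["name"], parts[0], parts[1], parts[2], level)

def mismatches(text, expected=EXPECTED):
    """Return sorted, de-duplicated (process, actual_type, expected_type)."""
    found = {(name, type_, expected[name])
             for name, _user, _role, type_, _level in parse(text)
             if name in expected and type_ != expected[name]}
    return sorted(found)

# Constructed sample: sshd restarted from a cron job, as in the quoted text.
BOTCHED = """init(`system_u:system_r:init_t:s0')
 |-crond(`system_u:system_r:crond_t:s0-s0:c0.c1023')
 |-auditd(`system_u:system_r:auditd_t:s0')
 |   `-{auditd}(`system_u:system_r:auditd_t:s0')
 `-sshd(`system_u:system_r:system_crond_t:s0-s0:c0.c1023')
     `-sshd(`system_u:system_r:system_crond_t:s0-s0:c0.c1023')
"""

# Constructed sample in the shape of the attached output after the reboot.
HEALTHY = """init(`system_u:system_r:init_t:s0')
 |-crond(`system_u:system_r:crond_t:s0-s0:c0.c1023')
 `-sshd(`system_u:system_r:sshd_t:s0-s0:c0.c1023')
     `-sshd(`system_u:system_r:sshd_t:s0-s0:c0.c1023')
         `-bash(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
"""

if __name__ == "__main__":
    for name, actual, wanted in mismatches(BOTCHED):
        print(f"{name}: running in {actual}, expected {wanted}")
```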