Non-root console login issue! (was: Problem with VNC and SELinux:FC4)

Daniel J Walsh dwalsh at redhat.com
Tue Dec 20 19:20:25 UTC 2005


Daniel B. Thurman wrote:
>> From: fedora-list-bounces at redhat.com
>> [mailto:fedora-list-bounces at redhat.com]On Behalf Of Daniel B. Thurman
>> Sent: Saturday, December 17, 2005 2:30 PM
>> To: For users of Fedora Core releases
>> Cc: Fedora SELinux support list for users & developers.
>> Subject: Non-root console login issue! (was: Problem with VNC and
>> SELinux:FC4)
>>
>>
>>> From: fedora-list-bounces at redhat.com
>>> [mailto:fedora-list-bounces at redhat.com]On Behalf Of Daniel B. Thurman
>>> Sent: Friday, December 16, 2005 6:11 PM
>>> To: For users of Fedora Core releases (E-mail)
>>> Cc: Fedora SELinux support list for users & developers.
>>> Subject: Problem with VNC and SELinux: FC4
>>>
>>>
>>>
>>> Folks,
>>>
>>> With the new SELinux updates, it appears that root,
>>> other than normal users can login to Fedora via VNC
>>> Server?  My VNC Server is setup such that I am using
>>> xinitd for VNC Server requests.
>>>
>>> Another problem I noticed is that when I log into my
>>> Fedora system via VNC as root user, and open a xterm
>>> window and run a su - <normal-user>, I get back a
>>> SElinux message:
>>>
>>> ================================================
>>> # su - dan
>>> Your default context is: user_u:system_r:kernel_t.
>>>
>>> Do you want to want to choose a different one? [n]
>>> ================================================
>>>
>>> It is *possible* that this problem came up when
>>> I had to make a copy of my filesystem to another
>>> hard-disk for the purpose of creating a /boot
>>> partition (my bad) and copied/restored the filesystem
>>> back over to the main drive.  I don't think I made
>>> any copy/restore mistakes as I know the fs permissions
>>> are correct but I cannot speak for filesystem journaling
>>> or whatever that keeps track of the SELinux attributes.
>>>
>>> In any case, what can I do to resolve my VNC and/or su
>>> issue knowing that SElinux has something to do with it?
>>>
>>> Thanks!
>>> Dan Thurman
>>>
>> Problem is not related to SELinux and not really related
>> to VNC. It turns out that I cannot log into the console
>> as a non-root user and I get a message saying:
>>
>> =======================================================
>> Your session lasted less than 10 seconds. If you have not
>> logged out yourself, this could mean that there is some
>> installation problem or that you may be out of diskspace.
>> Try logging in with one of the failsafe sessions to see if
>> you can fix this problem.
>>
>> [] View details (~/.xsession-errors file)
>> =======================================================
>>
>> The problem here is that the .xsession-errors file does
>> not exist.  I also note from /var/log/message file:
>>
>> =======================================================
>> Dec 17 12:45:31 linux gdm(pam_unix)[16480]: session opened for 
>> user dant by (uid=0)
>> Dec 17 12:45:32 linux gdm(pam_unix)[16480]: session closed for 
>> user dant
>> Dec 17 12:45:32 linux dbus: avc:  0 AV entries and 0/512 
>> buckets used, longest chain length 0
>> =======================================================
>>
>> And from /var/log/audit/audit.log
>> =======================================================
>> type=USER_AUTH msg=audit(1134858412.155:3929): user pid=3397 
>> uid=0 auid=4294967295 msg='PAM authentication: user=dant 
>> exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 
>> result=Success)'
>> type=USER_ACCT msg=audit(1134858412.159:3930): user pid=3397 
>> uid=0 auid=4294967295 msg='PAM accounting: user=dant 
>> exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 
>> result=Success)'
>> type=CRED_ACQ msg=audit(1134858412.247:3931): user pid=3397 
>> uid=0 auid=4294967295 msg='PAM setcred: user=dant 
>> exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 
>> result=Success)'
>> type=USER_START msg=audit(1134858412.307:3932): user pid=3397 
>> uid=0 auid=4294967295 msg='PAM session open: user=dant 
>> exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 
>> result=Success)'
>> =======================================================
>>
>> File:
>> # ls -l /usr/bin/gdm-binary
>> -rwxr-xr-x  1 root root 251668 May 23  2005 /usr/bin/gdm-binary
>>
>> HALLLLLP!  Please :-)
>>
>> Dan
>>
>
> Sorry - had to add this tidbit....  seems that SElinux may be
> involved or maybe my file journaling is messed up after a "restore"?
>
> I tried to create a new user account to see if by doing this
> I would get a correct security context and be able to log
> into the console but WHOA!!!  What is going on here!?!?!?
>
> =======================================================
> [root at linux ~]# useradd dant2
> useradd: cannot rewrite password file
> [root at linux ~]#
> =======================================================
> File: /var/log/audit/audit.log:
>
> 94967295 msg='useradd: op=adding home directory acct=dant2 res=success'
> type=AVC msg=audit(1134859204.879:4004): avc:  denied  { create } for  pid=19177 comm="useradd" name=".kde" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
> type=SYSCALL msg=audit(1134859204.879:4004): arch=40000003 syscall=39 success=no exit=-13 a0=bfd81470 a1=1ed a2=98fd2ef a3=ffffffff items=1 pid=19177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
> type=CWD msg=audit(1134859204.879:4004):  cwd="/root"
> type=PATH msg=audit(1134859204.879:4004): item=0 name="/home/dant2/.kde" flags=10  inode=1245989 dev=03:02 mode=040755 ouid=511 ogid=512 rdev=00:00
> type=AVC msg=audit(1134859204.883:4005): avc:  denied  { create } for  pid=19177 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file
> type=SYSCALL msg=audit(1134859204.883:4005): arch=40000003 syscall=5 success=no exit=-13 a0=bfd817e4 a1=8241 a2=1b6 a3=98f6f38 items=1 pid=19177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
> type=CWD msg=audit(1134859204.883:4005):  cwd="/root"
> type=PATH msg=audit(1134859204.883:4005): item=0 name="/etc/passwd+" flags=310 inode=1212417 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
> type=USER_CHAUTHTOK msg=audit(1134859204.883:4006): user pid=19177 uid=0 auid=4294967295 msg='useradd: op=adding user acct=dant2 res=failed'
> =======================================================
>
> Dan
>
Looks like you have a labeling problem.  file_t files should not exist 
if your system is properly labeled.  This either indicates you booted 
with selinux=0 or you added additional disks.

You can relabel by executing

touch /.autorelabel
reboot
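The diagnosis above rests on reading the AVC lines in /var/log/audit/audit.log and noticing that the target of the second denial is labeled file_t (a file the policy has never labeled) while the subject of both is running as kernel_t (a process that did not transition into the domain policy expects). The following added example, which is not code from the thread or from any Fedora tool, is a small audit.log triage script that parses AVC records and sorts each denial into "relabel the filesystem", "subject domain is wrong" or "ordinary policy denial". The sample input is the two AVC lines quoted earlier in this thread plus their surrounding records; the function and rule names (parse_avc, classify, analyze_audit_log, UNLABELED_TYPES) are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the audit.log records quoted in the thread above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1134859204.879:4004): avc:  denied  { create } for  pid=19177 comm="useradd" name=".kde" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
type=SYSCALL msg=audit(1134859204.879:4004): arch=40000003 syscall=39 success=no exit=-13 items=1 pid=19177 comm="useradd" exe="/usr/sbin/useradd"
type=AVC msg=audit(1134859204.883:4005): avc:  denied  { create } for  pid=19177 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file
type=USER_CHAUTHTOK msg=audit(1134859204.883:4006): user pid=19177 uid=0 auid=4294967295 msg='useradd: op=adding user acct=dant2 res=failed'
"""

# Matches the fixed prefix of an AVC record; everything after "for" is key=value pairs.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value where value is either a quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that mean "this object carries no policy label at all".
# file_t is what unlabeled files show as under the FC4 targeted policy;
# unlabeled_t is the generic SELinux name for the same condition.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def parse_avc(line: str) -> Optional[Dict]:
    """Parse one audit.log line; return a record for AVC lines, None otherwise."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "action": m.group("action"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
    }


def context_type(ctx: Optional[str]) -> Optional[str]:
    """Return the type field of a user:role:type[:level] security context."""
    if not ctx:
        return None
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def classify(rec: Dict) -> str:
    """Decide what a denial most likely indicates (heuristic, this example's own)."""
    ttype = context_type(rec["tcontext"])
    stype = context_type(rec["scontext"])
    if ttype in UNLABELED_TYPES:
        # The object has no label: the filesystem was written without SELinux
        # (selinux=0 boot, foreign disk, copy/restore) and needs a relabel.
        return "relabel"
    if stype == "kernel_t":
        # The acting process never left kernel_t, so init/login never
        # transitioned it: the login path binaries are mislabeled.
        return "subject-mislabeled"
    return "policy"


def analyze_audit_log(text: str) -> List[Dict]:
    """Return every AVC denial with its verdict attached."""
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["action"] == "denied":
            rec["verdict"] = classify(rec)
            out.append(rec)
    return out


def needs_relabel(text: str) -> bool:
    """True when any denial points at an unlabeled object (touch /.autorelabel; reboot)."""
    return any(r["verdict"] == "relabel" for r in analyze_audit_log(text))


if __name__ == "__main__":
    for r in analyze_audit_log(SAMPLE_AUDIT_LOG):
        print(f'{r["serial"]}: {r["comm"]} {r["perms"]} on {r["tclass"]} "{r["name"]}" '
              f'{r["scontext"]} -> {r["tcontext"]}  => {r["verdict"]}')
    print("relabel needed:", needs_relabel(SAMPLE_AUDIT_LOG))
```

Run against a real log with `python3 triage.py < /var/log/audit/audit.log` after swapping SAMPLE_AUDIT_LOG for sys.stdin.read(); a single "relabel" verdict is enough to justify the touch /.autorelabel and reboot given above, and a run of "subject-mislabeled" verdicts with no unlabeled targets means the relabel should be followed by checking that the login daemons themselves now run in their own domains rather than kernel_t.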

