Everything got broken. selinux-policy-targeted-1.17.30-2.90
Omri Schwarz
ocschwar at MIT.EDU
Wed Mar 30 05:56:48 UTC 2005
Hi, everyone.
Until two days ago, when I ran up2date, I had a machine running
FC3 with SELinux targeted, user homedirs coming in over NFS,
Apache running and segregated into httpd_t land, and so on and so forth.
I ran up2date.
And it all went to hell. The upgrade to selinux-policy-targeted-1.17.30-2.90
prevented console logins, use of sudo, and startups from messagebus and httpd.
It did, however, allow SSH logins and use of 'su'.
Right now I have a machine that is using
selinux-policy-targeted-1.17.30-2.90.noarch.rpm, and I suffer from the same errors:
# /usr/sbin/getenforce
getenforce: getenforce() failed
]# /usr/sbin/getsebool -a
getsebool: booleans.c:48: security_get_boolean_names: Assertion `selinux_mnt' failed.
Aborted
# cat /selinux/enforce
1
# cd /selinux/booleans
# ls
allow_ypbind mysqld_disable_trans squid_disable_trans
dhcpd_disable_trans named_disable_trans syslogd_disable_trans
httpd_disable_trans named_write_master_zones use_nfs_home_dirs
httpd_enable_cgi nscd_disable_trans use_samba_home_dirs
httpd_enable_homedirs ntpd_disable_trans use_syslogng
httpd_ssi_exec portmap_disable_trans winbind_disable_trans
httpd_tty_comm postgresql_disable_trans ypbind_disable_trans
httpd_unified snmpd_disable_trans
# cat *
1 10 00 01 11 11 10 01 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
]# cat policyvers
18
Now, for the many multifarious weirdnesses that have sprung up on me:
I cannot log in to the console.
TTY logins fail silently and X logins leave this in the syslog:
Mar 29 18:43:42 HOST gdm(pam_unix)[5945]: session opened for user root by (uid=0)
Mar 29 18:43:42 HOST gdm[5135]: gdm_cleanup_children: child 5945 crashed of signal 6
Mar 29 18:43:42 HOST gdm[5135]: gdm_cleanup_children: Slave crashed, killing its children
Clearly something is denied a resource by selinux, causing a crash that
ends the login session.
I cannot sudo:
% sudo su root
Password:
root:system_r:unconfined_t is not a valid context
Doing a sudo leaves this in /var/log/secure:
Mar 30 00:47:29 HOST sudo: omri : TTY=pts/1 ; PWD=/nfs/newline/h1/omri ; USER=root ; COMMAND=/bin/su root
And this in /var/log/messages:
Mar 30 00:47:29 HOST sudo(pam_unix)[6028]: authentication failure; logname=omri uid=0 euid=0 tty=pts/1 ruser= rhost= user=omri
Mar 30 00:47:29 HOST sudo[6028]: pam_krb5[6028]: authentication succeeds for 'omri' (omri at SPACE.MIT.EDU)
I can SSH in, but this gets left in the logs:
Mar 30 00:43:48 HOST sshd[5941]: error: Failed to set exec security context omri:system_r:unconfined_t for omri. Continuing in permissive mode
I can su just fine, which is what lets me play around with these things.
The portmapper has its own difficulties:
Mar 30 00:55:15 HOST kernel: audit(1112162115.873:0): avc: denied { search } for pid=6178 exe=/sbin/portmap name=etc dev=hda3 ino=229377 scontext=root:system_r:portmap_t tcontext=system_u:object_r:home_root_t tclass=dir
Obviously, it's the console logins that I want to solve first and foremost.
Any help would be most appreciated.
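
The portmap AVC denial quoted in the message above, split into its fields and grouped by source type, target type and object class. This is an added example, not part of the original post; the function names are this example's own, and the second sample line is constructed to show the grouping.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Line 1: the denial quoted in the post, rejoined onto one line. Line 2: constructed
# for this example. Line 3: the post's sshd error, not an AVC record, so skipped.
_CTX = ("scontext=root:system_r:portmap_t "
        "tcontext=system_u:object_r:home_root_t tclass=dir")
SAMPLE_LOG = "\n".join([
    "Mar 30 00:55:15 HOST kernel: audit(1112162115.873:0): avc: denied { search } "
    "for pid=6178 exe=/sbin/portmap name=etc dev=hda3 ino=229377 " + _CTX,
    "Mar 30 00:55:16 HOST kernel: audit(1112162116.101:0): avc: denied { getattr } "
    "for pid=6178 exe=/sbin/portmap name=etc dev=hda3 ino=229377 " + _CTX,
    "Mar 30 00:43:48 HOST sshd[5941]: error: Failed to set exec security context",
])

AVC_RE = re.compile(
    r"audit\((?P<epoch>\d+)\.\d+:\d+\): avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: do not guess at missing contexts
    return {
        "time_utc": datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc).isoformat(),
        "perms": m["perms"].split(),
        "name": fields.get("name"),
        # A context is user:role:type, optionally followed by an MLS level.
        "source_type": fields["scontext"].split(":", 3)[2],
        "target_type": fields["tcontext"].split(":", 3)[2],
        "tclass": fields["tclass"],
    }

def summarize(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            groups[key].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}

if __name__ == "__main__":
    for key, perms in summarize(SAMPLE_LOG).items():
        print("%s -> %s (%s): %s" % (*key, ", ".join(perms)))
```

The audit timestamp is epoch seconds, so the parsed UTC time can be checked against the local syslog timestamp on the same line.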
More information about the fedora-selinux-list mailing list