su after disk reorganization.

Matthew Saltzman mjs at ces.clemson.edu
Mon Nov 28 18:40:05 UTC 2005


On Mon, 28 Nov 2005, Stephen Smalley wrote:

> On Mon, 2005-11-28 at 10:39 -0500, Matthew Saltzman wrote:
>> I rebuilt my system disk to change the partitioning arrangement.  This
>> involved copying everything off, repartitioning, copying everything
>> back, and creating a new initrd.
>>
>> Almost everything seems to work now except that when I su, after the
>> password prompt, I get the following prompt:
>>
>>  	$ su
>>  	Password:
>>  	Your default context is root:system_r:kernel_t.
>>
>>  	Do you want to choose a different one? [n]
>>
>> That didn't happen before.  I tried autorelabel, but it had no effect.
>>
>> What did the copy fail to preserve, and how can I fix it?
>
> Can you run:
> 	/usr/sbin/sestatus -v | grep -v active
> and show the results?

#  /usr/sbin/sestatus -v | grep -v active
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 19
Policy from config file:        targeted

Policy booleans:

Process contexts:
Current context:                  root:system_r:kernel_t
Init context:                     system_u:system_r:init_t
/sbin/mingetty                    system_u:system_r:kernel_t
/usr/sbin/sshd                    system_u:system_r:kernel_t

File contexts:
Controlling term:                 system_u:object_r:devpts_t
/etc/passwd                       system_u:object_r:etc_t
/etc/shadow                       system_u:object_r:shadow_t
/bin/bash                         system_u:object_r:shell_exec_t
/bin/login                        system_u:object_r:login_exec_t
/bin/sh                           system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty                      system_u:object_r:getty_exec_t
/sbin/init                        system_u:object_r:init_exec_t
/sbin/mingetty                    system_u:object_r:getty_exec_t
/usr/sbin/sshd                    system_u:object_r:sshd_exec_t
/lib/libc.so.6                    system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2                system_u:object_r:lib_t -> system_u:object_r:ld_so_t

>
> Offhand, I would have assumed that the copy simply failed to preserve
> the security.selinux attributes, but you said that you tried relabeling
> (/sbin/fixfiles relabel) and presumably rebooted afterwards.  Or perhaps
> you just touched /.autorelabel and rebooted?  Maybe that isn't working
> properly?  Try relabeling explicitly.

I just touched /.autorelabel.  The relabel did proceed as ordered on 
reboot.  Here are the results of explicit relabel:

# /sbin/fixfiles relabel

     Files in the /tmp directory may be labeled incorrectly, this command
     can remove all files in /tmp.  If you choose to remove files from /tmp,
     a reboot will be required after completion.

     Do you wish to clean out the /tmp directory [N]? y
/.autofsck: Permission denied
/usr/sbin/setfiles:  unable to relabel /.autofsck to system_u:object_r:etc_runtime_t
/etc/rhgb/temp: Permission denied
/usr/sbin/setfiles:  unable to relabel /etc/rhgb/temp to system_u:object_r:mnt_t/etc/blkid.tab: Permission denied
/usr/sbin/setfiles:  unable to relabel /etc/blkid.tab to system_u:object_r:etc_runtime_t
/etc/resolv.conf.predhclient: Permission denied
/usr/sbin/setfiles:  unable to relabel /etc/resolv.conf.predhclient to system_u:object_r:net_conf_t
/var/run/utmp: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/utmp to system_u:object_r:initrc_var_run_t
/var/run/dhclient-eth0.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/dhclient-eth0.pid to system_u:object_r:dhcpc_var_run_t
/var/run/syslogd.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/syslogd.pid to system_u:object_r:syslogd_var_run_t
/var/run/klogd.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/klogd.pid to system_u:object_r:klogd_var_run_t
/var/run/rpc.statd.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/rpc.statd.pid to system_u:object_r:rpcd_var_run_t
/var/run/sdp: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/sdp to system_u:object_r:bluetooth_var_run_t
/var/run/nifd.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/nifd.pid to system_u:object_r:howl_var_run_t
/var/run/acpid.socket: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/acpid.socket to system_u:object_r:apmd_var_run_t
/var/run/ntpd.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/ntpd.pid to system_u:object_r:ntpd_var_run_t
/var/run/sendmail.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/sendmail.pid to system_u:object_r:sendmail_var_run_t
/var/run/sm-client.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/sm-client.pid to system_u:object_r:sendmail_var_run_t
/var/run/crond.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/crond.pid to system_u:object_r:crond_var_run_t
/var/run/atd.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/atd.pid to system_u:object_r:crond_var_run_t
/var/log/rpmpkgs: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/log/rpmpkgs to system_u:object_r:rpm_log_t
/home/mjs/.Xauthority: Permission denied
/usr/sbin/setfiles:  unable to relabel /home/mjs/.Xauthority to user_u:object_r:user_home_t
/home/mjs/.gpilotd.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /home/mjs/.gpilotd.pid to user_u:object_r:user_home_t

After rebooting, the problem is apparently solved, however.  Entering "su" 
and password results in a root prompt.

Thanks.

-- 
 		Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
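
A check for the symptom visible in the sestatus -v output above, added here as an example and not part of the original message: it lists entries in the "Process contexts" section whose SELinux type is kernel_t. The function names are hypothetical, and the embedded sample is constructed from the output quoted in the post, trimmed to the relevant sections.

```shell
#!/bin/sh
# Added example (not from the original thread): flag process entries in
# `sestatus -v` output whose context type is kernel_t.

# Reads `sestatus -v` output on stdin and prints "<name> <context>" for each
# flagged entry. Only the "Process contexts:" section is examined.
flag_kernel_t() {
    awk '
        /^Process contexts:/  { in_proc = 1; next }
        /^[A-Za-z ]+:[ \t]*$/ { in_proc = 0; next }  # any other section header
        in_proc && NF >= 2 {
            ctx = $NF                         # context is the last field
            n = split(ctx, part, ":")         # user:role:type
            if (n >= 3 && part[3] == "kernel_t") {
                name = $0
                sub(/[ \t]+[^ \t]+$/, "", name)   # drop the context column
                print name, ctx
            }
        }
    '
}

# Constructed sample: the relevant sections of the output shown in the post.
sample_sestatus() {
    cat <<'EOF'
SELinux status:                 enabled
Current mode:                   enforcing
Policy from config file:        targeted

Policy booleans:

Process contexts:
Current context:                  root:system_r:kernel_t
Init context:                     system_u:system_r:init_t
/sbin/mingetty                    system_u:system_r:kernel_t
/usr/sbin/sshd                    system_u:system_r:kernel_t

File contexts:
/sbin/mingetty                    system_u:object_r:getty_exec_t
/usr/sbin/sshd                    system_u:object_r:sshd_exec_t
EOF
}

# On a live system: /usr/sbin/sestatus -v | flag_kernel_t
sample_sestatus | flag_kernel_t
```

On the sample it reports the current shell, /sbin/mingetty and /usr/sbin/sshd, and skips init (init_t) and everything in the file-context section.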



