My home is fully labeled default_t after a kernel crash

Dominick Grift domg472 at gmail.com
Thu Aug 27 11:20:48 UTC 2009


On Thu, Aug 27, 2009 at 12:46:51PM +0200, Laurent Rineau wrote:
> On my F11 x64 machine, this morning, I have launched that command:
> 
> sudo semanage fcontext -a -t textrel_shlib_t /opt/intel/Compiler/11.0/081/mkl/lib/em64t/libmkl_core.so
> 
> After that, my X11 server froze. I managed to log in on the machine with ssh,
> but sudo got permission denied. :-(
Ouch
> 
> Then I have done:
> - A soft shutdown with the power button. That shutdown was successful.
> - Power on the machine. Boot the default kernel. Lots of AVC on the console. 
> X11 and mingetty unable to launch.
> - Reboot with "enforcing=0 autorelabel=1 single". Relabelling seems ok.
> - Reboot (with no selinux boot parameters). X11 and GDM ok. But just after I 
> tried to login, a popup told me something about permission denied on $HOME, 
> using HOME=/. Obviously, that failed!
> - Reboot with enforcing=0.
> 
> Then I have managed to understand that the problem is that almost all my files 
> in $HOME are labeled: "system_u:object_r:default_t:s0" (actually all my $HOME 
> but files with customized context).
> 
> Another problem: unconfined_u has disappeared!
> $ id -Z
> user_u:user_r:user_t:s0
> 
> $ sudo semanage user -l
>                 Labeling   MLS/       MLS/
> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
> 
> guest_u         user       s0         s0                             guest_r
> root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
> staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r
> sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
> system_u        user       s0         s0-s0:c0.c1023                 system_r
> user_u          user       s0         s0                             user_r
> xguest_u        user       s0         s0                             xguest_r
> 
> 
> 
> I have searched on the web for a solution, but the only solutions proposed were
> /.autorelabel! :-(
> 
> That is why I am looking for a clue here...
> 
> 
> The machine is under F11, with updates. My configuration:
> 
> $ rpm -qa \*selinux\* \*semana\* | sort
> libselinux-2.0.80-1.fc11.i586
> libselinux-2.0.80-1.fc11.x86_64
> libselinux-debuginfo-2.0.80-1.fc11.x86_64
> libselinux-devel-2.0.80-1.fc11.x86_64
> libselinux-python-2.0.80-1.fc11.x86_64
> libselinux-utils-2.0.80-1.fc11.x86_64
> libsemanage-2.0.31-4.fc11.x86_64
> libsemanage-python-2.0.31-4.fc11.x86_64
> selinux-policy-3.6.12-78.fc11.noarch
> selinux-policy-targeted-3.6.12-78.fc11.noarch
> 
> $ uname -a
> Linux matisse.localdomain 2.6.29.6-217.2.8.fc11.x86_64 #1 SMP Sat Aug 15 01:06:26 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
> 
> $ sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 24
> Policy from config file:        targeted
> 
> (But the machine was in enforcing mode at the beginning of the story.)
> 
I'd probably reinstall selinux-policy
mv /etc/selinux/targeted /etc/selinux/targeted.backup

yum remove selinux-policy\*
yum install selinux-policy selinux-policy-targeted
touch /.autorelabel && reboot

> -- 
> Laurent Rineau
> http://fedoraproject.org/wiki/LaurentRineau
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
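A way to check that both symptoms reported in this thread (home files labeled default_t, unconfined_u absent from the SELinux user list) are gone after the relabel. This is an added example, not part of either poster's message; the function names, the EXPECTED_USERS list and the /home/alice sample paths are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example: post-recovery checks for the two symptoms in this thread.
# Assumption: the expected users are those in the poster's listing plus
# unconfined_u, which he reports as having disappeared.
EXPECTED_USERS="guest_u root staff_u sysadm_u system_u unconfined_u user_u xguest_u"

# Reads `semanage user -l` output on stdin; prints each expected user that is absent.
missing_selinux_users() {
    local listing user
    listing=$(awk '{ print $1 }')   # first column only; header words never match a user
    for user in $EXPECTED_USERS; do
        printf '%s\n' "$listing" | grep -qx -- "$user" || printf '%s\n' "$user"
    done
}

# Reads "context<TAB>path" lines on stdin, as produced on a live system by
#   find "$HOME" -xdev -printf '%Z\t%p\n'
# and prints the paths whose type (third context field) is default_t.
default_t_paths() {
    awk -F'\t' '{ split($1, ctx, ":"); if (ctx[3] == "default_t") print $2 }'
}

# Constructed sample: the user listing quoted in the thread, lines unwrapped.
sample_user_listing() {
    cat <<'EOF'
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
EOF
}

# Constructed sample: three labeled paths, two of them still default_t.
sample_labels() {
    printf '%s\t%s\n' \
        'system_u:object_r:default_t:s0' '/home/alice/notes.txt' \
        'unconfined_u:object_r:user_home_t:s0' '/home/alice/ok.txt' \
        'system_u:object_r:default_t:s0' '/home/alice/.bashrc'
}

echo "Missing SELinux users:";         sample_user_listing | missing_selinux_users
echo "Paths still labeled default_t:"; sample_labels | default_t_paths
```

On a real machine, pipe `semanage user -l` into `missing_selinux_users` and the `find` command from the comment into `default_t_paths`; empty output from both means neither symptom remains.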