Cannot login with selinux on

Tom London selinux at gmail.com
Sun Jun 5 15:54:02 UTC 2005


On 6/4/05, Ian Puleston <ian at underpressuredivers.com> wrote:
> Since updating to Kernel 2.6.11-1.1366_FC4, and now 2.6.11-1.1369_FC4, I
> haven't been able to login as root or any other user, getting error
> message "No shell: permission denied" on login followed by the login
> prompt again. This only happens with selinux, and does not happen if I
> boot with "selinux=no" - then it works fine and I can login OK. This is
> with login from the console after booting to level 3 (no X).
> 
> In /var/log/messages I'm seeing the following when this happens:
> 
> Jun  1 00:21:45 localhost login(pam_unix)[2704]: session opened for user
> ian by (uid=0)
> Jun  1 00:21:45 localhost login[2704]: Warning!  Could not
> relabel /dev/tty1 with user_u:object_r:tty_device_t, not
> relabeling.Permission denied
> Jun  1 00:21:45 localhost  -- ian[2704]: LOGIN ON tty1 BY ian
> Jun  1 00:21:45 localhost login(pam_unix)[2704]: session closed for user
> ian
> 
> And I also see the following in there - don't know if this is relevant:
> 
> Jun  1 00:21:28 localhost kernel: audit(1117610487.009:3): avc:  denied
> { sys_admin } for  pid=2078 comm="consoletype" capability=21
> scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t
> tclass=capability
> Jun  1 00:21:28 localhost kernel: SELinux: initialized (dev rpc_pipefs,
> type rpc_pipefs), uses genfs_contexts
> 
> Any ideas anyone (other than permanently turning off selinux)?
> 
> Ian
> 
> 
> >From Ian Puleston:
> >
> > Now, with the new Kernel, I cannot login in at all. Trying to login as root
> > or another user gives an error "no shell" and then back to the login prompt.
> >
> > Is there any way to get round this other than a full re-install?
> >
> > Ian
> >
OK,.... a few suggestions/questions:

1. When you updated to new kernel, did you only update kernel or did
you also update the selinux policy packages? If not, do a full rawhide
update.

2. Probably need to relabel file system. Do 'touch /.autorelabel' (as
root) and reboot (without selinux=0). That will relabel the entire
filesystem(s) during reboot. (Go get coffee, as this will take a few
minutes.)

3. When you have problems like this, it is better NOT to boot with
'selinux=0', but to boot with 'enforcing=0'. This leaves SELinux
'reporting but not enforcing', allowing it to properly label files
created or touched.  Booting with 'selinux=0' will almost always
require (at least some) relabeling.

tom
-- 
Tom London
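
An added example, not part of the original post: a small Python triage of the syslog lines quoted above, separating kernel AVC denials from login's tty relabel failure so each can be read by source type, target type and class. The sample log is reconstructed from the quoted lines with the e-mail wrapping undone, and the function names are illustrative.

```python
import re

# Constructed sample: the syslog lines quoted in the post, e-mail line wrapping undone.
SAMPLE_LOG = """\
Jun  1 00:21:28 localhost kernel: audit(1117610487.009:3): avc:  denied { sys_admin } for  pid=2078 comm="consoletype" capability=21 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=capability
Jun  1 00:21:45 localhost login(pam_unix)[2704]: session opened for user ian by (uid=0)
Jun  1 00:21:45 localhost login[2704]: Warning!  Could not relabel /dev/tty1 with user_u:object_r:tty_device_t, not relabeling.Permission denied
Jun  1 00:21:45 localhost login(pam_unix)[2704]: session closed for user ian
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
RELABEL_RE = re.compile(r"Could not\s+relabel\s+(?P<path>\S+)\s+with\s+(?P<context>[^,\s]+)")

def parse_avc(line):
    """Return a dict for an 'avc: denied' line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")):
        rec[key] = value.strip('"')
    # A context is user:role:type[:level]; the third field is the type.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")
        if len(parts) >= 3:
            rec[side + "_type"] = parts[2]
    return rec

def triage(log_text):
    """Split a log into AVC denials and login relabel failures."""
    denials, relabel_failures = [], []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc:
            denials.append(avc)
            continue
        m = RELABEL_RE.search(line)
        if m:
            relabel_failures.append((m.group("path"), m.group("context")))
    return denials, relabel_failures

if __name__ == "__main__":
    denials, failures = triage(SAMPLE_LOG)
    for d in denials:
        print(d["comm"], d["scontext_type"], "->", d["tcontext_type"], d["tclass"], d["perms"])
    for path, ctx in failures:
        print("login could not relabel", path, "to", ctx)
```
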



