selinux adventures/troubles

Daniel J Walsh dwalsh at redhat.com
Sun Jan 4 19:29:44 UTC 2009


Michal Jaegermann wrote:
> On Sun, Jan 04, 2009 at 12:08:09PM -0500, Daniel J Walsh wrote:
>> Michal Jaegermann wrote:
>>> Something rather weird for 'id -Z':  system_u:system_r:system_crond_t:s0
>>> The other machine after an upgrades reports
>>> 'root:unconfined_r:unconfined_t:SystemLow-SystemHigh' which looks
>>> like something saner.
>>>
>>>> # semanage login -l
>>> Login Name                SELinux User              MLS/MCS Range            
>>>
>>> __default__               unconfined_u              s0-s0:c0.c1023           
>>> root                      system_u                  s0-s0:c0.c1023           
>>> system_u                  system_u                  s0-s0:c0.c1023           
>>>
>> I think the problem is logging in as root is screwed up.
> 
> Indeed.  I had that impression for quite a while.
> 
>> if you execute
>>
>> # semanage login -m -s unconfined_u root
>> This should cause root users to login in as unconfined_t automatically.
> 
> That indeed changes 'semanage login -l' output to
> 
> Login Name                SELinux User              MLS/MCS Range            
> 
> __default__               unconfined_u              s0-s0:c0.c1023           
> root                      unconfined_u              s0-s0:c0.c1023           
> system_u                  system_u                  s0-s0:c0.c1023
> 
> but it does not help that much.  I still get "Unable to get valid
> context for root" from a login and 'system_u:system_r:system_crond_t:s0'
> for 'id -Z'.  BTW - that does not generate any audit messages; only
> "error: ssh_selinux_setup_pty: security_compute_relabel: Invalid
> argument", and related, in /var/log/secure.
> 
>>    The sshd running as system_crond_t?
> 
> I told you this is weird.  All of that after an upgrade from F8 to
> F10.  I really would like to know why as surely this is not a result
> of me trying hard to mess things up.
> 
>> Does this happen on reboot?
> 
> That machine was rebooted a number of times and nothing changes.
> I cannot switch to 'enforcing' as the box is "remote" and most
> likely that would immediately cut me off.  Before an upgrade this
> was 'targeted' and 'enforcing'.  As I wrote before: after an upgrade
> I had to force relabelling on a reboot as otherwise most anything
> was only spitting on me.
> 
> BTW - I did some hacking and I do not see at this moment any "avc"
> type failure notifications in /var/log/messages.  Only right now
> the box is rather quiet.  I am not sure what will happen when
> regular users will show up.
> 
>    Michal
> 
If you execute service sshd restart as the unconfined_t user, does it
still start as system_crond_t?

I actually just upgraded my Father's machine from F8 to F10 and had a
problem with the root account not being set up to login correctly.  But I
saw no problems with sshd?
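The two checks Dan asks for (what SELinux user the root login maps to, and what domain sshd is actually running in) as an added example, not code from the thread. It assumes a Fedora targeted policy, in which sshd is expected to run as sshd_t and an interactive root login should map to unconfined_u. With no argument it runs against constructed sample data copied from the quoted output; with --live it runs semanage and ps on the local box.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks the SELinux user the root
# login maps to and the domain sshd runs in. Assumption: Fedora targeted
# policy, where sshd should run as sshd_t and root should map to unconfined_u.

# Constructed sample of `semanage login -l` output: the broken "before" state.
SAMPLE_LOGINS='Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      system_u                  s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023'

# Constructed sample of `ps -eZ` output with sshd in the wrong domain.
SAMPLE_PS='LABEL                                   PID TTY          TIME CMD
system_u:system_r:init_t:s0               1 ?        00:00:01 init
system_u:system_r:system_crond_t:s0    2104 ?        00:00:00 sshd
system_u:system_r:crond_t:s0           2210 ?        00:00:00 crond'

EXPECTED_SSHD_TYPE=sshd_t   # assumption: Fedora targeted policy

# seuser_for_login LOGIN: the SELinux user LOGIN is explicitly mapped to,
# read from `semanage login -l` output on stdin (empty if unmapped).
seuser_for_login() {
    awk -v login="$1" '$1 == login { print $2; exit }'
}

# context_type CONTEXT: the type field of a user:role:type:level context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# proc_context NAME: context of the first process named NAME, read from
# `ps -eZ` output on stdin (empty if no such process).
proc_context() {
    awk -v name="$1" '$NF == name { print $1; exit }'
}

# login_status LOGIN: prints ok | broken | unmapped | other:<seuser>
login_status() {
    seuser=$(seuser_for_login "$1")
    case "$seuser" in
        unconfined_u) echo ok ;;
        # the thread's failure; fix with: semanage login -m -s unconfined_u LOGIN
        system_u)     echo broken ;;
        # no explicit mapping: the login falls through to __default__
        "")           echo unmapped ;;
        *)            echo "other:$seuser" ;;
    esac
}

# sshd_status: prints ok if sshd runs as $EXPECTED_SSHD_TYPE, else
# wrong:<type>, or missing if no sshd process is listed.
sshd_status() {
    ctx=$(proc_context sshd)
    [ -n "$ctx" ] || { echo missing; return; }
    t=$(context_type "$ctx")
    [ "$t" = "$EXPECTED_SSHD_TYPE" ] && echo ok || echo "wrong:$t"
}

if [ "${1:-}" = "--live" ]; then
    echo "root login:  $(semanage login -l | login_status root)"
    echo "sshd domain: $(ps -eZ | sshd_status)"
else
    echo "root login:  $(printf '%s\n' "$SAMPLE_LOGINS" | login_status root)"
    echo "sshd domain: $(printf '%s\n' "$SAMPLE_PS" | sshd_status)"
fi
```

Against the sample data this prints "root login:  broken" and "sshd domain: wrong:system_crond_t". A "broken" root mapping is what the semanage login -m command in the thread fixes; a wrong sshd domain after that is a separate problem, which is why Dan asks whether sshd restarted from an unconfined_t shell still lands in system_crond_t.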

