selinux adventures/troubles
Daniel J Walsh
dwalsh at redhat.com
Sun Jan 4 19:29:44 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Michal Jaegermann wrote:
> On Sun, Jan 04, 2009 at 12:08:09PM -0500, Daniel J Walsh wrote:
>> Michal Jaegermann wrote:
>>> Something rather weird for 'id -Z': system_u:system_r:system_crond_t:s0
>>> The other machine after an upgrades reports
>>> 'root:unconfined_r:unconfined_t:SystemLow-SystemHigh' which looks
>>> like something saner.
>>>
>>>> # semanage login -l
>>> Login Name SELinux User MLS/MCS Range
>>>
>>> __default__ unconfined_u s0-s0:c0.c1023
>>> root system_u s0-s0:c0.c1023
>>> system_u system_u s0-s0:c0.c1023
>>>
>> I think the problem is logging in as root is screwed up.
>
> Indeed. I had that impression for quite a while.
>
>> if you execute
>>
>> # semanage login -m -s unconfined_u root
>> This should cause root users to login in as unconfined_t automatically.
>
> That indeed changes 'semanage login -l' output to
>
> Login Name SELinux User MLS/MCS Range
>
> __default__ unconfined_u s0-s0:c0.c1023
> root unconfined_u s0-s0:c0.c1023
> system_u system_u s0-s0:c0.c1023
>
> but it does not help that much. I still get "Unable to get valid
> context for root" from a login and 'system_u:system_r:system_crond_t:s0'
> for 'id -Z'. BTW - that does not generate any audit messages; only
> "error: ssh_selinux_setup_pty: security_compute_relabel: Invalid
> argument", and related, in /var/log/secure.
>
>> The sshd running as system_crond_t?
>
> I told you this is weird. All of that after an upgrade from F8 to
> F10. I really would like to know why as surely this is not a result
> of me trying hard to mess things up.
>
>> Does this happen on reboot?
>
> That machine was rebooted a number of times and nothing changes.
> I cannot switch to 'enforcing' as the box is "remote" and most
> likely that would immediately cut me off. Before an upgrade this
> was 'targeted' and 'enforcing'. As I wrote before: after an upgrade
> I had to force relabelling on a reboot as otherwise most anything
> was only spitting on me.
>
> BTW - I did some hacking and I do not see at this moment any "avc"
> type failure notifications in /var/log/messages. Only right now
> the box is rather quiet. I am not sure what will happen when
> regular users will show up.
>
> Michal
>
If you execute service sshd restart from the unconfined_t user does it
still start as system_crond_t?
I actually just upgraded my Father's machine from F8 to F10 and had a
problem with the root account not being setup to login correctly. But I
saw no problems with sshd?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAklhDigACgkQrlYvE4MpobNQ3wCeOJMu4KZnGYTw2bQYJN/fcK/z
me8AniK3iq5McSk0s0uS+Jy3awck6HVE
=Wx8f
-----END PGP SIGNATURE-----
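The thread works through three checks by hand: the context `id -Z` reports for root, the `semanage login -l` mapping (and the `semanage login -m -s unconfined_u root` fix), and whether sshd itself is running in the expected domain. The script below is an added example, not code from the thread or from the SELinux tools; it parses those three output formats so the same checks can be made mechanically. The sample outputs are constructed to mirror what the thread shows, and the `ps -eZ` column layout (LABEL PID TTY TIME CMD) is an assumption about the tool rather than something the messages display.

```shell
#!/bin/sh
# Added example, not code from the thread: small parsers for the output
# formats discussed above (`id -Z`, `semanage login -l`, `ps -eZ`) so the
# symptoms can be checked without eyeballing. Sample outputs are constructed;
# the `ps -eZ` column layout (LABEL PID TTY TIME CMD) is an assumption.

# Type field (third colon-separated field) of an SELinux context string.
context_type() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# SELinux user field (first field) of a context string.
context_user() {
    printf '%s\n' "$1" | awk -F: '{ print $1 }'
}

# Read `semanage login -l` output on stdin; print the SELinux user that login
# $1 maps to, falling back to the __default__ row when there is no explicit one.
# Live use: semanage login -l | login_mapping root
login_mapping() {
    awk -v name="$1" '
        $1 == name          { found = $2 }
        $1 == "__default__" { def = $2 }
        END { print (found != "" ? found : def) }'
}

# Read `ps -eZ` output on stdin; print "PID type" for every process named $1
# whose domain is not $2.  Live use: ps -eZ | processes_with_wrong_type sshd sshd_t
processes_with_wrong_type() {
    awk -v cmd="$1" -v want="$2" '
        NR > 1 && $NF == cmd {
            split($1, f, ":")      # f[3] is the type even when the range has colons
            if (f[3] != want) print $2, f[3]
        }'
}

# --- constructed samples mirroring the thread (not real machine output) ---
SEMANAGE_SAMPLE='Login Name           SELinux User         MLS/MCS Range

__default__          unconfined_u         s0-s0:c0.c1023
root                 system_u             s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023'

PS_SAMPLE='LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0               1 ?        00:00:01 init
system_u:system_r:system_crond_t:s0     812 ?        00:00:00 crond
system_u:system_r:system_crond_t:s0    2210 ?        00:00:00 sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 2301 ?     00:00:00 sshd'

ROOT_SHELL_CONTEXT='system_u:system_r:system_crond_t:s0'   # what `id -Z` showed

# Print a short diagnosis from the three inputs; returns 1 if anything looks off.
diagnose() {
    status=0
    mapping=$(printf '%s\n' "$2" | login_mapping root)
    echo "root login maps to SELinux user: $mapping"
    if [ "$mapping" != unconfined_u ]; then
        echo "  -> root will not land in unconfined_t; fix: semanage login -m -s unconfined_u root"
        status=1
    fi
    echo "shell context type: $(context_type "$1")"
    if [ "$(context_type "$1")" != unconfined_t ]; then
        echo "  -> interactive root shell is not unconfined_t"
        status=1
    fi
    odd=$(printf '%s\n' "$3" | processes_with_wrong_type sshd sshd_t)
    if [ -n "$odd" ]; then
        echo "sshd processes outside sshd_t (PID type):"
        printf '  %s\n' "$odd"
        status=1
    fi
    return $status
}

diagnose "$ROOT_SHELL_CONTEXT" "$SEMANAGE_SAMPLE" "$PS_SAMPLE" || echo "problems found (see above)"
```

On a live box the three helpers take the real command output on stdin, as the comments show; with the constructed samples the script reproduces the thread's situation (root mapped to `system_u`, a `system_crond_t` shell, and one sshd outside `sshd_t`) and reports all three.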