[Fedora-livecd-list] Can't log in

Johan Vromans jvromans at squirrel.nl
Tue Sep 28 07:43:35 UTC 2010


Johan Vromans <jvromans at squirrel.nl> writes:

> Bruno Wolff III <bruno at wolff.to> writes:
>
>> Going back through the thread, I see that at least one of the tests that
>> failed you indicated was done with 034. Perhaps some F14 package also got
>> updated that affected this.
>>
>> If you see the problem happen again, please let us know.
>
> I'll run some more tests...

Respin with repos fedora and fedora-updates, selinux enforced, yields
two AVC denials. Messages attached.

TBC,
        Johan

--- 1 ---
Summary:

SELinux is preventing access to files with the label, file_t.

Detailed Description:

SELinux permission checks on files labeled file_t are being denied. file_t is
the context the SELinux kernel gives to files that do not have a label. This
indicates a serious labeling problem. No files on an SELinux box should ever be
labeled file_t. If you have just added a disk drive to the system you can
relabel it using the restorecon command. For example if you saved the home
directory from a previous installation that did not use SELinux, 'restorecon -R
-v /home' will fix the labels. Otherwise you should relabel the entire file
system.

Allowing Access:

You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:file_t:s0
Target Objects                network [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           NetworkManager-0.8.1-6.git20100831.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-57.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.34.7-56.fc13.i686
                              #1 SMP Wed Sep 15 03:33:58 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Tue 28 Sep 2010 07:28:17 AM EDT
Last Seen                     Tue 28 Sep 2010 07:28:17 AM EDT
Local ID                      05243d80-2406-4557-bef4-f0fc31fa42e0
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1285673297.979:7): avc:  denied  { read } for  pid=923 comm="NetworkManager" name="network" dev=dm-0 ino=64332 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1285673297.979:7): arch=40000003 syscall=5 success=no exit=-13 a0=5102b3 a1=0 a2=365a3d a3=5102b3 items=0 ppid=1 pid=923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)


--- 2 ---
Summary:

SELinux is preventing access to files with the label, file_t.

Detailed Description:

SELinux permission checks on files labeled file_t are being denied. file_t is
the context the SELinux kernel gives to files that do not have a label. This
indicates a serious labeling problem. No files on an SELinux box should ever be
labeled file_t. If you have just added a disk drive to the system you can
relabel it using the restorecon command. For example if you saved the home
directory from a previous installation that did not use SELinux, 'restorecon -R
-v /home' will fix the labels. Otherwise you should relabel the entire file
system.

Allowing Access:

You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"

Additional Information:

Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:file_t:s0
Target Objects                macros.imgcreate [ file ]
Source                        abrtd
Source Path                   /usr/sbin/abrtd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           abrt-1.1.13-2.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-57.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.34.7-56.fc13.i686
                              #1 SMP Wed Sep 15 03:33:58 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Tue 28 Sep 2010 07:28:31 AM EDT
Last Seen                     Tue 28 Sep 2010 07:28:31 AM EDT
Local ID                      cc2455d2-70e7-4202-9b8a-33957ef0b981
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1285673311.432:9): avc:  denied  { read } for  pid=1143 comm="abrtd" name="macros.imgcreate" dev=dm-0 ino=64333 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1285673311.432:9): arch=40000003 syscall=5 success=no exit=-13 a0=8ceab98 a1=8000 a2=1b6 a3=1a75e8 items=0 ppid=1142 pid=1143 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe="/usr/sbin/abrtd" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)


--- ---
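One way to triage raw AVC records like the two attached above for the unlabeled-file (`file_t`) case the report text describes. This is an added example, not part of the original message; the function names are illustrative and the third sample record is constructed.

```python
import re

# Records 1 and 2 are the raw AVC lines from the message above; record 3 is a
# constructed contrast case whose target does carry a label.
SAMPLE = [
    'node=localhost.localdomain type=AVC msg=audit(1285673297.979:7): avc:  denied  { read } for  pid=923 comm="NetworkManager" name="network" dev=dm-0 ino=64332 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file',
    'node=localhost.localdomain type=AVC msg=audit(1285673311.432:9): avc:  denied  { read } for  pid=1143 comm="abrtd" name="macros.imgcreate" dev=dm-0 ino=64333 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file',
    'type=AVC msg=audit(1285673320.100:12): avc:  denied  { write } for  pid=1200 comm="httpd" name="upload" dev=dm-0 ino=70001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    # user:role:type:level; split at most 3 times because the level can itself
    # contain ':' (e.g. s0-s0:c0.c1023).
    parts = ctx.split(":", 3)
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["perms"] = m.group(1).split()
    rec["stype"] = context_type(rec.get("scontext", ""))
    rec["ttype"] = context_type(rec.get("tcontext", ""))
    return rec


def unlabeled_targets(lines):
    """Group denials on file_t targets by (dev, ino); AVC gives only a basename."""
    found = {}
    for rec in filter(None, map(parse_avc, lines)):
        if rec["ttype"] != "file_t":
            continue
        entry = found.setdefault((rec.get("dev", "?"), rec.get("ino", "?")), {
            "name": rec.get("name"), "domains": set(), "perms": set()})
        entry["domains"].add(rec["stype"])
        entry["perms"].update(rec["perms"])
    return found


if __name__ == "__main__":
    for (dev, ino), e in sorted(unlabeled_targets(SAMPLE).items()):
        print(f"{dev} ino={ino} name={e['name']} unlabeled (file_t); "
              f"denied {sorted(e['perms'])} to {sorted(e['domains'])}")
```

Each key identifies one file that needs a label; resolve the inode to a path with `find <mountpoint> -xdev -inum <ino>` before running the `restorecon` the report text suggests.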

