SELinux preventing login (Fedora 16)
Braden McDaniel
braden at endoframe.com
Thu Apr 12 02:27:31 UTC 2012

On Wed, 2012-04-11 at 17:27 -0400, Paul W. Frields wrote:
> On Wed, Apr 11, 2012 at 03:37:45PM -0400, Braden McDaniel wrote:
> > On Wed, 2012-04-11 at 15:25 -0400, Daniel J Walsh wrote:
> > > Are you booted with SELinux in permissive mode or disabled?
> >
> > I'm booted with it disabled:
> >
> > # cat /etc/selinux/config | grep disabled
> > # disabled - No SELinux policy is loaded.
> > SELINUX=disabled
> >
> > > ausearch -m avc
> >
> > That's long; I'll attach it.
>
> You might want to try this as root first, after saving your work:
>
> touch /.autorelabel ; reboot

I did that previously; but it didn't seem to help. (Perhaps because I
still had SELinux disabled when I did it?)

> Running SELinux disabled is unnecessary. Running in permissive mode
> is much better, since it allows you to switch back and forth without
> labeling problems.
>
> When you run in disabled mode, SELinux labels aren't written to the
> disk when files are created, so when you try to turn SELinux on later,
> it results in lots of denial errors. Permissive mode does pretty much
> the same thing as enforcing mode, but any denials are ignored, so
> SELinux won't prevent access.

That's likely how I got myself into this. I had disabled it while
attempting to troubleshoot something else. I probably installed and/or
updated some packages before I remembered to turn it back on.

So I changed to "permissive" and did the autorelabel thing again. This
time I was able to zero in on some messages that were likely pertinent;
and the SELinux troubleshooter suggested:

setsebool -P authlogin_nsswitch_use_ldap 1

I'll continue to run "permissive" for a little while longer and see if
that fixes it.
--
Braden McDaniel <braden at endoframe.com>
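
The sequence this thread arrives at (leave disabled mode, switch to permissive, then schedule the relabel), as an added example that is not part of the original messages. The function names and optional path arguments are hypothetical, and it assumes, as the poster suspects, that a relabel requested while SELINUX=disabled has no effect.

```shell
#!/bin/sh
# Added example. Function names and the optional path arguments are
# hypothetical; they exist so the logic can be exercised on a copy.

# Print the effective SELINUX= value, ignoring comment lines such as
# "# disabled - No SELinux policy is loaded." and the SELINUXTYPE= line.
selinux_config_mode() {
    cfg="${1:-/etc/selinux/config}"
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" |
        tail -n 1 | tr 'A-Z' 'a-z'
}

# Leave disabled mode (if set) and schedule a relabel for the next boot.
# Assumption: a relabel requested while SELINUX=disabled has no effect,
# so the mode is changed to permissive first. Reboot afterwards.
prepare_relabel() {
    cfg="${1:-/etc/selinux/config}"
    root="${2:-/}"
    mode=$(selinux_config_mode "$cfg")
    case "$mode" in
        enforcing|permissive)
            ;;
        disabled)
            # Keep a backup, then rewrite only the SELINUX= line in place.
            cp -p "$cfg" "$cfg.bak" || return 1
            sed 's/^[[:space:]]*SELINUX=.*/SELINUX=permissive/' "$cfg.bak" > "$cfg" || return 1
            ;;
        *)
            echo "no usable SELINUX= line in $cfg" >&2
            return 2
            ;;
    esac
    touch "${root%/}/.autorelabel"
}
```

Run as root, `prepare_relabel` with no arguments acts on /etc/selinux/config and /.autorelabel; passing a copy of the config and a scratch directory exercises it without touching the system.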