SELinux preventing login (Fedora 16)
Daniel J Walsh
dwalsh at redhat.com
Thu Apr 12 20:10:42 UTC 2012
On 04/11/2012 10:27 PM, Braden McDaniel wrote:
> On Wed, 2012-04-11 at 17:27 -0400, Paul W. Frields wrote:
>> On Wed, Apr 11, 2012 at 03:37:45PM -0400, Braden McDaniel wrote:
>>> On Wed, 2012-04-11 at 15:25 -0400, Daniel J Walsh wrote:
>>>> Are you booted with SELinux in permissive mode or disabled?
>>>
>>> I'm booted with it disabled:
>>>
>>> # cat /etc/selinux/config | grep disabled
>>> # disabled - No SELinux policy is loaded.
>>> SELINUX=disabled
>>>
>>>> ausearch -m avc
>>>
>>> That's long; I'll attach it.
>>
>> You might want to try this as root first, after saving your work:
>>
>> touch /.autorelabel ; reboot
>
> I did that previously; but it didn't seem to help. (Perhaps because I still
> had SELinux disabled when I did it?)
>
>> Running SELinux disabled is unnecessary. Running in permissive mode is
>> much better, since it allows you to switch back and forth without
>> labeling problems.
>>
>> When you run in disabled mode, SELinux labels aren't written to the disk
>> when files are created, so when you try to turn SELinux on later, it
>> results in lots of denial errors. Permissive mode does pretty much the
>> same thing as enforcing mode, but any denials are ignored, so SELinux
>> won't prevent access.
>
> That's likely how I got myself into this. I had disabled it while
> attempting to troubleshoot something else. I probably installed and/or
> updated some packages before I remembered to turn it back on.
>
> So I changed to "permissive" and did the autorelabel thing again. This
> time I was able to zero in on some messages that were likely pertinent; and
> the SELinux troubleshooter suggested:
>
> setsebool -P authlogin_nsswitch_use_ldap 1
>
> I'll continue to run "permissive" for a little while longer and see if that
> fixes it.
>
What AVC indicated that you needed this? Are you using pam_ldap? ldap for
user authorization?
We just added the ability for samba to use ldap, out of the box.
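
An added example, not part of the original thread: a shell filter for `ausearch -m avc` output that separates denials caused by missing labels (target type `file_t` or `unlabeled_t`, which is what files created while SELinux was disabled end up with) from denials that a relabel will not fix and that need a policy or boolean decision. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Triage AVC denials: "label" = target has no usable label (relabel fixes it),
# "policy" = labels are fine, the access itself is denied by policy.
# Real use: ausearch -m avc | classify_avcs

# Constructed sample records (not taken from the thread's attachment).
sample_avcs() {
cat <<'EOF'
type=AVC msg=audit(1334180000.101:41): avc:  denied  { read } for  pid=1201 comm="sshd" name="shadow" dev=dm-1 ino=1311 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1334180000.205:42): avc:  denied  { getattr } for  pid=1201 comm="sshd" path="/etc/passwd" dev=dm-1 ino=1312 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1334180001.317:43): avc:  denied  { name_connect } for  pid=1201 comm="sshd" dest=389 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
EOF
}

# Reads AVC records on stdin.
# Prints one line per denial: <cause> <source_type> <target_type> <class> <perms>
classify_avcs() {
    awk '
    /avc: +denied/ {
        s = ""; t = ""; c = ""; p = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            # Permissions are the words between "{" and "}".
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { p = p (p == "" ? "" : ",") $i; continue }
            # A context is user:role:type:level; the type is the third part.
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        cause = (t == "file_t" || t == "unlabeled_t") ? "label" : "policy"
        print cause, s, t, c, p
    }'
}

# Demonstration on the constructed records above.
sample_avcs | classify_avcs
```

Lines marked `label` should disappear after a successful relabel; anything still marked `policy` afterwards is the AVC to quote when asking which boolean or rule is needed.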