SELinux preventing login (Fedora 16)

Daniel J Walsh dwalsh at redhat.com
Fri Apr 13 02:55:53 UTC 2012


On 04/12/2012 08:47 PM, Braden McDaniel wrote:
> On Thu, 2012-04-12 at 16:10 -0400, Daniel J Walsh wrote:
>> On 04/11/2012 10:27 PM, Braden McDaniel wrote:
>>> On Wed, 2012-04-11 at 17:27 -0400, Paul W. Frields wrote:
>>>> On Wed, Apr 11, 2012 at 03:37:45PM -0400, Braden McDaniel wrote:
>>>>> On Wed, 2012-04-11 at 15:25 -0400, Daniel J Walsh wrote:
>>>>>> Are you booted with SELinux in permissive mode or disabled?
>>>>> 
>>>>> I'm booted with it disabled:
>>>>> 
>>>>> # cat /etc/selinux/config | grep disabled
>>>>> #     disabled - No SELinux policy is loaded.
>>>>> SELINUX=disabled
>>>>> 
>>>>>> ausearch -m avc
>>>>> 
>>>>> That's long; I'll attach it.
>>>> 
>>>> You might want to try this as root first, after saving your work:
>>>> 
>>>> touch /.autorelabel ; reboot
>>> 
>>> I did that previously; but it didn't seem to help. (Perhaps because I
>>> still had SELinux disabled when I did it?)
>>> 
>>>> Running SELinux disabled is unnecessary.  Running in permissive mode
>>>> is much better, since it allows you to switch back and forth without
>>>> labeling problems.
>>>> 
>>>> When you run in disabled mode, SELinux labels aren't written to the
>>>> disk when files are created, so when you try to turn SELinux on
>>>> later, it results in lots of denial errors.  Permissive mode does
>>>> pretty much the same thing as enforcing mode, but any denials are
>>>> ignored, so SELinux won't prevent access.
>>> 
>>> That's likely how I got myself into this.  I had disabled it while
>>> attempting to troubleshoot something else.  I probably installed and/or
>>> updated some packages before I remembered to turn it back on.
>>> 
>>> So I changed to "permissive" and did the autorelabel thing again.  This
>>> time I was able to zero in on some messages that were likely
>>> pertinent; and the SELinux troubleshooter suggested:
>>> 
>>> setsebool -P authlogin_nsswitch_use_ldap 1
>>> 
>>> I'll continue to run "permissive" for a little while longer and see if
>>> that fixes it.
>>> 
>> 
>> 
>> What AVC indicated that you needed this?
> 
> Unfortunately, I deleted it.  However, I think it was one corresponding to
> a /var/log/messages entry like this one:
> 
> Apr 10 23:58:31 rail setroubleshoot: SELinux is preventing
> /usr/libexec/accounts-daemon from name_connect access on the tcp_socket .
> For complete SELinux messages. run sealert -l
> aeded892-dec1-4e6d-87ce-7c10a4e42e2b
> 
>> Are you using pam_ldap?  ldap for user authorization?
>> 
>> We just added the ability for samba to use ldap, out of the box.
> 
> I am using Kerberos for authentication; but I'm using LDAP for user 
> information.
> 
> (Though I get the impression that login is currently falling back to local
> authentication; because I don't have a Kerberos ticket after I log in.)
> 
But you are not using sssd for this.  Anyways, do you still believe you are
having SELinux issues?
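The thread never shows the AVC that prompted the setsebool suggestion, so here is an added example (my code, not from the list, Dan or Braden) of the triage step Dan asks for: it parses raw `ausearch -m avc` records and sorts each denial into the two fixes discussed above, a relabel for objects that were created while SELinux was disabled and therefore carry no label (`unlabeled_t`/`file_t` targets), versus a genuine policy or boolean question. The audit lines, pids, inodes, serials and the `accountsd_t` -> `ldap_port_t` contexts are constructed for the example; the mapping of that one pattern to `authlogin_nsswitch_use_ldap` is only an assumption based on what setroubleshoot suggested in this thread, to be confirmed with `sealert -l <id>`.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of what `ausearch -m avc` prints. Every pid, inode,
# timestamp and serial is made up for this example; none comes from the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1334106004.337:42): avc:  denied  { name_connect } for  pid=1234 comm="accounts-daemon" dest=389 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1334106004.337:42): arch=c000003e syscall=42 success=no exit=-13 comm="accounts-daemon"
type=AVC msg=audit(1334106005.101:43): avc:  denied  { read } for  pid=1301 comm="login" name="passwd" dev="dm-0" ino=1357 scontext=system_u:system_r:local_login_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1334106006.220:44): avc:  denied  { read open } for  pid=1302 comm="sshd" name="shadow" dev="dm-0" ino=1360 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1334106007.005:45): avc:  granted  { setenforce } for  pid=1400 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Header of a raw AVC record, up to the key=value tail.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<tail>.*)$"
)
# key=value pairs in the tail; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Types an object ends up with when it was created while SELinux was disabled
# and never relabeled (no label on disk, or the filesystem's initial default).
UNLABELED_TYPES = {"unlabeled_t", "file_t"}


@dataclass
class Avc:
    serial: int
    comm: str
    perms: List[str]
    source_type: str
    target_type: str
    tclass: str


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:level] context."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Optional[Avc]:
    """Parse one raw AVC denial; return None for non-AVC or 'granted' records."""
    m = AVC_RE.match(line.strip())
    if m is None or m.group("result") != "denied":
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("tail"))}
    return Avc(
        serial=int(m.group("serial")),
        comm=fields.get("comm", "?"),
        perms=m.group("perms").split(),
        source_type=context_type(fields["scontext"]),
        target_type=context_type(fields["tcontext"]),
        tclass=fields["tclass"],
    )


def classify(avc: Avc) -> str:
    """Sort a denial into the remediation buckets discussed in the thread."""
    if avc.target_type in UNLABELED_TYPES:
        # The object has no proper label: fixed by relabeling
        # (touch /.autorelabel; reboot), not by policy changes.
        return "relabel"
    if (avc.tclass == "tcp_socket" and "name_connect" in avc.perms
            and avc.target_type == "ldap_port_t"):
        # Assumed mapping: matches the accounts-daemon -> LDAP denial in the
        # thread, for which setroubleshoot suggested this boolean. Heuristic
        # hint only; confirm with `sealert -l <id>` before setsebool -P.
        return "boolean:authlogin_nsswitch_use_ldap"
    # Anything else needs a policy look (sealert / audit2allow); a relabel
    # will not make it go away.
    return "policy"


def triage(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (serial, comm, bucket) for every denial in an ausearch dump."""
    out = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is not None:
            out.append((avc.serial, avc.comm, classify(avc)))
    return out


def summarize(log_text: str) -> Dict[str, int]:
    """Count denials per bucket, so a flood after a relabel is visible at once."""
    counts: Dict[str, int] = {}
    for _, _, bucket in triage(log_text):
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


if __name__ == "__main__":
    for serial, comm, bucket in triage(SAMPLE_AUDIT_LOG):
        print(f"audit serial {serial}: {comm:<16} -> {bucket}")
    print(summarize(SAMPLE_AUDIT_LOG))
```

Running it on a real dump (`ausearch -m avc | python3 avc_triage.py` with a stdin read in place of the constructed sample) separates the relabel noise from the handful of denials that actually need a boolean or a policy change, which is the distinction Paul and Dan draw above between running disabled and running permissive.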

