SELinux preventing login (Fedora 16)
Daniel J Walsh
dwalsh at redhat.com
Fri Apr 13 02:55:53 UTC 2012
On 04/12/2012 08:47 PM, Braden McDaniel wrote:
> On Thu, 2012-04-12 at 16:10 -0400, Daniel J Walsh wrote:
>> On 04/11/2012 10:27 PM, Braden McDaniel wrote:
>>> On Wed, 2012-04-11 at 17:27 -0400, Paul W. Frields wrote:
>>>> On Wed, Apr 11, 2012 at 03:37:45PM -0400, Braden McDaniel wrote:
>>>>> On Wed, 2012-04-11 at 15:25 -0400, Daniel J Walsh wrote:
>>>>>> Are you booted with SELinux in permissive mode of disabled?
>>>>>
>>>>> I'm booted with it disabled:
>>>>>
>>>>> # cat /etc/selinux/config | grep disabled # disabled - No
>>>>> SELinux policy is loaded. SELINUX=disabled
>>>>>
>>>>>> ausearch -m avc
>>>>>
>>>>> That's long; I'll attach it.
>>>>
>>>> You might want to try this as root first, after saving your work:
>>>>
>>>> touch /.autorelabel ; reboot
>>>
>>> I did that previously; but it didn't seem to help. (Perhaps because I
>>> still had SELinux disabled when I did it?)
>>>
>>>> Running SELinux disabled is unnecessary. Running in permissive mode
>>>> is much better, since it allows you to switch back and forth without
>>>> labeling problems.
>>>>
>>>> When you run in disabled mode, SELinux labels aren't written to the
>>>> disk when files are created, so when you try to turn SELinux on
>>>> later, it results in lots of denial errors. Permissive mode does
>>>> pretty much the same thing as enforcing mode, but any denials are
>>>> ignored, so SELinux won't prevent access.
>>>
>>> That's likely how I got myself into this. I had disabled it while
>>> attempting to troubleshoot something else. I probably installed and/or
>>> updated some packages before I remembered to turn it back on.
>>>
>>> So I changed to "permissive" and did the autorelabel thing again. This
>>> time I was able to zero in on some messages that were likely
>>> pertinent; and the SELinux troubleshooter suggested:
>>>
>>> setsebool -P authlogin_nsswitch_use_ldap 1
>>>
>>> I'll continue to run "permissive" for a little while longer and see if
>>> that fixes it.
>>>
>>
>>
>> What AVC indicated that you needed this?
>
> Unfortunately, I deleted it. However, I think it was one corresponding to
> a /var/log/messages entry like this one:
>
> Apr 10 23:58:31 rail setroubleshoot: SELinux is preventing
> /usr/libexec/accounts-daemon from name_connect access on the tcp_socket .
> For complete SELinux messages. run sealert -l
> aeded892-dec1-4e6d-87ce-7c10a4e42e2b
>
>> Are you using pam_ldap? ldap for user authorization?
>>
>> We just added the ability for samba to use ldap, out of the box.
>
> I am using Kerberos for authentication; but I'm using LDAP for user
> information.
>
> (Though I get the impression that login is currently falling back to local
> authentication; because I don't have a Kerberos ticket after I log in.)
>
But you are not use sssd for this. Anyways do you still believe you are
having SELinux issues?
More information about the users
mailing list