Daniel B. Thurman wrote:
> From: fedora-list-bounces(a)redhat.com
> [mailto:fedora-list-bounces@redhat.com]On Behalf Of Daniel B. Thurman
> Sent: Saturday, December 17, 2005 2:30 PM
> To: For users of Fedora Core releases
> Cc: Fedora SELinux support list for users & developers.
> Subject: Non-root console login issue! (was: Problem with VNC and
> SELinux:FC4)
>
>
>
>> From: fedora-list-bounces(a)redhat.com
>> [mailto:fedora-list-bounces@redhat.com]On Behalf Of Daniel B. Thurman
>> Sent: Friday, December 16, 2005 6:11 PM
>> To: For users of Fedora Core releases (E-mail)
>> Cc: Fedora SELinux support list for users & developers.
>> Subject: Problem with VNC and SELinux: FC4
>>
>>
>>
>> Folks,
>>
>> With the new SELinux updates, it appears that root,
>> but not normal users, can log in to Fedora via VNC
>> Server? My VNC Server is set up such that I am using
>> xinetd for VNC Server requests.
>>
>> Another problem I noticed is that when I log into my
>> Fedora system via VNC as root user, and open an xterm
>> window and run a su - <normal-user>, I get back an
>> SELinux message:
>>
>> ================================================
>> # su - dan
>> Your default context is: user_u:system_r:kernel_t.
>>
>> Do you want to want to choose a different one? [n]
>> ================================================
>>
>> It is *possible* that this problem came up when
>> I had to make a copy of my filesystem to another
>> hard-disk for the purpose of creating a /boot
>> partition (my bad) and copied/restored the filesystem
>> back over to the main drive. I don't think I made
>> any copy/restore mistakes as I know the fs permissions
>> are correct but I cannot speak for filesystem journaling
>> or whatever that keeps track of the SELinux attributes.
>>
>> In any case, what can I do to resolve my VNC and/or su
>> issue knowing that SELinux has something to do with it?
>>
>> Thanks!
>> Dan Thurman
>>
>>
> The problem is not related to SELinux and not really related
> to VNC. It turns out that I cannot log into the console
> as a non-root user and I get a message saying:
>
> =======================================================
> Your session lasted less than 10 seconds. If you have not
> logged out yourself, this could mean that there is some
> installation problem or that you may be out of diskspace.
> Try logging in with one of the failsafe sessions to see if
> you can fix this problem.
>
> [] View details (~/.xsession-errors file)
> =======================================================
>
> The problem here is that the .xsession-errors file does
> not exist. I also note from the /var/log/messages file:
>
> =======================================================
> Dec 17 12:45:31 linux gdm(pam_unix)[16480]: session opened for
> user dant by (uid=0)
> Dec 17 12:45:32 linux gdm(pam_unix)[16480]: session closed for
> user dant
> Dec 17 12:45:32 linux dbus: avc: 0 AV entries and 0/512
> buckets used, longest chain length 0
> =======================================================
>
> And from /var/log/audit/audit.log
> =======================================================
> type=USER_AUTH msg=audit(1134858412.155:3929): user pid=3397
> uid=0 auid=4294967295 msg='PAM authentication: user=dant
> exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
> result=Success)'
> type=USER_ACCT msg=audit(1134858412.159:3930): user pid=3397
> uid=0 auid=4294967295 msg='PAM accounting: user=dant
> exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
> result=Success)'
> type=CRED_ACQ msg=audit(1134858412.247:3931): user pid=3397
> uid=0 auid=4294967295 msg='PAM setcred: user=dant
> exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
> result=Success)'
> type=USER_START msg=audit(1134858412.307:3932): user pid=3397
> uid=0 auid=4294967295 msg='PAM session open: user=dant
> exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
> result=Success)'
> =======================================================
>
> File:
> # ls -l /usr/bin/gdm-binary
> -rwxr-xr-x 1 root root 251668 May 23 2005 /usr/bin/gdm-binary
>
> HALLLLLP! Please :-)
>
> Dan
>
>
> Sorry - had to add this tidbit.... seems that SELinux may be
> involved or maybe my file journaling is messed up after a "restore"?
> I tried to create a new user account to see if by doing this
> I would get a correct security context and be able to log
> into the console but WHOA!!! What is going on here!?!?!?
> =======================================================
> [root@linux ~]# useradd dant2
> useradd: cannot rewrite password file
> [root@linux ~]#
> =======================================================
> File: /var/log/audit/audit.log:
> 94967295 msg='useradd: op=adding home directory acct=dant2 res=success'
> type=AVC msg=audit(1134859204.879:4004): avc: denied { create } for pid=19177
> comm="useradd" name=".kde" scontext=root:system_r:kernel_t
> tcontext=user_u:object_r:user_home_t tclass=dir
> type=SYSCALL msg=audit(1134859204.879:4004): arch=40000003 syscall=39 success=no exit=-13
> a0=bfd81470 a1=1ed a2=98fd2ef a3=ffffffff items=1 pid=19177 auid=4294967295 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd"
> exe="/usr/sbin/useradd"
> type=CWD msg=audit(1134859204.879:4004): cwd="/root"
> type=PATH msg=audit(1134859204.879:4004): item=0 name="/home/dant2/.kde"
> flags=10 inode=1245989 dev=03:02 mode=040755 ouid=511 ogid=512 rdev=00:00
> type=AVC msg=audit(1134859204.883:4005): avc: denied { create } for pid=19177
> comm="useradd" name="passwd+" scontext=root:system_r:kernel_t
> tcontext=system_u:object_r:file_t tclass=file
> type=SYSCALL msg=audit(1134859204.883:4005): arch=40000003 syscall=5 success=no exit=-13
> a0=bfd817e4 a1=8241 a2=1b6 a3=98f6f38 items=1 pid=19177 auid=4294967295 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd"
> exe="/usr/sbin/useradd"
> type=CWD msg=audit(1134859204.883:4005): cwd="/root"
> type=PATH msg=audit(1134859204.883:4005): item=0 name="/etc/passwd+" flags=310
> inode=1212417 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
> type=USER_CHAUTHTOK msg=audit(1134859204.883:4006): user pid=19177 uid=0 auid=4294967295
> msg='useradd: op=adding user acct=dant2 res=failed'
> =======================================================
> Dan
Looks like you have a labeling problem. file_t files should not exist
if your system is properly labeled. This either indicates you booted
with selinux=0 or you added additional disks.
You can relabel by executing
touch /.autorelabel
reboot
--
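The two AVC records in the audit excerpt above carry the diagnosis given in the reply: a target type of file_t means the inode never received a label, and a user-space process still running in kernel_t means init never transitioned out of the boot domain. As an added example that is not part of this thread, the Python below parses audit.log AVC lines and separates such labeling faults (the relabel above fixes them) from ordinary policy denials; the httpd denial in the sample input is constructed for contrast, the useradd lines are the thread's own.

```python
import re

# First two records: the AVC lines from the thread's audit.log excerpt, re-joined
# onto single lines as auditd writes them. Third: a constructed policy denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1134859204.879:4004): avc: denied { create } for pid=19177 comm="useradd" name=".kde" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1134859204.883:4005): avc: denied { create } for pid=19177 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=file
type=AVC msg=audit(1134859300.001:4100): avc: denied { read } for pid=2001 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: denied '
    r'\{ (?P<perms>[^}]+)\} for pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"'
    r'(?: name="(?P<name>[^"]*)")? scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Target types that only exist when an inode carries no usable label.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["stype"] = rec["scontext"].split(":")[2]   # user:role:type[:level]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def classify(rec):
    if rec["ttype"] in UNLABELED_TYPES:
        return "relabel", "target %s is unlabeled (%s)" % (rec["name"], rec["ttype"])
    if rec["stype"] == "kernel_t":
        # init never left the boot domain: its own executable lost its label.
        return "relabel", "%s runs in kernel_t, no domain transition" % rec["comm"]
    return "policy", "%s -> %s denied %s" % (rec["stype"], rec["ttype"], " ".join(rec["perms"]))

def triage(log_text):
    """Parse every AVC line and attach a verdict and reason to each finding."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            rec["verdict"], rec["reason"] = classify(rec)
            findings.append(rec)
    return findings
```

Run `triage(open("/var/log/audit/audit.log").read())` on a live box; every finding marked "relabel" should disappear after the autorelabel reboot, while "policy" findings need a policy change instead.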