Did you remember to do a 'fixfiles relabel' after installing the new policy files?
If not, I suggest you reboot single-user mode, and then run 'fixfiles relabel'. You probably want fixfiles to clean out /tmp, so move/copy anything you need before running it.
tom
------------------------------------------------------------------------
- /From/: Richard Hally <rhally mindspring com>
- /To/: fedora-selinux-list redhat com
- /Subject/: enforcing mode problems
- /Date/: Tue, 08 Jun 2004 22:43:44 -0400
------------------------------------------------------------------------
When running with the latest "strict" policy in enforcing mode, 'su -' does not work.
[richard new2 richard]$ su -
Password:
could not open session
(ctrl-alt-f1 to a console, switch to permissive)
[richard new2 richard]$ su -
Password:
[root new2 root]#
It works but doesn't ask if I want a different context.
When I went to the console it asked if I wanted a different context. Attached is the syslog messages file.
Please see the attached messages file for other "AVC denied" messages as well.
HTH
Richard Hally
p.s.
[root new2 root]# rpm -q selinux-policy-strict
selinux-policy-strict-1.13.4-2
Tom London wrote:
Did you remember to do a 'fixfiles relabel' after installing the new policy files?
If not, I suggest you reboot single-user mode, and then run 'fixfiles relabel'. You probably want fixfiles to clean out /tmp, so move/copy anything you need before running it.
tom
- /From/: Richard Hally <rhally mindspring com>
- /To/: fedora-selinux-list redhat com
- /Subject/: enforcing mode problems
- /Date/: Tue, 08 Jun 2004 22:43:44 -0400
When running with the latest "strict" policy in enforcing mode, 'su -' does not work.
[richard new2 richard]$ su -
Password:
could not open session
Thanks for the suggestion. This system was installed over the past weekend and updated to the (then) latest strict policy. "fixfiles relabel" was run then to allow going to enforcing mode. "yum update" updated the policy today. I am wondering if "fixfiles relabel" will be necessary every time policy is updated?
Richard Hally
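One way to triage the "AVC denied" messages mentioned in this thread, as an added example that is not part of either poster's message: the script groups denials by source type, target type, class and permission, and flags targets typed `file_t` or `unlabeled_t`, which is a heuristic for objects with no usable label (the case a relabel addresses). The log lines, type names and the function names `avc_summary` and `relabel_suspects` are constructed for illustration; the attached messages file is not on the page.

```shell
#!/bin/sh
# Added example: triage "avc: denied" syslog records by type and class.

# Constructed sample lines; the thread's attached messages file is not on the page.
sample_log() {
cat <<'EOF'
Jun  8 22:30:01 new2 kernel: audit(1086748201.101:0): avc:  denied  { read } for  pid=2101 exe=/bin/su name=example1 dev=hda2 ino=1001 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:file_t tclass=file
Jun  8 22:30:09 new2 kernel: audit(1086748209.417:0): avc:  denied  { read } for  pid=2107 exe=/bin/su name=example1 dev=hda2 ino=1001 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:file_t tclass=file
Jun  8 22:30:09 new2 kernel: audit(1086748209.420:0): avc:  denied  { read write } for  pid=2107 exe=/bin/su name=example2 dev=hda2 ino=1002 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:shadow_t tclass=file
Jun  8 22:31:00 new2 kernel: unrelated message, ignored by the filter
EOF
}

# avc_summary FILE  (FILE may be "-" for stdin)
# Output: COUNT FLAG SOURCE_TYPE TARGET_TYPE CLASS PERMS
avc_summary() {
    awk '
    /avc:[ ]+denied/ {
        perm = src = tgt = cls = "?"
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm); gsub(/ +/, ",", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        # Heuristic (assumption): file_t / unlabeled_t targets have no usable label.
        flag = (tgt == "file_t" || tgt == "unlabeled_t") ? "RELABEL?" : "policy"
        count[flag " " src " " tgt " " cls " " perm]++
    }
    END { for (k in count) print count[k], k }
    ' "$1" | sort -k2
}

# Number of denials whose target looks unlabeled.
relabel_suspects() {
    avc_summary "$1" | awk '$2 == "RELABEL?" { n += $1 } END { print n + 0 }'
}

sample_log | avc_summary -
```

Run it against a real log with `avc_summary /var/log/messages`; rows flagged `policy` point at rules in the loaded policy rather than at file labels.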