5:07 p.m.
From: fedora-list-bounces(a)redhat.com
[mailto:fedora-list-bounces@redhat.com]On Behalf Of Daniel B. Thurman
Sent: Saturday, December 17, 2005 2:30 PM
To: For users of Fedora Core releases
Cc: Fedora SELinux support list for users & developers.
Subject: Non-root console login issue! (was: Problem with VNC and
SELinux:FC4)
>From: fedora-list-bounces(a)redhat.com
>[mailto:fedora-list-bounces@redhat.com]On Behalf Of Daniel B. Thurman
>Sent: Friday, December 16, 2005 6:11 PM
>To: For users of Fedora Core releases (E-mail)
>Cc: Fedora SELinux support list for users & developers.
>Subject: Problem with VNC and SELinux: FC4
>
>
>
>Folks,
>
>With the new SELinux updates, it appears that root,
>other than normal users can login to Fedora via VNC
>Server? My VNC Server is setup such that I am using
>xinitd for VNC Server requests.
>
>Another problem I noticed is that when I log into my
>Fedora system via VNC as root user, and open a xterm
>window and run a su - <normal-user>, I get back a
>SElinux message:
>
>================================================
># su - dan
>Your default context is: user_u:system_r:kernel_t.
>
>Do you want to want to choose a different one? [n]
>================================================
>
>It is *possible* that this problem came up when
>I had to make a copy of my filesystem to another
>hard-disk for the purpose of creating a /boot
>partition (my bad) and copied/restored the filesystem
>back over to the main drive. I don't think I made
>any copy/restore mistakes as I know the fs permissions
>are correct but I cannot speak for filesystem journaling
>or whatever that keeps track of the SELinux attributes.
>
>In any case, what can I do to resolve my VNC and/or su
>issue knowing that SElinux has something to do with it?
>
>Thanks!
>Dan Thurman
>
Problem is not related to SELinux and not really related
to VNC. It turns out that I cannot log into the console
as a non-root user and I get a message saying:
=======================================================
Your session lasted less than 10 seconds. If you have not
logged out yourself, this could mean that there is some
installation problem or that you may be out of diskspace.
Try logging in with one of the failsafe sessions to see if
you can fix this problem.
[] View details (~/.xsession-errors file)
=======================================================
The problem here is that the .xsession-errors file does
not exist. I also note from /var/log/message file:
=======================================================
Dec 17 12:45:31 linux gdm(pam_unix)[16480]: session opened for
user dant by (uid=0)
Dec 17 12:45:32 linux gdm(pam_unix)[16480]: session closed for
user dant
Dec 17 12:45:32 linux dbus: avc: 0 AV entries and 0/512
buckets used, longest chain length 0
=======================================================
And from /var/log/audit/audit.log
=======================================================
type=USER_AUTH msg=audit(1134858412.155:3929): user pid=3397
uid=0 auid=4294967295 msg='PAM authentication: user=dant
exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
result=Success)'
type=USER_ACCT msg=audit(1134858412.159:3930): user pid=3397
uid=0 auid=4294967295 msg='PAM accounting: user=dant
exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
result=Success)'
type=CRED_ACQ msg=audit(1134858412.247:3931): user pid=3397
uid=0 auid=4294967295 msg='PAM setcred: user=dant
exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
result=Success)'
type=USER_START msg=audit(1134858412.307:3932): user pid=3397
uid=0 auid=4294967295 msg='PAM session open: user=dant
exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
result=Success)'
=======================================================
File:
# ls -l /usr/bin/gdm-binary
-rwxr-xr-x 1 root root 251668 May 23 2005 /usr/bin/gdm-binary
HALLLLLP! Please :-)
Dan
Sorry - had to add this tidbit.... seems that SElinux may be
involved or maybe my file journaling is messed up after a "restore"?
I tried to create a new user account to see if by doing this
I would get a correct security context and be able to log
into the console but WHOA!!! What is going on here!?!?!?
=======================================================
[root@linux ~]# useradd dant2
useradd: cannot rewrite password file
[root@linux ~]#
=======================================================
File: /var/log/audit/audit.log:
94967295 msg='useradd: op=adding home directory acct=dant2 res=success'
type=AVC msg=audit(1134859204.879:4004): avc: denied { create } for pid=19177
comm="useradd" name=".kde" scontext=root:system_r:kernel_t
tcontext=user_u:object_r:user_home_t tclass=dir
type=SYSCALL msg=audit(1134859204.879:4004): arch=40000003 syscall=39 success=no exit=-13
a0=bfd81470 a1=1ed a2=98fd2ef a3=ffffffff items=1 pid=19177 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd"
exe="/usr/sbin/useradd"
type=CWD msg=audit(1134859204.879:4004): cwd="/root"
type=PATH msg=audit(1134859204.879:4004): item=0 name="/home/dant2/.kde"
flags=10 inode=1245989 dev=03:02 mode=040755 ouid=511 ogid=512 rdev=00:00
type=AVC msg=audit(1134859204.883:4005): avc: denied { create } for pid=19177
comm="useradd" name="passwd+" scontext=root:system_r:kernel_t
tcontext=system_u:object_r:file_t tclass=file
type=SYSCALL msg=audit(1134859204.883:4005): arch=40000003 syscall=5 success=no exit=-13
a0=bfd817e4 a1=8241 a2=1b6 a3=98f6f38 items=1 pid=19177 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd"
exe="/usr/sbin/useradd"
type=CWD msg=audit(1134859204.883:4005): cwd="/root"
type=PATH msg=audit(1134859204.883:4005): item=0 name="/etc/passwd+" flags=310
inode=1212417 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=USER_CHAUTHTOK msg=audit(1134859204.883:4006): user pid=19177 uid=0 auid=4294967295
msg='useradd: op=adding user acct=dant2 res=failed'
=======================================================
Dan
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.14.1/206 - Release Date: 12/16/2005
1:20 p.m.
New subject: Non-root console login issue! (was: Problem with VNC and SELinux:FC4)
Daniel B. Thurman wrote:
> From: fedora-list-bounces(a)redhat.com
> [mailto:fedora-list-bounces@redhat.com]On Behalf Of Daniel B. Thurman
> Sent: Saturday, December 17, 2005 2:30 PM
> To: For users of Fedora Core releases
> Cc: Fedora SELinux support list for users & developers.
> Subject: Non-root console login issue! (was: Problem with VNC and
> SELinux:FC4)
>
>
>
>> From: fedora-list-bounces(a)redhat.com
>> [mailto:fedora-list-bounces@redhat.com]On Behalf Of Daniel B. Thurman
>> Sent: Friday, December 16, 2005 6:11 PM
>> To: For users of Fedora Core releases (E-mail)
>> Cc: Fedora SELinux support list for users & developers.
>> Subject: Problem with VNC and SELinux: FC4
>>
>>
>>
>> Folks,
>>
>> With the new SELinux updates, it appears that root,
>> other than normal users can login to Fedora via VNC
>> Server? My VNC Server is setup such that I am using
>> xinitd for VNC Server requests.
>>
>> Another problem I noticed is that when I log into my
>> Fedora system via VNC as root user, and open a xterm
>> window and run a su - <normal-user>, I get back a
>> SElinux message:
>>
>> ================================================
>> # su - dan
>> Your default context is: user_u:system_r:kernel_t.
>>
>> Do you want to want to choose a different one? [n]
>> ================================================
>>
>> It is *possible* that this problem came up when
>> I had to make a copy of my filesystem to another
>> hard-disk for the purpose of creating a /boot
>> partition (my bad) and copied/restored the filesystem
>> back over to the main drive. I don't think I made
>> any copy/restore mistakes as I know the fs permissions
>> are correct but I cannot speak for filesystem journaling
>> or whatever that keeps track of the SELinux attributes.
>>
>> In any case, what can I do to resolve my VNC and/or su
>> issue knowing that SElinux has something to do with it?
>>
>> Thanks!
>> Dan Thurman
>>
>>
> Problem is not related to SELinux and not really related
> to VNC. It turns out that I cannot log into the console
> as a non-root user and I get a message saying:
>
> =======================================================
> Your session lasted less than 10 seconds. If you have not
> logged out yourself, this could mean that there is some
> installation problem or that you may be out of diskspace.
> Try logging in with one of the failsafe sessions to see if
> you can fix this problem.
>
> [] View details (~/.xsession-errors file)
> =======================================================
>
> The problem here is that the .xsession-errors file does
> not exist. I also note from /var/log/message file:
>
> =======================================================
> Dec 17 12:45:31 linux gdm(pam_unix)[16480]: session opened for
> user dant by (uid=0)
> Dec 17 12:45:32 linux gdm(pam_unix)[16480]: session closed for
> user dant
> Dec 17 12:45:32 linux dbus: avc: 0 AV entries and 0/512
> buckets used, longest chain length 0
> =======================================================
>
> And from /var/log/audit/audit.log
> =======================================================
> type=USER_AUTH msg=audit(1134858412.155:3929): user pid=3397
> uid=0 auid=4294967295 msg='PAM authentication: user=dant
> exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
> result=Success)'
> type=USER_ACCT msg=audit(1134858412.159:3930): user pid=3397
> uid=0 auid=4294967295 msg='PAM accounting: user=dant
> exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
> result=Success)'
> type=CRED_ACQ msg=audit(1134858412.247:3931): user pid=3397
> uid=0 auid=4294967295 msg='PAM setcred: user=dant
> exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
> result=Success)'
> type=USER_START msg=audit(1134858412.307:3932): user pid=3397
> uid=0 auid=4294967295 msg='PAM session open: user=dant
> exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
> result=Success)'
> =======================================================
>
> File:
> # ls -l /usr/bin/gdm-binary
> -rwxr-xr-x 1 root root 251668 May 23 2005 /usr/bin/gdm-binary
>
> HALLLLLP! Please :-)
>
> Dan
>
>
Sorry - had to add this tidbit.... seems that SElinux may be
involved or maybe my file journaling is messed up after a "restore"?
I tried to create a new user account to see if by doing this
I would get a correct security context and be able to log
into the console but WHOA!!! What is going on here!?!?!?
=======================================================
[root@linux ~]# useradd dant2
useradd: cannot rewrite password file
[root@linux ~]#
=======================================================
File: /var/log/audit/audit.log:
94967295 msg='useradd: op=adding home directory acct=dant2 res=success'
type=AVC msg=audit(1134859204.879:4004): avc: denied { create } for pid=19177
comm="useradd" name=".kde" scontext=root:system_r:kernel_t
tcontext=user_u:object_r:user_home_t tclass=dir
type=SYSCALL msg=audit(1134859204.879:4004): arch=40000003 syscall=39 success=no exit=-13
a0=bfd81470 a1=1ed a2=98fd2ef a3=ffffffff items=1 pid=19177 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd"
exe="/usr/sbin/useradd"
type=CWD msg=audit(1134859204.879:4004): cwd="/root"
type=PATH msg=audit(1134859204.879:4004): item=0 name="/home/dant2/.kde"
flags=10 inode=1245989 dev=03:02 mode=040755 ouid=511 ogid=512 rdev=00:00
type=AVC msg=audit(1134859204.883:4005): avc: denied { create } for pid=19177
comm="useradd" name="passwd+" scontext=root:system_r:kernel_t
tcontext=system_u:object_r:file_t tclass=file
type=SYSCALL msg=audit(1134859204.883:4005): arch=40000003 syscall=5 success=no exit=-13
a0=bfd817e4 a1=8241 a2=1b6 a3=98f6f38 items=1 pid=19177 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd"
exe="/usr/sbin/useradd"
type=CWD msg=audit(1134859204.883:4005): cwd="/root"
type=PATH msg=audit(1134859204.883:4005): item=0 name="/etc/passwd+" flags=310
inode=1212417 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=USER_CHAUTHTOK msg=audit(1134859204.883:4006): user pid=19177 uid=0 auid=4294967295
msg='useradd: op=adding user acct=dant2 res=failed'
=======================================================
Dan
Looks like you have a labeling problem. file_t files should not exist
if your system is properly labeled. This either indicates you booted
with selinux=0 or you added additional disks.
You can relabel by executing
touch /.autorelabel
reboot
--
6716
days inactive
6719
days old
selinux@lists.fedoraproject.org
1 comments
2 participants
participants (2)
-
Dan Thurman -
Daniel J Walsh