5:46 a.m.
On my F11 x64 machine, this morning, I have launch that command:
sudo semanage fcontext -a -t textrel_shlib_t
/opt/intel/Compiler/11.0/081/mkl/lib/em64t/libmkl_core.so
After that, my X11 server freezed. I managed to login on the machine with ssh,
but sudo got permission denied. :-(
Then I have done:
- A soft shutdown with the power button. That shutdown was successful.
- Power on the machine. Boot the default kernel. Lots of AVC on the console.
X11 and mingetty unable to launch.
- Reboot with "enforcing=0 autorelabel=1 single". Relabelling seems ok.
- Reboot (with no selinux boot parameters). X11 and GDM ok. But just after I
tried to login, a popup told me something about permission denied on $HOME,
using HOME=/. Obviously, that failed!
- Reboot with enforcing=0.
Then I have managed to understand that the problem is that almost all my files
in $HOME are labeled: "system_u:object_r:default_t:s0" (actually all my $HOME
but files with customized context).
Another problem: unconfined_u has disappeared!
$ id -Z
user_u:user_r:user_t:s0
$ sudo semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range SELinux
Roles
guest_u user s0 s0 guest_r
root user s0 s0-s0:c0.c1023 staff_r
sysadm_r system_r unconfined_r
staff_u user s0 s0-s0:c0.c1023 staff_r
sysadm_r system_r
sysadm_u user s0 s0-s0:c0.c1023 sysadm_r
system_u user s0 s0-s0:c0.c1023 system_r
user_u user s0 s0 user_r
xguest_u user s0 s0 xguest_r
I have search on the web for a solution, but the only solutions proposed where
/.autorelabel! :-(
That is why I am looking for a clue here...
The machine is under F11, with updates. My configuration:
$ rpm -qa \*selinux\* \*semana\* | sort
libselinux-2.0.80-1.fc11.i586
libselinux-2.0.80-1.fc11.x86_64
libselinux-debuginfo-2.0.80-1.fc11.x86_64
libselinux-devel-2.0.80-1.fc11.x86_64
libselinux-python-2.0.80-1.fc11.x86_64
libselinux-utils-2.0.80-1.fc11.x86_64
libsemanage-2.0.31-4.fc11.x86_64
libsemanage-python-2.0.31-4.fc11.x86_64
selinux-policy-3.6.12-78.fc11.noarch
selinux-policy-targeted-3.6.12-78.fc11.noarch
$ uname -a
Linux matisse.localdomain 2.6.29.6-217.2.8.fc11.x86_64 #1 SMP Sat Aug 15
01:06:26 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: targeted
(But the machine was in enforcing mode at the beginning of the story.)
--
Laurent Rineau
http://fedoraproject.org/wiki/LaurentRineau
6:20 a.m.
On Thu, Aug 27, 2009 at 12:46:51PM +0200, Laurent Rineau wrote:
On my F11 x64 machine, this morning, I have launch that command:
sudo semanage fcontext -a -t textrel_shlib_t
/opt/intel/Compiler/11.0/081/mkl/lib/em64t/libmkl_core.so
After that, my X11 server freezed. I managed to login on the machine with ssh,
but sudo got permission denied. :-(
Ouch
Then I have done:
- A soft shutdown with the power button. That shutdown was successful.
- Power on the machine. Boot the default kernel. Lots of AVC on the console.
X11 and mingetty unable to launch.
- Reboot with "enforcing=0 autorelabel=1 single". Relabelling seems ok.
- Reboot (with no selinux boot parameters). X11 and GDM ok. But just after I
tried to login, a popup told me something about permission denied on $HOME,
using HOME=/. Obviously, that failed!
- Reboot with enforcing=0.
Then I have managed to understand that the problem is that almost all my files
in $HOME are labeled: "system_u:object_r:default_t:s0" (actually all my $HOME
but files with customized context).
Another problem: unconfined_u has disappeared!
$ id -Z
user_u:user_r:user_t:s0
$ sudo semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range SELinux
Roles
guest_u user s0 s0 guest_r
root user s0 s0-s0:c0.c1023 staff_r
sysadm_r system_r unconfined_r
staff_u user s0 s0-s0:c0.c1023 staff_r
sysadm_r system_r
sysadm_u user s0 s0-s0:c0.c1023 sysadm_r
system_u user s0 s0-s0:c0.c1023 system_r
user_u user s0 s0 user_r
xguest_u user s0 s0 xguest_r
I have search on the web for a solution, but the only solutions proposed where
/.autorelabel! :-(
That is why I am looking for a clue here...
The machine is under F11, with updates. My configuration:
$ rpm -qa \*selinux\* \*semana\* | sort
libselinux-2.0.80-1.fc11.i586
libselinux-2.0.80-1.fc11.x86_64
libselinux-debuginfo-2.0.80-1.fc11.x86_64
libselinux-devel-2.0.80-1.fc11.x86_64
libselinux-python-2.0.80-1.fc11.x86_64
libselinux-utils-2.0.80-1.fc11.x86_64
libsemanage-2.0.31-4.fc11.x86_64
libsemanage-python-2.0.31-4.fc11.x86_64
selinux-policy-3.6.12-78.fc11.noarch
selinux-policy-targeted-3.6.12-78.fc11.noarch
$ uname -a
Linux matisse.localdomain 2.6.29.6-217.2.8.fc11.x86_64 #1 SMP Sat Aug 15
01:06:26 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: targeted
(But the machine was in enforcing mode at the beginning of the story.)
I'd probably reinstall selinux-policy
mv /etc/selinux/targeted /etc/selinux/targeted.backup
yum remove selinux-policy*
yum install selinux-policy selinux-policy-targeted
touch /.autorelabel && reboot
--
Laurent Rineau
http://fedoraproject.org/wiki/LaurentRineau
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
3:20 a.m.
On Thursday 27 August 2009 13:20:48 Dominick Grift wrote:
I'd probably reinstall selinux-policy
mv /etc/selinux/targeted /etc/selinux/targeted.backup
yum remove selinux-policy*
yum install selinux-policy selinux-policy-targeted
touch /.autorelabel && reboot
That worked! I had to reboot with selinux=0 before reinstalling selinux-
policy\*, because otherwise the rpm scripts had failures (probably a conflict
with the corrupted selinux policy that was in memory). I have redone all that
with the boot parameter selinux=0, then a reboot without that parameter, and I
no longer have AVC in audit.log (and my user and home directory are label
unconfined_u).
Thanks for the help!
By the way, I have retyped the semanage command that started the incident, and
it ran smoothly this time! :-)
--
Laurent Rineau
http://fedoraproject.org/wiki/LaurentRineau
5369
days inactive
5370
days old
selinux@lists.fedoraproject.org
2 comments
2 participants
participants (2)
-
Dominick Grift -
Laurent Rineau