Michal Jaegermann wrote:
On Sun, Jan 04, 2009 at 12:08:09PM -0500, Daniel J Walsh wrote:
> Michal Jaegermann wrote:
>> Something rather weird for 'id -Z': system_u:system_r:system_crond_t:s0
>> The other machine after an upgrade reports
>> 'root:unconfined_r:unconfined_t:SystemLow-SystemHigh' which looks
>> like something saner.
>>
>>> # semanage login -l
>> Login Name                SELinux User              MLS/MCS Range
>>
>> __default__               unconfined_u              s0-s0:c0.c1023
>> root                      system_u                  s0-s0:c0.c1023
>> system_u                  system_u                  s0-s0:c0.c1023
>>
> I think the problem is logging in as root is screwed up.
Indeed. I had that impression for quite a while.
> if you execute
>
> # semanage login -m -s unconfined_u root
> This should cause root users to log in as unconfined_t automatically.
That indeed changes 'semanage login -l' output to
Login Name                SELinux User              MLS/MCS Range
__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
but it does not help that much. I still get "Unable to get valid
context for root" from a login and 'system_u:system_r:system_crond_t:s0'
for 'id -Z'. BTW - that does not generate any audit messages; only
"error: ssh_selinux_setup_pty: security_compute_relabel: Invalid
argument", and related, in /var/log/secure.
> The sshd running as system_crond_t?
I told you this is weird. All of that after an upgrade from F8 to
F10. I really would like to know why as surely this is not a result
of me trying hard to mess things up.
> Does this happen on reboot?
That machine was rebooted a number of times and nothing changes.
I cannot switch to 'enforcing' as the box is "remote" and most
likely that would immediately cut me off. Before an upgrade this
was 'targeted' and 'enforcing'. As I wrote before: after an upgrade
I had to force relabelling on a reboot as otherwise most anything
was only spitting on me.
BTW - I did some hacking and I do not see at this moment any "avc"
type failure notifications in /var/log/messages. Only right now
the box is rather quiet. I am not sure what will happen when
regular users will show up.
Michal
If you execute service sshd restart from the unconfined_t user does it
still start as system_crond_t?
I actually just upgraded my father's machine from F8 to F10 and had a
problem with the root account not being set up to log in correctly. But I
saw no problems with sshd?
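Added example, not part of the thread or written by either poster: a small shell check for the two symptoms discussed above, a login name mapped to the SELinux user system_u in `semanage login -l` output and a session context whose type is not the expected one. The function names, the embedded sample tables (constructed from the output quoted in the thread) and the default expected type unconfined_t are assumptions of this example; on a live system the first check would be run as `semanage login -l | flag_system_u_logins`.

```shell
#!/bin/sh
# Added example (not from the thread). Sample tables are constructed from
# the `semanage login -l` output quoted above.

# Reads `semanage login -l` output on stdin; prints each login name, other
# than system_u itself, that is mapped to the SELinux user system_u.
flag_system_u_logins() {
    awk '
        NF < 3                         { next }  # blank or short lines
        $1 == "Login" && $2 == "Name"  { next }  # header row
        $2 == "system_u" && $1 != "system_u" { print $1 }
    '
}

# Prints the type (third field) of a context such as the one `id -Z` reports.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds if the context type equals the expected one. The default,
# unconfined_t, is an assumption taken from the fix suggested in the thread.
session_type_ok() {
    [ "$(context_type "$1")" = "${2:-unconfined_t}" ]
}

# Constructed sample: the mapping table before the suggested change.
sample_before() {
    cat <<'EOF'
Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      system_u                  s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
EOF
}

# Constructed sample: the same table after root is remapped to unconfined_u.
sample_after() {
    sample_before | sed 's/^root  *system_u/root unconfined_u/'
}

echo "flagged before: $(sample_before | flag_system_u_logins)"
echo "flagged after:  $(sample_after | flag_system_u_logins)"
for ctx in 'system_u:system_r:system_crond_t:s0' \
           'root:unconfined_r:unconfined_t:SystemLow-SystemHigh'; do
    if session_type_ok "$ctx"; then echo "ok:         $ctx"
    else echo "unexpected: $ctx (type $(context_type "$ctx"))"; fi
done
```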