Major problems after upgrade from FC1

A. Gautier mada at gautier.org
Mon Jul 12 17:50:51 UTC 2004


I am about to pull what little is left of my hair out.  I decided to
upgrade from FC1 to FC2 by pointing yum to an FC2 repository and upgrading
all packages.  This worked for the most part, but I am having massive
problems with SELinux.  I am not sure that SELinux got set up properly.  One
of the biggest problems that I have is that crond no longer runs.  I
have been following the Fedora SELinux FAQ to get up to speed, with lots of
Google searches and watching this list, but I have not been able to solve
my problem.  My first problem is that system crond is not running.  My
user crontab is running fine.  So, my question is: could someone help me

1.) Make sure my setup is correct.
2.) Get the correct policies set up (I am also having a problem with
postfix, but I think if I get #1 then there is enough info on the web to
solve that problem).

Also, the reason I think there is a configuration problem is that, when
following the FAQ to add a user:

------------------------------
EXCERPT:
http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/index.html#id3004455

Q: How can I create a new Linux user account with the user's home
directory having the proper context?

A: You can create your new user with the standard useradd command, but
first you must become root with a context of sysadm_r. This context switch
has been incorporated into the su command:

%>su - root
   Your default context is root:sysadm_r:sysadm_t.
   Do you want to choose a different one? [n] n
%>useradd auser
%>ls -Z /home
   drwxr-xr-x  auser     auser     root:object_r:user_home_dir_t    /home/auser
------------------------------

So I thought if I ran ls -Z /home I would get a similar result?

------------------------------
OUTPUT: ls -Z /home

drwxr--r--+ <user>     <group>     (null)                           <user>

Also, I get the (null) report on all directories in /root.

------------------------------
OUTPUT: sudo /usr/sbin/sestatus -v
SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           permissive
Policy version:         17

Policy booleans:
user_ping               inactive

Process contexts:
Current context:        user_u:sysadm_r:sysadm_t
Init context:           system_u:system_r:kernel_t
/sbin/mingetty          system_u:system_r:kernel_t
/usr/sbin/sshd          system_u:system_r:kernel_t

File contexts:
Controlling term:       user_u:object_r:devpts_t


-----------------
EXCERPT: /var/log/messages

Jul 12 12:00:00 sun kernel: audit(1089651600.583:0): avc:  denied  {
compute_user } for  pid=27396 exe=/usr/sbin/crond
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t
tclass=security
Jul 12 12:00:00 sun kernel: audit(1089651600.584:0): avc:  denied  {
compute_av
} for  pid=27396 exe=/usr/sbin/crond scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:security_t tclass=security
Jul 12 12:00:00 sun kernel: audit(1089651600.586:0): avc:  denied  {
check_context } for  pid=27396 exe=/usr/sbin/crond
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t
tclass=security
Jul 12 12:00:00 sun kernel: audit(1089651600.586:0): avc:  denied  { write
} for  pid=27396 exe=/usr/sbin/crond name=exec dev=proc ino=1795424277
scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t
tclass=file
Jul 12 12:00:00 sun kernel: audit(1089651600.587:0): avc:  denied  {
setexec } for  pid=27396 exe=/usr/sbin/crond
scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t
tclass=process
Jul 12 12:00:00 sun kernel: audit(1089651600.587:0): avc:  denied  {
transition
} for  pid=27396 exe=/usr/sbin/crond path=/bin/bash dev=hda3 ino=3850263
scontext=system_u:system_r:kernel_t tcontext=user_u:sysadm_r:sysadm_t
tclass=process
Jul 12 12:00:00 sun kernel: audit(1089651600.590:0): avc:  denied  {
siginh } for  pid=27396 exe=/bin/bash scontext=system_u:system_r:kernel_t
tcontext=user_u:sysadm_r:sysadm_t tclass=process
Jul 12 12:00:00 sun kernel: audit(1089651600.590:0): avc:  denied  {
rlimitinh } for  pid=27396 exe=/bin/bash
scontext=system_u:system_r:kernel_t tcontext=user_u:sysadm_r:sysadm_t
tclass=process
Jul 12 12:00:00 sun kernel: audit(1089651600.590:0): avc:  denied  {
noatsecure
} for  pid=27396 exe=/bin/bash scontext=system_u:system_r:kernel_t
tcontext=user_u:sysadm_r:sysadm_t tclass=process
Jul 12 12:00:01 sun kernel: audit(1089651601.074:0): avc:  denied  {
execute } for  pid=27400 exe=/usr/sbin/crond name=sendmail.postfix
dev=hda3 ino=3391852 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:sendmail_exec_t tclass=file
Jul 12 12:00:01 sun kernel: audit(1089651601.074:0): avc:  denied  {
execute_no_trans } for  pid=27400 exe=/usr/sbin/crond
path=/usr/sbin/sendmail.postfix dev=hda3 ino=3391852
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:sendmail_exec_t tclass=file
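
Added example, not part of the original post: a Python parser for the AVC denial format in the /var/log/messages excerpt above. It rejoins mail-wrapped records and groups the denied permissions by executable and source domain. The sample is three records copied from the excerpt, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Three records copied from the excerpt above, still wrapped as in the mail.
SAMPLE = """\
Jul 12 12:00:00 sun kernel: audit(1089651600.583:0): avc:  denied  {
compute_user } for  pid=27396 exe=/usr/sbin/crond
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t
tclass=security
Jul 12 12:00:00 sun kernel: audit(1089651600.587:0): avc:  denied  {
transition
} for  pid=27396 exe=/usr/sbin/crond path=/bin/bash dev=hda3 ino=3850263
scontext=system_u:system_r:kernel_t tcontext=user_u:sysadm_r:sysadm_t
tclass=process
Jul 12 12:00:01 sun kernel: audit(1089651601.074:0): avc:  denied  {
execute } for  pid=27400 exe=/usr/sbin/crond name=sendmail.postfix
dev=hda3 ino=3391852 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:sendmail_exec_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
START_RE = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s")  # syslog timestamp

def unwrap(text):
    """Rejoin records that were wrapped across several lines."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        if START_RE.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def parse_avc(record):
    """Return the key=value fields of one AVC record, or None."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    fields.update(result=m.group(1), perms=m.group(2).split())
    fields["sdomain"] = fields.get("scontext", "::").split(":")[2]
    return fields

def summarize(text):
    """Map (exe, source domain) -> set of denied 'tclass:perm' pairs."""
    out = defaultdict(set)
    for f in filter(None, map(parse_avc, unwrap(text))):
        if f["result"] == "denied":
            key = (f.get("exe", "?"), f["sdomain"])
            out[key].update(f"{f.get('tclass')}:{p}" for p in f["perms"])
    return dict(out)

def stuck_in_kernel_t(text):
    """Executables whose denials have a source context in kernel_t."""
    return sorted({exe for exe, dom in summarize(text) if dom == "kernel_t"})
```
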






