SELinux preventing login (Fedora 16)

[Daniel J Walsh]

On 04/11/2012 10:27 PM, Braden McDaniel wrote:
> On Wed, 2012-04-11 at 17:27 -0400, Paul W. Frields wrote:
>> On Wed, Apr 11, 2012 at 03:37:45PM -0400, Braden McDaniel wrote:
>>> On Wed, 2012-04-11 at 15:25 -0400, Daniel J Walsh wrote:
>>>> Are you booted with SELinux in permissive mode of disabled?
>>> 
>>> I'm booted with it disabled:
>>> 
>>> # cat /etc/selinux/config | grep disabled #     disabled - No SELinux
>>> policy is loaded. SELINUX=disabled
>>> 
>>>> ausearch -m avc
>>> 
>>> That's long; I'll attach it.
>> 
>> You might want to try this as root first, after saving your work:
>> 
>> touch /.autorelabel ; reboot
> 
> I did that previously; but it didn't seem to help. (Perhaps because I still
> had SELinux disabled when I did it?)
> 
>> Running SELinux disabled is unnecessary.  Running in permissive mode is
>> much better, since it allows you to switch back and forth without 
>> labeling problems.
>> 
>> When you run in disabled mode, SELinux labels aren't written to the disk
>> when files are created, so when you try to turn SELinux on later, it
>> results in lots of denial errors.  Permissive mode does pretty much the
>> same thing as enforcing mode, but any denials are ignored, so SELinux
>> won't prevent access.
> 
> That's likely how I got myself into this.  I had disabled it while 
> attempting to troubleshoot something else.  I probably installed and/or 
> updated some packages before I remembered to turn it back on.
> 
> So I changed to "permissive" and did the autorelabel thing again.  This 
> time I was able to zero in on some messages that were likely pertinent; and
> the SELinux troubleshooter suggested:
> 
> setsebool -P authlogin_nsswitch_use_ldap 1
> 
> I'll continue to run "permissive" for a little while longer and see if that
> fixes it.
> 


What AVC indicated that you needed this?  Are you using pam_ldap?  ldap for
user authorization?

We just added the ability for samba to use ldap, out of the box.