Locked Out by SELinux


ole_ersoy
8th January 2009, 05:28 PM
Hi,

I had SELinux disabled in order to get some things working, and then enabled it again. I then rebooted. Now SELinux is not letting any of the users log in. Not even root. I've even tried from a remote terminal.

[root@bb X11]# ssh root@192.168.1.6
Unable to get valid context for root
Last login: Thu Jan 8 09:52:51 2009 from 192.168.1.7
Connection to 192.168.1.6 closed.

Anyone know how to get around this?

TIA,
- Ole

Hlingler
8th January 2009, 06:38 PM
Try either booting into run-level 1 and disable SELinux, or at GRUB, add the 'selinux=off' option to the kernel boot parameter line.

V

ole_ersoy
8th January 2009, 06:44 PM

OK - I booted into run level 1 and was able to disable selinux (vi /etc/selinux/config) again, and then everything went back to normal. I think I have to put a .autorelabel file in / in order for selinux to relabel everything properly, but I did not try that yet.

ole_ersoy
8th January 2009, 06:45 PM
Whoops - Sorry I did not see the reply before posting my own. Thanks for the help - excellent advice!
- Ole

SteveGYBE
8th January 2009, 06:48 PM
...in order to get some things working... Did this include manually editing /etc/passwd, /etc/shadow and/or /etc/group? If so, you could have lost the SELinux contexts for these files so SELinux will refuse to allow programs to use them (unless you are logging on in single-user mode).

If that is the case, restorecon -rv /etc might help put things right again. The "-v" flag will list all the corrections the command makes.

ole_ersoy
8th January 2009, 10:24 PM
Hi Steve,

I'm not brave enough to manually edit :-), but I'll give your command a shot anyways, maybe something else is goofy:

[root@ole workspace]# restorecon -rv /etc
[root@ole workspace]#

Does not look like there's anything up there. I'm surprised that the system is doing what it's doing. I turned off SELinux to build and run some custom packages and then I turned it back on. Seems like a bug, but I'm not sure how to file a bug report, since I don't know how to reproduce the problem....

Thanks,
- Ole

domg472
8th January 2009, 10:58 PM
Did you get any messages in /var/log/secure, /var/log/audit/audit.log, dmesg, /var/log/messages?

Can you provide us with the following info:

ls -lZ /etc/selinux/targeted/contexts/users
semanage user -l
semanage login -l

Also try a full file system relabel just to be sure your contexts aren't messed up (touch /.autorelabel && reboot).
When you disable selinux the file contexts may get messed up, so when you re-enable it you should restore the contexts.

I cannot think of any good reason to disable selinux. It is better to just put it into permissive mode (intrusion detection mode instead of intrusion prevention). At least this will not mess up contexts much. (enforcing=0 in grub)
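
The following helper script is an added example, not part of this thread or of any Fedora or SELinux tool. It mechanises the two checks raised in SteveGYBE's and domg472's posts, using constructed sample data under a temporary directory so it runs on any machine without SELinux: it reads the SELINUX= mode from a file in the /etc/selinux/config format, decides whether a mode change is the disabled-to-active transition that calls for touch /.autorelabel before rebooting, and counts entries in ls -lZ-style output whose context column is "?" (no usable label). The file names under the temporary directory, the sample config and the context string on the third listing line are all constructed for the example.

```shell
#!/bin/sh
# Added example: helper functions for the SELinux checks discussed in this thread.
# Everything below works on constructed sample data under a temporary directory,
# so it runs without SELinux and without touching the real /etc/selinux/config.

# Print the SELINUX= mode (enforcing|permissive|disabled) from a config file in
# the /etc/selinux/config format; comment lines are ignored, last assignment wins.
mode_from_config() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Return 0 when switching from mode $1 to mode $2 requires a full relabel, i.e. the
# disabled -> permissive/enforcing transition after which the OP was locked out.
# That is the moment to run: touch /.autorelabel && reboot
relabel_needed() {
    if [ "$1" = disabled ] && [ "$2" != disabled ]; then
        return 0
    fi
    return 1
}

# Count entries in `ls -lZ` output whose context column is "?" (no usable label).
# Field 4 assumes the column layout shown in the thread: perms owner group context name.
count_unlabeled() {
    awk '$4 == "?" { n++ } END { print n + 0 }' "$1"
}

# --- constructed sample data (not captured from a real system) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/config" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX=disabled          (old setting, commented out)
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

# Two entries with no label (as in the OP's listing) and one labelled entry;
# the context string on the last line is a constructed value.
cat > "$SAMPLE_DIR/listing" <<'EOF'
-rw-r--r-- root root ? guest_u
-rw-r--r-- root root ? root
-rw-r--r-- root root system_u:object_r:default_context_t:s0 staff_u
EOF

# --- demonstration ---
current=$(mode_from_config "$SAMPLE_DIR/config")
echo "configured mode: $current"

if relabel_needed disabled "$current"; then
    echo "disabled -> $current: touch /.autorelabel before rebooting"
fi
if relabel_needed permissive "$current"; then
    echo "permissive -> $current: relabel needed"
else
    echo "permissive -> $current: contexts were maintained, no relabel needed"
fi

echo "unlabeled entries in listing: $(count_unlabeled "$SAMPLE_DIR/listing")"
```

Point the functions at the real /etc/selinux/config and at `ls -lZ` output of a directory such as /etc/selinux/targeted/contexts/users to reproduce the checks on a live system; a non-zero unlabeled count is the cue to run restorecon on that tree or to schedule a full relabel.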

ole_ersoy
9th January 2009, 03:34 AM
ls -lZ /etc/selinux/targeted/contexts/users

[root@ole Documents]# ls -lZ /etc/selinux/targeted/contexts/users
-rw-r--r-- root root ? guest_u
-rw-r--r-- root root ? root
-rw-r--r-- root root ? staff_u
-rw-r--r-- root root ? unconfined_u
-rw-r--r-- root root ? user_u
-rw-r--r-- root root ? xguest_u

semanage user -l

[root@ole Documents]# semanage user -l

                Labeling  MLS/       MLS/
SELinux User    Prefix    MCS Level  MCS Range        SELinux Roles

guest_u         user      s0         s0               guest_r
root            user      s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
staff_u         user      s0         s0-s0:c0.c1023   staff_r sysadm_r system_r
sysadm_u        user      s0         s0-s0:c0.c1023   sysadm_r
system_u        user      s0         s0-s0:c0.c1023   system_r
unconfined_u    user      s0         s0-s0:c0.c1023   system_r unconfined_r
user_u          user      s0         s0               user_r
xguest_u        user      s0         s0               xguest_r

semanage login -l
[root@ole Documents]# semanage login -l

Login Name      SELinux User    MLS/MCS Range

__default__     unconfined_u    s0
root            unconfined_u    s0-s0:c0.c1023
system_u        system_u        s0-s0:c0.c1023

I'm definitely going with "permissive" from now on :-). I'm sure you're right - the file contexts are probably off. I just did touch /.autorelabel and set selinux back to enforcing. I'll reboot now and see whether everything works OK. If not, I'll post back.

Thanks,
- Ole

ole_ersoy
9th January 2009, 04:26 AM
OK - It works fine now after relabeling. Thanks again for helping straighten it out!
- Ole

ole_ersoy
11th January 2009, 08:18 PM
I ended up creating a bug report.

https://bugzilla.redhat.com/post_bug.cgi

Per the Fedora documentation (See the bottom):
http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-Main_Configuration_File.html

The file system should be relabeled automatically when changing from disabled to permissive or enforcing.

ole_ersoy
11th January 2009, 08:19 PM
Oops - no ticket number in the URL - this is the ticket number:
479590