Fedora Linux Support Community & Resources Center

  #1  
Old 25th May 2006, 03:12 PM
Evil-I Offline
Registered User
 
Join Date: Nov 2004
Posts: 90
Enabled SELINUX now can't login....

Hi there,

I was sorting out security on my recently installed FC5 box, I enabled the firewall with all the appropriate ports added etc and decided to turn on SELINUX in enforce mode as well (not having used this before....should have known better I suppose). Now I can't get into my box either by ssh (it asks for username and password then closes the puttyssh viewer once you hit enter on the password) or locally (input username and password then get an error message saying "cannot start the session as there has been an internal error")

The next dialogue that appears tells me that as my session lasted less than 10 seconds etc..... but does give me a tick box to see the ~/.xsession-errors file with the following content.

/etc/gdm/PreSession/Default: Registering your session with wtmp and utmp
/etc/gdm/PreSession/Default: running: usr/bin/sessreg -a -w /var/log/wtmp -u /var/run/utmp -x "/var/gdm/:0.Xservers" -h "" -l ":0" "server"
session_child_run: Could not exec /etc/X11/xinit/Xsession default

I've not tried using linux rescue or anything to try and get into the box yet, to be honest just being able to turn selinux off would be fine by me. Can anyone suggest a. What's happened and b. a way to make it stop!

Any help greatly appreciated,

E-I
  #2  
Old 25th May 2006, 03:31 PM
jbannon Offline
Registered User
 
Join Date: Dec 2005
Posts: 909
Can you login at the console as root? If so, try typing the following:

setsebool -P allow_execstack=1
setsebool -P allow_execmod=1

This should allow you to get into X. You also need to sort out the ssh side as I don't think it's just enough to trust it as a service in the firewall. I don't know how to do this last bit though.
__________________
Best regards,
Jim Bannon
(Registered Linux User #405603 :) )
  #3  
Old 25th May 2006, 03:58 PM
Evil-I Offline
Registered User
 
Join Date: Nov 2004
Posts: 90
Thanks for reply,

I've not been able to get terminal access from within the FC5 login screen as it always gives me the same error messages as above.

I booted from my Install DVD did 'linux rescue' and 'chroot /mnt/sysimage' then su for root. I ran the commands you suggested, unfortunately there was no change once I'd rebooted, same error messages as before.

Is there any way of disabling selinux from linux rescue? It's only a home server and I'm sure it will be fine with just its internal firewall and being behind a firewalled router as well.

Feel like I've opened Pandora's box.... must keep reminding myself to not randomly turn things on in linux without having a good idea of what it's going to do....Bugger!

Thanks again,

E-I
  #4  
Old 25th May 2006, 04:18 PM
Evil-I Offline
Registered User
 
Join Date: Nov 2004
Posts: 90
Got it sorted.....

Found this post by a very helpful chap on how to disable selinux in console from linux rescue.

http://forums.fedoraforum.org/forum/...elinux+console

I think SElinux is going to stay off for now until I have some time to get my head round it!
Thanks for your help,

E-I
  #5  
Old 25th May 2006, 04:45 PM
jbannon Offline
Registered User
 
Join Date: Dec 2005
Posts: 909
Yeah, I just looked it up on the manual page and then at /etc/selinux/config to see how it should be done. Funny thing though is that I haven't had any problems with selinux other than not setting allow_execstack and allow_execmod after upgrading the kernel and installing kmod-fglrx (you either get a blank screen or the menu panels appear but nothing is on them and dmesg tells you it can't reset to use the module properly). Documentation on selinux is kind of scanty, the books I have show how to set it but don't tell you what any of the variables actually do and if you set the above variables and look in /selinux they appear there but don't appear in the GUI admin tool. I leave it on for safety's sake but I don't suppose it's needed really for a home desktop. A server would be another matter however if it's open to the internet or in a DMZ.
__________________
Best regards,
Jim Bannon
(Registered Linux User #405603 :) )
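
Added example (not part of the thread and not the posters' code): a shell helper that changes the boot-time mode in the /etc/selinux/config file mentioned above, usable against an install mounted from rescue media. It sets permissive rather than disabled by default usage, and the relabel marker rests on an assumption the thread does not confirm (that files were left unlabelled while SELinux was off); the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. <root> is "/" on a running system, or the mounted install
# (e.g. /mnt/sysimage) when working from rescue media without chroot.

make_sample_root() {
    # Constructed sample: throwaway tree with a minimal config file.
    d=$(mktemp -d) && mkdir -p "$d/etc/selinux" || return 1
    printf '%s\n' '# constructed sample' 'SELINUX=enforcing' \
        'SELINUXTYPE=targeted' > "$d/etc/selinux/config"
    echo "$d"
}

get_selinux_mode() {
    # Print the boot-time mode; SELINUXTYPE= lines do not match.
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1/etc/selinux/config" | tail -n 1
}

set_selinux_mode() {
    root=$1; mode=$2; cfg="$root/etc/selinux/config"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    tmp=$(mktemp) || return 1
    if grep -q '^SELINUX=' "$cfg"; then
        sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$tmp"
    else
        { cat "$cfg"; echo "SELINUX=$mode"; } > "$tmp"
    fi
    # Overwrite in place so the file keeps its owner, mode and label.
    cat "$tmp" > "$cfg" && rm -f "$tmp" || return 1
    # Assumption: files written while SELinux was off are unlabelled, so
    # request a full relabel on next boot whenever SELinux stays on.
    if [ "$mode" != disabled ]; then : > "$root/.autorelabel"; fi
}
```

From rescue media this would be called as `set_selinux_mode /mnt/sysimage permissive`; in permissive mode denials are logged but not enforced, so logins work while the log shows what enforcing mode would have blocked.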
  #6  
Old 25th May 2006, 05:13 PM
Evil-I Offline
Registered User
 
Join Date: Nov 2004
Posts: 90
This machine IS a server, although the only thing open to the internet is the teamspeak voice communication software, as well as the basic firewall setup in FC5 it's also sat behind a router that has a SPI firewall built in, so hopefully that will be fine for my needs.

Anyway, thanks very much for your help my friend, it's always appreciated!

Best,

E-I