Fedora Linux Support Community & Resources Center
  #1  
Old 7th December 2008, 10:53 AM
dpawson Offline
Registered User
 
Join Date: Dec 2006
Posts: 119
SELinux takes over my machine

Installed FC10 this week.

Re-booted this morning.

Unable to remove some of my own files.

[dpawson@marge tests]$ ls -al pipe4.xsl~
-rw-r--r-- 1 dpawson dpawson 1122 2008-12-06 12:56 pipe4.xsl~
[dpawson@marge tests]$ chmod 744 pipe4.xsl~
chmod: changing permissions of `pipe4.xsl~': Permission denied

Tried various other options

[dpawson@marge ~]$ su -
bash: su: command not found


Tried /system/log out/switch user

Unable to start new display

An SELinux policy prevents this sender from sending this message to
this recipient (rejected message had interface
"org.gnome.DisplayManager.LocalDisplayFactory" member
"CreateTransientDisplay" error name "(unset)" destination
"org.gnome.DisplayManager")

Reboot, login as root, not recognised.

Try to run a script

[dpawson@marge blog]$ ls -al new
-rwxr-xr-x 1 dpawson dpawson 195 2008-06-02 20:04 new
[dpawson@marge blog]$ ./new
bash: ./new: Permission denied


Is there any way as an 'ordinary' user (seems I'm not deemed competent to
run my own machine) I can get control back
Reply With Quote
  #2  
Old 7th December 2008, 11:25 AM
dgrift Offline
Registered User
 
Join Date: Dec 2008
Posts: 11
Hello, can you provide us with some details?

1. Did you install from livecd or from the installation dvd?
2. Can you paste the output of this command: id
3. Can you paste the output of this command: ls -alZ ~
4. Can you paste the output of the following commands:
- rpm -qa | grep policycoreutils
- rpm -qa | grep selinux

I already have a suspicion about what your issue may be. If my guess is right then this may or may not fix it:

1. Log in as root (press control-alt-f2) and log in as user root. Then add a new user to test: /usr/sbin/useradd -Z unconfined_u testuser
2. Alternatively you could boot the system in permissive mode by appending "enforcing=0" in the grub menu on the kernel boot line (this will allow you to start the system in "Permissive" mode). Permissive mode means that SELinux allows everything but logs would-be denials.

Last edited by dgrift; 7th December 2008 at 11:31 AM.
Reply With Quote
  #3  
Old 7th December 2008, 11:30 AM
dpawson Offline
Registered User
 
Join Date: Dec 2006
Posts: 119
Installed from installation dvd
[dpawson@marge ~]$ id
uid=500(dpawson) gid=500(dpawson) groups=500(dpawson),504(apach) context=user_u:user_r:user_t:s0

[dpawson@marge ~]$ ls -alZ ~
ls: cannot access /home/dpawson/.gvfs: Transport endpoint is not connected
drwx------ dpawson dpawson system_u:object_r:user_home_dir_t:s0 .
drwxr-xr-x root root system_u:object_r:home_root_t:s0 ..
-rw-r--r-- dpawson dpawson unconfined_u:object_r:user_home_t:s0 2007.11.mab
drwxr-xr-x dpawson dpawson unconfined_u:object_r:user_home_t:s0 .ActiveState
drwx------ dpawson dpawson system_u:object_r:nsplugin_home_t:s0 .adobe
-rw-r--r-- dpawson dpawson unconfined_u:object_r:user_home_t:s0 .aspell.en.prepl
-rw-r--r-- dpawson dpawson unconfined_u:object_r:user_home_t:s0 .aspell.en.pws
drwxr-xr-x dpawson dpawson unconfined_u:object_r:user_home_t:s0 .audacity-data
-rw------- dpawson dpawson unconfined_u:object_r:user_home_t:s0 .bash_history
-rw-r--r-- dpawson dpawson system_u:object_r:user_home_t:s0 .bash_logout
-rw-r--r-- dpawson dpawson system_u:object_r:user_home_t:s0 .bash_profile
-rwxr-xr-x dpawson dpawson unconfined_u:object_r:user_home_t:s0 .bashrc
drwxr-xr-x dpawson dpawson unconfined_u:object_r:user_home_t:s0 .batik
drwxr-xr-x dpawson dpawson unconfined_u:object_r:user_home_t:s0 .bibble
drwxrwxr-x dpawson dpawson unconfined_u:object_r:user_home_t:s0 bin

....

[dpawson@marge ~]$ rpm -qa | grep policycoreutils
policycoreutils-2.0.57-11.fc10.i386
policycoreutils-gui-2.0.57-11.fc10.i386


[dpawson@marge ~]$ rpm -qa | grep selinux
libselinux-2.0.73-1.fc10.i386
libselinux-python-2.0.73-1.fc10.i386
selinux-policy-targeted-3.5.13-26.fc10.noarch
libselinux-devel-2.0.73-1.fc10.i386
selinux-policy-3.5.13-26.fc10.noarch
libselinux-utils-2.0.73-1.fc10.i386
Reply With Quote
  #4  
Old 7th December 2008, 11:41 AM
dgrift Offline
Registered User
 
Join Date: Dec 2008
Posts: 11
Thanks. Yes, this confirms my suspicion:

Your default user is an unprivileged user (user_u).

user_u cannot use su or become a privileged user.

To solve this, either: control-alt-f2, log in as root and add an "unconfined user", or reload the system into permissive mode by appending "enforcing=0" in the grub menu on the kernel boot line if the first option does not work.

Once you become root, add an unconfined user by running this command: /usr/sbin/useradd -Z unconfined_u testuser, log in as this user and then confirm your "id" and try to run the su command again.

I do not know how this happened in the first place. It seems that SELinux is still a bit buggy. Issues like this should be reported to bugzilla.redhat.com in either the policycoreutils or selinux-policy component, so that these issues can be fixed asap.

Last edited by dgrift; 7th December 2008 at 11:43 AM.
Reply With Quote
  #5  
Old 7th December 2008, 11:42 AM
dpawson Offline
Registered User
 
Join Date: Dec 2006
Posts: 119
Finally managed to get in as root using ssh.

[root@marge ~]# semanage login -l

Login Name SELinux User MLS/MCS Range

__default__ unconfined_u s0-s0:c0.c1023
dpawson user_u s0
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023


Is that any help?
Reply With Quote
  #6  
Old 7th December 2008, 11:53 AM
dgrift Offline
Registered User
 
Join Date: Dec 2008
Posts: 11
Yes, the following commands may or may not solve your issue:

/usr/sbin/semanage login -m -s unconfined_u -r s0-s0:c0.c1023 dpawson

alternatively add a new user in the unconfined domain: /usr/sbin/useradd -Z unconfined_u dpawson2
Reply With Quote
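The diagnosis in posts #4 to #6 comes down to reading the `semanage login -l` table: a login with its own row gets that SELinux user, and every other login falls back to `__default__`. The following is an added example, not part of any post in this thread; the function names are hypothetical, and the sample table is the output from post #5.

```shell
#!/bin/sh
# Sample table: the `semanage login -l` output pasted in post #5.
sample_table() {
cat <<'EOF'

Login Name SELinux User MLS/MCS Range

__default__ unconfined_u s0-s0:c0.c1023
dpawson user_u s0
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
EOF
}

# selinux_user_for LOGIN: read a login table on stdin and print the SELinux
# user for LOGIN, or the __default__ entry when LOGIN has no row of its own.
selinux_user_for() {
    awk -v login="$1" '
        NF < 3 || $1 == "Login" { next }       # skip blank and header lines
        $1 == login         { explicit = $2 }
        $1 == "__default__" { fallback = $2 }
        END {
            if (explicit != "")      print explicit
            else if (fallback != "") print fallback
            else exit 1                        # no row and no default
        }'
}

# check_login LOGIN: report the mapping; for anything other than
# unconfined_u, print (never execute) the remap command from post #6.
check_login() {
    seuser=$(selinux_user_for "$1") || { echo "no mapping for $1"; return 2; }
    case "$seuser" in
        unconfined_u) echo "ok: $1 -> $seuser" ;;
        *) echo "restricted: $1 -> $seuser (not unconfined_u)"
           echo "remap: /usr/sbin/semanage login -m -s unconfined_u -r s0-s0:c0.c1023 $1"
           return 1 ;;
    esac
}

# Demo on the sample; on a live system, pipe in `semanage login -l` as root.
for u in dpawson root newuser; do
    sample_table | check_login "$u" || true
done
```

Here `newuser` has no row and resolves through `__default__`, which is why only the explicitly mapped `dpawson` account was affected.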
  #7  
Old 7th December 2008, 11:53 AM
dpawson Offline
Registered User
 
Join Date: Dec 2006
Posts: 119
Quote:
Originally Posted by dgrift View Post
Thanks. Yes, this confirms my suspicion:
To solve this, either: control-alt-f2, log in as root and add an "unconfined user", or reload the system into permissive mode by appending "enforcing=0" in the grub menu on the kernel boot line if the first option does not work.

Once you become root, add an unconfined user by running this command: /usr/sbin/useradd -Z unconfined_u testuser, log in as this user and then confirm your "id" and try to run the su command again.

I do not know how this happened in the first place. It seems that SELinux is still a bit buggy. Issues like this should be reported to bugzilla.redhat.com in either the policycoreutils or selinux-policy component, so that these issues can be fixed asap.
#useradd -Z unconfined_u testuser
seems not to be working, adding -p xxxx
for a password isn't helping.
Seems the user isn't being created?

I agree with your diagnosis... how to cure it please?

Can I change the selinux user for dpawson from user_u to unconfined_u ?
Is that possible?
Reply With Quote
  #8  
Old 7th December 2008, 11:56 AM
dpawson Offline
Registered User
 
Join Date: Dec 2006
Posts: 119
Quote:
Originally Posted by dgrift View Post
Yes, the following commands may or may not solve your issue:

/usr/sbin/semanage login -m -s unconfined_u -r s0-s0:c0.c1023 dpawson

alternatively add a new user in the unconfined domain: /usr/sbin/useradd -Z unconfined_u dpawson2


the semanage command failed
I.e. I couldn't su when I logged in as dpawson?


Question
# useradd -Z unconfined_u dpawson2

do you mean dpawson (I.e. the user_u selinux user?)
Reply With Quote
  #9  
Old 7th December 2008, 12:05 PM
dgrift Offline
Registered User
 
Join Date: Dec 2008
Posts: 11
Looks like the latest SELinux (policycoreutils) updates messed some things up.

This issue should be reported to bugzilla.redhat.com into the policycoreutils component so that it can be fixed as soon as possible.

Until then you may want to put SELinux into permissive mode:

There are a few ways to do this:

- you can, as root, edit the /etc/selinux/config file and replace "enforcing" by "permissive"
- or you can, as root, run system-config-selinux and on the main screen where it shows "enforce" or "enforcing" choose "Permissive" from the drop-down menu.
- or you can, when you load the system, press escape to go into the grub menu and edit the kernel boot line to append "enforcing=0"
- to temporarily put selinux in permissive mode run the command: /usr/sbin/setenforce 0 (as root)

These solutions should cause SELinux to load into a permissive mode. Permissive mode will allow everything that SELinux would normally deny. But SELinux will still report "would be" security violations.
Reply With Quote
  #10  
Old 7th December 2008, 12:09 PM
dpawson Offline
Registered User
 
Join Date: Dec 2006
Posts: 119
Quote:
Originally Posted by dgrift View Post
Yes, the following commands may or may not solve your issue:

/usr/sbin/semanage login -m -s unconfined_u -r s0-s0:c0.c1023 dpawson

unconfined_u dpawson2

I think it did work. I just had to reboot for it to take effect!

[dpawson@marge ~]$ id
uid=500(dpawson) gid=500(dpawson) groups=500(dpawson),504(apach) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Except I still can't log in as root from the boot up screen.

Bigger question, how to disable selinux altogether?
It's stopping me working, so for me it's a waste of time.

/System/Administration/SELinux manage shows it set to
Enforcing
Enforcing
Targeted
as the 'status'.

Surely there's a simple way to get rid of it?

Tks for the help btw. V.much appreciated.
Reply With Quote
  #11  
Old 7th December 2008, 12:14 PM
dgrift Offline
Registered User
 
Join Date: Dec 2008
Posts: 11
Disabling SELinux is not recommended. Your issue is now solved for a big part.

To disable SELinux you should change its status to, preferably, Permissive (this will not disable SELinux but put it in "intrusion detection mode" as opposed to "intrusion prevention mode", i.e. it will not deny security violations but it will report them, so that you can at least be aware of security violations when they happen).

To completely disable SELinux, put the selinux status to "Disabled" (this is really not recommended and it is discouraged).

The reason that you cannot log in as root from the boot up screen has nothing to do with SELinux.

If you disable SELinux you will only fool yourself and you will make it harder for you to accept it. You do need it. Sooner rather than later you will have to learn to work with it.

Last edited by dgrift; 7th December 2008 at 12:19 PM.
Reply With Quote
  #12  
Old 7th December 2008, 12:32 PM
dpawson Offline
Registered User
 
Join Date: Dec 2006
Posts: 119
Quote:
Originally Posted by dgrift View Post
Disabling SELinux is not recommended. Your issue is now solved for a big part.

To disable SELinux you should change its status to, preferably, Permissive (this will not disable SELinux but put it in "intrusion detection mode" as opposed to "intrusion prevention mode", i.e. it will not deny security violations but it will report them, so that you can at least be aware of security violations when they happen).

To completely disable SELinux, put the selinux status to "Disabled" (this is really not recommended and it is discouraged).

The reason that you cannot log in as root from the boot up screen has nothing to do with SELinux.

If you disable SELinux you will only fool yourself and you will make it harder for you to accept it. You do need it. Sooner rather than later you will have to learn to work with it.
Err.. you're beginning to sound like the thought police dgrift?

I tried that. Doing the remap on boot it reported dozens of ?? types? in the contexts as being not mapped, so it has its knickers in a twist anyhow.

If Fedora want this on board they ought to find a way of presenting the information
in a usable manner.


Again, thanks for your help. I'll go elsewhere for the logon bug.
Reply With Quote
  #13  
Old 8th December 2008, 02:29 AM
joshland Offline
Registered User
 
Join Date: Dec 2008
Posts: 2
Using SELinux

Quote:
Originally Posted by dgrift View Post
Disabling SELinux is not recommended.

....

If you disable SELinux you will only fool yourself and you will make it harder for you to accept it. You do need it. Sooner rather than later you will have to learn to work with it.
Disabling SELinux != Fooling(self)

Sometimes 'disabling SELinux' is equivalent to 'using my machine successfully'. SELinux may be a good thing, but for the past five years, it's been a gigantic PITA. I understand that the batshiat crazy security community wants to use the rest of us as guinea pigs for testing, but seriously. "Fooling yourself" is not the byproduct of disabling it. You're fooling yourself if you think that disabling is the end of the world.

I think that Fedora should have a big label, on text login:

"To disable SELinux type: xxxxxxxx"
Reply With Quote
  #14  
Old 8th December 2008, 01:00 PM
dpawson Offline
Registered User
 
Join Date: Dec 2006
Posts: 119
Summary:

1. To get rid of selinux

Figure out how to log on as root. Alternatives for me were Alt F2, or ssh root@localhost

As root, edit /etc/selinux/config

Change the line which sets the 'mode' for selinux to
SELINUX=disabled

To allow root to log on as a normal user (for brief periods) with the GUI,
change /etc/pam.d/gdm
Replace
auth required pam_succeed_if.so user != root quiet
with
auth required pam_succeed_if.so

HTH others who feel the same as I about SELinux.
Until a more human face is put on its silly error messages I can imagine
many more rejecting it.
Linux tools are supposed to be there to help us do a job, not hinder us.
Currently selinux is a real hindrance.

DaveP
Reply With Quote
  #15  
Old 8th December 2008, 08:11 PM
joshland Offline
Registered User
 
Join Date: Dec 2008
Posts: 2
Disabling SELinux

Quote:
Originally Posted by dpawson View Post
Summary:

....

HTH others who feel the same as I about SELinux.
Until a more human face is put on its silly error messages I can imagine
many more rejecting it.
Linux tools are supposed to be there to help us do a job, not hinder us.
Currently selinux is a real hindrance.
Amen. BTW: I don't have a problem disabling it, I was just poking about to see if anyone else was having any similar issues. (Which I didn't post about). I usually disable SELinux, and in a deep secret part of me, I am glad that FC is working on getting it right. Hoo-RA. I just wanted to say: Let's make disabling it easy-sleazy. (For Admins).

Finally, I am hardcore: I added "selinux=0" to my kernel boot line. I did set the userspace utilities with /etc/sysconfig/selinux, but thanks for the response. I am sure they'll make it awesome someday, but I wonder how much longer before it's clear to the end user what's going on.
Reply With Quote

Tags
selinux fc10
