Re: trying to understand SELinux message

Marko Vojinovic wrote:
On Monday 16 November 2009 05:47:43 Paul Allen Newell wrote:
I am not certain why I would want to
disable SELinux as it clearly is part of the Fedora package and is
trying to tell me that something isn't right.

Good thinking. You definitely do not want to disable SELinux. It is there for a good reason, even if one doesn't know the details of what that reason is.
Yes, I know I should not start X server or login as root ...

So why did you do it then? Disabled root GUI is also the default for a reason, just as SELinux. They are multiple protective layers that try to secure your system from any malicious activity, including your own.

and that is
not my normal work habit. But I would expect that I should still be able
to do such and not have SELinux bark unless there was something wrong.
It is the "what is wrong" that I am trying to understand and correct.

What is wrong (technically) is you moving files across directories without changing their SELinux context appropriately. At least that appears so based on the info you provided.

However...

What is wrong (essentially) is precisely logging in as root in a GUI. This is disabled by default in Fedora, and SELinux policy assumes you run the default configuration. Once you enabled root GUI and started poking around in it, it was just a matter of time before SELinux starts yelling at you doing this or that wrong. I cannot tell exactly what SELinux is complaining about until you provide some setroubleshoot info, but it is definitely because you logged in a GUI as root, played around with things and then did something SELinux doesn't like. And it will keep happening over and over unless you stop using root GUI.

If you are more familiar with Windows world, this would be like logging in with admin privileges, disabling antivirus software and automatic updates, and then asking "why does the system keep alerting me that security might be compromised?". Well, you compromised it.

So much for understanding.

As for correcting the error, I can advise the following:

1) Find all files that you have been mv-ing as root, and move them back to their original location.
2) Stop using root GUI.
3) Learn that mv keeps SELinux labels, in contrast to cp, which changes them appropriately. Understand that this is an intentional feature of mv and cp. The file and directory labels are displayed by "ll -Z".
4) Whenever you need root access use "su -" to log in as root, or learn to configure and use sudo. Use only your normal user account for GUI.
5) For regular system administration you don't even need to use su and sudo, because the system should ask you for the root password whenever you start a GUI app that needs elevated privileges.
6) If SELinux keeps complaining more, learn how to use the setroubleshoot utility and post the output here on the list. People will help you correct it all, but only after you make sure not to produce any more problems by using root GUI.

HTH.

Best, :-)
Marko

Marko:

Appreciate the reply.

The information provided about SELinux context is what I was trying to understand. I am sufficiently newbie to not really understand what SELinux is doing and, given your info and the post about "SELinux is preventing the gdm-session-wor from using potentially mislabeled files (.dmrc)." make it very obvious what I did to incur the warnings.

I now can backtrack my actions and see what I did wrong. Lesson learned regarding SELinux labels.

This upcoming weekend, I will go back and su to root to correct using the suggestions you provided.

There is a strong temptation to defend my logging in as root just like a child defends an indefensible action. So, to you and everyone who said "don't do it", I have no defense. I'm not from a Windows world, I'm old-school Unix where the only way some things could be fixed was to su to root and it was just easier for big tasks to log in as root. No excuse for that now, but old habits die hard. Once again, no defense on my part ... I've offered my lame reason just to show it's lame.

Thanks,
Paul


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
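
Added example, not part of the original messages: a shell filter for the label problem discussed in this thread, where a file moved with mv keeps the SELinux type of its old location. It reads the output of `matchpathcon -V` and lists files whose type differs from the policy default; the paths and contexts in `sample_report` are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find files whose SELinux type no longer matches policy,
# as happens when a file is moved with mv (label kept) instead of cp.
#
# Input is the output of `matchpathcon -V <path>...`, one line per file:
#   <path> verified.
#   <path> has context <actual>, should be <expected>

# Print the type (third colon-separated field) of a context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read matchpathcon -V output on stdin and print
# "<path> <actual_type> <expected_type>" for every mismatched file.
mislabeled() {
    while IFS= read -r line; do
        case $line in
            *" has context "*", should be "*)
                path=${line%% has context *}
                rest=${line#* has context }
                actual=$(context_type "${rest%%, should be *}")
                expected=$(context_type "${rest#*, should be }")
                if [ "$actual" != "$expected" ]; then
                    printf '%s %s %s\n' "$path" "$actual" "$expected"
                fi
                ;;
        esac
    done
    return 0
}

# Constructed sample: a .dmrc moved out of root's home keeps its old type.
sample_report() {
    cat <<'EOF'
/home/user/.dmrc has context unconfined_u:object_r:admin_home_t:s0, should be system_u:object_r:xdm_home_t:s0
/home/user/.bashrc verified.
EOF
}

# Offline demonstration on the constructed sample.
sample_report | mislabeled
```

On an SELinux system, `matchpathcon -V ~/.dmrc | mislabeled` checks a real file, and `restorecon -v` on the reported path resets its label to the policy default.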