Re: F13->F14 upgrade + relabel = logins hosed: entrypoint access denied

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/31/2011 05:17 PM, Dave Mitchell wrote:
> I just tried to upgrade a F13 system to F14 using preupgrade.
> It seemed to go well, but I was getting a lot of AVC denials for NM
> and polkitd, and NM wasn't working properly. So I tried a 'touch
> /.autorelabel' and reboot.  It seemed to work, but now I can't login. Any
> login attempt (via gdm or F2 console) immediately logs me back out again.
> 
> /var/log/messages shows, for a console login as root:
> 
> SELinux is preventing /bin/login from entrypoint access on the file /bin/bash
> 
> and for a GUI-based login:
> 
> SELinux is preventing /usr/libexec/gdm-session-worker from entrypoint access on the file /usr/bin/gnome-keyring/daemon
> SELinux is preventing /usr/libexec/gdm-session-worker from entrypoint access on the file /etc/X11/xinit/Xsession
> 
> I can boot single user okay.
> 
> I ran 'fixfiles restore' to relabel again and rebooted, and it made no
> difference.
> 
> By comparing with a similar but un-upgraded (ie F13) working host, I
> found that the following are the same on both hosts:
> 
> # ls -lZ /bin/login
> -rwxr-xr-x. root root system_u:object_r:login_exec_t:s0 /bin/login
> 
> # ls -lZ /bin/bash
> -rwxr-xr-x. root root system_u:object_r:shell_exec_t:s0 /bin/bash
> 
> Policy is the same apart from changes in ethereal and spamd:
> 
> # sesearch --allow --neverallow --auditallow --dontaudit --type \
>     --role_allow --role_trans --range_trans \
>     | sort | egrep -v'ethereal|spam[cd]'
> 
> # sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy version:                 24
> Policy from config file:        targeted
> 
> While the two systems give the following:
> 
> # rpm -q selinux-policy
> selinux-policy-3.7.19-101.fc13.noarch # F13 host
> selinux-policy-3.9.7-40.fc14.noarch   # F14 borked host
> 
> At this point I've exhausted my meager understanding of selinux.
> 
> Any suggestions?
> Thanks.
> 
It is an upgrade bug.

https://bugzilla.redhat.com/show_bug.cgi?id=702865#c13

explains how to fix it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk3mPk8ACgkQrlYvE4MpobOiIQCggCBOdDhAJSfF6VQcNHBV/jK9
t/0An3HukI2lrdRG9F1BRec1X2+tVw4t
=vF+e
-----END PGP SIGNATURE-----
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux