Re: SELinux is preventing /bin/login...access on the file /bin/bash

David Quigley <selinux@xxxxxxxxxxxxxxx> · Mon, 12 Dec 2011 07:30:30 -0500

It looks like your backup didn't backup the security labels. How did 
you make the back up? The way to get labels set back properly would be 
to book the kernel in permissive by adding enforcing=0 to the kernel 
command line. Note that this is different from selinux=0 which disables 
selinux completely. Then once you're in touch /.autorelabel and reboot. 
You might want to reboot with enforcing=0 once more just to make sure 
that it can relabel all of the files properly. If you're still having 
problems after that feel free to contact the fedora-selinux list and 
we'll work on figuring out your problem.

Dave

On 12/11/2011 16:40, jackson byers wrote:
> A new thread, was "F14 login fails on backup copy; gdm error?"
>
> Symptoms still same:
> I have a working F14 [call it F14usb8] on sda8 on my external usb.
>
> I made a backup copy onto my 2nd scsi disk, seen as sdc7 [call it 
> F14sdc7]
> This was preparation for using it for preupgrade to F16.
>
> Booting  F14sdc7 at first looks normal.
> But I am unable to log in.
>
>
> new data, re selinux, from  /mnt/sdc7/var/log/messages
>
> Dec 10 10:49:45 f14 kernel: [   99.305929] Xorg:1655 freeing invalid
> memtype f88e8000-f88f8000
> Dec 10 10:49:45 f14 kernel: [   99.305954] Xorg:1655 freeing invalid
> memtype f88f8000-f8908000
>
> Dec 10 10:49:47 f14 setroubleshoot: SELinux is preventing /bin/login
> from entrypoint access on the file /usr/bin/gnome-keyring-da
> emon. For complete SELinux messages. run sealert -l
> 78e20e61-45c0-47c7-a7e5-760752d2ae93
> Dec 10 10:49:50 f14 setroubleshoot: SELinux is preventing /bin/login
> from entrypoint access on the file /etc/X11/xinit/Xsession.
> For complete SELinux messages. run sealert -l
> 78e20e61-45c0-47c7-a7e5-760752d2ae93
>
>
> Dec 10 10:49:51 f14 kernel: [  105.540513] agpgart-intel 
> 0000:00:00.0:
> AGP 2.0 bridge
> Dec 10 10:49:51 f14 kernel: [  105.540538] agpgart-intel 
> 0000:00:00.0:
> putting AGP V2 device into 1x mode
> Dec 10 10:49:51 f14 kernel: [  105.540575] pci 0000:01:00.0: putting
> AGP V2 device into 1x mode
> Dec 10 10:49:51 f14 kernel: [  105.565791] [drm] Initialized card for
> AGP DMA.
> Dec 10 10:49:54 f14 gdm-simple-greeter[1807]: Gtk-WARNING:
> gtkwidget.c:5691: widget not within a GtkWindow
> Dec 10 10:49:55 f14 gdm-simple-greeter[1807]: WARNING: Unable to load
> CK history: no seat-id found
> Dec 10 10:50:25 f14 init[1]: getty@tty2.service holdoff time over,
> scheduling restart.
> Dec 10 10:50:34 f14 setroubleshoot: SELinux is preventing /bin/login
> from entrypoint access on the file /bin/bash. For complete S
> ELinux messages. run sealert -l 78e20e61-45c0-47c7-a7e5-760752d2ae93
> Dec 10 10:50:39 f14 init[1]: getty@tty2.service holdoff time over,
> scheduling restart.
> Dec 10 10:50:40 f14 setroubleshoot: SELinux is preventing /bin/login
> from entrypoint access on the file /bin/bash. For complete SELinux
> messages. run sealert -l 78e20e61-45c0-47c7-a7e5-760752d2ae93
> Dec 10 10:51:00 f14 init[1]: getty@tty2.service holdoff time over,
> scheduling restart.
> Dec 10 10:51:08 f14 setroubleshoot: SELinux is preventing /bin/login
> from entrypoint access on the file /bin/bash. For complete SELinux
> messages. run sealert -l 78e20e61-45c0-47c7-a7e5-760752d2ae93
> Dec 10 10:51:16 f14 init[1]: getty@tty2.service holdoff time over,
> scheduling restart.
> Dec 10 10:51:18 f14 setroubleshoot: SELinux is preventing /bin/login
> from entrypoint access on the file /bin/bash. For complete SELinux
> messages. run sealert -l 78e20e61-45c0-47c7-a7e5-760752d2ae93
>
> Since I can't login I can't run sealert
>
> reboot next day
> Dec 11 11:45:48 f14 kernel: imklog 4.6.3, log source = /proc/kmsg 
> started.
>
> again, same messages on this attempt,
> again, can't login
>
> dec 11 boot:
> Some avc:  denied
> root@f14 audit]# pwd
> /mnt/sdc7/var/log/audit
> root@f14 audit]# tail -40 audit.log |grep -i avc
> type=AVC msg=audit(1323632980.320:84): avc:  denied  { entrypoint }
> for  pid=1891 comm="gdm-session-wor"
> path="/usr/bin/gnome-keyring-daemon" dev=sdc7 ino=1025156
> scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:file_t:s0 tclass=file
> type=AVC msg=audit(1323632980.726:87): avc:  denied  { entrypoint }
> for  pid=1898 comm="gdm-session-wor" path="/etc/X11/xinit/Xsession"
> dev=sdc7 ino=801827
> scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:file_t:s0 tclass=file
> type=AVC msg=audit(1323633022.407:98): avc:  denied  { entrypoint }
> for  pid=1998 comm="login" path="/bin/bash" dev=sdc7 ino=817623
> scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:file_t:s0 tclass=file
> type=AVC msg=audit(1323633059.916:110): avc:  denied  { entrypoint }
> for  pid=2020 comm="login" path="/bin/bash" dev=sdc7 ino=817623
> scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:file_t:s0 tclass=file
> [root@f14 audit]#
>
> I don't know how to interpret any of  selinux messages.
> Is it possible selinux is preventing  login?
>
> Jack

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org