On 04/12/2012 08:47 PM, Braden McDaniel wrote:
> On Thu, 2012-04-12 at 16:10 -0400, Daniel J Walsh wrote:
>> On 04/11/2012 10:27 PM, Braden McDaniel wrote:
>>> On Wed, 2012-04-11 at 17:27 -0400, Paul W. Frields wrote:
>>>> On Wed, Apr 11, 2012 at 03:37:45PM -0400, Braden McDaniel wrote:
>>>>> On Wed, 2012-04-11 at 15:25 -0400, Daniel J Walsh wrote:
>>>>>> Are you booted with SELinux in permissive mode or disabled?
>>>>>
>>>>> I'm booted with it disabled:
>>>>>
>>>>> # cat /etc/selinux/config | grep disabled
>>>>> # disabled - No SELinux policy is loaded.
>>>>> SELINUX=disabled
>>>>>
>>>>>> ausearch -m avc
>>>>>
>>>>> That's long; I'll attach it.
>>>>
>>>> You might want to try this as root first, after saving your work:
>>>>
>>>> touch /.autorelabel ; reboot
>>>
>>> I did that previously; but it didn't seem to help. (Perhaps because I
>>> still had SELinux disabled when I did it?)
>>>
>>>> Running SELinux disabled is unnecessary. Running in permissive mode
>>>> is much better, since it allows you to switch back and forth without
>>>> labeling problems.
>>>>
>>>> When you run in disabled mode, SELinux labels aren't written to the
>>>> disk when files are created, so when you try to turn SELinux on
>>>> later, it results in lots of denial errors. Permissive mode does
>>>> pretty much the same thing as enforcing mode, but any denials are
>>>> ignored, so SELinux won't prevent access.
>>>
>>> That's likely how I got myself into this. I had disabled it while
>>> attempting to troubleshoot something else. I probably installed and/or
>>> updated some packages before I remembered to turn it back on.
>>>
>>> So I changed to "permissive" and did the autorelabel thing again. This
>>> time I was able to zero in on some messages that were likely
>>> pertinent; and the SELinux troubleshooter suggested:
>>>
>>> setsebool -P authlogin_nsswitch_use_ldap 1
>>>
>>> I'll continue to run "permissive" for a little while longer and see if
>>> that fixes it.
>>>
>>
>>
>> What AVC indicated that you needed this?
>
> Unfortunately, I deleted it. However, I think it was one corresponding to
> a /var/log/messages entry like this one:
>
> Apr 10 23:58:31 rail setroubleshoot: SELinux is preventing
> /usr/libexec/accounts-daemon from name_connect access on the tcp_socket .
> For complete SELinux messages. run sealert -l
> aeded892-dec1-4e6d-87ce-7c10a4e42e2b
>
>> Are you using pam_ldap? ldap for user authorization?
>>
>> We just added the ability for samba to use ldap, out of the box.
>
> I am using Kerberos for authentication; but I'm using LDAP for user
> information.
>
> (Though I get the impression that login is currently falling back to local
> authentication; because I don't have a Kerberos ticket after I log in.)
>

But you are not using sssd for this. Anyways, do you still believe you are
having SELinux issues?
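
Added example (not part of the thread, and not code from any poster): the `grep disabled` quoted above matches the comment line as well as the setting, so this sketch reads only the active `SELINUX=` line and, when it says `disabled`, performs the switch to permissive plus the relabel flag that Braden describes. The function names and the config/root path parameters are hypothetical, chosen so it can be tried on a scratch copy before pointing it at `/etc/selinux/config` and `/`.

```shell
#!/bin/sh
# Added example; function names and path parameters are assumptions.

# Print the configured mode: the value of the last uncommented SELINUX= line.
# Comment lines ("# disabled - ...") and SELINUXTYPE= are not matched.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# If the config says "disabled", rewrite it to "permissive" and create the
# relabel flag file so files created while disabled get labels on next boot.
#   $1 = config file (e.g. /etc/selinux/config)
#   $2 = root directory that should receive .autorelabel (e.g. /)
# Returns 0 if the file was changed, 1 if no change was needed, 2 on error.
disabled_to_permissive() {
    cfg=$1
    root=$2
    [ "$(configured_mode "$cfg")" = "disabled" ] || return 1
    tmp=$(mktemp) || return 2
    # Edit via a temp file, then write back in place so the config keeps
    # its inode, owner and mode.
    if sed 's/^\([[:space:]]*SELINUX=\)[[:space:]]*disabled.*/\1permissive/' \
            "$cfg" > "$tmp" && cat "$tmp" > "$cfg"; then
        rm -f "$tmp"
    else
        rm -f "$tmp"
        return 2
    fi
    : > "$root/.autorelabel"
}
```

After the relabel reboot, `ausearch -m avc` (the command quoted in the thread) shows which denials remain while the system is still permissive.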