Re: SELinux preventing login (Fedora 16)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 04/12/2012 08:47 PM, Braden McDaniel wrote:
> On Thu, 2012-04-12 at 16:10 -0400, Daniel J Walsh wrote:
>> On 04/11/2012 10:27 PM, Braden McDaniel wrote:
>>> On Wed, 2012-04-11 at 17:27 -0400, Paul W. Frields wrote:
>>>> On Wed, Apr 11, 2012 at 03:37:45PM -0400, Braden McDaniel wrote:
>>>>> On Wed, 2012-04-11 at 15:25 -0400, Daniel J Walsh wrote:
>>>>>> Are you booted with SELinux in permissive mode of disabled?
>>>>> 
>>>>> I'm booted with it disabled:
>>>>> 
>>>>> # cat /etc/selinux/config | grep disabled #     disabled - No
>>>>> SELinux policy is loaded. SELINUX=disabled
>>>>> 
>>>>>> ausearch -m avc
>>>>> 
>>>>> That's long; I'll attach it.
>>>> 
>>>> You might want to try this as root first, after saving your work:
>>>> 
>>>> touch /.autorelabel ; reboot
>>> 
>>> I did that previously; but it didn't seem to help. (Perhaps because I
>>> still had SELinux disabled when I did it?)
>>> 
>>>> Running SELinux disabled is unnecessary.  Running in permissive mode
>>>> is much better, since it allows you to switch back and forth without
>>>>  labeling problems.
>>>> 
>>>> When you run in disabled mode, SELinux labels aren't written to the
>>>> disk when files are created, so when you try to turn SELinux on
>>>> later, it results in lots of denial errors.  Permissive mode does
>>>> pretty much the same thing as enforcing mode, but any denials are
>>>> ignored, so SELinux won't prevent access.
>>> 
>>> That's likely how I got myself into this.  I had disabled it while 
>>> attempting to troubleshoot something else.  I probably installed and/or
>>>  updated some packages before I remembered to turn it back on.
>>> 
>>> So I changed to "permissive" and did the autorelabel thing again.  This
>>>  time I was able to zero in on some messages that were likely
>>> pertinent; and the SELinux troubleshooter suggested:
>>> 
>>> setsebool -P authlogin_nsswitch_use_ldap 1
>>> 
>>> I'll continue to run "permissive" for a little while longer and see if
>>> that fixes it.
>>> 
>> 
>> 
>> What AVC indicated that you needed this?
> 
> Unfortunately, I deleted it.  However, I think it was one corresponding to
> a /var/log/messages entry like this one:
> 
> Apr 10 23:58:31 rail setroubleshoot: SELinux is preventing
> /usr/libexec/accounts-daemon from name_connect access on the tcp_socket .
> For complete SELinux messages. run sealert -l
> aeded892-dec1-4e6d-87ce-7c10a4e42e2b
> 
>> Are you using pam_ldap?  ldap for user authorization?
>> 
>> We just added the ability for samba to use ldap, out of the box.
> 
> I am using Kerberos for authentication; but I'm using LDAP for user 
> information.
> 
> (Though I get the impression that login is currently falling back to local
> authentication; because I don't have a Kerberos ticket after I log in.)
> 
But you are not use sssd for this.  Anyways do you still believe you are
having SELinux issues?
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux