On Tue, 2005-06-14 at 22:10 -0400, Steven Knight wrote:
> Help!
>
> Yesterday afternoon, my home FC3 system took a power hit (not
> unusual, unfortunately).  Nothing seemed particularly amiss, it
> came back up on its own (while I was still at work) and I reconnected
> and used it for several hours without noticing anything unusual.
> This is probably unrelated to what follows, but I mention it just
> in case it's not.
>
> Upon arriving home, I logged back in on my desktop and noticed my
> Red Hat update icon on the top taskbar was red and pulsing.  I went
> ahead and su'ed up and fired up "yum update".  It asked for permission
> to update about 17 packages (I noticed GAIM on the list, but otherwise
> didn't pay much attention), but being used to reliable updates before,
> I went ahead and installed all of them without a second thought.
>
> First sign of trouble:  I could no longer ls, df, or do just about
> anything.  Error messages were complaining about "Permission denied"
> for /lib/tls/libc.so.6 (and possibly other libraries), even when I
> tried to do anything from my su shell.
>
> Figuring (naively) that I had some kind of package version skew, I
> (naively) tried rebooting to see if that would clear things up.
> Bad, hasty decision:  I now get an immediate kernel panic as follows
> (modulo typos from transcribing the information by hand):
>
> Uncompressing Linux... Ok, booting the kernel.
> ACPI: BIOS age (1999) fails cutoff (2001, acpi=force is required to enable ACPI
> audit(1118711202.065:0): initialized
> Red Hat nash version 4.1.18 starting
> audit(1118711209.899:0): avc: denied { execmod } for pid=1 comm=init path=/lib/tls/libc-2.3.5.so dev=hdd2 ino=528350 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:filet tcall=file
> /sbin/init: error while loading shared libraries: /lib/tls/libc.so.6: cannot apply additional memory protection after relocation: Permission denied
> Kernel panic - not syncing: Attempted to kill init!
>
> After poking around, I figured out that this permission error was
> connected to selinux.  My guess is that selinux-policy-target might
> have been part of the updates I installed, but like I said,
> I wasn't paying attention.  (Note that I installed the selinux
> RPM(s) by default when I first installed FC, but I've never bothered
> to really understand or do anything with them, so don't presume
> any coherent administrative behavior on my part.)
>
> Some additional searches pointed me to /sbin/fixfiles, and the idea
> that relabelling might be necessary.  So I tried booting up on
> Knoppix and mounting my filesystems in their usual configuration
> relative to each other.  I then chroot'ed to the root of my
> reconstructed file systems and ran "fixfiles relabel".  This seemed
> to relabel a bunch of stuff, but it wouldn't relabel anything on
> my root partition, claiming that was mounted read-only.  (It wasn't
> relative to Knoppix, so I think that's an artifact of chroot
> behavior.)
>
> Interestingly enough, the /lib/tls/libc.so.6 file mentioned in the
> error message never showed up as a file that fixfiles tried to
> relabel.
>
> I tried rebooting anyway with the same panic as above.
>
> Since I'm not actually "doing anything" with selinux, I'd be fine
> with completely disabling it and/or removing it from my system, but
> I can't even figure out how to get to the point of being able to
> do that.  How can I either work the right magic to label the above
> file appropriate and/or get past this panic, or else just disable/remove
> selinux so I can get going again?

You can use the rescue disc...just download and burn the iso and boot
it. Then at the command line type "chroot /mnt/sysimage". It should
allow you to get back into your system. Then just turn selinux off in
/etc/selinux/config and reboot.

http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/iso/FC3-i386-rescuecd.iso

Once you get back into your system try Colin's advice:

setsebool -P allow_execmod=true

Hope this helps. :)

Bob

--
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
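
The config edit from the reply above, as an added example that is not part of the original thread: a shell helper that changes only the active SELINUX= line in etc/selinux/config under a given root. The function names set_selinux_mode and get_selinux_mode are hypothetical; the root is /mnt/sysimage from the rescue shell, or empty after the chroot.

```shell
#!/bin/sh
# Added example, not from the thread. set_selinux_mode and get_selinux_mode
# are hypothetical helper names.
# Usage: set_selinux_mode <root> <enforcing|permissive|disabled>

set_selinux_mode() {
    root=$1
    mode=$2
    cfg="$root/etc/selinux/config"

    # Only the three values the config file understands are accepted.
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }

    # Keep a copy so the change can be reverted once the system boots again.
    cp -p "$cfg" "$cfg.bak" || return 1

    if grep -q '^[[:space:]]*SELINUX=' "$cfg"; then
        # Rewrite only the active SELINUX= line; comments and SELINUXTYPE=
        # are untouched. Redirecting into the existing file keeps its inode,
        # so the file's ownership, mode and security label are preserved.
        sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$cfg.bak" > "$cfg"
    else
        # No active setting present: append one.
        echo "SELINUX=$mode" >> "$cfg"
    fi
}

# Print the mode currently configured under <root>.
get_selinux_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' \
        "$1/etc/selinux/config" | tail -n 1
}

# Run as a script: ./selinux-mode.sh /mnt/sysimage disabled
if [ $# -eq 2 ]; then
    set_selinux_mode "$1" "$2"
fi
```

The backup is left beside the config as config.bak, so the previous mode can be restored after the boolean from Colin's advice has been set.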