On Mon, 28 Nov 2005, Stephen Smalley wrote:
> On Mon, 2005-11-28 at 10:39 -0500, Matthew Saltzman wrote:
>> I rebuilt my system disk to change the partitioning arrangement. This
>> involved copying everything off, repartitioning, copying everything
>> back, and creating a new initrd.
>>
>> Almost everything seems to work now except that when I su, after the
>> password prompt, I get the following prompt:
>>
>> $ su
>> Password:
>> Your default context is root:system_r:kernel_t.
>> Do you want to choose a different one? [n]
>>
>> That didn't happen before. I tried autorelabel, but it had no effect.
>> What did the copy fail to preserve, and how can I fix it?
>
> Can you run:
> /usr/sbin/sestatus -v | grep -v active
> and show the results?

# /usr/sbin/sestatus -v | grep -v active
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 19
Policy from config file: targeted
Policy booleans:
Process contexts:
Current context: root:system_r:kernel_t
Init context: system_u:system_r:init_t
/sbin/mingetty system_u:system_r:kernel_t
/usr/sbin/sshd system_u:system_r:kernel_t
File contexts:
Controlling term: system_u:object_r:devpts_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/bash system_u:object_r:shell_exec_t
/bin/login system_u:object_r:login_exec_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/sbin/init system_u:object_r:init_exec_t
/sbin/mingetty system_u:object_r:getty_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t

> Offhand, I would have assumed that the copy simply failed to preserve
> the security.selinux attributes, but you said that you tried relabeling
> (/sbin/fixfiles relabel) and presumably rebooted afterwards. Or perhaps
> you just touched /.autorelabel and rebooted? Maybe that isn't working
> properly? Try relabeling explicitly.

I just touched /.autorelabel. The relabel did proceed as ordered on
reboot. Here are the results of explicit relabel:

# /sbin/fixfiles relabel
Files in the /tmp directory may be labeled incorrectly, this command
can remove all files in /tmp. If you choose to remove files from /tmp,
a reboot will be required after completion.
Do you wish to clean out the /tmp directory [N]? y
/.autofsck: Permission denied
/usr/sbin/setfiles: unable to relabel /.autofsck to system_u:object_r:etc_runtime_t
/etc/rhgb/temp: Permission denied
/usr/sbin/setfiles: unable to relabel /etc/rhgb/temp to system_u:object_r:mnt_t
/etc/blkid.tab: Permission denied
/usr/sbin/setfiles: unable to relabel /etc/blkid.tab to system_u:object_r:etc_runtime_t
/etc/resolv.conf.predhclient: Permission denied
/usr/sbin/setfiles: unable to relabel /etc/resolv.conf.predhclient to system_u:object_r:net_conf_t
/var/run/utmp: Permission denied
/usr/sbin/setfiles: unable to relabel /var/run/utmp to system_u:object_r:initrc_var_run_t
/var/run/dhclient-eth0.pid: Permission denied
/usr/sbin/setfiles: unable to relabel /var/run/dhclient-eth0.pid to system_u:object_r:dhcpc_var_run_t
/var/run/syslogd.pid: Permission denied
/usr/sbin/setfiles: unable to relabel /var/run/syslogd.pid to system_u:object_r:syslogd_var_run_t
/var/run/klogd.pid: Permission denied
/usr/sbin/setfiles: unable to relabel /var/run/klogd.pid to system_u:object_r:klogd_var_run_t
/var/run/rpc.statd.pid: Permission denied
/usr/sbin/setfiles: unable to relabel /var/run/rpc.statd.pid to system_u:object_r:rpcd_var_run_t
/var/run/sdp: Permission denied
/usr/sbin/setfiles: unable to relabel /var/run/sdp to system_u:object_r:bluetooth_var_run_t
/var/run/nifd.pid: Permission denied
/usr/sbin/setfiles: unable to relabel /var/run/nifd.pid to system_u:object_r:howl_var_run_t
/var/run/acpid.socket: Permission denied
/usr/sbin/setfiles: unable to relabel /var/run/acpid.socket to system_u:object_r:apmd_var_run_t
/var/run/ntpd.pid: Permission denied
/usr/sbin/setfiles: unable to relabel /var/run/ntpd.pid to system_u:object_r:ntpd_var_run_t
/var/run/sendmail.pid: Permission denied
/usr/sbin/setfiles: unable to relabel /var/run/sendmail.pid to system_u:object_r:sendmail_var_run_t
/var/run/sm-client.pid: Permission denied
/usr/sbin/setfiles: unable to relabel /var/run/sm-client.pid to system_u:object_r:sendmail_var_run_t
/var/run/crond.pid: Permission denied
/usr/sbin/setfiles: unable to relabel /var/run/crond.pid to system_u:object_r:crond_var_run_t
/var/run/atd.pid: Permission denied
/usr/sbin/setfiles: unable to relabel /var/run/atd.pid to system_u:object_r:crond_var_run_t
/var/log/rpmpkgs: Permission denied
/usr/sbin/setfiles: unable to relabel /var/log/rpmpkgs to system_u:object_r:rpm_log_t
/home/mjs/.Xauthority: Permission denied
/usr/sbin/setfiles: unable to relabel /home/mjs/.Xauthority to user_u:object_r:user_home_t
/home/mjs/.gpilotd.pid: Permission denied
/usr/sbin/setfiles: unable to relabel /home/mjs/.gpilotd.pid to user_u:object_r:user_home_t
After rebooting, the problem is apparently solved, however. Entering "su"
and password results in a root prompt.
Thanks.
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
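
A check for the symptom visible in the sestatus output above, as an added example that is not part of the original thread: it reads `sestatus -v` output and lists the entries under "Process contexts" whose type is kernel_t. The function names and the embedded sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Sample input is constructed from the sestatus -v output
# quoted in the message above (trimmed to the lines that matter here).
sample_sestatus() {
cat <<'EOF'
SELinux status: enabled
Current mode: enforcing
Policy from config file: targeted
Process contexts:
Current context: root:system_r:kernel_t
Init context: system_u:system_r:init_t
/sbin/mingetty system_u:system_r:kernel_t
/usr/sbin/sshd system_u:system_r:kernel_t
File contexts:
/sbin/mingetty system_u:object_r:getty_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
EOF
}

# Read sestatus -v output on stdin and print "<name> <context>" for each
# entry of the "Process contexts:" section whose type is kernel_t.
# The context is the last field and has the form user:role:type[:level].
stuck_in_kernel_t() {
    awk '
        /^Process contexts:/ { in_proc = 1; next }
        /^File contexts:/    { in_proc = 0 }
        in_proc && NF >= 2 {
            ctx = $NF
            n = split(ctx, part, ":")
            if (n >= 3 && part[3] == "kernel_t") {
                name = $0
                sub(/[ \t]+[^ \t]+$/, "", name)  # drop the context field
                sub(/:$/, "", name)              # drop the colon after a label
                print name " " ctx
            }
        }
    '
}

# Return 0 when no process is reported in kernel_t, 1 (and list them) otherwise.
check_domains() {
    found=$(stuck_in_kernel_t)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Demo on the constructed sample; on a live system: /usr/sbin/sestatus -v | check_domains
sample_sestatus | stuck_in_kernel_t
```

Running the same check after the explicit relabel and reboot confirms whether the login shell and daemons have left kernel_t, without having to read the whole report by eye.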