I have not had time to do much testing, but first indications are that incorrect labeling was the culprit.

I initiated a boot-time relabeling. When done, I restarted the system (in permissive mode), switched to enforcing mode (/usr/sbin/setenforce 1) and was able to log in normally from tty1 (while su'd as root in tty0), though there are plenty of 'avc: denied' messages (in /var/log/messages and /var/log/audit/audit.log) that I need to look at.

I still have the problem of reported Boolean errors that are scrolling too fast to read as selinux loads at boot time, and do not seem to be logged anywhere. Can you help with those? All I was able to make out from the fast-scrolling display is the word 'mozilla' repeated four or five times in an error message, followed by a Boolean error message.

-----Original Message-----
From: fedora-selinux-list-bounces@xxxxxxxxxx [mailto:fedora-selinux-list-bounces@xxxxxxxxxx] On Behalf Of Stephen Smalley
Sent: Friday, January 27, 2006 21:29
To: Valdis.Kletnieks@xxxxxx
Cc: G Jahchan; Fedora SE Linux List
Subject: Re: Kernel 2.6.14-1.1653 & selinux 1.27.1.-2.16

On Fri, 2006-01-27 at 14:18 -0500, Valdis.Kletnieks@xxxxxx wrote:
> On Fri, 27 Jan 2006 11:44:07 EST, Stephen Smalley said:
> > On Fri, 2006-01-27 at 17:49 +0200, G Jahchan wrote:
> > > ls -Z /sbin/init
> > > -rwxr-xr-x root root system_u:object_r:staff_home_t /sbin/init
> >
> > That's your problem - your filesystem is incorrectly labeled. Don't
> > know how your /sbin/init program ended up with the type of a staff home
> > directory; it should have init_exec_t.
>
> It's probably related to the strict policy whoopsage I reported - the system
> would end up with only some 10% of the policy modules in place, and a restorecon
> wouldn't include the *.fc rules for the missing modules - so some less-restrictive
> rule would set the context (I ended up with almost everything as default_t,
> but I could see how staff_home_t might happen too...)
>
> At one point, every single process on my laptop was running in kernel_t, because
> the various init_t and similar types weren't defined, nor were the transitions for
> them. Good thing I'm running in permissive. ;)

Except that his message indicated that he is running FC4, not rawhide
(look at his kernel and policy versions).

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
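
A triage pass over the 'avc: denied' records discussed in the thread, as an added example that is not part of any list message: it groups denials by source type, target type, class and permissions, and separates the ones that point at labeling (target type default_t, or a process still in kernel_t, both mentioned above) from the rest. The log lines are constructed, and treating file_t and unlabeled_t as fallback types, like the kernel_t heuristic, is an assumption of this example.

```python
import re
from collections import Counter
# Constructed sample records in the audit.log AVC format (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1138400000.101:12): avc:  denied  { read } for  pid=2101 comm="mozilla-bin" name="prefs.js" dev=hda2 ino=4411 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:default_t tclass=file
type=AVC msg=audit(1138400000.202:13): avc:  denied  { read } for  pid=2101 comm="mozilla-bin" name="prefs.js" dev=hda2 ino=4411 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:default_t tclass=file
type=AVC msg=audit(1138400001.303:14): avc:  denied  { execute } for  pid=1 comm="init" name="rc.sysinit" dev=hda2 ino=912 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:staff_home_t tclass=file
type=AVC msg=audit(1138400002.404:15): avc:  denied  { search getattr } for  pid=2300 comm="sshd" name="tmp" dev=hda2 ino=77 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:tmp_t tclass=dir
type=SYSCALL msg=audit(1138400002.404:15): arch=40000003 syscall=5 success=no
""".splitlines()

# Target types that usually mean no specific file-context rule matched. default_t is
# named in the thread; file_t and unlabeled_t are this example's assumption.
FALLBACK_TYPES = {"default_t", "file_t", "unlabeled_t"}
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def selinux_type(context):
    """Return the type field (third colon-separated part) of a security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize_denials(lines):
    """Count denials per (source type, target type, class, permissions)."""
    counts = Counter()
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        perms = " ".join(sorted(m["perms"].split()))
        counts[(selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"], perms)] += 1
    return counts

def triage(counts):
    """Split the summary into likely labeling problems and everything else."""
    labeling, other = [], []
    for key, n in counts.most_common():
        src, tgt = key[0], key[1]
        # Heuristic: fallback target type, or a process that never left kernel_t.
        suspect = tgt in FALLBACK_TYPES or src == "kernel_t"
        (labeling if suspect else other).append((key, n))
    return labeling, other

if __name__ == "__main__":
    labeling, other = triage(summarize_denials(SAMPLE_LOG))
    for title, rows in (("check labels first", labeling), ("review policy", other)):
        for (src, tgt, tclass, perms), n in rows:
            print(f"{title}: {n}x {src} -> {tgt}:{tclass} {{ {perms} }}")
```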