I have upgraded the kernel to 2.6.14-1.1656 and pam to 0.79.9 (from 2.6.14-1.1653 & 0.79.8 respectively) and I am back to the drawing board.

Authentication is no longer possible when in enforcing mode, but this time there are NO reported 'avc: denied' messages in any of the logs.

The problem may not lie strictly with selinux, as even when in permissive mode, the first authentication attempt to a console always fails, but the second works (with the exact same credentials). Ditto when sudoing a command that requires authentication: never works the first time if in permissive mode, and not at all if in enforcing mode. su on the other hand always works in permissive mode, but never in enforcing mode.

When in KDE, a locked station cannot be unlocked, regardless of the status of selinux - permissive or enforcing, it makes no difference.

-----Original Message-----
From: fedora-selinux-list-bounces@xxxxxxxxxx [mailto:fedora-selinux-list-bounces@xxxxxxxxxx] On Behalf Of Stephen Smalley
Sent: Monday, January 30, 2006 17:31
To: G Jahchan
Cc: Fedora SE Linux List
Subject: RE: Kernel 2.6.14-1.1653 & selinux 1.27.1.-2.16

On Mon, 2006-01-30 at 13:47 +0200, G Jahchan wrote:
> I have not had time to do much testing, but first indications are that
> incorrect labeling was the culprit.
>
> I initiated a boot-time relabeling. When done, I restarted the system (in
> permissive mode), switched to enforcing mode (/usr/sbin/setenforce 1) and was
> able to log in normally from tty1, (while su'd as root in tty0) though there
> are plenty of 'avc: denied' messages in /var/log/messages and
> /var/log/audit/audit.log) that I need to look at.
>
> I still have the problem of reported Boolean errors that are scrolling too fast
> to read as selinux loads at boot time, and do not seem to be logged anywhere.
> Can you help with those? All I was able to make up from the fast-scrolling
> display is the word 'mozilla' repeated four or five times in an error message,
> followed by a Boolean error message.

Likely just stale boolean settings in your booleans.local file, which are just skipped with a warning. To reproduce, run:

	/usr/sbin/load_policy -b /etc/selinux/targeted/policy/policy.19

If you have any "boolean ... no longer in policy" messages, just remove those lines from your /etc/selinux/targeted/booleans.local file.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
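
Added example, not part of the thread and not the posters' code: rather than reading the load_policy warnings as they scroll past, this shell function compares a booleans.local-style file against a saved list of the booleans the policy defines and prints the stale names. It assumes "name=value" lines in the local file and "name --> state" lines in the list (the form `getsebool -a` prints); the sample data is constructed and the mozilla_* names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Lists booleans that a
# booleans.local-style file sets but the policy does not define.
# Assumed formats: "name=value" per line in the local file and
# "name --> state" per line in the list (as `getsebool -a` prints).

# stale_booleans LOCAL_FILE POLICY_LIST
stale_booleans() {
    # An empty list would make every entry look stale; refuse it.
    [ -s "$2" ] || { echo "empty policy boolean list: $2" >&2; return 2; }
    awk '
        # First file (policy list): remember each boolean name.
        NR == FNR { if ($1 != "") known[$1] = 1; next }
        # Second file (local settings): skip blanks and comments.
        /^[ \t]*(#|$)/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) next              # not a name=value line
            name = substr(line, 1, eq - 1)
            sub(/[ \t]+$/, "", name)
            if (!(name in known)) print name
        }
    ' "$2" "$1"
}

# Runs the check on constructed samples. The mozilla_* names are
# hypothetical stand-ins for booleans dropped from a policy.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/policy" <<'EOF'
allow_execmem --> off
httpd_enable_cgi --> on
EOF
    cat > "$tmp/local" <<'EOF'
# constructed sample of a booleans.local file
httpd_enable_cgi=1
mozilla_example_one=0
mozilla_example_two=1
EOF
    stale_booleans "$tmp/local" "$tmp/policy"
    rm -rf "$tmp"
}

demo
```

On a live system the second argument would be a file holding the output of `getsebool -a`, and the first would be /etc/selinux/targeted/booleans.local.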