On Mon, Aug 10, 2009 at 9:55 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> On 08/10/2009 09:06 AM, max bianco wrote:
>> On Mon, Aug 10, 2009 at 7:45 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>>> On Sat, 2009-08-08 at 00:45 -0700, Justin P. Mattock wrote:
>>>> Peter Joseph wrote:
>>>>>> enforcing=0 should work.
>>>>>> are you putting it the right area in grub/lilo?
>>>>>> also you should be able to just change
>>>>>> /etc/selinux/config
>>>>>> set to permissive mode to avoid using the boot command line.
>>>>>> or
>>>>>> setenforce 0
>>>>>> and
>>>>>> echo 0 > /selinux/enforce
>>>>>> to put the policy in permissive mode until things get cleaned.
>>>>>> Justin P. Mattock
>>>>>>
>>>>> --
>>>>> SELinux has to be completely DISABLED for anybody to log in. Changing
>>>>> /etc/selinux/config to a permissive mode is of no use.
>>>>> I am thinking about trying to change all booleans from deny to allow (wow,
>>>>> what a monstrous task). After all, that is how this trouble started in the
>>>>> first place.
>>>>> PJ
>>>>>
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list@xxxxxxxxxx
>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>>
>>>> yeah but booleans don't mess with the
>>>> MBR or the bootloader of the kernel?
>>>
>>> No, they are part of the policy image (if set persistently).
>>>
>>> But the booleans only affect what allow rules are enabled at any given
>>> time. If the system is in permissive mode, then the boolean settings
>>> shouldn't prevent anything from working; they will just affect what avc
>>> denials get logged.
>>>
>>> enforcing=0 on the kernel command line or SELINUX=permissive
>>> in /etc/selinux/config should resolve any SELinux-related denials.
>>>
>>> Out of curiosity, you didn't happen to change the xserver_object_manager
>>> boolean, did you?
>>>
>> It was the unconfined_login boolean that got him.
>>
> So disabling unconfined_login boolean stopped him from being able to login?
>

That's what he told me. I told him to check xserver_allow_execmem and
unconfined_login. It would have hit the list but I did the reply
instead of reply all. Anyway he said the unconfined_login fixed his
problem. Here it is:

On Sun, Aug 9, 2009 at 4:51 PM, <peterjb@xxxxxxxx> wrote:
>> check the xserver_allow_execmem and unconfined_login booleans.
>
> You got it! The problem stems from unconfined_login --> off.
>
> Thanks for your help.
>
> pj
>