Re: SELinux preventing login (Fedora 16)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 04/11/2012 08:01 PM, Braden McDaniel wrote:

[I posted this first to the users list by mistake; but I meant for it to
go here.]

I have a Fedora 16 box where something seems to have gone sideways with
SELinux.  I am unable to log into the box with SELinux enabled.  I see
messages in /var/log/messages that look like this:

         Apr 11 02:40:06 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
         Apr 11 02:40:06 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
         Apr 11 02:40:07 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
         Apr 11 02:40:10 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
         Apr 11 02:40:26 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
         Apr 11 02:40:58 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
         Apr 11 02:42:02 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
         Apr 11 02:42:02 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
         Apr 11 02:42:02 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
         Apr 11 02:42:06 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
         Apr 11 02:42:14 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
         Apr 11 02:42:30 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
         Apr 11 02:43:02 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b

I tried doing a full relabel; but that had no noticeable effect.  If I
boot to single user mode and disable SELinux (via /etc/selinux/config),
I'm able to log in and things appear to be functional.  Well, with the
caveat that the suggestion in the message to run sealert yields this:

         # sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b
         Opps, sealert hit an error!

         Traceback (most recent call last):
           File "/usr/bin/sealert", line 668, in<module>
             proxy_obj = bus.get_object(dbus_system_bus_name, dbus_system_object_path)
           File "/usr/lib/python2.7/site-packages/dbus/bus.py", line 244, in get_object
             follow_name_owner_changes=follow_name_owner_changes)
           File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 241, in __init__
             self._named_service = conn.activate_name_owner(bus_name)
           File "/usr/lib/python2.7/site-packages/dbus/bus.py", line 183, in activate_name_owner
             self.start_service_by_name(bus_name)
           File "/usr/lib/python2.7/site-packages/dbus/bus.py", line 281, in start_service_by_name
             'su', (bus_name, flags)))
           File "/usr/lib/python2.7/site-packages/dbus/connection.py", line 630, in call_blocking
             message, timeout)
         DBusException: org.freedesktop.DBus.Error.Spawn.ChildExited: Launch helper exited with unknown return code 3

Any idea what happened here and how I might actually fix it?


Could you attach output of

$ ausearch -m avc

with SELinux in permissive mode if you log in.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux