On 6/4/05, Ian Puleston <ian@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Since updating to Kernel 2.6.11-1.1366_FC4, and now 2.6.11-1.1369_FC4, I
> haven't been able to login as root or any other user, getting error
> message "No shell: permission denied" on login followed by the login
> prompt again. This only happens with selinux, and does not happen if I
> boot with "selinux=no" - then it works fine and I can login OK. This is
> with login from the console after booting to level 3 (no X).
>
> In /var/log/messages I'm seeing the following when this happens:
>
> Jun 1 00:21:45 localhost login(pam_unix)[2704]: session opened for user
> ian by (uid=0)
> Jun 1 00:21:45 localhost login[2704]: Warning! Could not
> relabel /dev/tty1 with user_u:object_r:tty_device_t, not
> relabeling.Permission denied
> Jun 1 00:21:45 localhost -- ian[2704]: LOGIN ON tty1 BY ian
> Jun 1 00:21:45 localhost login(pam_unix)[2704]: session closed for user
> ian
>
> And I also see the following in there - don't know if this is relevant:
>
> Jun 1 00:21:28 localhost kernel: audit(1117610487.009:3): avc: denied
> { sys_admin } for pid=2078 comm="consoletype" capability=21
> scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t
> tclass=capability
> Jun 1 00:21:28 localhost kernel: SELinux: initialized (dev rpc_pipefs,
> type rpc_pipefs), uses genfs_contexts
>
> Any ideas anyone (other than permanently turning off selinux)?
>
> Ian
>
> > >From Ian Puleston:
> >
> > Now, with the new Kernel, I cannot log in at all. Trying to login as root
> > or another user gives an error "no shell" and then back to the login
> > prompt.
> >
> > Is there any way to get round this other than a full re-install?
> >
> > Ian
> >

OK,.... a few suggestions/questions:

1. When you updated to new kernel, did you only update kernel or did you
   also update the selinux policy packages? If not, do a full rawhide update.

2. Probably need to relabel file system. Do 'touch /.autorelabel' (as root)
   and reboot (without selinux=0). That will relabel the entire
   filesystem(s) during reboot. (Go get coffee, as this will take a few
   minutes.)

3. When you have problems like this, it is better NOT to boot with
   'selinux=0', but to boot with 'enforcing=0'. This leaves SELinux
   'reporting but not enforcing', allowing it to properly label files
   created or touched. Booting with 'selinux=0' will almost always require
   (at least some) relabeling.

tom
--
Tom London
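
An added example, not part of the original thread: a small triage script over the log lines quoted above that separates login's failed tty relabel from kernel AVC denials and parses the AVC fields, so the two kinds of message can be read apart when booted with 'enforcing=0'. The function names are hypothetical, and the sample is the thread's own log excerpt rejoined onto single lines.

```python
import re

# Log excerpt from the thread, rejoined onto single lines (the mail had wrapped them).
SAMPLE = """\
Jun 1 00:21:28 localhost kernel: audit(1117610487.009:3): avc: denied { sys_admin } for pid=2078 comm="consoletype" capability=21 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=capability
Jun 1 00:21:45 localhost login(pam_unix)[2704]: session opened for user ian by (uid=0)
Jun 1 00:21:45 localhost login[2704]: Warning! Could not relabel /dev/tty1 with user_u:object_r:tty_device_t, not relabeling.Permission denied
Jun 1 00:21:45 localhost login(pam_unix)[2704]: session closed for user ian
"""

# "avc: denied { perm ... } for key=value ..." as emitted by the kernel.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
# login's warning when it cannot set the tty's security context.
RELABEL_RE = re.compile(r"Could not\s+relabel\s+(?P<path>\S+)\s+with\s+(?P<context>[^,\s]+)")

def parse_avc(line):
    """Return the AVC denial as a dict (perms is a list), or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest"))
    rec = {key: value.strip('"') for key, value in fields}
    rec["perms"] = m.group("perms").split()
    return rec

def triage(text):
    """Split a syslog excerpt into relabel failures and AVC denials."""
    report = {"relabel_failures": [], "avc_denials": []}
    for line in text.splitlines():
        m = RELABEL_RE.search(line)
        if m:
            report["relabel_failures"].append((m.group("path"), m.group("context")))
            continue
        avc = parse_avc(line)
        if avc:
            report["avc_denials"].append(avc)
    return report

if __name__ == "__main__":
    result = triage(SAMPLE)
    for path, ctx in result["relabel_failures"]:
        print(f"relabel failed: {path} -> {ctx}")
    for d in result["avc_denials"]:
        print(f"avc denied {d['perms']} comm={d['comm']} "
              f"scontext={d['scontext']} tclass={d['tclass']}")
```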