Michal Jaegermann wrote:
> On Sun, Jan 04, 2009 at 12:08:09PM -0500, Daniel J Walsh wrote:
>> Michal Jaegermann wrote:
>>> Something rather weird for 'id -Z': system_u:system_r:system_crond_t:s0
>>> The other machine after an upgrade reports
>>> 'root:unconfined_r:unconfined_t:SystemLow-SystemHigh' which looks
>>> like something saner.
>>>
>>>> # semanage login -l
>>> Login Name                SELinux User              MLS/MCS Range
>>>
>>> __default__               unconfined_u              s0-s0:c0.c1023
>>> root                      system_u                  s0-s0:c0.c1023
>>> system_u                  system_u                  s0-s0:c0.c1023
>>>
>> I think the problem is logging in as root is screwed up.
>
> Indeed. I had that impression for quite a while.
>
>> if you execute
>>
>> # semanage login -m -s unconfined_u root
>> This should cause root users to log in as unconfined_t automatically.
>
> That indeed changes 'semanage login -l' output to
>
> Login Name                SELinux User              MLS/MCS Range
>
> __default__               unconfined_u              s0-s0:c0.c1023
> root                      unconfined_u              s0-s0:c0.c1023
> system_u                  system_u                  s0-s0:c0.c1023
>
> but it does not help that much. I still get "Unable to get valid
> context for root" from a login and 'system_u:system_r:system_crond_t:s0'
> for 'id -Z'. BTW - that does not generate any audit messages; only
> "error: ssh_selinux_setup_pty: security_compute_relabel: Invalid
> argument", and related, in /var/log/secure.
>
>> The sshd running as system_crond_t?
>
> I told you this is weird. All of that after an upgrade from F8 to
> F10. I really would like to know why as surely this is not a result
> of me trying hard to mess things up.
>
>> Does this happen on reboot?
>
> That machine was rebooted a number of times and nothing changes.
> I cannot switch to 'enforcing' as the box is "remote" and most
> likely that would immediately cut me off. Before an upgrade this
> was 'targeted' and 'enforcing'. As I wrote before: after an upgrade
> I had to force relabelling on a reboot as otherwise most anything
> was only spitting on me.
>
> BTW - I did some hacking and I do not see at this moment any "avc"
> type failure notifications in /var/log/messages. Only right now
> the box is rather quiet. I am not sure what will happen when
> regular users will show up.
>
> Michal
>

If you execute service sshd restart from the unconfined_t user, does it
still start as system_crond_t?

I actually just upgraded my father's machine from F8 to F10 and had a
problem with the root account not being set up to log in correctly. But I
saw no problems with sshd?
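
The thread separates two things that can be wrong independently: the login mapping shown by 'semanage login -l' and the context a session actually gets from 'id -Z'. The script below is an added example, not part of the original messages, that checks each one separately; the function names and the embedded sample data are constructed here, and the expected login domain unconfined_t is an assumption taken from the reply above.

```shell
#!/bin/sh
# Added example (not from the thread): audit SELinux login mappings and a
# session context. Function names and sample data are constructed here.

# Read `semanage login -l` style output on stdin and print every login name,
# other than system_u itself, that is mapped to the SELinux user system_u.
bad_login_mappings() {
    awk '$1 != "Login" && $1 != "system_u" && $2 == "system_u" { print $1 }'
}

# Compare the type field of an `id -Z` context with the domain a login shell
# is expected to run in (assumed default: unconfined_t, as in the reply).
check_session_context() {
    ctx=$1
    expected=${2:-unconfined_t}
    rest=${ctx#*:}        # drop SELinux user
    rest=${rest#*:}       # drop role
    type=${rest%%:*}      # keep type, drop MLS/MCS range
    if [ "$type" = "$expected" ]; then
        echo "ok: $type"
    else
        echo "mismatch: got $type, expected $expected"
    fi
}

# Constructed sample: the mapping table as first quoted in the thread.
sample_mappings() {
    cat <<'EOF'
Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      system_u                  s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
EOF
}

sample_mappings | bad_login_mappings
check_session_context 'system_u:system_r:system_crond_t:s0'
check_session_context 'root:unconfined_r:unconfined_t:SystemLow-SystemHigh'
```

On a live system the same functions take real input: `semanage login -l | bad_login_mappings` and `check_session_context "$(id -Z)"`.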