
Everything got broken. selinux-policy-targeted-1.17.30-2.90: msg#00181

Subject: Everything got broken. selinux-policy-targeted-1.17.30-2.90
Hi, everyone.

Until two days ago, when I ran up2date, I had a machine running 
FC3 with SELinux targeted, user homedirs coming in over NFS, 
Apache running and segregated into httpd_t land, and so on and so forth.

I ran up2date.

And it all went to hell. The upgrade to selinux-policy-targeted-1.17.30-2.90 
prevented console logins, use of sudo, and startups from messagebus and httpd. 

It allowed, however, for SSH logins, and use of 'su'.

Right now I have a machine that is using 
selinux-policy-targeted-1.17.30-2.90.noarch.rpm, and I suffer from the same errors:

# /usr/sbin/getenforce
getenforce:  getenforce() failed

]# /usr/sbin/getsebool -a
getsebool: booleans.c:48: security_get_boolean_names: Assertion `selinux_mnt' 
failed.
Aborted

# cat /selinux/enforce
1

# cd /selinux/booleans
# ls

allow_ypbind           mysqld_disable_trans      squid_disable_trans
dhcpd_disable_trans    named_disable_trans       syslogd_disable_trans
httpd_disable_trans    named_write_master_zones  use_nfs_home_dirs
httpd_enable_cgi       nscd_disable_trans        use_samba_home_dirs
httpd_enable_homedirs  ntpd_disable_trans        use_syslogng
httpd_ssi_exec         portmap_disable_trans     winbind_disable_trans
httpd_tty_comm         postgresql_disable_trans  ypbind_disable_trans
httpd_unified          snmpd_disable_trans
# cat *
1 10 00 01 11 11 10 01 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

]# cat policyvers
18


Now, for the many multifarious weirdnesses that have sprung up on me:

I cannot log in to the console. 
TTY logins fail silently and X logins leave this in the syslog:

Mar 29 18:43:42 HOST gdm(pam_unix)[5945]: session opened for user root by 
(uid=0)
Mar 29 18:43:42 HOST gdm[5135]: gdm_cleanup_children: child 5945 crashed of 
signal 6
Mar 29 18:43:42 HOST gdm[5135]: gdm_cleanup_children: Slave crashed, killing 
its children

Clearly something is denied a resource by selinux, causing a crash that 
ends the login session. 

I cannot sudo:

% sudo su root
Password:
root:system_r:unconfined_t is not a valid context

Doing a sudo leaves this in /var/log/secure:
Mar 30 00:47:29 HOST sudo:     omri : TTY=pts/1 ; PWD=/nfs/newline/h1/omri ; 
USER=root ; COMMAND=/bin/su root

And this in /var/log/messages:
Mar 30 00:47:29 HOST sudo(pam_unix)[6028]: authentication failure; 
logname=omri uid=0 euid=0 tty=pts/1 ruser= rhost=  user=omri
Mar 30 00:47:29 HOST sudo[6028]: pam_krb5[6028]: authentication succeeds for 
'omri' (omri@xxxxxxxxxxxxx)


I can SSH in, but this gets left in the logs:

Mar 30 00:43:48 HOST sshd[5941]: error: Failed to set exec security context 
omri:system_r:unconfined_t for omri. Continuing in permissive mode

I can su just fine, which is what lets me play around with these things. 

The portmapper has its own difficulties:

Mar 30 00:55:15 HOST kernel: audit(1112162115.873:0): avc:  denied  { search } 
for  pid=6178 exe=/sbin/portmap name=etc dev=hda3 ino=229377 
scontext=root:system_r:portmap_t tcontext=system_u:object_r:home_root_t 
tclass=dir

Obviously, it's the console logins that I want to solve first and foremost.
Any help would be most appreciated. 
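
Added example, not part of the original message: a small Python parser that sorts the log excerpts quoted above into AVC denials and security-context errors, and splits each context into user, role and type. The function names and the `context_error` label are assumptions of this example; the sample lines are copied from the message with the mail line wrapping undone.

```python
import re

# Log lines copied from the message above, with mail line wrapping undone.
SAMPLE_LOG = """\
Mar 30 00:43:48 HOST sshd[5941]: error: Failed to set exec security context omri:system_r:unconfined_t for omri. Continuing in permissive mode
Mar 30 00:55:15 HOST kernel: audit(1112162115.873:0): avc:  denied  { search } for  pid=6178 exe=/sbin/portmap name=etc dev=hda3 ino=229377 scontext=root:system_r:portmap_t tcontext=system_u:object_r:home_root_t tclass=dir
root:system_r:unconfined_t is not a valid context
Mar 29 18:43:42 HOST gdm[5135]: gdm_cleanup_children: child 5945 crashed of signal 6
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
# Three-part user:role:type context, the form that appears in the logs above.
CONTEXT = r"[\w.-]+:[\w.-]+:[\w.-]+"
CONTEXT_ERROR_RES = [
    re.compile(rf"(?P<ctx>{CONTEXT}) is not a valid context"),
    re.compile(rf"Failed to set exec security context (?P<ctx>{CONTEXT})"),
]

def split_context(ctx):
    """Split 'user:role:type' into its three named parts."""
    user, role, type_ = ctx.split(":")[:3]
    return {"user": user, "role": role, "type": type_}

def parse_line(line):
    """Return a dict for an SELinux-related log line, or None for anything else."""
    m = AVC_RE.search(line)
    if m:
        # The remainder of an AVC record is a run of key=value pairs.
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
        return {
            "kind": "avc",
            "result": m.group("result"),
            "perms": m.group("perms").split(),
            "exe": fields.get("exe"),
            "tclass": fields.get("tclass"),
            "source": split_context(fields.get("scontext", "?:?:?")),
            "target": split_context(fields.get("tcontext", "?:?:?")),
        }
    for rx in CONTEXT_ERROR_RES:
        m = rx.search(line)
        if m:
            return {"kind": "context_error", "context": m.group("ctx"),
                    **split_context(m.group("ctx"))}
    return None

def triage(log_text):
    """Parse every line and keep only the SELinux-related events, in order."""
    return [e for e in map(parse_line, log_text.splitlines()) if e]

if __name__ == "__main__":
    for event in triage(SAMPLE_LOG):
        print(event)
```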



