Re: su after disk reorganization.

On Mon, 28 Nov 2005, Stephen Smalley wrote:

> On Mon, 2005-11-28 at 10:39 -0500, Matthew Saltzman wrote:
> > I rebuilt my system disk to change the partitioning arrangment.  This
> > involved copying everything off, repartitioning, copying everything
> > back, and creating a new initrd.
> >
> > Almost everything seems to work now except that when I su, after the
> > password prompt, I get the following prompt:
> >
> >         $ su
> >         Password:
> >         Your default context is root:system_r:kernel_t.
> >
> >         Do you want to choose a different one? [n]
> >
> > That didn't happen before.  I tried autorelabel, but it had no effect.
> >
> > What did the copy fail to preserve, and how can I fix it?
> Can you run:
>         /usr/sbin/sestatus -v | grep -v active
> and show the results?
#  /usr/sbin/sestatus -v | grep -v active
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 19
Policy from config file:        targeted

Policy booleans:

Process contexts:
Current context:                  root:system_r:kernel_t
Init context:                     system_u:system_r:init_t
/sbin/mingetty                    system_u:system_r:kernel_t
/usr/sbin/sshd                    system_u:system_r:kernel_t

File contexts:
Controlling term:                 system_u:object_r:devpts_t
/etc/passwd                       system_u:object_r:etc_t
/etc/shadow                       system_u:object_r:shadow_t
/bin/bash                         system_u:object_r:shell_exec_t
/bin/login                        system_u:object_r:login_exec_t
/bin/sh                           system_u:object_r:bin_t -> 
system_u:object_r:shell_exec_t
/sbin/agetty                      system_u:object_r:getty_exec_t
/sbin/init                        system_u:object_r:init_exec_t
/sbin/mingetty                    system_u:object_r:getty_exec_t
/usr/sbin/sshd                    system_u:object_r:sshd_exec_t
/lib/libc.so.6                    system_u:object_r:lib_t -> 
system_u:object_r:shlib_t
/lib/ld-linux.so.2                system_u:object_r:lib_t -> 
system_u:object_r:ld_so_t

> Offhand, I would have assumed that the copy simply failed to preserve
> the security.selinux attributes, but you said that you tried relabeling
> (/sbin/fixfiles relabel) and presumably rebooted afterwards.  Or perhaps
> you just touched /.autorelabel and rebooted?  Maybe that isn't working
> properly?  Try relabeling explicitly.
I just touched /.autorelabel.  The relabel did proceed as ordered on 
reboot.  Here are the results of explicit relablel:
# /sbin/fixfiles relabel

    Files in the /tmp directory may be labeled incorrectly, this command
    can remove all files in /tmp.  If you choose to remove files from 
/tmp,
    a reboot will be required after completion.

    Do you wish to clean out the /tmp directory [N]? y
/.autofsck: Permission denied
/usr/sbin/setfiles:  unable to relabel /.autofsck to 
system_u:object_r:etc_runtime_t
/etc/rhgb/temp: Permission denied
/usr/sbin/setfiles:  unable to relabel /etc/rhgb/temp to 
system_u:object_r:mnt_t/etc/blkid.tab: Permission denied
/usr/sbin/setfiles:  unable to relabel /etc/blkid.tab to 
system_u:object_r:etc_runtime_t
/etc/resolv.conf.predhclient: Permission denied
/usr/sbin/setfiles:  unable to relabel /etc/resolv.conf.predhclient to 
system_u:object_r:net_conf_t
/var/run/utmp: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/utmp to 
system_u:object_r:initrc_var_run_t
/var/run/dhclient-eth0.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/dhclient-eth0.pid to 
system_u:object_r:dhcpc_var_run_t
/var/run/syslogd.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/syslogd.pid to 
system_u:object_r:syslogd_var_run_t
/var/run/klogd.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/klogd.pid to 
system_u:object_r:klogd_var_run_t
/var/run/rpc.statd.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/rpc.statd.pid to 
system_u:object_r:rpcd_var_run_t
/var/run/sdp: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/sdp to 
system_u:object_r:bluetooth_var_run_t
/var/run/nifd.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/nifd.pid to 
system_u:object_r:howl_var_run_t
/var/run/acpid.socket: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/acpid.socket to 
system_u:object_r:apmd_var_run_t
/var/run/ntpd.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/ntpd.pid to 
system_u:object_r:ntpd_var_run_t
/var/run/sendmail.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/sendmail.pid to 
system_u:object_r:sendmail_var_run_t
/var/run/sm-client.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/sm-client.pid to 
system_u:object_r:sendmail_var_run_t
/var/run/crond.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/crond.pid to 
system_u:object_r:crond_var_run_t
/var/run/atd.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/run/atd.pid to 
system_u:object_r:crond_var_run_t
/var/log/rpmpkgs: Permission denied
/usr/sbin/setfiles:  unable to relabel /var/log/rpmpkgs to 
system_u:object_r:rpm_log_t
/home/mjs/.Xauthority: Permission denied
/usr/sbin/setfiles:  unable to relabel /home/mjs/.Xauthority to 
user_u:object_r:user_home_t
/home/mjs/.gpilotd.pid: Permission denied
/usr/sbin/setfiles:  unable to relabel /home/mjs/.gpilotd.pid to 
user_u:object_r:user_home_t

After rebooting, the problem is apparently solved, however.  Entering "su" 
and password results in a root prompt.
Thanks.

--
                Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs