Description of problem: something has gone wrong with selinux and now i get selinux denials for just about everything and the boot drops me to a maintenance command line. i can't find any way to restore the system. (eveything runs fine with permissive or disabled.) in permissive, here's the first few lines of selinux stuff in the system log: Mar 15 00:47:20 desk kernel: audit(1173919581.873:2): policy loaded auid=4294967295 Mar 15 00:47:20 desk kernel: audit(1173919582.681:3): avc: denied { read } for pid=406 comm="mount" name="libblkid.so.1.0" dev=dm-0 ino=57376823 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file Mar 15 00:47:20 desk kernel: audit(1173919582.693:4): avc: denied { getattr } for pid=406 comm="mount" name="libblkid.so.1.0" dev=dm-0 ino=57376823 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file Mar 15 00:47:20 desk kernel: audit(1173919582.701:5): avc: denied { execute } for pid=406 comm="mount" name="libblkid.so.1.0" dev=dm-0 ino=57376823 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file Mar 15 00:47:20 desk kernel: audit(1173919585.185:6): avc: denied { search } for pid=432 comm="hwclock" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:hwclock_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir Mar 15 00:47:20 desk kernel: audit(1173919589.394:7): avc: denied { search } for pid=510 comm="pam_console_app" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir i've tried a complete restorecon. i've switched selinux on and off and that's caused a lengthy relabel. i've even tried uninstalling and reinstalling the selinux-policy packages (which caused another relabel) but it makes no difference. help! Version-Release number of selected component (if applicable): 2.4.6-42.fc6
This looks like you have something badly labeled as samba_share_t. fixfiles -F restore should clean up the file context. Did you label something major as samba_share_t?
ooh. that looks like it's done something! i've got 3087 "Setfiles: relabeling" messages in my system log now! how is that different from the 'complete relabelling of entire filesystem' that's happened twice already during booting when changing selinux modes? anyway, yes "/" has been relabeled from samba_share_t to root_t by fixfiles. it's possible i tried to add a samba share of '/' at some point. (wouldn't expect that to render my system unbootable/insecure/whatever without a warning!) i'm pretty sure i haven't done any command-line stuff to relabel anything .. wouldn't know how and doubt i'd risk guessing - this is my main server. of those 3087 relabels i'd say about 10% are from samba_share_t. the rest are almost all from user_u to system_u. there are a few others including some from "root" to system_u. any idea at all what might have caused this? a lot of the files in the list are ones installed from non-standard repositories or copied from another system or installed from tarballs. also i've run the xen kernel (just dom0) for a while (including yum updates including selinux updates) and then switched back to non-xen. could that affect things? well, the last 'denied' message was six minutes before the fixfiles and that was over an hour ago (it was logging about one denial per minute) so i'm off to reboot. many thanks.