Bug 465604 - Can't execute su due to user confinement
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-10-04 12:14 UTC by Mathieu Bridon
Modified: 2008-10-20 14:00 UTC
Last Closed: 2008-10-20 14:00:01 UTC

Attachments:
Installation log: /root/install.log (48.52 KB, text/plain), 2008-10-06 18:36 UTC, Mathieu Bridon
Installation log: /root/install.log.syslog (4.22 KB, text/plain), 2008-10-06 18:36 UTC, Mathieu Bridon

Description Mathieu Bridon 2008-10-04 12:14:53 UTC
Description of problem:
I just installed Fedora 10 beta with the x86_64 DVD.

I ran into the problem that Dan Walsh mentions here: http://danwalsh.livejournal.com/21067.html, except it was a fresh new install, not an upgrade.

Running "semanage login -l" showed exactly what he said was shown on a system prior to Fedora 9:

# semanage login -l
Login Name                SELinux User              MLS/MCS Range
__default__               user_u                    s0-s0:c0.c1023
root                      root                      s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

Of course, Rawhide is not prior to Fedora 9 :)

After running the 3 commands that are mentioned, and relogin, everything was fixed:
# semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
# semanage login -m -S targeted  -s "unconfined_u" -r s0-s0:c0.c1023 __default__
# semanage login -m -S targeted  -s "unconfined_u" -r s0-s0:c0.c1023 root
(I needed the first one as my system didn't know about unconfined_u, as semanage told me).

So I ran into the exact same issue, but as it happened on a fresh new install of Rawhide, I thought it might be worth reporting it.

Before running those semanage commands, I tried to fully update my system and reboot, which didn't fix anything.

Comment 1 Mathieu Bridon 2008-10-04 12:36:22 UTC
Forgot to mention the versions I have.

Right after the install, those were the versions on the F10beta x86_64 DVD (sorry, didn't check before updating)

Now I have versions:
selinux-policy-3.5.9-4.fc10.noarch
libselinux-python-2.0.73-1.fc10.x86_64
selinux-policy-targeted-3.5.9-4.fc10.noarch
libselinux-utils-2.0.73-1.fc10.x86_64
libselinux-2.0.73-1.fc10.x86_64

As I said, problem was not fixed only by updating the system.

Comment 2 Daniel Walsh 2008-10-06 16:47:22 UTC
Did you see any error messages during the install?  Any errors in the log files in /root?

Comment 3 Mathieu Bridon 2008-10-06 18:36:02 UTC
Created attachment 319588
Installation log: /root/install.log

Interesting part is around line 733

Comment 4 Mathieu Bridon 2008-10-06 18:36:44 UTC
Created attachment 319589
Installation log: /root/install.log.syslog

Seems like there's nothing here.

Comment 5 Mathieu Bridon 2008-10-06 18:37:22 UTC
I didn't see any error during installation.

I can see the following in the file install.log:
<long list of "installing xxx.rpm">
...
Installation de selinux-policy-targeted-3.5.7-1.fc10.noarch
SELinux:  Could not load policy file /etc/selinux/targeted/policy/policy.23:  Invalid argument
/usr/sbin/load_policy:  Can't load policy:  Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
/usr/sbin/semanage: Could not commit semanage transaction
libsemanage.validate_handler: selinux user unconfined_u does not exist
libsemanage.validate_handler: seuser mapping [__default__ -> (unconfined_u, s0-s0:c0.c1023)] is invalid
libsemanage.dbase_llist_iterate: could not iterate over records
/usr/sbin/semanage: Could not commit semanage transaction
Installation de system-config-rootpassword-1.99.4-1.fc9.noarch
...
<continuing the long list of yyy.rpm>


There doesn't seem to be anything of interest in install.log.syslog; however, both are attached so that you can review them more thoroughly if needed.

Comment 6 Mathieu Bridon 2008-10-06 18:52:26 UTC
By the way, when I followed the steps on your blog, I did:
# semanage login -m -S targeted  -s "unconfined_u" -r s0-s0:c0.c1023 __default__

This returned me the same error as above: "selinux user unconfined_u does not exist" (not sure about the exact phrasing).

So I then ran the 3 commands in the order specified in the first comment of this report to first create the unconfined_u user and then fix the issue with login.
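
An added example, not part of the bug thread or of any Fedora tooling: it reads saved `semanage login -l` and `semanage user -l` listings and prints which of the three commands from the description are still needed, with the `unconfined_u` creation first, as the ordering in this comment requires. The function names and the user listing are assumptions made for illustration; the login listing is the one quoted in the description.

```shell
#!/bin/sh
# Added example (not from the bug report): decide which of the report's three
# semanage commands a host needs, from saved `semanage login -l` and
# `semanage user -l` listings. Nothing is changed; commands are only printed.

# Login listing as quoted in the report's description.
REPORTED_LOGINS='Login Name                SELinux User              MLS/MCS Range
__default__               user_u                    s0-s0:c0.c1023
root                      root                      s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023'

# Constructed sample: SELinux user names in column 1, unconfined_u missing.
SAMPLE_USERS='SELinux User    Prefix     MCS Level  MCS Range
root            user       s0         s0-s0:c0.c1023
system_u        user       s0         s0-s0:c0.c1023
user_u          user       s0         s0'

# seuser_for LOGIN: print the SELinux user mapped to LOGIN (listing on stdin).
seuser_for() {
    awk -v login="$1" '$1 == login { print $2; exit }'
}

# user_defined NAME: succeed if NAME is in column 1 of the listing on stdin.
user_defined() {
    awk -v name="$1" '$1 == name { found = 1 } END { exit !found }'
}

# plan_fix LOGIN_LISTING USER_LISTING: print the commands still required,
# creating unconfined_u first because the mapping change is rejected without it.
plan_fix() {
    range='s0-s0:c0.c1023'
    pending=''
    for login in __default__ root; do
        current=$(printf '%s\n' "$1" | seuser_for "$login")
        [ "$current" = unconfined_u ] || pending="$pending $login"
    done
    [ -n "$pending" ] || return 0
    if ! printf '%s\n' "$2" | user_defined unconfined_u; then
        echo "semanage user -a -S targeted -P user -R \"unconfined_r system_r\" -r $range unconfined_u"
    fi
    for login in $pending; do
        echo "semanage login -m -S targeted -s \"unconfined_u\" -r $range $login"
    done
}

plan_fix "$REPORTED_LOGINS" "$SAMPLE_USERS"
```

On a live system the two arguments would be `"$(semanage login -l)"` and `"$(semanage user -l)"`; an empty result means `__default__` and `root` already map to `unconfined_u`.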

Comment 7 Daniel Walsh 2008-10-14 15:26:53 UTC
I checked a couple of fresh installs of F10 and have not seen this problem; also, this is the only bug report I have seen. So I think this is fixed in the latest F10 releases. If you can recreate it with current F10, please reopen.

Comment 8 Daniel Walsh 2008-10-15 17:05:52 UTC
Any "security:" messages from the kernel in /var/log/messages upon the attempted policy load?

Comment 9 Mathieu Bridon 2008-10-15 19:54:24 UTC
I'm not sure what you mean by "upon the attempted policy load"... Do you mean when I ran the 3 "semanage" commands?

If that's it, I can't find any occurrence of the string "secur" in the /var/log/messages from this day.

I looked in the other /var/log/messages (more recent one) and there is no occurrence of this string as well (I searched with grep -i in both cases).

I'll try to reinstall it this weekend to see if I can reproduce this issue. Before that, are there other logs you want me to look at?

Comment 10 Daniel Walsh 2008-10-15 20:28:01 UTC
Take a look for secur in /root/anaco*

Or any install log.

Comment 11 Mathieu Bridon 2008-10-15 21:07:02 UTC
Ok, here's what I have in /root:
# ls
anaconda-ks.cfg  install.log  install.log.syslog

And here's what I get when searching for 'secur':
# grep -ri secur /root/*
#

Yeap, nothing :-/

By the way, what I said in my previous comment was wrong: I did have some occurrences of the 'secur' string in /var/log/messages:
# grep -ri 'secur' -A 1 /var/log/messages*
/var/log/messages:Oct  6 20:22:18 rawhide kernel: Security Framework initialized
/var/log/messages-Oct  6 20:22:18 rawhide kernel: SELinux:  Initializing.
--
/var/log/messages:Oct  6 20:22:18 rawhide kernel: sdhci: Secure Digital Host Controller Interface driver
/var/log/messages-Oct  6 20:22:18 rawhide kernel: sdhci: Copyright(c) Pierre Ossman
(those two repeat several times, both in the latest log and in the one from the install day).

Not sure it matters however :/

Are all the install logs in /root/ or are they somewhere else?

Comment 12 Daniel Walsh 2008-10-15 21:37:07 UTC
I think they are just in root.

Comment 13 Mathieu Bridon 2008-10-18 13:45:50 UTC
Just tried to reinstall on the same computer with the same DVD, I couldn't reproduce it. Looks like a random bug :-/

I'll reinstall again with each Rawhide snapshot (from snap2) on the same computer until the Fedora 10 Preview to see if I can reproduce it.

Comment 14 Daniel Walsh 2008-10-20 14:00:01 UTC
Ok Closing for now.
