Description of problem:
Unable to login when SELINUX=enforcing. Not on console, ssh or whatever.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.13-49.fc10.noarch
selinux-policy-3.5.13-49.fc10.noarch
libselinux-2.0.78-1.fc10.i386
libselinux-utils-2.0.78-1.fc10.i386
libselinux-python-2.0.78-1.fc10.i386

How reproducible:
Change SELINUX=disabled to enforcing.

Steps to Reproduce:
1. Change SELINUX=disabled to enforcing (policy targeted).
2. Restart
3. Try to login - NO WAY!

Messages in /var/log/messages:

kernel: type=1400 audit(1238064645.911:4): avc: denied { read } for pid=1424 comm="ip" name="ld.so.cache" dev=sda2 ino=67249 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
kernel: type=1400 audit(1238064645.942:5): avc: denied { read } for pid=1438 comm="ip" name="ld.so.cache" dev=sda2 ino=67249 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
kernel: type=1400 audit(1238064645.949:6): avc: denied { read } for pid=1446 comm="iwconfig" name="ld.so.cache" dev=sda2 ino=67249 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
kernel: type=1400 audit(1238064647.406:7): avc: denied { read } for pid=1468 comm="ip" name="ld.so.cache" dev=sda2 ino=67249 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
kernel: type=1400 audit(1238064647.512:8): avc: denied { read } for pid=1532 comm="ifconfig" name="ld.so.cache" dev=sda2 ino=67249 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
Mar 26 11:50:57 ls2ka kernel: type=1400 audit(1238064647.512:9): avc: denied { read } for pid=1532 comm="ifconfig" name="libselinux.so.1" dev=sda2 ino=858682 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
setroubleshoot: SELinux is preventing login (hotplug_t) "entrypoint" to /bin/bash (shell_exec_t). For complete SELinux messages. run sealert -l 13e1c676-1d74-4a05-b4a5-69e3b0d577f7
Mar 26 11:51:39 ls2ka init: tty2 main process ended, respawning
Mar 26 11:51:39 ls2ka setroubleshoot: SELinux is preventing login (hotplug_t) "entrypoint" to /bin/bash (shell_exec_t). For complete SELinux messages. run sealert -l 13e1c676-1d74-4a05-b4a5-69e3b0d577f7
Mar 26 11:51:50 ls2ka init: tty2 main process ended, respawning
Mar 26 11:51:50 ls2ka setroubleshoot: SELinux is preventing login (hotplug_t) "entrypoint" to /bin/bash (shell_exec_t). For complete SELinux messages. run sealert -l 13e1c676-1d74-4a05-b4a5-69e3b0d577f7
Mar 26 11:51:51 ls2ka acpid: client connected from 2991[0:0]
Mar 26 11:51:51 ls2ka acpid: client connected from 2991[0:0]
Mar 26 11:51:59 ls2ka setroubleshoot: SELinux is preventing access to files with the label, file_t. For complete SELinux messages. run sealert -l 9da225d5-acdd-4a40-bbe7-1049e9ddc0a0
Mar 26 11:51:59 ls2ka setroubleshoot: SELinux is preventing gdm-session-wor (hotplug_t) "entrypoint" to /etc/X11/xinit/Xsession (bin_t). For complete SELinux messages. run sealert -l f4bec33c-7158-4836-ad3b-3a15cc0d41c3
Mar 26 11:51:59 ls2ka acpid: client connected from 3459[0:0]
Mar 26 11:52:00 ls2ka acpid: client connected from 3459[0:0]
Mar 26 11:52:15 ls2ka setroubleshoot: SELinux is preventing access to files with the label, file_t. For complete SELinux messages. run sealert -l 9da225d5-acdd-4a40-bbe7-1049e9ddc0a0
Mar 26 11:52:15 ls2ka setroubleshoot: SELinux is preventing gdm-session-wor (hotplug_t) "entrypoint" to /etc/X11/xinit/Xsession (bin_t). For complete SELinux messages. run sealert -l f4bec33c-7158-4836-ad3b-3a15cc0d41c3

Trying to look up the errors is even worse:

sealert -l 13e1c676-1d74-4a05-b4a5-69e3b0d577f7
Traceback (most recent call last):
  File "/usr/bin/sealert", line 108, in <module>
    from setroubleshoot.analyze import *
  File "/usr/lib/python2.5/site-packages/setroubleshoot/analyze.py", line 43, in <module>
    from setroubleshoot.avc_audit import *
  File "/usr/lib/python2.5/site-packages/setroubleshoot/avc_audit.py", line 54, in <module>
    my_context = AvcContext(selinux.getcon()[1])
OSError: [Errno 22] Invalid argument
[root@ls2ka ~]# sealert -l
Traceback (most recent call last):
  File "/usr/bin/sealert", line 108, in <module>
    from setroubleshoot.analyze import *
  File "/usr/lib/python2.5/site-packages/setroubleshoot/analyze.py", line 43, in <module>
    from setroubleshoot.avc_audit import *
  File "/usr/lib/python2.5/site-packages/setroubleshoot/avc_audit.py", line 54, in <module>
    my_context = AvcContext(selinux.getcon()[1])
OSError: [Errno 22] Invalid argument
[root@ls2ka ~]# 9da225d5-acdd-4a40-bbe7-1049e9ddc0a0
-bash: 9da225d5-acdd-4a40-bbe7-1049e9ddc0a0: command not found
[root@ls2ka ~]# sealert -l 9da225d5-acdd-4a40-bbe7-1049e9ddc0a0
Traceback (most recent call last):
  File "/usr/bin/sealert", line 108, in <module>
    from setroubleshoot.analyze import *
  File "/usr/lib/python2.5/site-packages/setroubleshoot/analyze.py", line 43, in <module>
    from setroubleshoot.avc_audit import *
  File "/usr/lib/python2.5/site-packages/setroubleshoot/avc_audit.py", line 54, in <module>
    my_context = AvcContext(selinux.getcon()[1])
OSError: [Errno 22] Invalid argument
[root@ls2ka ~]# sealert -l 13e1c676-1d74-4a05-b4a5-69e3b0d577f7
Traceback (most recent call last):
  File "/usr/bin/sealert", line 108, in <module>
    from setroubleshoot.analyze import *
  File "/usr/lib/python2.5/site-packages/setroubleshoot/analyze.py", line 43, in <module>
    from setroubleshoot.avc_audit import *
  File "/usr/lib/python2.5/site-packages/setroubleshoot/avc_audit.py", line 54, in <module>
    my_context = AvcContext(selinux.getcon()[1])
OSError: [Errno 22] Invalid argument

IT SEEMS SOMETHING PYTHON IS REALLY BROKEN HERE.

Actual results:
Unable to login

Expected results:
Should be able to login

Additional info:
This is worse than Microsoft's security implementations!

BTW: If you try the SYSTEM-CONFIG-SELINUX tool and you change the settings of selinux with it from i.e. disabled to enforcing, a warning/question pops up: if you enable it you have to relabel. HAS ANYONE NOTICED WHAT THIS UTIL DOES WHEN YOU SAY "NO" TO THAT QUESTION?
It also fucked up the zone files by setting the rights on the /var/named/chroot/var/named folder from named:named to root:named After disabling selinux, I had to set this back manually myself again. I am still checking the filesystem rights at this moment. I really hope that it's my own fault and not Fedora's.
Context file_t means you need to relabel the machine.

Could you try to execute

vi /etc/selinux/config
Change the SELINUX field to say permissive
touch /.autorelabel
reboot

to fix the labeling.
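As an added illustration of the diagnosis in this comment and of the AVC lines in the report above (example code written for this page, not from the bug report, Fedora or setroubleshoot): a POSIX shell script that scans log lines for denials whose target context is file_t, which is the unlabeled-file signature that calls for a relabel, keeps them apart from denials against properly labeled targets (which a relabel will not fix), and rewrites the SELINUX= line of a config file's content to permissive as the first step of the fix. The log lines and config content are constructed samples modelled on the report; the function names are my own, and nothing here touches the live system.

```shell
#!/bin/sh
# Added example (not part of the bug report): triage AVC denials from
# /var/log/messages and tell apart the two situations seen in the thread:
#   - tcontext ends in file_t  -> the file has no label; the fix is a relabel
#   - any other tcontext       -> a real policy denial; a relabel will not help
# Sample lines below are constructed, modelled on the report's denials.

SAMPLE_LOG='kernel: type=1400 audit(1238064645.911:4): avc: denied { read } for pid=1424 comm="ip" name="ld.so.cache" dev=sda2 ino=67249 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
kernel: type=1400 audit(1238064647.512:9): avc: denied { read } for pid=1532 comm="ifconfig" name="libselinux.so.1" dev=sda2 ino=858682 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
kernel: type=1400 audit(1238064650.100:10): avc: denied { write } for pid=1600 comm="named" name="example.zone" dev=sda2 ino=4242 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file'

# Constructed: a log whose only denial has a properly labeled target (no file_t).
LABELED_ONLY='kernel: type=1400 audit(1238064650.100:10): avc: denied { write } for pid=1600 comm="named" name="example.zone" dev=sda2 ino=4242 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file'

# Constructed /etc/selinux/config content.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

# Number of AVC denials whose target object is unlabeled (file_t).
count_unlabeled_denials() {
    printf '%s\n' "$1" | grep -c 'avc: *denied.*tcontext=[^ ]*:file_t:' || true
}

# "comm -> name" for every unlabeled target, deduplicated and sorted.
list_unlabeled_targets() {
    printf '%s\n' "$1" \
        | sed -n 's/.*comm="\([^"]*\)".*name="\([^"]*\)".*tcontext=[^ ]*:file_t:.*/\1 -> \2/p' \
        | sort -u
}

# Denials whose target carries a real label: these need policy work, not a relabel.
list_labeled_denials() {
    printf '%s\n' "$1" \
        | grep 'avc: *denied' \
        | grep -v 'tcontext=[^ ]*:file_t:' \
        | sed -n 's/.*scontext=\([^ ]*\).*tcontext=\([^ ]*\).*tclass=\([^ ]*\).*/\1 -> \2 (\3)/p'
}

# Succeeds when at least one file_t denial is present.
needs_relabel() {
    [ "$(count_unlabeled_denials "$1")" -gt 0 ]
}

# Rewrite the SELINUX= line of config-file content to permissive, leaving
# SELINUXTYPE= and comments untouched (step 1 of the fix in the comment above).
set_permissive() {
    printf '%s\n' "$1" | sed 's/^SELINUX=.*$/SELINUX=permissive/'
}

# Demo on the constructed data.
if needs_relabel "$SAMPLE_LOG"; then
    echo "file_t denials: $(count_unlabeled_denials "$SAMPLE_LOG") -> relabel needed (touch /.autorelabel, reboot)"
    list_unlabeled_targets "$SAMPLE_LOG"
fi
echo "denials against labeled targets (policy work, not a relabel):"
list_labeled_denials "$SAMPLE_LOG"
echo "config after step 1:"
set_permissive "$SAMPLE_CONFIG"
```

Run it against real data with `count_unlabeled_denials "$(grep avc /var/log/messages)"`; a non-zero count means the filesystem was never labeled (the state the report describes after switching straight from disabled to enforcing), while entries listed by `list_labeled_denials` are ordinary policy denials that survive a relabel and have to be looked at one by one.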
Is this going to change permissions on certain folders and/or files as well? It's a new production machine which services the network's dhcp, (d)dns, mail and proxy services. Right now it is working well and I would not want this configuration to be screwed.
It will change the SELinux labels only. It will not change any permissions.