Sommario:

SELinux impedisce l'accesso /usr/libexec/gdm-session-worker "create" .

Descrizione dettagliata:

[SELinux è in modalità permissiva. Questo accesso non è stato negato.]

SELinux ha negato l'accesso richiesto da gdm-session-wor. Non è previsto che questo accesso venga richiesto da gdm-session-wor, e tale accesso può segnalare un tentativo di intrusione. È anche possibile che questo sia provocato dalla specifica versione o dalla configurazione dell'applicazione per richiedere un ulteriore accesso.

Abilitazione accesso in corso:

E' possibile generare un modulo di politica locale per consentire questo accesso - consultare le FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Inviare un bug report.

Informazioni aggiuntive:

Contesto della sorgente       system_u:system_r:xdm_t:s0-s0:c0.c1023
Contesto target               system_u:system_r:pam_console_t:s0
Oggetti target                None [ key ]
Sorgente                      gdm-session-wor
Percorso della sorgente       /usr/libexec/gdm-session-worker
Porta                         <Sconosciuto>
Host                          (rimosso)
Sorgente Pacchetti RPM        gdm-2.32.0-1.fc14
Pacchetti RPM target
RPM della policy              selinux-policy-3.9.7-12.fc14
Selinux abilitato             True
Tipo di policy                targeted
Modalità Enforcing            Permissive
Nome plugin                   catchall
Host Name                     (rimosso)
Piattaforma                   Linux (rimosso) 2.6.35.6-48.fc14.i686.PAE #1 SMP Fri Oct 22 15:27:53 UTC 2010 i686 i686
Conteggio avvisi              2
Primo visto                   sab 27 nov 2010 16:47:09 CET
Ultimo visto                  sab 27 nov 2010 17:29:10 CET
ID locale                     ba308396-50ef-4e4e-bbdb-6c1a0484719a
Numeri di linea

Messaggi Raw Audit

node=(rimosso) type=AVC msg=audit(1290875350.221:10): avc: denied { create } for pid=2411 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:pam_console_t:s0 tclass=key

node=(rimosso) type=SYSCALL msg=audit(1290875350.221:10): arch=40000003 syscall=4 success=yes exit=35 a0=a a1=852c130 a2=23 a3=852c130 items=0 ppid=2229 pid=2411 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash String generated from catchall,gdm-session-wor,xdm_t,pam_console_t,key,create
audit2allow suggests:

#============= xdm_t ==============
allow xdm_t pam_console_t:key create;
Suddenly I could not log in on my graphical console. Disabling SELinux or setting it to Permissive makes it work fine.
I restarted in mode 3 (text) and at password input I get Authentication failure...
before these updates, system was working

Nov 27 15:07:12 Updated: libselinux-2.0.96-6.fc14.1.i686
Nov 27 15:07:16 Updated: pulseaudio-libs-0.9.21-7.fc14.i686
Nov 27 15:07:16 Updated: libudev-161-7.fc14.i686
Nov 27 15:07:20 Updated: udev-161-7.fc14.i686
Nov 27 15:07:22 Updated: openssh-5.5p1-24.fc14.2.i686
Nov 27 15:07:23 Updated: alsa-lib-1.0.23-2.fc14.i686
Nov 27 15:07:26 Updated: pulseaudio-0.9.21-7.fc14.i686
Nov 27 15:07:27 Updated: pulseaudio-utils-0.9.21-7.fc14.i686
Nov 27 15:07:28 Updated: pulseaudio-libs-zeroconf-0.9.21-7.fc14.i686
Nov 27 15:07:29 Updated: pulseaudio-libs-glib2-0.9.21-7.fc14.i686
Nov 27 15:07:30 Updated: libselinux-utils-2.0.96-6.fc14.1.i686
Nov 27 15:07:32 Updated: policycoreutils-2.0.83-33.2.fc14.i686
Nov 27 15:07:34 Updated: libselinux-python-2.0.96-6.fc14.1.i686
Nov 27 15:07:36 Updated: policycoreutils-python-2.0.83-33.2.fc14.i686
Nov 27 15:07:37 Updated: evince-libs-2.32.0-2.fc14.i686
Nov 27 15:07:38 Updated: 1:telepathy-mission-control-5.6.1-1.fc14.i686
Nov 27 15:08:01 Updated: empathy-2.32.2-1.fc14.i686
Nov 27 15:08:08 Updated: evince-2.32.0-2.fc14.i686
Nov 27 15:08:08 Updated: pulseaudio-module-zeroconf-0.9.21-7.fc14.i686
Nov 27 15:08:08 Updated: pulseaudio-module-bluetooth-0.9.21-7.fc14.i686
Nov 27 15:08:09 Updated: pulseaudio-module-gconf-0.9.21-7.fc14.i686
Nov 27 15:08:09 Updated: pulseaudio-module-jack-0.9.21-7.fc14.i686
Nov 27 15:08:10 Updated: openssh-askpass-5.5p1-24.fc14.2.i686
Nov 27 15:08:11 Updated: openssh-server-5.5p1-24.fc14.2.i686
Nov 27 15:08:12 Updated: openssh-clients-5.5p1-24.fc14.2.i686
Nov 27 15:08:13 Updated: libgudev1-161-7.fc14.i686
Nov 27 15:08:15 Updated: man-db-2.5.7-6.fc14.i686
Nov 27 15:08:17 Updated: openjpeg-libs-1.3-10.fc14.i686
Nov 27 15:08:17 Updated: xorg-x11-server-common-1.9.1-3.fc14.i686
Nov 27 15:08:19 Updated: policycoreutils-gui-2.0.83-33.2.fc14.i686
Nov 27 15:08:21 Updated: pulseaudio-libs-devel-0.9.21-7.fc14.i686
Nov 27 15:08:21 Updated: pulseaudio-esound-compat-0.9.21-7.fc14.i686
Nov 27 15:08:27 Updated: alsa-lib-devel-1.0.23-2.fc14.i686
Nov 27 15:08:29 Updated: libudev-devel-161-7.fc14.i686
Nov 27 15:08:30 Updated: dracut-006-5.fc14.noarch
Nov 27 15:08:32 Updated: libselinux-devel-2.0.96-6.fc14.1.i686
Nov 27 15:08:32 Updated: pulseaudio-gdm-hooks-0.9.21-7.fc14.i686
Nov 27 15:08:33 Updated: xorg-x11-server-Xorg-1.9.1-3.fc14.i686
Nov 27 15:47:28 Updated: openldap-2.4.23-4.fc14.i686
Nov 27 15:47:29 Updated: samba-winbind-clients-3.5.6-71.fc14.i686
Nov 27 15:47:30 Updated: libuuid-2.18-4.6.fc14.i686
Nov 27 15:47:35 Updated: 1:qt-4.7.1-3.fc14.i686
Nov 27 15:47:50 Updated: samba-common-3.5.6-71.fc14.i686
Nov 27 15:47:51 Updated: libblkid-2.18-4.6.fc14.i686
Nov 27 15:47:52 Updated: libcurl-7.21.0-6.fc14.i686
Nov 27 15:47:52 Updated: libudev-161-8.fc14.i686
Nov 27 15:47:54 Updated: elfutils-libelf-0.150-1.fc14.i686
Nov 27 15:47:55 Updated: elfutils-libs-0.150-1.fc14.i686
Nov 27 15:47:56 Updated: libmount-2.18-4.6.fc14.i686
Nov 27 15:48:02 Updated: util-linux-ng-2.18-4.6.fc14.i686
Nov 27 15:48:07 Updated: udev-161-8.fc14.i686
Nov 27 15:48:08 Updated: sane-backends-libs-gphoto2-1.0.21-5.fc14.i686
Nov 27 15:48:13 Updated: sane-backends-libs-1.0.21-5.fc14.i686
Nov 27 15:48:20 Updated: sane-backends-1.0.21-5.fc14.i686
Nov 27 15:48:30 Updated: samba-3.5.6-71.fc14.i686
Nov 27 15:48:30 Updated: 1:qt-sqlite-4.7.1-3.fc14.i686
Nov 27 15:48:36 Updated: 1:qt-webkit-4.7.1-3.fc14.i686
Nov 27 15:48:46 Updated: 1:qt-x11-4.7.1-3.fc14.i686
Nov 27 15:48:49 Updated: ntpdate-4.2.6p3-0.1.rc10.fc14.i686
Nov 27 15:48:51 Updated: ntp-4.2.6p3-0.1.rc10.fc14.i686
Nov 27 15:49:02 Updated: wireshark-1.4.2-1.fc14.i686
Nov 27 15:49:03 Updated: foomatic-db-filesystem-4.0-22.20101123.fc14.noarch
Nov 27 15:49:20 Updated: foomatic-db-ppds-4.0-22.20101123.fc14.noarch
Nov 27 15:49:22 Updated: xsane-common-0.998-1.fc14.i686
Nov 27 15:49:25 Updated: bluefish-shared-data-2.0.2-4.fc14.noarch
Nov 27 15:49:28 Updated: 6:kdelibs-common-4.5.3-3.fc14.i686
Nov 27 15:49:35 Updated: bluefish-2.0.2-4.fc14.i686
Nov 27 15:49:45 Updated: foomatic-db-4.0-22.20101123.fc14.noarch
Nov 27 15:49:46 Updated: ntp-perl-4.2.6p3-0.1.rc10.fc14.i686
Nov 27 15:49:48 Updated: libudev-devel-161-8.fc14.i686
Nov 27 15:49:49 Updated: libcurl-devel-7.21.0-6.fc14.i686
Nov 27 15:49:52 Installed: paktype-naqsh-fonts-3.0-4.fc14.noarch
Nov 27 15:49:57 Updated: xkeyboard-config-1.9-7.fc14.noarch
Nov 27 15:50:04 Updated: xorg-x11-proto-devel-7.4-39.fc14.noarch
Nov 27 15:50:05 Updated: pyserial-2.5-1.fc14.noarch
Nov 27 15:50:10 Updated: perl-Image-ExifTool-8.40-1.fc14.noarch
Nov 27 15:50:12 Updated: lohit-devanagari-fonts-2.4.3-8.fc14.noarch
Nov 27 15:50:14 Updated: lohit-kannada-fonts-2.4.5-4.fc14.noarch
Nov 27 15:50:16 Updated: logwatch-7.3.6-58.fc14.noarch
Nov 27 15:50:18 Installed: paktype-tehreer-fonts-2.0-10.fc14.noarch
Nov 27 15:50:39 Updated: 6:kdelibs-4.5.3-3.fc14.i686
Nov 27 15:50:41 Updated: xsane-0.998-1.fc14.i686
Nov 27 15:50:50 Updated: wireshark-gnome-1.4.2-1.fc14.i686
Nov 27 15:50:59 Updated: samba-swat-3.5.6-71.fc14.i686
Nov 27 15:51:04 Updated: crda-1.1.1_2010.11.22-1.fc14.i686
Nov 27 15:51:05 Updated: elfutils-0.150-1.fc14.i686
Nov 27 15:51:06 Updated: libgudev1-161-8.fc14.i686
Nov 27 15:51:09 Updated: gpredict-1.2-1.fc14.i686
Nov 27 15:51:10 Updated: curl-7.21.0-6.fc14.i686
Nov 27 15:51:13 Updated: parted-2.3-4.fc14.i686
Nov 27 15:51:26 Updated: samba-client-3.5.6-71.fc14.i686
Nov 27 15:51:32 Updated: samba-winbind-3.5.6-71.fc14.i686
Nov 27 15:51:36 Updated: 1:qt-mysql-4.7.1-3.fc14.i686
Nov 27 15:51:37 Updated: libsmbclient-3.5.6-71.fc14.i686
Nov 27 15:51:40 Updated: 1:quota-3.17-14.fc14.i686
Nov 27 15:51:41 Updated: libvpx-0.9.5-2.fc14.i686
Nov 27 15:51:42 Updated: schroedinger-1.0.10-1.fc14.i686
Nov 27 15:51:47 Updated: evolution-data-server-2.32.1-2.fc14.i686
Nov 27 15:51:50 Updated: lshw-B.02.15-1.fc14.i686
Nov 27 15:51:53 Updated: libicu-4.4.1-5.fc14.i686
Nov 27 15:51:56 Updated: xorg-x11-xkb-utils-7.5-1.fc14.i686
Nov 27 15:51:57 Updated: yp-tools-2.11-2.fc14.i686
Nov 27 15:51:58 Updated: libnetfilter_conntrack-0.9.0-1.fc14.i686
Nov 27 15:52:03 Updated: planner-0.14.4-27.fc14.i686
Nov 27 15:52:30 Erased: paktype-fonts-common
Nov 27 21:57:18 Installed: selinux-policy-targeted-3.9.7-12.fc14.noarch
Nov 27 22:20:37 Installed: selinux-policy-3.9.7-12.fc14.noarch
What does the following command say?

# id -Z

Also, did you do a relabel after disabling SELinux? But I have a feeling the policy was not installed properly. Does

# yum reinstall selinux-policy-targeted

complete successfully?
*** Bug 657717 has been marked as a duplicate of this bug. ***
*** Bug 657728 has been marked as a duplicate of this bug. ***
*** Bug 657729 has been marked as a duplicate of this bug. ***
*** Bug 657730 has been marked as a duplicate of this bug. ***
*** Bug 657731 has been marked as a duplicate of this bug. ***
*** Bug 657733 has been marked as a duplicate of this bug. ***
*** Bug 657732 has been marked as a duplicate of this bug. ***
*** Bug 657734 has been marked as a duplicate of this bug. ***
*** Bug 657735 has been marked as a duplicate of this bug. ***
*** Bug 657736 has been marked as a duplicate of this bug. ***
*** Bug 657737 has been marked as a duplicate of this bug. ***
*** Bug 657738 has been marked as a duplicate of this bug. ***
*** Bug 657740 has been marked as a duplicate of this bug. ***
*** Bug 657741 has been marked as a duplicate of this bug. ***
*** Bug 657742 has been marked as a duplicate of this bug. ***
*** Bug 657743 has been marked as a duplicate of this bug. ***
*** Bug 657751 has been marked as a duplicate of this bug. ***
*** Bug 657888 has been marked as a duplicate of this bug. ***
*** Bug 657886 has been marked as a duplicate of this bug. ***
id -Z
system_u:system_r:pam_console_t:s0

System was working with SELinux targeted, then after some updates, I could not access my system, I disabled it at boot time with Selinux=0, then I re-enabled as permissive and at boot time it should have relabeled it as I saw working and rebooting

I didn't get warning/error during
# yum reinstall selinux-policy-targeted

but I got a bunch of AVC denials
# yum reinstall selinux-policy-targeted
Plugin abilitati:allowdowngrade, presto, refresh-packagekit, remove-with-leaves,
                : show-leaves, upgrade-helper
Impostazione processo di reinstallazione
adobe-linux-i386                                    | 951 B     00:00
rpmfusion-free-updates                              | 3.3 kB    00:00
rpmfusion-nonfree-updates                           | 3.3 kB    00:00
updates                                             | 4.7 kB    00:00
updates/primary_db                                  | 1.9 MB    00:08
Risoluzione dipendenze
--> Esecuzione del controllo di transazione
---> Pacchetto selinux-policy-targeted.noarch 0:3.9.7-12.fc14 settato per essere reinstalled
--> Risoluzione delle dipendenze completata

Dipendenze risolte

================================================================================
 Pacchetto                  Arch      Versione           Repository    Dim.
================================================================================
Reinstallazione:
 selinux-policy-targeted    noarch    3.9.7-12.fc14      updates       2.4 M

Riepilogo della transazione
================================================================================
Reinstall     1 Package(s)

Dimensione totale del download: 2.4 M
Dimensione installata: 2.8 M
Procedere [s/N]: s
Procedere [s/N]: y
Download dei pacchetti:
Setting up and reading Presto delta metadata
updates/prestodelta                                 | 286 kB    00:01
Processing delta metadata
Package(s) data still to download: 2.4 M
selinux-policy-targeted-3.9.7-12.fc14.noarch.rpm    | 2.4 MB    00:10
Esecuzione rpm_check_debug
Test di transazione in corso
Test di transazione eseguito con successo
Transazione in corso
  Installazione : selinux-policy-targeted-3.9.7-12.fc14.noarch 1/1
Can't stat exclude path "/var/lib/BackupPC", No such file or directory - ignoring. *

Installato:
  selinux-policy-targeted.noarch 0:3.9.7-12.fc14

Completo!
(In reply to comment #24)
> id -Z
> system_u:system_r:pam_console_t:s0
>
>
> System was working with SELinux targeted, then after some updates, I could not
> access my system, I disabled it at boot time with Selinux=0, then I re-enabled
> as permissive and at boot time it should have relabeled it as I saw working and
> rebooting
>
> I didn't get warning/error during
> # yum reinstall selinux-policy-targeted
>
> but I got a bunch of AVC denials

# yum reinstall selinux-policy-targeted

Please note this warning
_______________________________________________________________________
Transazione in corso
  Installazione : selinux-policy-targeted-3.9.7-12.fc14.noarch 1/1
Can't stat exclude path "/var/lib/BackupPC", No such file or directory - ignoring. *

Installato:
  selinux-policy-targeted.noarch 0:3.9.7-12.fc14

Completo!
_______________________________________________________________________
Ok and I guess the problem still persists. If so, could you now try to execute

# touch /.autorelabel; reboot

and then after login in permissive mode add outputs of

# semanage login -l
# semanage user -l
[root@Casa antonio]# semanage login -l

Nome di registrazione     Utente di SELinux         Gamma MLS/MCS

__default__               system_u                  s0
root                      system_u                  s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

semanage user -l

                   Etichettare  MLS/       MLS/
Utente di SELinux  Prefisso     Livello MCS  Gamma MCS        Ruoli SELinux

git_shell_u        user         s0           s0               git_shell_r
guest_u            guest        s0           s0               guest_r
root               user         s0           s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
staff_u            user         s0           s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
sysadm_u           user         s0           s0-s0:c0.c1023   sysadm_r
system_u           user         s0           s0-s0:c0.c1023   system_r unconfined_r
unconfined_u       unconfined   s0           s0-s0:c0.c1023   system_r unconfined_r
user_u             user         s0           s0               user_r
xguest_u           xguest       s0           s0               xguest_r
Try to execute

# semanage login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
# semanage login -m -s unconfined_u root
semanage login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
libsemanage.semanage_get_lock: Could not get direct transaction lock at /etc/selinux/targeted/modules/semanage.trans.LOCK. (Resource temporarily unavailable).
su
Password:
[root@Casa antonio]# semanage login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
[root@Casa antonio]#
[root@Casa antonio]# semanage login -m -s unconfined_u root
[root@Casa antonio]# semanage login -l

Nome di registrazione     Utente di SELinux         Gamma MLS/MCS

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
OK, now try to reboot and log in. It should work.
It works fine!!! Tnx a lot: A final question: how could it happen??? Tnx again
Did you update from a very old version of Fedora?
I went very smoothly from maybe Fedora Core 1 to Fedora 14, upgrading each release. SELinux was set to targeted in Fedora 14 (but also in Fedora 12), it worked fine for at least two weeks, then I got this problem.
Very strange. Somehow your SELinux users file got screwed up. Since we have fixed this, I will close and watch for others having similar problems.
Just as a final comment, I have found this link:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html
So, maybe not so uncommon
Yes I knew this was a problem around Fedora 9/10 time, when we were working heavily on confined users. We had some upgrade problems, but I have not heard of any problems in the last few releases.
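
The fix in this thread comes down to the SELinux login map: __default__ and root were mapped to system_u, so login sessions came up in a system context (id -Z showed system_u:system_r:pam_console_t:s0). As an added example, not part of the original bug report, the check below reads semanage login -l output and flags such mappings. The function names and the rule that only the system_u login may map to system_u are assumptions drawn from the before/after output posted above.

```shell
#!/bin/sh
# Added example, not from the bug report: audit SELinux login mappings.
# Assumption (from the thread's before/after output): only the login entry
# "system_u" itself may map to the SELinux user system_u.

# Reads `semanage login -l` output on stdin, prints one line per bad mapping,
# and returns 1 if any was found, 0 otherwise.
check_login_map() {
    awk '
        BEGIN { bad = 0 }
        # Data rows carry an MLS/MCS range (s0, s0-s0:c0.c1023, ...) in
        # column 3; localized header rows do not, so they are skipped.
        $3 ~ /^s[0-9]/ && $1 != "system_u" && $2 == "system_u" {
            printf "BAD %s -> %s (range %s)\n", $1, $2, $3
            bad = 1
        }
        END { exit bad }
    '
}

# Mapping table posted before the fix (copied from the thread).
sample_before() {
cat <<'EOF'
Nome di registrazione     Utente di SELinux         Gamma MLS/MCS

__default__               system_u                  s0
root                      system_u                  s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
EOF
}

# Mapping table posted after the two `semanage login -m` commands.
sample_after() {
cat <<'EOF'
Nome di registrazione     Utente di SELinux         Gamma MLS/MCS

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
EOF
}

# Stand-alone demo on the two captures.
sample_before | check_login_map || echo "login mappings need repair"
sample_after | check_login_map && echo "login mappings look sane"
```

On a live system the same function can be fed directly, as root: semanage login -l | check_login_map.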