[Novalug] FC6 SELinux and disk replacement

Garrett Nievin gnievin at comcast.net
Fri Apr 6 18:45:35 EDT 2007


Thanks very much.  That's exactly the type of overview and pointer I 
needed.  This will be much easier and more interesting than I thought.

Cheers,
Garrett

On Fri, 6 Apr 2007, Scott Musman wrote:

> Garrett,
>
> I'm certainly not a selinux expert, but I've been looking into it more
> recently as it's gotten "much" better, and we are developing a tool that
> we use to monitor its messages to detect misuse patterns.
>
> The short answer to your question is that I'm guessing you have selinux
> in "enforcing" mode, and so it is doing exactly what it is supposed to
> be doing: denying what it thinks are unauthorized file accesses. When
> you restored your files, all of the selinux file-system labels got lost
> and selinux now needs to relabel the new file system to reflect the
> changes. Once that has been done it should stop denying your fs accesses
> and you should be OK.
>
> The URL below should help. See the last question..
>
> http://optics.csufresno.edu/~kriehn/fedora/fedora_files/fc6/howto/selinux.html
>
> Good luck,
>
> 		-- Scott
>
> On Fri, 2007-04-06 at 17:04 -0400, Garrett Nievin wrote:
>> Background:
>>
>> I know diddlesquat about SELinux.
>>
>>
>> Problem description:
>>
>> I put a new hard disk in my laptop (another Hitachi which constantly
>> load/unloads the heads with that clicking noise under Linux until you
>> turn off power management with hdparm).
>>
>> Anyway, I backed up the partitions with tar, formatted the new disk with
>> a couple of partitions, restored the partitions, and reinstalled grub
>> after tweaking the configuration a bit to allow for the partitions having
>> different numbers than before (e.g. root was hda2 because hda1 had been
>> some partition with Dell software on it; I didn't copy that partition, so
>> root is now hda1).  In retrospect, I'd have kept the same partition
>> numbers.
>>
>> So, after I boot the first time, nobody can log in - permission denied on
>> running the shell.  I reboot into single user, thinking that I forgot to
>> set the proper permissions on the new / or /home filesystems, but all was
>> fine.  All the same, strace showed that login was failing with EACCES
>> when trying to execute /bin/bash at the end of a login sequence.
>>
>> Eventually, I started syslogd and tried a login in single user mode.  As
>> soon as I do, I see:
>>
>> Apr 5 20:46:43 woody kernel: audit(1175820403.735:9): avc:  denied {
>> entrypoint } for pid=1929 comm="sshd" name="bash" dev=hda1 ino=81954
>> scontext=user_u:system_r:hotplug_t:s0
>> tcontext=system_u:object_r:file_t:s0 tclass=file
>>
>> The problem was revealed and I realized that I had no clue what to do
>> about it.  I used to have a clue, but sold it on eBay.
>>
>> I finally "solved" the problem by doing an upgrade of Fedora from the CD.
>> If the Internet was slow for you last night, that was me updating my
>> laptop and torrenting the FC7t3 DVD.
>>
>> The box seems to be more or less working now (using it to write this),
>> but I'm still seeing messages like the ones below and I haven't given it
>> a thorough workout.
>>
>> 1. What happened?  Anybody get the license plate of that truck?
>>
>> 2. Is there a simple way to fix it? I'm inclined to install a new Linux
>> (maybe give Ubuntu another try) and just trash the root filesystem.  My
>> new hard disk gives me lots of room to play around.
>>
>> Cheers,
>> Garrett
>>
>>
>> Current message sample:
>>
>> audit(1175889449.336:263): avc:  denied  { append } for  pid=2082
>> comm="syslogd" name="spooler" dev=hda1 ino=1016124
>> scontext=system_u:system_r:syslogd_t:s0
>> tcontext=system_u:object_r:file_t:s0 tclass=file
>> audit(1175889449.336:264): avc:  denied  { append } for  pid=2082
>> comm="syslogd" name="boot.log" dev=hda1 ino=1016125
>> scontext=system_u:system_r:syslogd_t:s0
>> tcontext=system_u:object_r:file_t:s0 tclass=file
>> audit(1175889449.511:265): avc:  denied  { read } for  pid=2098
>> comm="mcstransd" name="config" dev=hda1 ino=115684
>> scontext=system_u:system_r:setrans_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:file_t:s0 tclass=file
>> audit(1175889450.921:266): avc:  denied  { read } for  pid=2167
>> comm="cupsd" name="libgnutls.so.13" dev=hda1 ino=164759
>> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
>> audit(1175889450.978:267): avc:  denied  { read } for  pid=2167
>> comm="cupsd" name="libgnutls.so.13" dev=hda1 ino=164759
>> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
>> audit(1175889466.975:268): user pid=2110 uid=81 auid=4294967295
>> subj=system_u:system_r:initrc_t:s0 msg='avc:  denied  { send_msg } for
>> msgtype=method_call interface=org.freedesktop.DBus member=Hello
>> dest=org.freedesktop.DBus spid=2377 scontext=system_u:system_r:rpm_t:s0
>> tcontext=system_u:system_r:initrc_t:s0 tclass=dbus
>> audit(1175889478.958:269): avc:  denied  { execmod } for  pid=2766
>> comm="Xorg" name="r200_dri.so" dev=hda1 ino=298429
>> scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:file_t:s0
>> tclass=file
>> audit(1175889520.900:270): avc:  denied  { execheap } for  pid=3027
>> comm="mono" scontext=user_u:system_r:initrc_t:s0
>> tcontext=user_u:system_r:initrc_t:s0 tclass=process
>>
>> _______________________________________________
>> Novalug mailing list
>> Novalug at calypso.tux.org
>> http://calypso.tux.org/cgi-bin/mailman/listinfo/novalug
>
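The diagnosis in Scott's reply can be checked mechanically from the AVC records Garrett posted. The script below is an added example, not code from either poster or from the tool Scott mentions: it parses `avc: denied` records into fields, and flags every denial whose target context type is `file_t` as an unlabeled object (a file restored without its `security.selinux` extended attribute), as distinct from a denial against a properly labeled target, which would be a genuine policy question. The sample input is constructed by copying the records from the thread above; the field names (`scontext`, `tcontext`, `tclass`, `comm`, `name`, `ino`) are the kernel's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: AVC records copied from the mailing-list thread above.
# Note the dbus record is a "user" message wrapping an avc string in msg='...'.
SAMPLE_AVC = """\
audit(1175820403.735:9): avc:  denied { entrypoint } for pid=1929 comm="sshd" name="bash" dev=hda1 ino=81954 scontext=user_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1175889449.336:263): avc:  denied  { append } for  pid=2082 comm="syslogd" name="spooler" dev=hda1 ino=1016124 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1175889450.921:266): avc:  denied  { read } for  pid=2167 comm="cupsd" name="libgnutls.so.13" dev=hda1 ino=164759 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
audit(1175889466.975:268): user pid=2110 uid=81 auid=4294967295 subj=system_u:system_r:initrc_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=2377 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus
audit(1175889478.958:269): avc:  denied  { execmod } for  pid=2766 comm="Xorg" name="r200_dri.so" dev=hda1 ino=298429 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1175889520.900:270): avc:  denied  { execheap } for  pid=3027 comm="mono" scontext=user_u:system_r:initrc_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=process
"""

# "avc: denied { perm [perm ...] } for key=value ..." (whitespace varies between records)
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$')
# key=value pairs; values are either double-quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("kv")):
        rec[key] = value.strip("\"'")   # strip the quotes around comm/name and a trailing ' from msg='...'
    return rec


def context_type(ctx):
    """Third field of user:role:type[:range] is the SELinux type (e.g. file_t, syslogd_t)."""
    return ctx.split(":")[2]


def classify(rec):
    """'unlabeled' if the target object carries the default file_t label, else 'policy'."""
    if rec["tclass"] != "process" and context_type(rec["tcontext"]) == "file_t":
        return "unlabeled"      # object has no stored label: fix by relabeling, not by writing policy
    return "policy"             # target is labeled; this denial is a real policy decision to examine


def summarize(log_text):
    """Parse every AVC record and return (records, verdict counts, denials grouped by source domain)."""
    records = [r for r in map(parse_avc, log_text.splitlines()) if r]
    verdicts = Counter(classify(r) for r in records)
    by_domain = defaultdict(set)
    for r in records:
        by_domain[context_type(r["scontext"])].add((r["tclass"], tuple(r["perms"])))
    return records, verdicts, dict(by_domain)


if __name__ == "__main__":
    records, verdicts, by_domain = summarize(SAMPLE_AVC)
    for r in records:
        print(f"{classify(r):9} {r.get('comm', '?'):8} {context_type(r['scontext']):10} "
              f"-> {context_type(r['tcontext']):10} {r['tclass']:8} {' '.join(r['perms'])}")
    print("verdicts:", dict(verdicts))
    if verdicts["unlabeled"] and verdicts["unlabeled"] >= verdicts["policy"]:
        print("most targets are file_t: the filesystem lost its labels; relabel it "
              "(touch /.autorelabel and reboot, or fixfiles relabel / restorecon -Rv /).")
```

Four of the six records have `file_t` as the target type, which is the signature of a filesystem restored without extended attributes; the remaining two (the `execheap` on `mono` and the `rpm_t` dbus call) are against labeled targets, but both come from processes running in `initrc_t`/`init_t` because their executables were also unlabeled, so no domain transition happened at exec time and they are the same root cause. On Fedora the fix is a full relabel (`touch /.autorelabel` and reboot, or `fixfiles relabel`; `restorecon -Rv /` for a running system), and the prevention is to back up with a tool that keeps the `security.selinux` xattr: modern GNU tar needs `--xattrs --selinux` on both create and extract, and `star -xattr -H=exustar` was the usual choice in the FC6 era.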

