[Novalug] FC6 SELinux and disk replacement
Garrett Nievin
gnievin at comcast.net
Mon Apr 9 20:42:53 EDT 2007
Scott,
Your pointer was spot-on and got me fixed right back up.
I further discovered that I should have used the --xattrs option on tar,
which in turn enables --selinux and --acls, which would have prevented
the problem. That's what happens when you go a few years without really
reading release notes of O/S upgrades.
Cheers,
Garrett
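Added example, not part of the thread: a small POSIX shell script that summarises AVC denial records like the ones quoted below and flags the denials whose target carries the generic file_t type, which is the "no label at all" state that a tar restore without --xattrs leaves behind. The sample records are the ones quoted in the thread, each joined back onto one line as the kernel originally logged it; the function names are my own. The remediation commands in the comments (a full relabel, and tar --xattrs for future backups) are the standard fix, stated in the thread only as "relabel" and "--xattrs".

```shell
#!/bin/sh
# Summarise SELinux AVC denials and flag targets labelled file_t (unlabeled).
#
# Remediation (standard, not quoted verbatim in the thread):
#   touch /.autorelabel && reboot        # full relabel on next boot
#   restorecon -R /                      # or relabel in place
# and take future backups with:  tar --xattrs -cpf backup.tar /path
# (on FC6 --xattrs also turns on --selinux and --acls, as noted above).

# Sample input: the AVC records from this thread, one record per line.
sample_avc() {
cat <<'EOF'
audit(1175820403.735:9): avc: denied { entrypoint } for pid=1929 comm="sshd" name="bash" dev=hda1 ino=81954 scontext=user_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1175889449.336:263): avc: denied { append } for pid=2082 comm="syslogd" name="spooler" dev=hda1 ino=1016124 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1175889449.336:264): avc: denied { append } for pid=2082 comm="syslogd" name="boot.log" dev=hda1 ino=1016125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1175889449.511:265): avc: denied { read } for pid=2098 comm="mcstransd" name="config" dev=hda1 ino=115684 scontext=system_u:system_r:setrans_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1175889450.921:266): avc: denied { read } for pid=2167 comm="cupsd" name="libgnutls.so.13" dev=hda1 ino=164759 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
audit(1175889450.978:267): avc: denied { read } for pid=2167 comm="cupsd" name="libgnutls.so.13" dev=hda1 ino=164759 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
audit(1175889466.975:268): user pid=2110 uid=81 auid=4294967295 subj=system_u:system_r:initrc_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=2377 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus
audit(1175889478.958:269): avc: denied { execmod } for pid=2766 comm="Xorg" name="r200_dri.so" dev=hda1 ino=298429 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1175889520.900:270): avc: denied { execheap } for pid=3027 comm="mono" scontext=user_u:system_r:initrc_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=process
EOF
}

# Read AVC records on stdin; emit one tab-separated row per denial:
# comm, permission, name, source type, target type, target class.
# The type is the third colon-separated field of a security context.
avc_summary() {
  awk '
    function ctx_type(ctx,  p) { split(ctx, p, ":"); return p[3] }
    /avc: *denied/ {
      perm = "-"; comm = "-"; name = "-"; stype = "-"; ttype = "-"; tclass = "-"
      # permission set sits between "denied {" and the closing "}"
      if (match($0, /denied [{][^}]*[}]/)) {
        perm = substr($0, RSTART + 8, RLENGTH - 9)
        sub(/^ +/, "", perm); sub(/ +$/, "", perm)
      }
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue
        gsub(/[^A-Za-z0-9_.:-]/, "", kv[2])   # drop surrounding quotes
        if (kv[1] == "comm") comm = kv[2]
        else if (kv[1] == "name") name = kv[2]
        else if (kv[1] == "scontext") stype = ctx_type(kv[2])
        else if (kv[1] == "tcontext") ttype = ctx_type(kv[2])
        else if (kv[1] == "tclass") tclass = kv[2]
      }
      printf "%s\t%s\t%s\t%s\t%s\t%s\n", comm, perm, name, stype, ttype, tclass
    }'
}

# Number of denials whose target is file_t: a high count right after a
# restore means the labels were lost, not that the policy is wrong.
count_unlabeled() {
  avc_summary | awk -F'\t' '$5 == "file_t" { n++ } END { print n + 0 }'
}

# Distinct programs hitting unlabeled targets (sorted bytewise).
unlabeled_comms() {
  avc_summary | awk -F'\t' '$5 == "file_t" { print $1 }' | LC_ALL=C sort -u
}

# Report on the sample; pipe a real /var/log/messages into avc_summary instead.
sample_avc | avc_summary
echo "denials against unlabeled (file_t) targets: $(sample_avc | count_unlabeled)"
echo "programs affected: $(sample_avc | unlabeled_comms | tr '\n' ' ')"
```

The two denials that are not against file_t (the D-Bus send_msg and the mono execheap) are separate policy questions, so sorting by target type is what separates the "lost labels" symptom from anything that survives a relabel.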
On Fri, 6 Apr 2007, Garrett Nievin wrote:
> Thanks very much. That's exactly the type of overview and pointer I needed.
> This will be much easier and more interesting than I thought.
>
> Cheers,
> Garrett
>
> On Fri, 6 Apr 2007, Scott Musman wrote:
>
>> Garrett,
>>
>> I'm certainly not a selinux expert, but I've been looking into it more
>> recently as it's gotten "much" better, and we are developing a tool that
>> we use to monitor its messages to detect misuse patterns.
>>
>> The short answer to your question is that I'm guessing you have selinux
>> in "enforcing" mode, and so it is doing exactly what it is supposed to
>> be doing: by denying what it thinks are unauthorized file accesses. When
>> you restored your files, all of the selinux file-system labels got lost
>> and selinux now needs to relabel the new file system to reflect the
>> changes. Once that has been done it should stop denying your fs accesses
>> and you should be o.k.
>>
>> The URL below should help. See the last question.
>>
>> http://optics.csufresno.edu/~kriehn/fedora/fedora_files/fc6/howto/selinux.html
>>
>> Good luck,
>>
>> -- Scott
>>
>> On Fri, 2007-04-06 at 17:04 -0400, Garrett Nievin wrote:
>>> Background:
>>>
>>> I know diddlesquat about SELinux.
>>>
>>>
>>> Problem description:
>>>
>>> I put a new hard disk in my laptop (another Hitachi which constantly
>>> load/unloads the heads with that clicking noise under Linux until you
>>> turn off power management with hdparm).
>>>
>>> Anyway, I backed up the partitions with tar, formatted the new disk with
>>> a couple of partitions, restored the partitions, and reinstalled grub
>>> after tweaking the configuration a bit to allow for the partitions having
>>> different numbers than before (e.g. root was hda2 because hda1 had been
>>> some partition with Dell software on it; I didn't copy that partition, so
>>> root is now hda1). In retrospect, I'd have kept the same partition
>>> numbers.
>>>
>>> So, after I boot the first time, nobody can log in - permission denied on
>>> running the shell. I reboot into single user, thinking that I forgot to
>>> set the proper permissions on the new / or /home filesystems, but all was
>>> fine. All the same, strace showed that login was failing with EACCES
>>> when trying to execute /bin/bash at the end of a login sequence.
>>>
>>> Eventually, I started syslogd and tried a login in single user mode. As
>>> soon as I do, I see:
>>>
>>> Apr 5 20:46:43 woody kernel: audit(1175820403.735:9): avc: denied {
>>> entrypoint } for pid=1929 comm="sshd" name="bash" dev=hda1 ino=81954
>>> scontext=user_u:system_r:hotplug_t:s0
>>> tcontext=system_u:object_r:file_t:s0 tclass=file
>>>
>>> The problem was revealed and I realized that I had no clue what to do
>>> about it. I used to have a clue, but sold it on Ebay.
>>>
>>> I finally "solved" the problem by doing an upgrade of Fedora from the CD.
>>> If the Internet was slow for you last night, that was me updating my
>>> laptop and torrenting the FC7t3 DVD.
>>>
>>> The box seems to be more or less working now (using it to write this),
>>> but I'm still seeing messages like the ones below and I haven't given it
>>> a thorough workout.
>>>
>>> 1. What happened? Anybody get the license plate of that truck?
>>>
>>> 2. Is there a simple way to fix it? I'm inclined to install a new Linux
>>> (maybe give Ubuntu another try) and just trash the root filesystem. My
>>> new hard disk gives me lots of room to play around.
>>>
>>> Cheers,
>>> Garrett
>>>
>>>
>>> Current message sample:
>>>
>>> audit(1175889449.336:263): avc: denied { append } for pid=2082
>>> comm="syslogd" name="spooler" dev=hda1 ino=1016124
>>> scontext=system_u:system_r:syslogd_t:s0
>>> tcontext=system_u:object_r:file_t:s0 tclass=file
>>> audit(1175889449.336:264): avc: denied { append } for pid=2082
>>> comm="syslogd" name="boot.log" dev=hda1 ino=1016125
>>> scontext=system_u:system_r:syslogd_t:s0
>>> tcontext=system_u:object_r:file_t:s0 tclass=file
>>> audit(1175889449.511:265): avc: denied { read } for pid=2098
>>> comm="mcstransd" name="config" dev=hda1 ino=115684
>>> scontext=system_u:system_r:setrans_t:s0-s0:c0.c1023
>>> tcontext=system_u:object_r:file_t:s0 tclass=file
>>> audit(1175889450.921:266): avc: denied { read } for pid=2167
>>> comm="cupsd" name="libgnutls.so.13" dev=hda1 ino=164759
>>> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
>>> tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
>>> audit(1175889450.978:267): avc: denied { read } for pid=2167
>>> comm="cupsd" name="libgnutls.so.13" dev=hda1 ino=164759
>>> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
>>> tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
>>> audit(1175889466.975:268): user pid=2110 uid=81 auid=4294967295
>>> subj=system_u:system_r:initrc_t:s0 msg='avc: denied { send_msg } for
>>> msgtype=method_call interface=org.freedesktop.DBus member=Hello
>>> dest=org.freedesktop.DBus spid=2377 scontext=system_u:system_r:rpm_t:s0
>>> tcontext=system_u:system_r:initrc_t:s0 tclass=dbus
>>> audit(1175889478.958:269): avc: denied { execmod } for pid=2766
>>> comm="Xorg" name="r200_dri.so" dev=hda1 ino=298429
>>> scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:file_t:s0
>>> tclass=file
>>> audit(1175889520.900:270): avc: denied { execheap } for pid=3027
>>> comm="mono" scontext=user_u:system_r:initrc_t:s0
>>> tcontext=user_u:system_r:initrc_t:s0 tclass=process
>>>
>>> _______________________________________________
>>> Novalug mailing list
>>> Novalug at calypso.tux.org
>>> http://calypso.tux.org/cgi-bin/mailman/listinfo/novalug
>>