Michal Jaegermann wrote:
On Sun, Jan 04, 2009 at 12:08:09PM -0500, Daniel J Walsh wrote:
Michal Jaegermann wrote:
Something rather weird for 'id -Z':
system_u:system_r:system_crond_t:s0
The other machine after an upgrade reports 'root:unconfined_r:unconfined_t:SystemLow-SystemHigh' which looks like something saner.
# semanage login -l
Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      system_u                  s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
I think the problem is logging in as root is screwed up.
Indeed. I had that impression for quite a while.
If you execute
# semanage login -m -s unconfined_u root
This should cause root users to log in as unconfined_t automatically.
That indeed changes 'semanage login -l' output to
Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
but it does not help that much. I still get "Unable to get valid context for root" from a login and 'system_u:system_r:system_crond_t:s0' for 'id -Z'. BTW - that does not generate any audit messages; only "error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument", and related, in /var/log/secure.
The sshd running as system_crond_t?
I told you this is weird. All of that after an upgrade from F8 to F10. I really would like to know why as surely this is not a result of me trying hard to mess things up.
Does this happen on reboot?
That machine was rebooted a number of times and nothing changes. I cannot switch to 'enforcing' as the box is "remote" and most likely that would immediately cut me off. Before an upgrade this was 'targeted' and 'enforcing'. As I wrote before: after an upgrade I had to force relabelling on a reboot as otherwise most anything was only spitting on me.
BTW - I did some hacking and I do not see at this moment any "avc" type failure notifications in /var/log/messages. Only right now the box is rather quiet. I am not sure what will happen when regular users will show up.
Michal
If you execute 'service sshd restart' from the unconfined_t user, does it still start as system_crond_t?
I actually just upgraded my father's machine from F8 to F10 and had a problem with the root account not being set up to log in correctly. But I saw no problems with sshd?
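
Added example, not part of either poster's message: a small shell check for the two symptoms reported in this thread, a login name mapped to system_u in 'semanage login -l' and an interactive shell whose 'id -Z' context carries the system_r role. The function names, the sample table and the "login shell should not be in system_r" heuristic are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): checks for the two symptoms reported above.
# Function names and sample data are constructed for illustration.

# Read `semanage login -l` output on stdin and print every login name,
# other than the system_u entry itself, that is mapped to SELinux user system_u.
logins_mapped_to_system_u() {
    awk 'NF >= 3 && $2 == "system_u" && $1 != "system_u" { print $1 }'
}

# Classify a context string as printed by `id -Z` in an interactive shell.
# Heuristic (assumption): a login shell should not carry the daemon role system_r.
classify_shell_context() {
    case $1 in
        *:*:*) ;;
        *) echo "malformed"; return 0 ;;
    esac
    rest=${1#*:}            # drop the SELinux user field
    role=${rest%%:*}        # second field: role
    rest=${rest#*:}
    domain=${rest%%:*}      # third field: type (domain)
    if [ "$role" = "system_r" ]; then
        echo "suspect role=$role type=$domain"
    else
        echo "ok role=$role type=$domain"
    fi
}

# Constructed sample: the login table as first reported in the thread.
sample_table() {
    cat <<'EOF'
Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      system_u                  s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
EOF
}

echo "logins mapped to system_u: $(sample_table | logins_mapped_to_system_u)"
classify_shell_context 'system_u:system_r:system_crond_t:s0'
classify_shell_context 'root:unconfined_r:unconfined_t:SystemLow-SystemHigh'
```

On a live system the first function would be fed from 'semanage login -l' and the second from "$(id -Z)".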