I know this may seem stupid, but why is SELinux PAM transitioning me like this?
Sep 15 20:25:48 Linux-2 pam: gdm-password[957]: pam_selinux(gdm-password:session): Open Session
Sep 15 20:25:48 Linux-2 pam: gdm-password[957]: pam_selinux(gdm-password:session): Open Session
Sep 15 20:25:48 Linux-2 pam: gdm-password[957]: pam_selinux(gdm-password:session): Username= justin SELinux User = justin Level= s0
Sep 15 20:25:48 Linux-2 pam: gdm-password[957]: pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned
Sep 15 20:25:48 Linux-2 pam: gdm-password[957]: pam_selinux(gdm-password:session): set justin security context to justin:staff_r:insmod_t:s0
Sep 15 20:25:48 Linux-2 pam: gdm-password[957]: pam_selinux(gdm-password:session): Key Creation Context justin:staff_r:insmod_t:s0 Assigned
Sep 15 20:25:48 Linux-2 pam: gdm-password[957]: pam_selinux(gdm-password:session): set justin key creation context to justin:staff_r:insmod_t:s0
Sep 15 20:25:48 Linux-2 pam: gdm-password[957]: pam_unix(gdm-password:session): session opened for user justin by (uid=0)
I have had this in the past with other systems, but a relabel has always resolved this., now with using fedora 15 seems I have no idea! any ideas on what I may need to check? boolean?
Justin P. Mattock
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/15/2011 11:40 PM, Justin Mattock wrote:
> I know this may seem stupid, but why is SELinux PAM transitioning
> me like this?
>
> Sep 15 20:25:48 Linux-2 pam: gdm-password[957]:
> pam_selinux(gdm-password:session): Open Session Sep 15 20:25:48
> Linux-2 pam: gdm-password[957]: pam_selinux(gdm-password:session):
> Open Session Sep 15 20:25:48 Linux-2 pam: gdm-password[957]:
> pam_selinux(gdm-password:session): Username= justin SELinux User =
> justin Level= s0 Sep 15 20:25:48 Linux-2 pam: gdm-password[957]:
> pam_selinux(gdm-password:session): Security Context
> justin:staff_r:insmod_t:s0 Assigned Sep 15 20:25:48 Linux-2 pam:
> gdm-password[957]: pam_selinux(gdm-password:session): set justin
> security context to justin:staff_r:insmod_t:s0 Sep 15 20:25:48
> Linux-2 pam: gdm-password[957]: pam_selinux(gdm-password:session):
> Key Creation Context justin:staff_r:insmod_t:s0 Assigned Sep 15
> 20:25:48 Linux-2 pam: gdm-password[957]:
> pam_selinux(gdm-password:session): set justin key creation context
> to justin:staff_r:insmod_t:s0 Sep 15 20:25:48 Linux-2 pam:
> gdm-password[957]: pam_unix(gdm-password:session): session opened
> for user justin by (uid=0)
>
>
> I have had this in the past with other systems, but a relabel has
> always resolved this., now with using fedora 15 seems I have no
> idea! any ideas on what I may need to check? boolean?
>
> Justin P. Mattock
>
> _______________________________________________ refpolicy mailing
> list refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
What is the context of the login program.
ps -eZ |grep sshd
For example.
The code asks what context to log in justin at based on its current
context. If the login program has a bizare context like unconfined_t
or initrc_t the code can get confused.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk5zZFMACgkQrlYvE4MpobNmCACfRirK7RP5I1rQPy193KZAapl9
droAoK8wKjd9xgB+p5QSmueukch3ZUha
=1iP6
-----END PGP SIGNATURE-----
On 09/16/2011 07:59 AM, Daniel J Walsh wrote:
> ps -eZ |grep sshd
I dont have sshd running, but here is ps auxZ to give you an idea of
what I am seeing:
http://fpaste.org/u6IB/
if I adjust /etc/pam.d/login and add select_context to pam_selinux.so
then do init 3 in lilo I am able to have the context
justin:staff_r:staff_t:s0 the way it should. but as soon as I init 5
gdm starts up, and everything goes back to name:staff_r:insmod_t:s0
I think I am either missing a boolean to have the transisiton runing
properly, and/or pam.d or some config file somewhere needs to be adjusted.
keep in mind refpolicy has no patches added to it(not sure if I need any
for systemd), just plain git pull etc...
Justin P. Mattock
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20110916/904bf687/attachment.html
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/16/2011 11:22 AM, Justin P. Mattock wrote:
> On 09/16/2011 07:59 AM, Daniel J Walsh wrote:
>> ps -eZ |grep sshd
> I dont have sshd running, but here is ps auxZ to give you an idea
> of what I am seeing: http://fpaste.org/u6IB/
>
> if I adjust /etc/pam.d/login and add select_context to
> pam_selinux.so then do init 3 in lilo I am able to have the
> context justin:staff_r:staff_t:s0 the way it should. but as soon
> as I init 5 gdm starts up, and everything goes back to
> name:staff_r:insmod_t:s0
>
> I think I am either missing a boolean to have the transisiton
> runing properly, and/or pam.d or some config file somewhere needs
> to be adjusted. keep in mind refpolicy has no patches added to
> it(not sure if I need any for systemd), just plain git pull
> etc...
>
> Justin P. Mattock
Well since you don't have a init_t running, I think your problem
starts there. Looks like your system is badly mislabeled or something
in init is broken. I take it this is not a Red Hat Based OS?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk5zciMACgkQrlYvE4MpobOs4wCcD/KSvuhb5GxhPCZcMEDGI1dD
X70AnR2OLyUzsaLlDRmP0jm7ABwzFHBj
=aH02
-----END PGP SIGNATURE-----
On Fri, 2011-09-16 at 08:22 -0700, Justin P. Mattock wrote:
> On 09/16/2011 07:59 AM, Daniel J Walsh wrote:
> > ps -eZ |grep sshd
> I dont have sshd running, but here is ps auxZ to give you an idea of
> what I am seeing:
> http://fpaste.org/u6IB/
Graphical environment is not running in the proper context.
Not even init has transitioned properly to its own context.
> if I adjust /etc/pam.d/login and add select_context to pam_selinux.so
> then do init 3 in lilo I am able to have the context
> justin:staff_r:staff_t:s0 the way it should. but as soon as I init 5
> gdm starts up, and everything goes back to name:staff_r:insmod_t:s0
>
> I think I am either missing a boolean to have the transisiton runing
Why don't you post the booleans that you're using then:
getsebool -a
For example, what are you using for init ? If you're using upstart, have
you set init_upstart=on ?
> properly, and/or pam.d or some config file somewhere needs to be adjusted.
> keep in mind refpolicy has no patches added to it(not sure if I need any
> for systemd), just plain git pull etc...
So are you using systemd for init ? There is a boolean called
init_systemd which possibly is similar to the above mentioned one for
upstart.
Start from tackling init running in the kernel context and not
transitioning to init_t. The rest might be mostly due to that: personal
experience.
> Justin P. Mattock
Guido
On Fri, 2011-09-16 at 11:58 -0400, Daniel J Walsh wrote:
> On 09/16/2011 11:22 AM, Justin P. Mattock wrote:
> > On 09/16/2011 07:59 AM, Daniel J Walsh wrote:
> >> ps -eZ |grep sshd
> > I dont have sshd running, but here is ps auxZ to give you an idea
> > of what I am seeing: http://fpaste.org/u6IB/
> >
> > if I adjust /etc/pam.d/login and add select_context to
> > pam_selinux.so then do init 3 in lilo I am able to have the
> > context justin:staff_r:staff_t:s0 the way it should. but as soon
> > as I init 5 gdm starts up, and everything goes back to
> > name:staff_r:insmod_t:s0
> >
> > I think I am either missing a boolean to have the transisiton
> > runing properly, and/or pam.d or some config file somewhere needs
> > to be adjusted. keep in mind refpolicy has no patches added to
> > it(not sure if I need any for systemd), just plain git pull
> > etc...
> >
> > Justin P. Mattock
> Well since you don't have a init_t running, I think your problem
> starts there. Looks like your system is badly mislabeled or something
> in init is broken. I take it this is not a Red Hat Based OS?
Also please post the actual label of the init executable:
ls -lZ /sbin/init
or wherever that is.
It should be init_exec_t.
Init is the father of all processes, if it hasn't transitioned properly
to init_t soon after booting up, then it all goes tits up...
- check the label above;
- try relabeling the whole filesystem;
- try the init_systemd boolean if you are using systemd as init.
Please keep up informed on the progress.
Guido
On 09/16/2011 08:58 AM, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/16/2011 11:22 AM, Justin P. Mattock wrote:
>> On 09/16/2011 07:59 AM, Daniel J Walsh wrote:
>>> ps -eZ |grep sshd
>> I dont have sshd running, but here is ps auxZ to give you an idea
>> of what I am seeing: http://fpaste.org/u6IB/
>>
>> if I adjust /etc/pam.d/login and add select_context to
>> pam_selinux.so then do init 3 in lilo I am able to have the
>> context justin:staff_r:staff_t:s0 the way it should. but as soon
>> as I init 5 gdm starts up, and everything goes back to
>> name:staff_r:insmod_t:s0
>>
>> I think I am either missing a boolean to have the transisiton
>> runing properly, and/or pam.d or some config file somewhere needs
>> to be adjusted. keep in mind refpolicy has no patches added to
>> it(not sure if I need any for systemd), just plain git pull
>> etc...
>>
>> Justin P. Mattock
> Well since you don't have a init_t running, I think your problem
> starts there. Looks like your system is badly mislabeled or something
> in init is broken. I take it this is not a Red Hat Based OS?
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk5zciMACgkQrlYvE4MpobOs4wCcD/KSvuhb5GxhPCZcMEDGI1dD
> X70AnR2OLyUzsaLlDRmP0jm7ABwzFHBj
> =aH02
> -----END PGP SIGNATURE-----
the system is fedora 15 nothing tweaked on it. just refpolicy from git
targeted form fedora works fine,
just thought I would give refpolicy-git a try.
think I need to read up on systemd
ls -Z /lib/systemd looks like this:
http://fpaste.org/WOFw/
wondering if maybe /etc/security/pam_env.conf is capable of putting me
into the right context, but then again if
this is just a label issue, then pam_env.conf is not touched.
Justin P. Mattock
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20110916/38c817a7/attachment-0001.html
On 09/16/2011 09:02 AM, Guido Trentalancia wrote:
> getsebool -a
at the bottom of the fpaste
as for init
lrwxrwxrwx. root root system_u:object_r:bin_t:s0 /sbin/init ->
../bin/systemd
looks like somewhere somehow the label was labeled wrong.
stange, I loaded refpolicy(mcs) from fedora's targeted then did sudo
make relabel from refpolicy even fixfiles relabel at another point in
time. there is no patch needed for systemd? that needs to be added to
refpolicy-git?
Justin P. Mattock
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20110916/806b4408/attachment.html
On 09/16/2011 09:02 AM, Guido Trentalancia wrote:
> On Fri, 2011-09-16 at 08:22 -0700, Justin P. Mattock wrote:
>> On 09/16/2011 07:59 AM, Daniel J Walsh wrote:
>>> ps -eZ |grep sshd
>> I dont have sshd running, but here is ps auxZ to give you an idea of
>> what I am seeing:
>> http://fpaste.org/u6IB/
> Graphical environment is not running in the proper context.
>
> Not even init has transitioned properly to its own context.
>
>> if I adjust /etc/pam.d/login and add select_context to pam_selinux.so
>> then do init 3 in lilo I am able to have the context
>> justin:staff_r:staff_t:s0 the way it should. but as soon as I init 5
>> gdm starts up, and everything goes back to name:staff_r:insmod_t:s0
>>
>> I think I am either missing a boolean to have the transisiton runing
> Why don't you post the booleans that you're using then:
>
> getsebool -a
>
> For example, what are you using for init ? If you're using upstart, have
> you set init_upstart=on ?
>
>> properly, and/or pam.d or some config file somewhere needs to be adjusted.
>> keep in mind refpolicy has no patches added to it(not sure if I need any
>> for systemd), just plain git pull etc...
> So are you using systemd for init ? There is a boolean called
> init_systemd which possibly is similar to the above mentioned one for
> upstart.
>
> Start from tackling init running in the kernel context and not
> transitioning to init_t. The rest might be mostly due to that: personal
> experience.
>
>> Justin P. Mattock
> Guido
>
looking more into fedora(s) structure of what they have:
/sbin/init -> ../bin/systemd
ls -lZ /sbin/init
lrwxrwxrwx. root root system_u:object_r:bin_t:s0 /sbin/init ->
../bin/systemd
[justin at Linux-2 ~]$ ls -lZ /bin/systemd
-rwxr-xr-x. root root system_u:object_r:init_exec_t:s0 /bin/systemd
using chcon on:
chcon system_u:object_r:init_exec_t:s0 /sbin/init
seems to not change this for whatever the reason. keep in mind I am not
sure how systemd runs or is setup.
Justin P. Mattock
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20110916/705b9953/attachment.html
On Fri, 2011-09-16 at 09:18 -0700, Justin P. Mattock wrote:
> On 09/16/2011 09:02 AM, Guido Trentalancia wrote:
> > getsebool -a
> at the bottom of the fpaste
> as for init
> lrwxrwxrwx. root root system_u:object_r:bin_t:s0 /sbin/init
> -> ../bin/systemd
That's the label of the link. Need the label of the target:
ls -lZ /bin/systemd
or whatever that is.
> looks like somewhere somehow the label was labeled wrong.
> stange, I loaded refpolicy(mcs) from fedora's targeted then did sudo
> make relabel from refpolicy even fixfiles relabel at another point in
> time. there is no patch needed for systemd? that needs to be added to
> refpolicy-git?
Moving from Fedora targeted to refpolicy mcs is not just exactly a very
straight thing. As far as I remember when I first installed refpolicy I
hit the init_upstart boolean issue. That's why I recommend you look up
your init_systemd boolean:
setsebool init_systemd=on
> Justin P. Mattock
Guido
On Fri, 2011-09-16 at 09:24 -0700, Justin P. Mattock wrote:
> On 09/16/2011 09:02 AM, Guido Trentalancia wrote:
> > On Fri, 2011-09-16 at 08:22 -0700, Justin P. Mattock wrote:
> > > On 09/16/2011 07:59 AM, Daniel J Walsh wrote:
> > > > ps -eZ |grep sshd
> > > I dont have sshd running, but here is ps auxZ to give you an idea of
> > > what I am seeing:
> > > http://fpaste.org/u6IB/
> > Graphical environment is not running in the proper context.
> >
> > Not even init has transitioned properly to its own context.
> >
> > > if I adjust /etc/pam.d/login and add select_context to pam_selinux.so
> > > then do init 3 in lilo I am able to have the context
> > > justin:staff_r:staff_t:s0 the way it should. but as soon as I init 5
> > > gdm starts up, and everything goes back to name:staff_r:insmod_t:s0
> > >
> > > I think I am either missing a boolean to have the transisiton runing
> > Why don't you post the booleans that you're using then:
> >
> > getsebool -a
> >
> > For example, what are you using for init ? If you're using upstart, have
> > you set init_upstart=on ?
> >
> > > properly, and/or pam.d or some config file somewhere needs to be adjusted.
> > > keep in mind refpolicy has no patches added to it(not sure if I need any
> > > for systemd), just plain git pull etc...
> > So are you using systemd for init ? There is a boolean called
> > init_systemd which possibly is similar to the above mentioned one for
> > upstart.
> >
> > Start from tackling init running in the kernel context and not
> > transitioning to init_t. The rest might be mostly due to that: personal
> > experience.
> >
> > > Justin P. Mattock
> > Guido
> >
>
> looking more into fedora(s) structure of what they have:
> /sbin/init -> ../bin/systemd
>
> ls -lZ /sbin/init
> lrwxrwxrwx. root root system_u:object_r:bin_t:s0 /sbin/init
> -> ../bin/systemd
> [justin at Linux-2 ~]$ ls -lZ /bin/systemd
> -rwxr-xr-x. root root system_u:object_r:init_exec_t:s0 /bin/systemd
Excellent.
> using chcon on:
> chcon system_u:object_r:init_exec_t:s0 /sbin/init
> seems to not change this for whatever the reason.
That's just the link, don't worry about that. The important is the label
on the target.
> keep in mind I am not sure how systemd runs or is setup.
Now move onto the next enabler:
setsebool -P init_systemd=on
In my previous message I did forget the "-P" option, that's vital.
> Justin P. Mattock
Guido
On 09/16/2011 09:27 AM, Guido Trentalancia wrote:
> On Fri, 2011-09-16 at 09:18 -0700, Justin P. Mattock wrote:
>> On 09/16/2011 09:02 AM, Guido Trentalancia wrote:
>>> getsebool -a
>> at the bottom of the fpaste
>> as for init
>> lrwxrwxrwx. root root system_u:object_r:bin_t:s0 /sbin/init
>> -> ../bin/systemd
> That's the label of the link. Need the label of the target:
>
> ls -lZ /bin/systemd
>
> or whatever that is.
then systemd is labelled correctly:
ls -lZ /bin/systemd
-rwxr-xr-x. root root system_u:object_r:init_exec_t:s0 /bin/systemd
as for a boolean, the only one I can see _remotely_ close to init_systemd=on
is init_upstart --> on in of which is set to on.
>
>> looks like somewhere somehow the label was labeled wrong.
>> stange, I loaded refpolicy(mcs) from fedora's targeted then did sudo
>> make relabel from refpolicy even fixfiles relabel at another point in
>> time. there is no patch needed for systemd? that needs to be added to
>> refpolicy-git?
> Moving from Fedora targeted to refpolicy mcs is not just exactly a very
> straight thing. As far as I remember when I first installed refpolicy I
> hit the init_upstart boolean issue. That's why I recommend you look up
> your init_systemd boolean:
>
> setsebool init_systemd=on
>
>> Justin P. Mattock
> Guido
>
Justin P. Mattock
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20110916/85e3f59e/attachment.html