F13->F14 upgrade + relabel = logins hosed: entrypoint access denied

06-01-2011, 01:27 PM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/31/2011 05:17 PM, Dave Mitchell wrote:
> I just tried to upgrade a F13 system to F14 using preupgrade.
> It seemed to go well, but I was getting a lot of AVC denials for NM
> and polkitd, and NM wasn't working properly. So I tried a 'touch
> /.autorelabel' and reboot. It seemed to work, but now I can't login. Any
> login attempt (via gdm or F2 console) immediately logs me back out again.
>
> /var/log/messages shows, for a console login as root:
>
> SELinux is preventing /bin/login from entrypoint access on the file /bin/bash
>
> and for a GUI-based login:
>
> SELinux is preventing /usr/libexec/gdm-session-worker from entrypoint access on the file /usr/bin/gnome-keyring/daemon
> SELinux is preventing /usr/libexec/gdm-session-worker from entrypoint access on the file /etc/X11/xinit/Xsession
>
> I can boot single user okay.
>
> I ran 'fixfiles restore' to relabel again and rebooted, and it made no
> difference.
>
> By comparing with a similar but un-upgraded (ie F13) working host, I
> found that the following are the same on both hosts:
>
> # ls -lZ /bin/login
> -rwxr-xr-x. root root system_u

bject_r:login_exec_t:s0 /bin/login
>
> # ls -lZ /bin/bash
> -rwxr-xr-x. root root system_u

bject_r:shell_exec_t:s0 /bin/bash
>
> Policy is the same apart from changes in ethereal and spamd:
>
> # sesearch --allow --neverallow --auditallow --dontaudit --type
> --role_allow --role_trans --range_trans
> | sort | egrep -v'ethereal|spam[cd]'
>
> # sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 24
> Policy from config file: targeted
>
> While the two systems give the following:
>
> # rpm -q selinux-policy
> selinux-policy-3.7.19-101.fc13.noarch # F13 host
> selinux-policy-3.9.7-40.fc14.noarch # F14 borked host
>
> At this point I've exhausted my meager understanding of selinux.
>
> Any suggestions?
> Thanks.
>
It is an upgrade bug.

https://bugzilla.redhat.com/show_bug.cgi?id=702865#c13

explains how to fix it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk3mPk8ACgkQrlYvE4MpobOiIQCggCBOdDhAJS fF6VQcNHBV/jK9
t/0An3HukI2lrdRG9F1BRec1X2+tVw4t
=vF+e
-----END PGP SIGNATURE-----
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

06-02-2011, 10:37 AM

On Wed, Jun 01, 2011 at 09:27:44AM -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/31/2011 05:17 PM, Dave Mitchell wrote:
> > I just tried to upgrade a F13 system to F14 using preupgrade.
> > It seemed to go well, but I was getting a lot of AVC denials for NM
> > and polkitd, and NM wasn't working properly. So I tried a 'touch
> > /.autorelabel' and reboot. It seemed to work, but now I can't login. Any
> > login attempt (via gdm or F2 console) immediately logs me back out again.
> >
> > /var/log/messages shows, for a console login as root:
> >
> > SELinux is preventing /bin/login from entrypoint access on the file /bin/bash
> >
> > and for a GUI-based login:
> >
> > SELinux is preventing /usr/libexec/gdm-session-worker from entrypoint access on the file /usr/bin/gnome-keyring/daemon
> > SELinux is preventing /usr/libexec/gdm-session-worker from entrypoint access on the file /etc/X11/xinit/Xsession
> >
> > I can boot single user okay.
> >
> > I ran 'fixfiles restore' to relabel again and rebooted, and it made no
> > difference.
> >
> > By comparing with a similar but un-upgraded (ie F13) working host, I
> > found that the following are the same on both hosts:
> >
> > # ls -lZ /bin/login
> > -rwxr-xr-x. root root system_u

bject_r:login_exec_t:s0 /bin/login
> >
> > # ls -lZ /bin/bash
> > -rwxr-xr-x. root root system_u

bject_r:shell_exec_t:s0 /bin/bash
> >
> > Policy is the same apart from changes in ethereal and spamd:
> >
> > # sesearch --allow --neverallow --auditallow --dontaudit --type
> > --role_allow --role_trans --range_trans
> > | sort | egrep -v'ethereal|spam[cd]'
> >
> > # sestatus
> > SELinux status: enabled
> > SELinuxfs mount: /selinux
> > Current mode: enforcing
> > Mode from config file: enforcing
> > Policy version: 24
> > Policy from config file: targeted
> >
> > While the two systems give the following:
> >
> > # rpm -q selinux-policy
> > selinux-policy-3.7.19-101.fc13.noarch # F13 host
> > selinux-policy-3.9.7-40.fc14.noarch # F14 borked host
> >
> > At this point I've exhausted my meager understanding of selinux.
> >
> > Any suggestions?
> > Thanks.
> >
> It is an upgrade bug.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=702865#c13
>
> explains how to fix it.

That fixed it, thanks.

--
Music lesson: a symbiotic relationship whereby a pupil's embellishments
concerning the amount of practice performed since the last lesson are
rewarded with embellishments from the teacher concerning the pupil's
progress over the corresponding period.
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

06-02-2011, 01:33 PM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/31/2011 05:17 PM, Dave Mitchell wrote:
> I just tried to upgrade a F13 system to F14 using preupgrade.
> It seemed to go well, but I was getting a lot of AVC denials for NM
> and polkitd, and NM wasn't working properly. So I tried a 'touch
> /.autorelabel' and reboot. It seemed to work, but now I can't login. Any
> login attempt (via gdm or F2 console) immediately logs me back out again.
>
> /var/log/messages shows, for a console login as root:
>
> SELinux is preventing /bin/login from entrypoint access on the file /bin/bash
>
> and for a GUI-based login:
>
> SELinux is preventing /usr/libexec/gdm-session-worker from entrypoint access on the file /usr/bin/gnome-keyring/daemon
> SELinux is preventing /usr/libexec/gdm-session-worker from entrypoint access on the file /etc/X11/xinit/Xsession
>
> I can boot single user okay.
>
> I ran 'fixfiles restore' to relabel again and rebooted, and it made no
> difference.
>
> By comparing with a similar but un-upgraded (ie F13) working host, I
> found that the following are the same on both hosts:
>
> # ls -lZ /bin/login
> -rwxr-xr-x. root root system_u

bject_r:login_exec_t:s0 /bin/login
>
> # ls -lZ /bin/bash
> -rwxr-xr-x. root root system_u

bject_r:shell_exec_t:s0 /bin/bash
>
> Policy is the same apart from changes in ethereal and spamd:
>
> # sesearch --allow --neverallow --auditallow --dontaudit --type
> --role_allow --role_trans --range_trans
> | sort | egrep -v'ethereal|spam[cd]'
>
> # sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 24
> Policy from config file: targeted
>
> While the two systems give the following:
>
> # rpm -q selinux-policy
> selinux-policy-3.7.19-101.fc13.noarch # F13 host
> selinux-policy-3.9.7-40.fc14.noarch # F14 borked host
>
> At this point I've exhausted my meager understanding of selinux.
>
> Any suggestions?
> Thanks.
>
There is an upgrade bug.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk3nkUEACgkQrlYvE4MpobPn2wCcCtbxND85vJ h8CUNwo8954FG5
8TEAoLyvfvODB+3yx8XxuTs5ySpfj+TP
=w9KO
-----END PGP SIGNATURE-----
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines