On Thu, 2012-04-12 at 16:10 -0400, Daniel J Walsh wrote:
> On 04/11/2012 10:27 PM, Braden McDaniel wrote:
> > On Wed, 2012-04-11 at 17:27 -0400, Paul W. Frields wrote:
> >> On Wed, Apr 11, 2012 at 03:37:45PM -0400, Braden McDaniel wrote:
> >>> On Wed, 2012-04-11 at 15:25 -0400, Daniel J Walsh wrote:
> >>>> Are you booted with SELinux in permissive mode or disabled?
> >>> 
> >>> I'm booted with it disabled:
> >>> 
> >>> # cat /etc/selinux/config | grep disabled
> >>> #     disabled - No SELinux policy is loaded.
> >>> SELINUX=disabled
> >>> 
> >>>> ausearch -m avc
> >>> 
> >>> That's long; I'll attach it.
> >> 
> >> You might want to try this as root first, after saving your work:
> >> 
> >> touch /.autorelabel ; reboot
> > 
> > I did that previously; but it didn't seem to help. (Perhaps because I still
> > had SELinux disabled when I did it?)
> > 
> >> Running SELinux disabled is unnecessary.  Running in permissive mode is
> >> much better, since it allows you to switch back and forth without 
> >> labeling problems.
> >> 
> >> When you run in disabled mode, SELinux labels aren't written to the disk
> >> when files are created, so when you try to turn SELinux on later, it
> >> results in lots of denial errors.  Permissive mode does pretty much the
> >> same thing as enforcing mode, but any denials are ignored, so SELinux
> >> won't prevent access.
> > 
> > That's likely how I got myself into this.  I had disabled it while 
> > attempting to troubleshoot something else.  I probably installed and/or 
> > updated some packages before I remembered to turn it back on.
> > 
> > So I changed to "permissive" and did the autorelabel thing again.  This 
> > time I was able to zero in on some messages that were likely pertinent; and
> > the SELinux troubleshooter suggested:
> > 
> > setsebool -P authlogin_nsswitch_use_ldap 1
> > 
> > I'll continue to run "permissive" for a little while longer and see if that
> > fixes it.
> > 
> 
> 
> What AVC indicated that you needed this?

Unfortunately, I deleted it.  However, I think it was one corresponding
to a /var/log/messages entry like this one:

        Apr 10 23:58:31 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b

>   Are you using pam_ldap?  ldap for
> user authorization?
> 
> We just added the ability for samba to use ldap, out of the box.

I am using Kerberos for authentication; but I'm using LDAP for user
information.

(Though I get the impression that login is currently falling back to
local authentication; because I don't have a Kerberos ticket after I log
in.)

-- 
Braden McDaniel <[email protected]>

-- 
users mailing list
[email protected]
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
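Two things in this thread are worth turning into a repeatable check: the `grep disabled` on /etc/selinux/config matched the explanatory comment line rather than the real `SELINUX=` assignment, and the setroubleshoot line in /var/log/messages carries the source binary, the denied permission, the object class and the sealert id that should be reviewed before a suggested `setsebool -P` is applied. The script below is an added example written for this page, not code from the thread or from Fedora; the config file content and the log line are constructed samples modelled on what the thread quotes, and the message format it parses is assumed to match the quoted setroubleshoot line.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# 1) Read the effective SELinux mode from a config file without being
#    fooled by the comment lines that also mention "disabled".
# 2) Pull the interesting fields out of a setroubleshoot log line so the
#    AVC behind a suggested boolean change can be reviewed first.

# Constructed sample of /etc/selinux/config (layout assumed from the
# comment line quoted in the thread).
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
SELINUXTYPE=targeted
EOF

# Constructed sample log line, copied in shape from the one in the thread.
SAMPLE_LOG='Apr 10 23:58:31 rail setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l aeded892-dec1-4e6d-87ce-7c10a4e42e2b'

# selinux_config_mode FILE -> prints the value of the last real SELINUX=
# assignment (enforcing, permissive or disabled), ignoring comments.
selinux_config_mode() {
    sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# naive_disabled_check FILE -> exit 0 if "grep disabled" matches anywhere,
# which is the check from the thread; it succeeds on the comment line even
# when the mode is permissive, so it is not a reliable test.
naive_disabled_check() {
    grep -q disabled "$1"
}

# parse_setroubleshoot LINE -> prints "SOURCE PERMISSION CLASS SEALERT_ID"
# for a setroubleshoot summary line, or nothing if the line does not match.
parse_setroubleshoot() {
    printf '%s\n' "$1" | sed -n \
      's/.*SELinux is preventing \([^ ]*\) from \([^ ]*\) access on the \([^ ]*\) *\..*sealert -l \([0-9a-f-]*\).*/\1 \2 \3 \4/p'
}

# Stand-alone demonstration.
echo "naive grep says disabled: $(naive_disabled_check "$SAMPLE_CONFIG" && echo yes || echo no)"
echo "actual configured mode:   $(selinux_config_mode "$SAMPLE_CONFIG")"
echo "parsed AVC summary:       $(parse_setroubleshoot "$SAMPLE_LOG")"
```

On a real system the parsed sealert id is what `sealert -l` takes, and the source/permission/class triple is what to compare against the AVC in `ausearch -m avc` before deciding whether a boolean such as `authlogin_nsswitch_use_ldap` is actually the right fix for that denial.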