2 Sep 2012 spstarr   » (Apprentice)

sshd kicking you out? Check your SELinux labeling!

KDE Project:

So, on my Fedora Rawhide box, it somehow refused to allow logins via ssh, and SELinux in permissive mode was spewing failures left and right.

Aug 28 13:35:27 panic kernel: [ 67.224233] type=1400 audit(1346175322.774:78): avc: denied { read } for pid=618 comm="fedora-storage-" name="ld.so.cache" dev=dm-0 ino=1271 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Aug 28 13:35:27 panic kernel: [ 67.226381] type=1400 audit(1346175322.778:79): avc: denied { open } for pid=618 comm="fedora-storage-" name="ld.so.cache" dev=dm-0 ino=1271 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file

And so forth. Now, even though SELinux was in permissive mode, sshd was dropping all connections, including to localhost, with write error: broken pipe.

If you encounter such a situation, run yum reinstall selinux-policy selinux-policy-targeted -y, reboot, and at the GRUB prompt edit the selection and append autorelabel=1 to the linux options to force SELinux to relabel and fix any broken permissions. It's possible my specific Rawhide snapshot broke in some spectacular way (which I wouldn't expect to have an effect when in permissive mode!).
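As an added example (not part of the original post), the script below parses AVC denial lines like the two quoted above and reports those whose target context type is file_t, the type that policy of this era gave to files carrying no SELinux label, which is the signature of a labeling problem that a relabel addresses. The function names and the third log line are constructed for illustration, and treating unlabeled_t the same way is an assumption for newer policies.

```python
import re
from collections import Counter

# Types reported for files with no SELinux label. file_t is the one in the
# post's logs; unlabeled_t is included as an assumption for newer policies.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# First two lines are from the post; the third is constructed (labeled target).
SAMPLE = [
    'Aug 28 13:35:27 panic kernel: [ 67.224233] type=1400 audit(1346175322.774:78): avc: denied { read } for pid=618 comm="fedora-storage-" name="ld.so.cache" dev=dm-0 ino=1271 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file',
    'Aug 28 13:35:27 panic kernel: [ 67.226381] type=1400 audit(1346175322.778:79): avc: denied { open } for pid=618 comm="fedora-storage-" name="ld.so.cache" dev=dm-0 ino=1271 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file',
    'Aug 28 13:35:30 panic kernel: [ 70.000000] type=1400 audit(1346175325.000:80): avc: denied { write } for pid=700 comm="example" name="example.log" dev=dm-0 ino=2000 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file',
]

def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the level may itself contain
    # colons (e.g. s0:c0.c1023), so split at most three times.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":", 3)
        rec[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec

def labeling_denials(lines):
    """Denials whose target object carries no SELinux label."""
    parsed = (parse_avc(line) for line in lines)
    return [r for r in parsed if r and r["tcontext_type"] in UNLABELED_TYPES]

def summarize(lines):
    """Count unlabeled-target denials per (source domain, file name)."""
    return Counter((r["scontext_type"], r.get("name"))
                   for r in labeling_denials(lines))

if __name__ == "__main__":
    for (domain, name), count in summarize(SAMPLE).items():
        print(f"{count} denial(s): {domain} -> unlabeled file {name!r}")
```

Many such hits spread across unrelated files point to filesystem-wide label loss rather than a missing policy rule.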

*phew*! This is what you get for using Rawhide on a dev box, but it's also a good exercise if you really want to learn how to recover from unusual system issues.

Enjoy!

Shawn

Syndicated 2012-09-02 03:03:25 from spstarr's blog
