Re: [RFC PATCH] use sulogin in single-user mode
Once upon a time, Bill Nottingham <nott...@redhat.com> said:
> We have an existing bug where if you're in single-user mode, and SELinux
> is active, various commands don't print to the console. The root of this
> is the single-user shell isn't running in the right SELinux context, as
> there's nothing to distinguish this from the 'normal' shells run during
> bootup. By far, the simplest fix is to run something that starts a shell
> via a 'normal' login-ish mechanism. Hence, the attached patch that
> switches to sulogin for single user mode.

One other note about this: this would break with a separate /usr and a
failure in mounting /usr, because (at least in F12) /sbin/sulogin is
linked against libfreebl3.so (which is in /usr/lib{,64}). It looks like
libfreebl3.so was moved from /lib{,64} in F11 to /usr/lib{,64} in F12,
but the changelog doesn't say why.

This is already a problem, because an fsck failure tries to start sulogin
(and if the fsck failure is on /usr, you're hosed).

I'd still prefer this to be configurable according to local policy (e.g.
use a /sbin/single-user-shell program that can try sulogin, /bin/bash,
/bin/dash, etc., possibly according to something in /etc/sysconfig).

-- 
Chris Adams <cmad...@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Re: [RFC PATCH] use sulogin in single-user mode
Chris Adams (cmad...@hiwaay.net) said:
> How about moving /usr/bin/runcon to /bin and using that to call bash
> instead?

The problem is that the context it needs to run at isn't static; it
depends on the policy of the machine. Hence, you don't want to hardcode
a runcon call in the script.

Bill
Re: [RFC PATCH] use sulogin in single-user mode
On 10-01-22 13:29:11, Bruno Wolff III wrote:
> On Fri, Jan 22, 2010 at 13:15:04 -0500,
>   Tony Nelson <tonynel...@georgeanelson.com> wrote:
>> Put SELinux into Permissive mode for single-user mode? Or just print a
>> suggestion to do that? (I'd think that SELinux would normally be
>> perceived as an obstacle to the normal uses of single-user mode.)
>
> I think doing it automatically is a bad idea. It doesn't save much over
> typing setenforce 0. It does however reduce the security of the system
> if you do it by default and there is a vulnerable window before you get
> setenforce 1 entered.

What external threats is the system vulnerable to in single-user mode?
Networking is off and there are no other users. The only threat I know
of is PEBKAC.

> The notice seems odd, but I don't think it would cause actual problems.
> I just think it would be odd to know to boot to run level 1 without
> knowing how to set selinux to permissive mode.

1) not when you're just starting out.
2) not when you're hurrying because an important system won't boot.
3) not when you forgot about selinux.

The notice should print only when /selinux/enforce exists and contains 1
(/usr may not be mounted, so we can't depend on /usr/sbin/sestatus at
that time).

-- 
TonyN.:'                       <mailto:tonynel...@georgeanelson.com>
      '                              <http://www.georgeanelson.com/>
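As an added example that is not part of this thread or of Bill's patch: a sketch of the /sbin/single-user-shell wrapper Chris Adams proposes (try sulogin, then bash, then dash, driven by something under /etc/sysconfig), which also prints the SELinux notice Tony Nelson describes by reading /selinux/enforce directly rather than depending on /usr/sbin/sestatus. The config path /etc/sysconfig/single-user-shell, its SHELLS= line, the notice wording, the SUS_* override variables and the ldd-based library check are all my assumptions, not anything the thread or Fedora specifies.

```shell
#!/bin/sh
# Hypothetical /sbin/single-user-shell (example, not the patch under
# discussion). Picks the first candidate shell that can actually run in
# the current (possibly /usr-less) environment and warns when SELinux is
# enforcing. Config file, SHELLS= syntax and SUS_* names are assumptions.

SUS_CONFIG="${SUS_CONFIG:-/etc/sysconfig/single-user-shell}"
SUS_DEFAULT_SHELLS="/sbin/sulogin /bin/bash /bin/dash /bin/sh"
# /selinux/enforce is the mount point the thread assumes; newer systems
# mount selinuxfs at /sys/fs/selinux, hence the override.
SUS_ENFORCE_FILE="${SUS_ENFORCE_FILE:-/selinux/enforce}"

# Return 0 iff SELinux is enforcing, judged only from the enforce file so
# the check works before /usr (and /usr/sbin/sestatus) is available.
selinux_enforcing() {
    enforce_file="${1:-$SUS_ENFORCE_FILE}"
    [ -r "$enforce_file" ] || return 1
    read -r state < "$enforce_file" || return 1
    [ "$state" = "1" ]
}

# Print the suggestion only when enforcing; 0 if printed, 1 otherwise.
selinux_notice() {
    if selinux_enforcing "$1"; then
        echo "SELinux is enforcing; if commands print nothing here, try: setenforce 0" >&2
        return 0
    fi
    return 1
}

# Candidate list from a "SHELLS=/path /path ..." line in the config file
# (assumed format), else the built-in default. The file is parsed, not
# sourced, so a stray line in it cannot execute code as root.
candidate_shells() {
    cfg="${1:-$SUS_CONFIG}"
    shells=""
    if [ -r "$cfg" ]; then
        shells=$(sed -n 's/^SHELLS=//p' "$cfg" | tail -n 1)
    fi
    echo "${shells:-$SUS_DEFAULT_SHELLS}"
}

# A candidate is usable if it is executable and, when ldd is available,
# every shared library it needs resolves right now. This is what catches
# sulogin linked against libfreebl3.so in /usr/lib when /usr did not
# mount. ldd itself often lives in /usr/bin, so without it we can only
# check executability. Only run this on the fixed list of system binaries
# above: ldd may execute parts of an untrusted binary.
shell_usable() {
    cand="$1"
    [ -x "$cand" ] || return 1
    if command -v ldd >/dev/null 2>&1; then
        ldd "$cand" 2>/dev/null | grep -q 'not found' && return 1
    fi
    return 0
}

# Echo the first usable candidate; non-zero status if none qualifies.
pick_shell() {
    for cand in $(candidate_shells "$1"); do
        if shell_usable "$cand"; then
            echo "$cand"
            return 0
        fi
    done
    return 1
}

main() {
    selinux_notice || :
    shell=$(pick_shell) || { echo "single-user-shell: no usable shell found" >&2; exit 1; }
    exec "$shell"
}

# Only exec a shell when installed under this name; sourcing the file for
# testing leaves the functions defined without running main.
case "${0##*/}" in single-user-shell) main "$@" ;; esac
```

The two checks a practitioner would want from the thread are both here: the SELinux notice depends on nothing outside the root filesystem, and the per-candidate ldd pass is what makes "try sulogin, fall back to bash" actually fall back in the fsck-on-/usr case rather than failing in the dynamic loader.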