LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-18-2009, 05:56 AM   #1
rn8849
LQ Newbie
 
Registered: Mar 2007
Posts: 19

Rep: Reputation: 0
SELinux & help with chcon


I keep getting SELinux error messages that state "SELinux is preventing samba (/usr/sbin/smbd) "search" to / (fusefs_t)." and the like; it seems that pretty much everything I do generates some kind of error. I had SELinux set to permissive but I don't want to continue to run that way.

SELinux Troubleshooter won't work right now, it just gets stuck on "Load audit", I can see that at the bottom of the screen. But earlier it was working and I printed one page of output from it, the above error message is part of that. The Solution, it says, is to run the command "chcon -R -t samba_share_t /" when I do that I get page after page of error messages like "chcon: failed to change context of <filename/blah/blah/blah> to system_u:object_r:samba_share_t: Operation not supported"

This morning while checking my cron jobs I noticed that there was an explanation that stated chcon failed because SELinux was in permissive mode so I switched it to "Enforcing"; that may have been a mistake because it has been doing something for that last two hours-- the HDD light is flickering and it seems to be busy. I assume it is changing something on all the files so perhaps I shouldn't have done that.

About the SELinux Troubleshooter, when I first had a problem with it yesterday afternoon (again, it was working fine yesterday morning) I believe it said it couldn't connect to the browser and it would retry after several seconds, but after several iterations of that I closed it and restarted the computer. Now when I try it the page opens and it says it is connected but there is a horizontal bar that moves back and forth on a message that states "Load audit". I have left it trying like that for about 30 minutes to no avail.

So I have two issues going on, perhaps unrelated.

Thanks for any help.

Last edited by rn8849; 10-18-2009 at 05:58 AM. Reason: needed to disable smilies
 
Old 10-18-2009, 08:12 AM   #2
rn8849
LQ Newbie
 
Registered: Mar 2007
Posts: 19

Original Poster
Rep: Reputation: 0
I pressed Ctrl-Alt-F1 and saw that there was something running amok; it was generating error message after error message and saying that something had exceeded... but I couldn't catch all of it because it was scrolling by so fast.

I tried to kill it with Ctrl-Z and Ctrl-Q but it wouldn't stop. As a last resort I shut it off with the power button. I restarted the machine and saw a message during the boot about needing to use restorecon... but couldn't catch what it said. I remember that there is some kind of bootup log file; I decided I would look at it when it finished booting up. I tried to login but it won't let me, it says I need to use some failsafe mode but I don't know how to do that. It says the disk may be full; I suspect it filled up because of the error messages.

At this point I can't do anything... I would sure appreciate some help here, this machine is my fileserver and I need to get it running.
 
Old 10-18-2009, 08:25 AM   #3
fpmurphy
Member
 
Registered: Jan 2009
Location: /dev/ph
Distribution: Fedora, Ubuntu, Redhat, Centos
Posts: 299

Rep: Reputation: 62
Sounds like your root filesystem may be full. Try booting to single user with SELinux off by adding the following to the kernel command line
Code:
s enforcing=0
 
Old 10-18-2009, 09:42 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
...and if that doesn't work boot a Live (or installer) CD, mount the appropriate partitions (if not mounted already) and check out logs in /WhereYouMountedIt/var/log/. You'll want to start with the one called "messages".
 
Old 10-18-2009, 04:44 PM   #5
rn8849
LQ Newbie
 
Registered: Mar 2007
Posts: 19

Original Poster
Rep: Reputation: 0
fpmurphy and unSpawn,

Thanks for the reply,

I added a 1 and selinux=0 to the kernel line... it booted up and now I can see my filesystem, I looked at the messages file you spoke of, it is fairly large, 8240 bytes (or is it blocks when you use -s with ls?). What is the next step?


Gary
 
Old 10-18-2009, 06:09 PM   #6
rn8849
LQ Newbie
 
Registered: Mar 2007
Posts: 19

Original Poster
Rep: Reputation: 0
I was able to get one step further... I edited the /etc/selinux/config file and set the SELINUX=permissive and then rebooted, it had to do some resetting of the contexts but it did boot up.

So, now it is operational, I am back to the point of the SELinux Troubleshooter not working. The thing that I did that seemed to break that was the "chcon -R -t samba_share_t /". I have seen somewhere that there is a "restorecon" command (or something similar); would that fix my problem?
 
Old 10-18-2009, 06:23 PM   #7
rn8849
LQ Newbie
 
Registered: Mar 2007
Posts: 19

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by rn8849
So, now it is operational, I am back to the point of the SELinux Troubleshooter not working. The thing that I did that seemed to break that was the "chcon -R -t samba_share_t /". I have seen somewhere that there is a "restorecon" command (or something similar); would that fix my problem?
I believe that I see the error I made, I should have used /extra for my samba share and I only put / which is root or something similar.

What if I try "restorecon -RF /" will that fix it? or is it "restorecon -R -F /" ?
 
Old 10-19-2009, 04:20 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Wouldn't it be easier as root to run "touch /.autorelabel; /sbin/reboot" (see the Decision tree for diagnosing AVC Message signatures)?

Last edited by unSpawn; 10-19-2009 at 04:21 PM.
 
Old 10-20-2009, 10:22 AM   #9
fpmurphy
Member
 
Registered: Jan 2009
Location: /dev/ph
Distribution: Fedora, Ubuntu, Redhat, Centos
Posts: 299

Rep: Reputation: 62
As unSpawn suggested, use "touch /.autorelabel; /sbin/reboot" to relabel your system back to its 'default'. Recursively changing the file context type of the root filesystem to samba_t using the chcon utility was frankly incorrect. I am surprised that the SELinux troubleshooter outputted such a recommendation.

Fortunately for you, file context changes made using chcon do not persist across a reboot. For that you need to add a new policy mapping using semanage and apply the new policy context using restorecon.

If you provide us with details of the AVC messages relating to Samba which are outputted, somebody here can tell you what to do to fix your issue.
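fpmurphy asks for the raw AVC messages. The records the troubleshooter reads live in /var/log/audit/audit.log, and when sealert is stuck on "Load audit" they can be read directly. The POSIX shell script below is an added example, not code from this thread or from any of its posters: it summarises AVC denial lines into counts per process, permission, object class and target type, so the reader can see at a glance which label is actually being denied (in the OP's case fusefs_t on /, which no samba_share_t on any directory would fix). The sample audit lines are constructed for the demo and modelled on the OP's message; on a real box run `summarise_avc < /var/log/audit/audit.log`.

```shell
#!/bin/sh
# Summarise SELinux AVC denials into "count comm permission tclass target_type".
# SAMPLE_AVC is constructed sample input (not real log data); the field layout follows
# the kernel audit AVC record format that sealert and audit2allow consume.
SAMPLE_AVC='type=AVC msg=audit(1255856160.123:456): avc:  denied  { search } for  pid=2345 comm="smbd" name="/" dev=fuse ino=1 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1255856161.456:457): avc:  denied  { read } for  pid=2345 comm="smbd" name="file.txt" dev=sda3 ino=99 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1255856162.789:458): avc:  denied  { search } for  pid=2346 comm="smbd" name="/" dev=fuse ino=1 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=SYSCALL msg=audit(1255856162.789:458): arch=c000003e syscall=2 success=no exit=-13'

# summarise_avc: read audit records on stdin, print one line per distinct
# (process, permission, object class, target type), most frequent first.
summarise_avc() {
    awk '
    /^type=AVC / && /avc: *denied/ {
        comm = ""; perm = ""; tclass = ""; ttype = ""
        # comm="smbd" -> smbd (skip the 6 chars of comm=" and the closing quote)
        if (match($0, /comm="[^"]*"/))  comm = substr($0, RSTART + 6, RLENGTH - 7)
        # { search } -> search
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        # tclass=dir -> dir
        if (match($0, /tclass=[^ ]*/))  tclass = substr($0, RSTART + 7, RLENGTH - 7)
        # tcontext=system_u:object_r:fusefs_t:s0 -> third field is the type
        if (match($0, /tcontext=[^ ]*/)) {
            tctx = substr($0, RSTART + 9, RLENGTH - 9)
            split(tctx, parts, ":")
            ttype = parts[3]
        }
        count[comm " " perm " " tclass " " ttype]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Demo run on the constructed sample; the top line is the denial worth fixing first.
printf '%s\n' "$SAMPLE_AVC" | summarise_avc
```

The target type column is the one that tells you whether a boolean, a new fcontext mapping, or a different mount option is the right fix: a denial against fusefs_t comes from a FUSE mount and is handled by its own samba booleans, not by labelling directories samba_share_t.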
 
Old 10-20-2009, 11:12 AM   #10
rn8849
LQ Newbie
 
Registered: Mar 2007
Posts: 19

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by fpmurphy
As unSpawn suggested, use "touch /.autorelabel; /sbin/reboot" to relabel your system back to its 'default'. Recursively changing the file context type of the root filesystem to samba_t using the chcon utility was frankly incorrect. I am surprised that the SELinux troubleshooter outputted such a recommendation.

Fortunately for you, file context changes made using chcon do not persist across a reboot. For that you need to add a new policy mapping using semanage and apply the new policy context using restorecon.

If you provide us with details of the AVC messages relating to Samba which are outputted, somebody here can tell you what to do to fix your issue.
A similar suggestion was made on the Fedoraforum by "Daniel" so I looked at the man page for touch yesterday afternoon but there was nothing in there about the /.autorelabel parameter so I was a little hesitant to try it. Also Daniel didn't mention the "; /sbin/reboot" that you added. Please help me understand what all of this means. I not only want to get this up and running again, but I want to understand what I am doing for the future.

What does the /.autorelabel do?

What does the ; /sbin/reboot do?

How do I view what the current contexts of the files are? I tried ls -l but that doesn't seem to be it.


Here is what Daniel said...

"At this point I would be tempted to relabel the entire system by issuing the command touch /.autorelabel and then rebooting. IMO better than trying to do it piecemeal via restorecon. This can take a while, depending on the number of disks/filesystems in your system.

As for enabling samba, instead of using chcon, I enabled it via the Administration/SELinux Administration dialog; at least that's what it's called in kde. Select the Boolean group and put samba in the filter. A dozen or so options come up of which I had to make Allow samba to share any file/directory read/write and Allow samba to run unconfined scripts to allow access to the drives from other boxes (both windows and linux).

Daniel"

Since I have not straightened out the contexts yet I have not looked ahead to the SELinux Administration dialog; I am not sure what he means by the Boolean group or the samba filter but perhaps it will be evident once I get there. If I do this correctly will this stop SELinux from complaining about each access that I make from my other machines?


Finally, when I go out to the terminal now via Ctrl-Alt-F1 I always see error messages that seem to be generating at a pretty slow rate... I regret that I am not at home and don't have them written down but I will get them. I press enter and it breaks out of that and prompts me for my login; that is a new thing, it did not used to do that. Is this likely connected to the inconsistent file context issue? Probably hard to answer until I give you the exact error message, but I seem to think that the error had something to do with that. I will get it and post it as soon as I get home tonight.

I can't thank you all enough for your help in this!

Gary :-)
 
Old 10-20-2009, 05:03 PM   #11
rn8849
LQ Newbie
 
Registered: Mar 2007
Posts: 19

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by rn8849
Finally, when I go out to the terminal now via Ctrl-Alt-F1 I always see error messages that seem to be generating at a pretty slow rate... I regret that I am not at home and don't have them written down but I will get them. I press enter and it breaks out of that and prompts me for my login; that is a new thing, it did not used to do that. Is this likely connected to the inconsistent file context issue? Probably hard to answer until I give you the exact error message, but I seem to think that the error had something to do with that. I will get it and post it as soon as I get home tonight.
Here is what I see on the terminal screen:

unterminated entity reference █
unterminated entity reference █
unterminated entity reference █ (xdm_tmp_t).

unterminated entity reference █
unterminated entity reference █
unterminated entity reference █ (xdm_tmp_t).

unterminated entity reference █
unterminated entity reference █
unterminated entity reference █).

There is actually quite a bit of space between the word "reference" and the black rectangle at the end of the line but it is not showing up right on here... I doubt that matters much, though.

Any ideas?

I issued the touch /.autorelabel; reboot command and am waiting for it to finish right now. Perhaps that will take care of this? That would be nice!

Gary
 
Old 10-21-2009, 01:12 AM   #12
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,358

Rep: Reputation: 2751
touch /.autorelabel

creates an empty hidden file in '/' called .autorelabel. When you reboot (sic) the box, SELinux will relabel all files to the settings in the policy file.
If you want to do 2 cmds on one line, without them getting confused, separate with ';'. Hence,

touch /.autorelabel ; /sbin/reboot

You could have just done

touch /.autorelabel
/sbin/reboot

for the same effect. If you are not familiar with the cmd line, now would be a good time to start:
http://rute.2038bug.com/index.html.gz
http://tldp.org/LDP/Bash-Beginners-G...tml/index.html

See also http://www.linuxtopia.org/online_boo...ion/index.html for SELinux.

Last edited by chrism01; 10-21-2009 at 01:13 AM.
 
Old 10-21-2009, 09:09 AM   #13
rn8849
LQ Newbie
 
Registered: Mar 2007
Posts: 19

Original Poster
Rep: Reputation: 0
Chris,

I can always use help with the command line, I am an old DOS guy and am very interested in learning the Linux command line so I will check out the link you supplied.

Quote:
Originally Posted by chrism01
SELinux will relabel all files to the settings in the policy file.

Where is this policy file? I looked at the contexts of the / directory and they seem awfully odd, for instance the root directory is a samba share. I compared them last night to my laptop, which is a dual-boot Vista/FC9, one that I have not made many changes to at all and runs pretty well and the contexts are very different.

Thank you for your help,
Gary
 
Old 10-22-2009, 10:38 AM   #14
fpmurphy
Member
 
Registered: Jan 2009
Location: /dev/ph
Distribution: Fedora, Ubuntu, Redhat, Centos
Posts: 299

Rep: Reputation: 62
Quote:
Where is this policy file?
On Redhat, the targeted policy file is located at /etc/selinux/targeted/policy
For example the default targeted policy file for RHEL5.4 initial release is policy.21
 
Old 10-22-2009, 07:47 PM   #15
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,358

Rep: Reputation: 2751
Ok, so

1. the touch, reboot will fix the permissions according to the policy file, as above

2. setting selinux to permissive means it will warn about file accesses that are 'wrong' (ie ought to be addressed), but will not prevent anything from proceeding. 'enforcing' enforces the rules (sic).

3. check selinux file attributes with -Z switch ie

ls -Z somefile (or dir)

so to get all ownerships, perms & selinux attributes

ls -lZ

(lower case L there)

4.
Quote:
SELinux Policy: Managing File Contexts

• Change file context
• chcon -R -t public_content_t /mydata/html
• Does not persist across a relabel! (eg reboot)

• Add new mapping
• semanage fcontext -a -t public_content_t '/mydata/html(/.*)?'

• Apply the policy context to existing files
• restorecon -vvFR /mydata/html
Have a good read of the link of mine for SELinux, it's pretty clear, just takes a while to digest.

Last edited by chrism01; 10-22-2009 at 07:52 PM.
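The persistent workflow in chrism01's step 4 (semanage fcontext mapping, then restorecon), applied to the /extra directory the OP meant to share, with the guard this thread shows was missing: refuse to label / or any core system tree, since a recursive samba_share_t on / is exactly what left the box unbootable. This is an added example, not code from the thread or from any poster; /extra and the list of protected directories are assumptions, and the "apply" step only runs when semanage is actually installed.

```shell
#!/bin/sh
# Label a directory as a Samba share so that the label survives a relabel/reboot:
#   1. semanage fcontext -a  -> records the mapping in the policy's file_contexts
#   2. restorecon -RvF       -> applies that mapping to the files that exist now
# A plain chcon only does step 2 and is undone by the next restorecon or autorelabel.
set -u

# fcontext_pattern DIR -> regex covering DIR and everything below it ("/extra(/.*)?")
fcontext_pattern() {
    dir=${1%/}                       # "/extra/" -> "/extra"
    printf '%s(/.*)?\n' "$dir"
}

# is_shareable_path DIR -> 0 only for an absolute path outside the core system trees.
# The protected list is an assumption for this example; extend it to taste.
is_shareable_path() {
    case $1 in
        /)  return 1 ;;              # the OP's mistake: never the root filesystem
        /*) ;;
        *)  return 1 ;;              # relative paths are ambiguous, refuse them
    esac
    for forbidden in /bin /boot /dev /etc /lib /lib64 /proc /root /sbin /sys /usr /var; do
        case ${1%/}/ in
            "$forbidden"/*) return 1 ;;
        esac
    done
    return 0
}

# share_label_commands DIR -> print the three commands that do the persistent labelling
share_label_commands() {
    pattern=$(fcontext_pattern "$1")
    printf "semanage fcontext -a -t samba_share_t '%s'\n" "$pattern"
    printf 'restorecon -RvF %s\n' "${1%/}"
    printf 'ls -dZ %s\n' "${1%/}"    # verify: the directory should now show samba_share_t
}

# label_samba_share DIR [apply] -> refuse unsafe paths, print the plan, and execute it
# only when "apply" is given and the SELinux management tools are present.
label_samba_share() {
    dir=$1
    mode=${2:-plan}
    if ! is_shareable_path "$dir"; then
        printf 'refusing to label %s as a Samba share: use a dedicated directory\n' "$dir" >&2
        return 1
    fi
    share_label_commands "$dir"
    if [ "$mode" = apply ]; then
        command -v semanage >/dev/null 2>&1 || {
            echo 'semanage not found: install the policycoreutils python package' >&2
            return 2
        }
        share_label_commands "$dir" | sh -e
    fi
}

# Demo: print the plan for /extra (the path named in the thread); pass "apply" to run it.
label_samba_share /extra
```

Running `label_samba_share /` prints the refusal and returns 1 instead of touching anything; `label_samba_share /extra apply` as root performs the mapping and relabel and finishes with `ls -dZ /extra` so the result is visible immediately. The rest of the tree keeps its policy defaults, which is what `touch /.autorelabel` restores if they have been damaged.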
 