Kernel 2.6.14-1.1653 & selinux 1.27.1.-2.16

Stephen Smalley sds at tycho.nsa.gov
Wed Feb 1 12:59:49 UTC 2006


On Wed, 2006-02-01 at 10:12 +0200, G Jahchan wrote:
> I have upgraded the kernel to 2.6.14-1.1656 and pam to 0.79.9 (from
> 2.6.14-1.1653 & 0.79.8 respectively) and I am back to the drawing board.
> 
> Authentication is no longer possible when in enforcing mode, but this time
> there are NO reported 'avc:  denied' messages in any of the logs.
> 
> The problem may not lie strictly with selinux, as even when in permissive mode,
> the first authentication attempt to a console always fails, but the second
> works (with the exact same credentials). Ditto when sudoing a command that
> requires authentication: never works the first time if in permissive mode, and
> not at all if in enforcing mode. su on the other hand always works in
> permissive mode, but never in enforcing mode.
> 
> When in KDE, a locked station cannot be unlocked, regardless of the status of
> selinux - permissive or enforcing, it makes no difference.

Any other SELinux messages there?  Look for SELINUX_ERR (or
use /sbin/ausearch -m selinux_err).

Turn on full auditing by SELinux:
	cd /etc/selinux/strict/src/policy
	make clean enableaudit load
	<re-test>
	make clean load
	<check /var/log/audit/audit.log again>

That will yield a lot of noise in the logs, but you might find something
useful.

Another possibility is that you are running into an audit_write or
audit_control capability denial from the kernel audit subsystem; those
aren't audited presently by SELinux since they occur in receiver
context.  Need to make sure that login and friends have those
capabilities.  But it looks like they are there in the FC4 strict policy
(indirectly via authentication_domain(auth_chkpwd)).

-- 
Stephen Smalley
National Security Agency
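As an added example (not from the thread, and not a Fedora or SELinux project script), here is a small POSIX shell triage that does what the reply suggests by hand: count SELINUX_ERR records and summarise avc: denied records by command, source context, class and permission, so a missing permission for login/su/sudo stands out. It assumes the standard "type=XXX msg=audit(ts:serial): ..." record layout and uses a constructed audit.log, not real log data.

```shell
#!/bin/sh
# Added example: triage an audit.log for SELINUX_ERR records and AVC denials.
# Assumes the usual "type=XXX msg=audit(ts:serial): ..." record layout.

# Write a small constructed audit.log (sample data, not a real log) to "$1".
write_sample_log() {
    cat > "$1" <<'EOF'
type=SELINUX_ERR msg=audit(1138800001.000:10): security_compute_sid:  invalid context system_u:system_r:unconfined_t for scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:shell_exec_t tclass=process
type=AVC msg=audit(1138800002.000:11): avc:  denied  { read } for  pid=2101 comm="login" name="shadow" dev=hda2 ino=1234 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1138800003.000:12): avc:  denied  { read } for  pid=2102 comm="login" name="shadow" dev=hda2 ino=1234 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:shadow_t tclass=file
type=USER_AUTH msg=audit(1138800004.000:13): user pid=2102 uid=0 auid=0 msg='PAM: authentication acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=failed)'
EOF
}

# Number of records of type $1 (e.g. SELINUX_ERR, AVC) in log file $2.
# grep -c prints 0 but exits 1 when nothing matches, so force a clean exit.
count_records() {
    grep -c "^type=$1 " "$2" || :
}

# Distinct AVC denials as "comm scontext tclass { perms }", one per line.
avc_denials() {
    grep '^type=AVC .* denied ' "$1" |
    sed 's/.* denied  *{ *\([^}]*\)} .*comm="\([^"]*\)" .*scontext=\([^ ]*\) .*tclass=\([^ ]*\).*/\2 \3 \4 { \1}/' |
    sort -u
}

# Stand-alone run over the constructed sample.
LOG=$(mktemp)
write_sample_log "$LOG"
echo "SELINUX_ERR records: $(count_records SELINUX_ERR "$LOG")"
echo "AVC denials (comm scontext tclass perms):"
avc_denials "$LOG"
rm -f "$LOG"
```

On a real box, point the two functions at /var/log/audit/audit.log after the enableaudit re-test, since the extra noise is exactly what the dedup in avc_denials is for.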
