Pam updates break system (Was: pam changes require dovecot restart)
Jim Cornette
fct-cornette at insight.rr.com
Sat Dec 17 16:10:25 UTC 2005
n0dalus wrote:
> On 12/17/05, Jeff Spaleta <jspaleta at gmail.com> wrote:
>
>>And pam seems to update just fine for me. You'll have to do your best
>>to figure out why the libpam files didn't install.
>>
>>-jef
>>
>
>
> I have done some more looking into the problem, and while
> unfortunately I was unable to reproduce the same problem, I did find
> some things in the log files.
>
> At the time of the update, lots of scriptlets failed with the
> accompanying log message below:
> Dec 17 08:53:26 kernel: audit(1134771806.214:1322): avc: denied {
> transition } for pid=17748 comm="yum" name="bash" dev=hda7 ino=163054
> scontext=root:system_r:ldconfig_t tcontext=root:system_r:rpm_script_t
> tclass=process
I recently checked my system for duplicate rpms caused by scriptlet
failures and found quite a few packages where the rpmdb was not cleaned
from the removed package on the post installation error due to SELinux
at the time of the problem. You might want to check your system for
duplicate entries in the database.

Another problem was preinstall scripts failing. The rpm would be
downloaded but not installed whenever yum was used or rpm directly to
install packages. Selinux-policy-targeted was one such package that
failed installation on the pre scripts.

Do you have the current version of selinux-policy-targeted? Or was it
locked at quite an earlier release?

I have selinux-policy-targeted-2.1.6-4 which exhibited the pam problem
with login denials. I was able to log into a terminal for both root and
user. The other errors with pam seemed to clear with a relabeling of the
system and booting into runlevel 5 with autologin in gdm.
>
> I am pretty new to SELinux, but to me it seems that the scontext and
> the tcontext are around the wrong way. I don't know how this could
> happen. In policy.20, source rpm_script_t is allowed to run the
> ldconfig_t process. What's happening here seems to be that ldconfig_t
> is trying to run rpm_script_t (as far as SELinux is concerned), which
> would not be what's really happening. I could be completely wrong
> though, so hopefully someone more experienced in these matters can
> comment.
> I can reproduce this error message consistently when doing certain updates.
Check your entries in rpmdb for duplicates, remove just the db entry for
the old packages, reboot with selinux=0. Try to update your system via
yum or using cached packages in /var/cache/yum/development/packages.
Relabel your system for SELinux by using either touch /.autorelabel or
autorelabel via grub appending the entry during boot.

I have no idea personally about SELinux or the chicken or the egg
factors like scontext ...

Jim
>
> n0dalus.
>
--
"In the fight between you and the world, back the world."
--Frank Zappa
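
Added example, not part of the original message: one way to do the rpmdb duplicate check suggested above, listing every name.arch that has more than one version recorded. The function names and the sample package lines are constructed for illustration (only selinux-policy-targeted 2.1.6-4 appears in the thread); skipping kernel and gpg-pubkey is an assumption, since those normally have several entries.

```shell
#!/bin/sh
# Input format: "NAME ARCH VERSION-RELEASE" per line, as produced by
#   rpm -qa --qf '%{NAME} %{ARCH} %{VERSION}-%{RELEASE}\n'

# find_dup_pkgs (hypothetical helper): print "name.arch: ver1 ver2 ..."
# for every name.arch pair that occurs more than once on stdin.
find_dup_pkgs() {
    awk '
        # These are legitimately installed in several versions; skip them.
        $1 == "kernel" || $1 == "gpg-pubkey" { next }
        {
            key = $1 "." $2
            count[key]++
            if (count[key] == 1)
                vers[key] = $3
            else
                vers[key] = vers[key] " " $3
        }
        END {
            for (k in count)
                if (count[k] > 1)
                    print k ": " vers[k]
        }
    ' | sort
}

# Constructed sample of a database left with stale entries after
# failed scriptlets (not data from the system in this thread).
sample_rpmdb() {
    cat <<'EOF'
pam i386 0.99.2.1-1
pam i386 0.99.2.1-2
glibc i686 2.3.90-19
kernel i686 2.6.14-1.1770_FC5
kernel i686 2.6.14-1.1773_FC5
selinux-policy-targeted noarch 2.1.5-1
selinux-policy-targeted noarch 2.1.6-4
EOF
}

# On a live system, pipe the rpm -qa query above into find_dup_pkgs instead.
sample_rpmdb | find_dup_pkgs
```

rpm's erase mode has a --justdb option that updates only the database and leaves the files on disk alone; confirm which version's files are actually installed (for example with rpm -V) before dropping the stale entry.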