Pam updates break system (Was: pam changes require dovecot restart)

Jim Cornette fct-cornette at insight.rr.com
Sat Dec 17 16:10:25 UTC 2005


n0dalus wrote:
> On 12/17/05, Jeff Spaleta <jspaleta at gmail.com> wrote:
> 
>>And pam seems to update just fine for me.  You'll have to do your best
>>to figure out why the libpam files didn't install.
>>
>>-jef
>>
> 
> 
> I have done some more looking into the problem, and while
> unfortunately I was unable to reproduce the same problem, I did find
> some things in the log files.
> 
> At the time of the update, lots of scriptlets failed with the
> accompanying log message below:
> Dec 17 08:53:26 kernel: audit(1134771806.214:1322): avc:  denied  {
> transition } for  pid=17748 comm="yum" name="bash" dev=hda7 ino=163054
> scontext=root:system_r:ldconfig_t tcontext=root:system_r:rpm_script_t
> tclass=process

I recently checked my system for duplicate rpms caused by scriptlet 
failures and found quite a few packages where the rpmdb was not cleaned 
from the removed package on the post installation error due to SELinux 
at the time of the problem. You might want to check your system for 
duplicate entries in the database.

Another problem was preinstall scripts failing. The rpm would be 
downloaded but not installed whenever yum was used or rpm directly to 
install packages. Selinux-policy-targeted was one such package that 
failed installation on the pre scripts.

Do you have the current version of selinux-policy-targeted? Or was it 
locked at quite an earlier release?

I have selinux-policy-targeted-2.1.6-4 which exhibited the pam problem 
with login denials. I was able to log into a terminal for both root and 
user. The other errors with pam seemed to clear with a relabeling of the 
system and booting into runlevel 5 with autologin in gdm.


> 
> I am pretty new to SELinux, but to me it seems that the scontext and
> the tcontext are around the wrong way. I don't know how this could
> happen. In policy.20, source rpm_script_t is allowed to run the
> ldconfig_t process. What's happening here seems to be that ldconfig_t
> is trying to run rpm_script_t (as far as SELinux is concerned), which
> would not be what's really happening. I could be completely wrong
> though, so hopefully someone more experienced in these matters can
> comment.
> I can reproduce this error message consistently when doing certain updates.

Check your entries in rpmdb for duplicates, remove just the db entry for 
the old packages, reboot with selinux=0. Try to update your system via 
yum or using cached packages in /var/cache/yum/development/packages. 
Relabel your system for SELinux by using either touch /.autorelabel or 
autorelabel via grub appending the entry during boot.

I have no idea personally about SELinux or the chicken or the egg 
factors like scontext ...

Jim

> 
> n0dalus.
> 


-- 
"In the fight between you and the world, back the world."
  --Frank Zappa
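
Added example (not part of Jim's message or the original thread): one way to run the duplicate-entry check described above, flagging any package name and arch that appears in the rpmdb with more than one version. The function names find_dupes and sample_rpmdb, the skip list of multi-install packages, and all sample data except selinux-policy-targeted 2.1.6-4 are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list packages recorded more than once in the rpmdb.
# Input on stdin: one "NAME ARCH VERSION-RELEASE" line per package, e.g. from
#   rpm -qa --qf '%{NAME} %{ARCH} %{VERSION}-%{RELEASE}\n'

find_dupes() {
    awk '
        # Assumption: these may legitimately be installed in several versions.
        $1 ~ /^(kernel|kernel-smp|kernel-devel|gpg-pubkey)$/ { next }
        NF >= 3 {
            key = $1 "." $2        # same name AND same arch => stale entry
            count[key]++
            if (key in vers) vers[key] = vers[key] " " $3
            else vers[key] = $3
        }
        END {
            for (k in count)
                if (count[k] > 1) print k ": " vers[k]
        }
    ' | sort
}

# Constructed sample of rpmdb contents after failed %post scriptlets.
sample_rpmdb() {
cat <<'EOF'
pam i386 1.0-1
pam i386 1.0-2
glibc i386 2.0-1
glibc x86_64 2.0-1
kernel i686 2.6-1
kernel i686 2.6-2
selinux-policy-targeted noarch 2.1.6-4
dovecot i386 1.0-1
dovecot i386 1.0-3
EOF
}

# Demo run on the constructed data: reports pam and dovecot only.
sample_rpmdb | find_dupes
```

On a real system, pipe the rpm -qa query from the header comment into find_dupes instead of the sample. A stale entry found this way can then be dropped from the database alone with rpm -e --justdb followed by the old name-version-release.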



