rawhide:selinux relabeled fs, now cannot login
Jerry Amundson
jamundso at gmail.com
Mon Oct 27 02:03:56 UTC 2008
I'm not kidding. I didn't create this problem to prove a point... I'm
serious, I didn't! :-)
Really though, I took a laptop running rawhide, just updated this morning.
In s-c-selinux I set Enforcing. [I did *not* see a "relabeling takes
time" warning like I did in f8]
Rebooted.
Relabel started. I went to fridge, folded some clothes, whatever...
I see it rebooting, seems to come to level 5 normally. But users,
root, nobody can login, graphical, tty, nothing.
I booted in rescue, start sshd.
My root ssh login gives me
"Unable to get valid context for root"
but gives me a shell anyway. [that's good!]
SELinux startup in dmesg and boot.log are normal.
****
Snippets from /var/log/secure:
Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_selinux(kdm:session):
Error! Unable to set jerry key creation context
system_u:system_r:system_chkpwd_t:s0.
Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session):
session opened for user jerry by (uid=0)
Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session):
session closed for user jerry
Oct 26 19:57:28 JerryA-D600 login: pam_selinux(login:session): Error!
Unable to set root key creation context
system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023.
Oct 26 19:57:28 JerryA-D600 login: pam_unix(login:session): session
opened for user root by LOGIN(uid=0)
Oct 26 19:57:29 JerryA-D600 login: Authentication failure
****
Snippets from /var/log/messages:
Oct 26 19:56:14 JerryA-D600 setroubleshoot: SELinux is preventing kdm
(xdm_t) "create" system_chkpwd_t. For complete SELinux messages. run
sealert -l 06841090-2a80-4302-85fa-32121e402c57
Oct 26 19:57:29 JerryA-D600 setroubleshoot: SELinux is preventing
login (local_login_t) "create" system_chkpwd_t. For complete SELinux
messages. run sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831
****
Upon starting setroubleshootd, I was able to get this:
[root@localhost log]# sealert -l 06841090-2a80-4302-85fa-32121e402c57
Summary:
SELinux is preventing kdm (xdm_t) "create" system_chkpwd_t.
Detailed Description:
SELinux denied access requested by kdm. It is not expected that this access is
required by kdm and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:system_r:system_chkpwd_t:s0
Target Objects None [ key ]
Source kdm
Source Path /usr/bin/kdm
Port <Unknown>
Host JerryA-D600
Source RPM Packages kdebase-workspace-4.1.2-7.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-7.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name JerryA-D600
Platform Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed
Oct 22 21:35:19 EDT 2008 i686 i686
Alert Count 4
First Seen Sun Oct 26 19:56:13 2008
Last Seen Sun Oct 26 19:59:53 2008
Local ID 06841090-2a80-4302-85fa-32121e402c57
Line Numbers
Raw Audit Messages
node=JerryA-D600 type=AVC msg=audit(1225069193.250:10): avc: denied
{ create } for pid=2227 comm="kdm"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:system_chkpwd_t:s0 tclass=key
node=JerryA-D600 type=SYSCALL msg=audit(1225069193.250:10):
arch=40000003 syscall=4 success=no exit=-13 a0=6 a1=8ab6d50 a2=25
a3=8ab6d50 items=0 ppid=2173 pid=2227 auid=500 uid=0 gid=500 euid=0
suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="kdm"
exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
key=(null)
****
and this:
[root@localhost log]# sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831
Summary:
SELinux is preventing login (local_login_t) "create" system_chkpwd_t.
Detailed Description:
SELinux denied access requested by login. It is not expected that this access is
required by login and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Context system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023
Target Objects None [ key ]
Source login
Source Path /bin/login
Port <Unknown>
Host JerryA-D600
Source RPM Packages util-linux-ng-2.14.1-3.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-7.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name JerryA-D600
Platform Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed
Oct 22 21:35:19 EDT 2008 i686 i686
Alert Count 3
First Seen Sun Oct 26 19:57:28 2008
Last Seen Sun Oct 26 20:00:06 2008
Local ID fcadfe5d-c3f9-41ef-86a7-107480d77831
Line Numbers
Raw Audit Messages
node=JerryA-D600 type=AVC msg=audit(1225069206.632:18): avc: denied
{ create } for pid=2178 comm="login"
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tclass=key
node=JerryA-D600 type=SYSCALL msg=audit(1225069206.632:18):
arch=40000003 syscall=4 success=no exit=-13 a0=3 a1=8586d68 a2=31
a3=8586d68 items=0 ppid=1 pid=2178 auid=0 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="login"
exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
key=(null)
Thanks,
jerry
--
There's plenty of youth in America - it's time we find the "fountain of smart".
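Added example (not part of the original post): a small triage script that pairs the AVC and SYSCALL audit records above by their shared msg=audit(ts:serial) id and reduces each denial to the fields a defender actually checks: source domain, target type, object class, permission, and the failing executable/errno. The two record pairs quoted in the post are re-joined onto single lines as constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample: the post's two AVC/SYSCALL pairs, re-joined onto single lines.
SAMPLE_AUDIT = """\
node=JerryA-D600 type=AVC msg=audit(1225069193.250:10): avc: denied { create } for pid=2227 comm="kdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_chkpwd_t:s0 tclass=key
node=JerryA-D600 type=SYSCALL msg=audit(1225069193.250:10): arch=40000003 syscall=4 success=no exit=-13 a0=6 a1=8ab6d50 a2=25 a3=8ab6d50 items=0 ppid=2173 pid=2227 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
node=JerryA-D600 type=AVC msg=audit(1225069206.632:18): avc: denied { create } for pid=2178 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tclass=key
node=JerryA-D600 type=SYSCALL msg=audit(1225069206.632:18): arch=40000003 syscall=4 success=no exit=-13 a0=3 a1=8586d68 a2=31 a3=8586d68 items=0 ppid=1 pid=2178 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
VERDICT = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")

def ctx_type(ctx):
    """Type component of an SELinux context user:role:type[:range]."""
    return ctx.split(":")[2]

def parse_events(text):
    """Group AVC and SYSCALL records that share one msg=audit(ts:serial) id."""
    events = defaultdict(dict)
    for line in text.splitlines():
        kv = {k: v.strip('"') for k, v in KV.findall(line)}
        eid = kv.get("msg")
        if eid and kv.get("type") == "AVC":
            v = VERDICT.search(line)
            kv["verdict"], kv["perms"] = v.group(1), v.group(2).split()
            events[eid]["avc"] = kv
        elif eid and kv.get("type") == "SYSCALL":
            events[eid]["syscall"] = kv
    return events

def summarize_denials(text):
    """One row per denied AVC, with exe/uid/errno taken from the paired SYSCALL."""
    rows = []
    for rec in parse_events(text).values():
        avc = rec.get("avc")
        if not avc or avc["verdict"] != "denied":
            continue
        sc = rec.get("syscall", {})
        rows.append({"comm": avc["comm"], "source": ctx_type(avc["scontext"]),
                     "target": ctx_type(avc["tcontext"]), "tclass": avc["tclass"],
                     "perms": avc["perms"], "exe": sc.get("exe"), "uid": sc.get("uid"),
                     "errno": -int(sc["exit"]) if "exit" in sc else None})
    return rows

if __name__ == "__main__":
    for r in summarize_denials(SAMPLE_AUDIT):
        print(f"{r['comm']} ({r['source']}) denied {{ {' '.join(r['perms'])} }} "
              f"on {r['tclass']} {r['target']} exe={r['exe']} errno={r['errno']}")
```

Both rows come out as a `create` on class `key` against `system_chkpwd_t` with errno 13 (EACCES), which is the same denial the two sealert reports describe in prose and what the pam_selinux "Unable to set ... key creation context" lines in /var/log/secure are reporting.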