rawhide:selinux relabeled fs, now cannot login

Jerry Amundson jamundso at gmail.com
Mon Oct 27 02:36:35 UTC 2008


https://bugzilla.redhat.com/show_bug.cgi?id=468645

On Sun, Oct 26, 2008 at 9:03 PM, Jerry Amundson <jamundso at gmail.com> wrote:
> I'm not kidding. I didn't create this problem to prove a point.. I'm
> serious, I didn't! :-)
> Really though, I took a laptop running rawhide, just updated this morning.
> In s-c-selinux I set Enforcing. [I did *not* see a "relabeling takes
> time" warning like I did in f8]
> Rebooted.
> Relabel started. I went to the fridge, folded some clothes, whatever...
> I see it rebooting, seems to come to level 5 normally. But users,
> root, nobody can login, graphical, tty, nothing.
> I booted in rescue, start sshd.
> My root ssh login gives me
> "Unable to get valid context for root"
> but gives me a shell anyway. [that's good!]
> SELinux startup in dmesg and boot.log are normal.
> ****
> Snippets from /var/log/secure:
>
> Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_selinux(kdm:session):
> Error!  Unable to set jerry key creation context
> system_u:system_r:system_chkpwd_t:s0.
> Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session):
> session opened for user jerry by (uid=0)
> Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session):
> session closed for user jerry
>
> Oct 26 19:57:28 JerryA-D600 login: pam_selinux(login:session): Error!
> Unable to set root key creation context
> system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023.
> Oct 26 19:57:28 JerryA-D600 login: pam_unix(login:session): session
> opened for user root by LOGIN(uid=0)
> Oct 26 19:57:29 JerryA-D600 login: Authentication failure
>
> ****
> Snippets from /var/log/messages:
>
> Oct 26 19:56:14 JerryA-D600 setroubleshoot: SELinux is preventing kdm
> (xdm_t) "create" system_chkpwd_t. For complete SELinux messages. run
> sealert -l 06841090-2a80-4302-85fa-32121e402c57
>
> Oct 26 19:57:29 JerryA-D600 setroubleshoot: SELinux is preventing
> login (local_login_t) "create" system_chkpwd_t. For complete SELinux
> messages. run sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831
>
> ****
> Upon starting setroubleshootd, I was able to get this:
>
> [root at localhost log]# sealert -l 06841090-2a80-4302-85fa-32121e402c57
>
> Summary:
>
> SELinux is preventing kdm (xdm_t) "create" system_chkpwd_t.
>
> Detailed Description:
>
> SELinux denied access requested by kdm. It is not expected that this access is
> required by kdm and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context                system_u:system_r:system_chkpwd_t:s0
> Target Objects                None [ key ]
> Source                        kdm
> Source Path                   /usr/bin/kdm
> Port                          <Unknown>
> Host                          JerryA-D600
> Source RPM Packages           kdebase-workspace-4.1.2-7.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.13-7.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     JerryA-D600
> Platform                      Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed
>                              Oct 22 21:35:19 EDT 2008 i686 i686
> Alert Count                   4
> First Seen                    Sun Oct 26 19:56:13 2008
> Last Seen                     Sun Oct 26 19:59:53 2008
> Local ID                      06841090-2a80-4302-85fa-32121e402c57
> Line Numbers
>
> Raw Audit Messages
>
> node=JerryA-D600 type=AVC msg=audit(1225069193.250:10): avc:  denied
> { create } for  pid=2227 comm="kdm"
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:system_chkpwd_t:s0 tclass=key
>
> node=JerryA-D600 type=SYSCALL msg=audit(1225069193.250:10):
> arch=40000003 syscall=4 success=no exit=-13 a0=6 a1=8ab6d50 a2=25
> a3=8ab6d50 items=0 ppid=2173 pid=2227 auid=500 uid=0 gid=500 euid=0
> suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="kdm"
> exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
> key=(null)
>
> ****
> and this:
> [root at localhost log]# sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831
>
> Summary:
>
> SELinux is preventing login (local_login_t) "create" system_chkpwd_t.
>
> Detailed Description:
>
> SELinux denied access requested by login. It is not expected that this access is
> required by login and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
> Target Context                system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023
> Target Objects                None [ key ]
> Source                        login
> Source Path                   /bin/login
> Port                          <Unknown>
> Host                          JerryA-D600
> Source RPM Packages           util-linux-ng-2.14.1-3.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.13-7.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     JerryA-D600
> Platform                      Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed
>                              Oct 22 21:35:19 EDT 2008 i686 i686
> Alert Count                   3
> First Seen                    Sun Oct 26 19:57:28 2008
> Last Seen                     Sun Oct 26 20:00:06 2008
> Local ID                      fcadfe5d-c3f9-41ef-86a7-107480d77831
> Line Numbers
>
> Raw Audit Messages
>
> node=JerryA-D600 type=AVC msg=audit(1225069206.632:18): avc:  denied
> { create } for  pid=2178 comm="login"
> scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tclass=key
>
> node=JerryA-D600 type=SYSCALL msg=audit(1225069206.632:18):
> arch=40000003 syscall=4 success=no exit=-13 a0=3 a1=8586d68 a2=31
> a3=8586d68 items=0 ppid=1 pid=2178 auid=0 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="login"
> exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> key=(null)
>
> Thanks,
> jerry
>
> --
> There's plenty of youth in America - it's time we find the "fountain of smart".
>



-- 
There's plenty of youth in America - it's time we find the "fountain of smart".
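The two sealert reports above boil down to a pair of AVC records with the same shape: a login domain (xdm_t, local_login_t) is denied "create" on a kernel key whose label is system_chkpwd_t, which is the key-creation context pam_selinux tries to set before the password helper runs. When triaging a relabel that locks everyone out, the first thing worth doing is to pull exactly those fields (source type, target type, object class, permission) out of the raw audit lines and group them, so the report to bugzilla lists every distinct denial rather than one alert at a time. The following Python script is an added example written for this post; it is not Jerry's code nor part of any Fedora tool. It embeds the AVC and SYSCALL lines quoted above as a constructed sample (re-joined onto single lines the way auditd writes them, since the mail client wrapped them) and makes no other assumption about the system.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the audit records quoted in the report above,
# re-joined onto single lines as auditd emits them. Nothing else is implied.
SAMPLE_AUDIT = (
    'node=JerryA-D600 type=AVC msg=audit(1225069193.250:10): avc:  denied  '
    '{ create } for  pid=2227 comm="kdm" '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:system_chkpwd_t:s0 tclass=key\n'
    'node=JerryA-D600 type=SYSCALL msg=audit(1225069193.250:10): arch=40000003 '
    'syscall=4 success=no exit=-13 a0=6 a1=8ab6d50 a2=25 a3=8ab6d50 items=0 '
    'ppid=2173 pid=2227 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 '
    'sgid=500 fsgid=500 tty=(none) ses=1 comm="kdm" exe="/usr/bin/kdm" '
    'subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)\n'
    'node=JerryA-D600 type=AVC msg=audit(1225069206.632:18): avc:  denied  '
    '{ create } for  pid=2178 comm="login" '
    'scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tclass=key\n'
)

# "avc:  denied  { perm perm } for  key=value ..." -- the permission set is
# brace-delimited and may list several permissions separated by spaces.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# Generic key=value tokenizer; quoted values (comm="kdm") keep their spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(([^)]*)\)')


@dataclass
class AvcRecord:
    serial: str        # audit event id, e.g. "1225069193.250:10"
    verdict: str       # "denied" or "granted"
    perms: List[str]   # permissions requested, e.g. ["create"]
    pid: int
    comm: str
    scontext: str      # full source context user:role:type[:range]
    tcontext: str      # full target context
    tclass: str        # object class, e.g. "key"

    @staticmethod
    def type_of(context: str) -> str:
        """Return the type component of an SELinux context; the MLS range
        that follows may itself contain colons, so split at most 3 times."""
        parts = context.split(":", 3)
        return parts[2] if len(parts) >= 3 else context

    @property
    def source_type(self) -> str:
        return self.type_of(self.scontext)

    @property
    def target_type(self) -> str:
        return self.type_of(self.tcontext)


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one audit line; return None for non-AVC or malformed records."""
    if "type=AVC" not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    serial = SERIAL_RE.search(line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    try:
        return AvcRecord(
            serial=serial.group(1) if serial else "",
            verdict=m.group("verdict"),
            perms=m.group("perms").split(),
            pid=int(fields.get("pid", "-1")),
            comm=fields.get("comm", "?"),
            scontext=fields["scontext"],
            tcontext=fields["tcontext"],
            tclass=fields["tclass"],
        )
    except (KeyError, ValueError):
        return None   # a required field is missing or unparsable


def parse_audit_log(text: str) -> List[AvcRecord]:
    """Extract every AVC record from a block of audit.log text."""
    records = [parse_avc(line) for line in text.splitlines()]
    return [r for r in records if r is not None]


def summarize(records: List[AvcRecord]) -> Dict[Tuple[str, str, str, str], int]:
    """Count denials by (source type, target type, class, permission)."""
    counts: Counter = Counter()
    for r in records:
        if r.verdict != "denied":
            continue
        for perm in r.perms:
            counts[(r.source_type, r.target_type, r.tclass, perm)] += 1
    return dict(counts)


def render_report(records: List[AvcRecord]) -> str:
    """One line per distinct denial, in the form a bug report wants."""
    lines = []
    for (src, tgt, tclass, perm), n in sorted(summarize(records).items()):
        example = next(r for r in records if r.source_type == src and r.tclass == tclass)
        lines.append(f"{n:>3}x  {src} -> {tgt}  class={tclass} perm={perm}"
                     f"  (e.g. pid {example.pid} {example.comm})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(parse_audit_log(SAMPLE_AUDIT)))
```

Run against a real /var/log/audit/audit.log the same grouping shows at a glance whether the lockout is a single policy gap, as here (every login path hits the same key/create denial against system_chkpwd_t), or a wider mislabel from the relabel itself; only the former is worth reporting as one bug.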