rawhide:selinux relabeled fs, now cannot login

Tom London selinux at gmail.com
Mon Oct 27 02:45:40 UTC 2008


On Sun, Oct 26, 2008 at 7:36 PM, Jerry Amundson <jamundso at gmail.com> wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=468645
>
> On Sun, Oct 26, 2008 at 9:03 PM, Jerry Amundson <jamundso at gmail.com> wrote:
>> I'm not kidding. I didn't create this problem to prove a point.. I'm
>> serious, I didn't! :-)
>> Really though, I took a laptop running rawhide, just updated this morning.
>> In s-c-selinux I set Enforcing. [I did *not* see a "relabeling takes
>> time" warning like I did in f8]
>> Rebooted.
>> Relabel started. I went to the fridge, folded some clothes, whatever...
>> I see it rebooting, seems to come to level 5 normally. But users,
>> root, nobody can login, graphical, tty, nothing.
>> I booted in rescue, start sshd.
>> My root ssh login gives me
>> "Unable to get valid context for root"
>> but gives me a shell anyway. [that's good!]
>> SElinux startup in dmesg and boot.log are normal.
>> ****
>> Snippets from /var/log/secure:
>>
>> Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_selinux(kdm:session):
>> Error!  Unable to set jerry key creation context
>> system_u:system_r:system_chkpwd_t:s0.
>> Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session):
>> session opened for user jerry by (uid=0)
>> Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session):
>> session closed for user jerry
>>
>> Oct 26 19:57:28 JerryA-D600 login: pam_selinux(login:session): Error!
>> Unable to set root key creation context
>> system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023.
>> Oct 26 19:57:28 JerryA-D600 login: pam_unix(login:session): session
>> opened for user root by LOGIN(uid=0)
>> Oct 26 19:57:29 JerryA-D600 login: Authentication failure
>>
>> ****
>> Snippets from /var/log/messages:
>>
>> Oct 26 19:56:14 JerryA-D600 setroubleshoot: SELinux is preventing kdm
>> (xdm_t) "create" system_chkpwd_t. For complete SELinux messages. run
>> sealert -l 06841090-2a80-4302-85fa-32121e402c57
>>
>> Oct 26 19:57:29 JerryA-D600 setroubleshoot: SELinux is preventing
>> login (local_login_t) "create" system_chkpwd_t. For complete SELinux
>> messages. run sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831
>>
>> ****
>> Upon starting setroubleshootd, I was able to get this:
>>
>> [root at localhost log]# sealert -l 06841090-2a80-4302-85fa-32121e402c57
>>
>> Summary:
>>
>> SELinux is preventing kdm (xdm_t) "create" system_chkpwd_t.
>>
>> Detailed Description:
>>
>> SELinux denied access requested by kdm. It is not expected that this access is
>> required by kdm and this access may signal an intrusion attempt. It is also
>> possible that the specific version or configuration of the application is
>> causing it to require additional access.
>>
>> Allowing Access:
>>
>> You can generate a local policy module to allow this access - see FAQ
>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>> SELinux protection altogether. Disabling SELinux protection is not recommended.
>> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>> against this package.
>>
>> Additional Information:
>>
>> Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
>> Target Context                system_u:system_r:system_chkpwd_t:s0
>> Target Objects                None [ key ]
>> Source                        kdm
>> Source Path                   /usr/bin/kdm
>> Port                          <Unknown>
>> Host                          JerryA-D600
>> Source RPM Packages           kdebase-workspace-4.1.2-7.fc10
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.5.13-7.fc10
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   catchall
>> Host Name                     JerryA-D600
>> Platform                      Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed
>>                              Oct 22 21:35:19 EDT 2008 i686 i686
>> Alert Count                   4
>> First Seen                    Sun Oct 26 19:56:13 2008
>> Last Seen                     Sun Oct 26 19:59:53 2008
>> Local ID                      06841090-2a80-4302-85fa-32121e402c57
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> node=JerryA-D600 type=AVC msg=audit(1225069193.250:10): avc:  denied
>> { create } for  pid=2227 comm="kdm"
>> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:system_chkpwd_t:s0 tclass=key
>>
>> node=JerryA-D600 type=SYSCALL msg=audit(1225069193.250:10):
>> arch=40000003 syscall=4 success=no exit=-13 a0=6 a1=8ab6d50 a2=25
>> a3=8ab6d50 items=0 ppid=2173 pid=2227 auid=500 uid=0 gid=500 euid=0
>> suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="kdm"
>> exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
>> key=(null)
>>
>> ****
>> and this:
>> [root at localhost log]# sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831
>>
>> Summary:
>>
>> SELinux is preventing login (local_login_t) "create" system_chkpwd_t.
>>
>> Detailed Description:
>>
>> SELinux denied access requested by login. It is not expected that this access is
>> required by login and this access may signal an intrusion attempt. It is also
>> possible that the specific version or configuration of the application is
>> causing it to require additional access.
>>
>> Allowing Access:
>>
>> You can generate a local policy module to allow this access - see FAQ
>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>> SELinux protection altogether. Disabling SELinux protection is not recommended.
>> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>> against this package.
>>
>> Additional Information:
>>
>> Source Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
>> Target Context                system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023
>> Target Objects                None [ key ]
>> Source                        login
>> Source Path                   /bin/login
>> Port                          <Unknown>
>> Host                          JerryA-D600
>> Source RPM Packages           util-linux-ng-2.14.1-3.fc10
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.5.13-7.fc10
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   catchall
>> Host Name                     JerryA-D600
>> Platform                      Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed
>>                              Oct 22 21:35:19 EDT 2008 i686 i686
>> Alert Count                   3
>> First Seen                    Sun Oct 26 19:57:28 2008
>> Last Seen                     Sun Oct 26 20:00:06 2008
>> Local ID                      fcadfe5d-c3f9-41ef-86a7-107480d77831
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> node=JerryA-D600 type=AVC msg=audit(1225069206.632:18): avc:  denied
>> { create } for  pid=2178 comm="login"
>> scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tclass=key
>>
>> node=JerryA-D600 type=SYSCALL msg=audit(1225069206.632:18):
>> arch=40000003 syscall=4 success=no exit=-13 a0=3 a1=8586d68 a2=31
>> a3=8586d68 items=0 ppid=1 pid=2178 auid=0 uid=0 gid=0 euid=0 suid=0
>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="login"
>> exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
>> key=(null)
>>
>> Thanks,
>> jerry
>>
Booting in permissive mode (via kernel boot option of "enforcing=0")
may allow you to boot/login in such circumstances, also providing
access to any AVCs that may be causing problems.

If that allows you to boot (either to runlevel 3 or 5), "audit2allow
-l" may provide some tell-tale clues....

Can't recall the last time I needed to resort to a rescue CD......

tom
-- 
Tom London
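Tom's advice is to get the box up permissive and then read the AVCs back out of the audit log. As an added example that is not part of this thread (names such as AvcDenial, parse_avc and allow_rules are my own), the Python script below parses raw type=AVC records of the form Jerry pasted and reduces them to the (source type, target type, class, permission) tuples that audit2allow summarises, rendering them as allow rules for a policy maintainer to read. The sample input is constructed from the two AVC records and one SYSCALL record in Jerry's message, re-joined onto single lines as /var/log/audit/audit.log stores them.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the kdm and login records from the thread, one per line.
SAMPLE_AUDIT_LINES = [
    'node=JerryA-D600 type=AVC msg=audit(1225069193.250:10): avc:  denied  '
    '{ create } for  pid=2227 comm="kdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:system_chkpwd_t:s0 tclass=key',
    'node=JerryA-D600 type=SYSCALL msg=audit(1225069193.250:10): arch=40000003 syscall=4 '
    'success=no exit=-13 a0=6 a1=8ab6d50 a2=25 a3=8ab6d50 items=0 ppid=2173 pid=2227 '
    'auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) '
    'ses=1 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)',
    'node=JerryA-D600 type=AVC msg=audit(1225069206.632:18): avc:  denied  '
    '{ create } for  pid=2178 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tclass=key',
]

# Header of an AVC record: timestamp:serial, result, permission set, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcDenial:  # hypothetical record type, not part of any SELinux tool
    timestamp: float
    serial: int
    pid: int
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    perms: Tuple[str, ...]

    @property
    def source_type(self) -> str:
        # A context is user:role:type[:range]; the type is the third field.
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Return an AvcDenial for a type=AVC 'denied' record, or None for any other record."""
    m = AVC_RE.search(line.strip().lstrip("> "))  # tolerate mail-quoted copies
    if not m or m.group("result") != "denied":
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcDenial(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        pid=int(fields["pid"]),
        comm=fields["comm"],
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        perms=tuple(m.group("perms").split()),
    )


def describe(d: AvcDenial) -> str:
    """One-line summary in the style setroubleshoot writes to /var/log/messages."""
    return 'SELinux is preventing %s (%s) "%s" %s.' % (
        d.comm, d.source_type, " ".join(d.perms), d.target_type)


def summarize_denials(lines) -> Counter:
    """Count denials per (source type, target type, class, permission) tuple."""
    counts: Counter = Counter()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        for perm in d.perms:
            counts[(d.source_type, d.target_type, d.tclass, perm)] += 1
    return counts


def allow_rules(lines) -> List[str]:
    """Render the tuples as TE allow rules, the way audit2allow prints them for review.

    Each rule is a reading aid: whether the access is legitimate or a bug in the
    policy (as sealert's text warns) is still a judgement for the maintainer."""
    by_key = {}
    for (stype, ttype, tclass, perm) in summarize_denials(lines):
        by_key.setdefault((stype, ttype, tclass), set()).add(perm)
    rules = []
    for (stype, ttype, tclass), perms in sorted(by_key.items()):
        perm_str = next(iter(perms)) if len(perms) == 1 else "{ %s }" % " ".join(sorted(perms))
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str))
    return rules


if __name__ == "__main__":
    for line in SAMPLE_AUDIT_LINES:
        d = parse_avc(line)
        if d:
            print(describe(d))
    for rule in allow_rules(SAMPLE_AUDIT_LINES):
        print(rule)
```

Run against Jerry's two records it prints the same two setroubleshoot summaries he saw and the two key-class rules audit2allow would propose; the SYSCALL record is skipped because only AVC records carry the contexts. On a real box, feed it `ausearch -m avc` output instead of the embedded sample.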
