selinux adventures/troubles

Michal Jaegermann michal at harddata.com
Thu Jan 8 19:45:38 UTC 2009


I got hit by something somewhat similar this morning on another
machine.  It was also recently updated from F8 to F10 and it had
selinux turned on and in an enforcing mode.  Up to now everything
looked like it should but this morning the system got updates to

selinux-policy-3.5.13-38.fc10.noarch
selinux-policy-targeted-3.5.13-38.fc10.noarch

After that every attempt to log in was producing
"Unable to get valid context for <whomever>" on every account this
was tried (root only locally).

There are no log traces from failed attempts to log in locally but
for similar tries over ssh one can find in /var/log/secure:

sshd[9945]: Accepted password for .... port 24443 ssh2
sshd[9945]: pam_unix(sshd:session): session opened for user ....  by (uid=0)
sshd[9945]: pam_selinux(sshd:session): Security context unconfined_u:system_r:logrotate_t:s0-s0:c0.c1023 is not allowed for unconfined_u:system_r:logrotate_t:s0-s0:c0.c1023
sshd[9945]: pam_selinux(sshd:session): Unable to get valid context for ....
sshd[9945]: error: PAM: pam_open_session(): Authentication failure
sshd[9945]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument

Looks familiar?

As this was in an enforcing mode then you just cannot log in on a console
or over a network.

Luckily just a reboot via a power switch "fixed" the situation and so far the
whole setup seems to be in a working order.  The only "sealert" message
I can find in logs between selinux-policy updates and reboot is of that
sort:

SELinux is preventing rpcbind (rpcbind_t) "search" to ./bin (bin_t).
....
Source Context                system_u:system_r:rpcbind_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                ./bin [ dir ]
Source                        rpcbind
Source Path                   /sbin/rpcbind
....

and this was "cured" by a reboot too.

   Michal
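
Added example, not part of the original post: a Python sketch that groups /var/log/secure lines like those quoted above by sshd PID and reports sessions where the password was accepted but pam_selinux could not compute a login context. The sample log (host, user names, addresses, timestamps) is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the log lines quoted in the post.
SAMPLE = """\
Jan  8 09:12:01 host sshd[9945]: Accepted password for alice from 192.0.2.10 port 24443 ssh2
Jan  8 09:12:01 host sshd[9945]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan  8 09:12:01 host sshd[9945]: pam_selinux(sshd:session): Unable to get valid context for alice
Jan  8 09:12:01 host sshd[9945]: error: PAM: pam_open_session(): Authentication failure
Jan  8 09:15:40 host sshd[9990]: Accepted password for bob from 192.0.2.11 port 24500 ssh2
Jan  8 09:15:40 host sshd[9990]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Jan  8 09:16:02 host sshd[10002]: Failed password for carol from 192.0.2.12 port 24600 ssh2
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPTED = re.compile(r"Accepted \S+ for (?P<user>\S+)")
NO_CONTEXT = re.compile(
    r"pam_selinux\(sshd:session\): Unable to get valid context for \S+")


def selinux_login_failures(log_text):
    """Return [(pid, user)] for sshd sessions that authenticated successfully
    and then failed because pam_selinux found no valid context."""
    accepted = {}  # sshd pid -> user whose credentials were accepted
    hits = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        ok = ACCEPTED.match(msg)
        if ok:
            accepted[pid] = ok["user"]
        elif NO_CONTEXT.match(msg) and pid in accepted:
            hits.append((pid, accepted[pid]))
    return hits


def is_systemic(hits, min_users=2):
    """Several distinct accounts failing the same way points at the loaded
    policy rather than at one account's SELinux user mapping."""
    return len({user for _, user in hits}) >= min_users


if __name__ == "__main__":
    found = selinux_login_failures(SAMPLE)
    for pid, user in found:
        print(f"sshd[{pid}]: {user} authenticated, no SELinux context")
    print("systemic:", is_systemic(found))
```

Failed password attempts are deliberately ignored, so the output separates a policy-induced lockout from ordinary bad-credential noise.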



