On Wed, 2006-02-01 at 10:12 +0200, G Jahchan wrote:
> I have upgraded the kernel to 2.6.14-1.1656 and pam to 0.79.9 (from
> 2.6.14-1.1653 & 0.79.8 respectively) and I am back to the drawing board.
>
> Authentication is no longer possible when in enforcing mode, but this time
> there are NO reported 'avc: denied' messages in any of the logs.
>
> The problem may not lie strictly with selinux, as even when in permissive mode,
> the first authentication attempt to a console always fails, but the second
> works (with the exact same credentials). Ditto when sudoing a command that
> requires authentication: never works the first time if in permissive mode, and
> not at all if in enforcing mode. su on the other hand always works in
> permissive mode, but never in enforcing mode.
>
> When in KDE, a locked station cannot be unlocked, regardless of the status of
> selinux - permissive or enforcing, it makes no difference.

Any other SELinux messages there? Look for SELINUX_ERR (or use
/sbin/ausearch -m selinux_err).

Turn on full auditing by SELinux:

    cd /etc/selinux/strict/src/policy
    make clean enableaudit load
    <re-test>
    make clean load
    <check /var/log/audit/audit.log again>

That will yield a lot of noise in the logs, but you might find something
useful.

Other possibility is that you are running into an audit_write or
audit_control capability denial from the kernel audit subsystem; those
aren't audited presently by SELinux since they occur in receiver
context. Need to make sure that login and friends have those
capabilities. But it looks like they are there in the FC4 strict policy
(indirectly via authentication_domain(auth_chkpwd)).

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
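
Added example, not part of the original message: one way to cut through the noise that `enableaudit` produces is to collapse repeated AVC denials into unique tuples and pull out any SELINUX_ERR records. The sample records are constructed in the general shape of `/var/log/audit/audit.log` entries, and the `triage` helper is a hypothetical name.

```python
import re
from collections import Counter

# Constructed sample records (not taken from the thread), shaped like
# /var/log/audit/audit.log entries after a re-test with enableaudit loaded.
SAMPLE_LOG = """\
type=AVC msg=audit(1138781520.101:41): avc:  denied  { read } for  pid=2301 comm="login" name="shadow" dev=dm-0 ino=1201 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1138781520.105:42): avc:  denied  { read } for  pid=2301 comm="login" name="shadow" dev=dm-0 ino=1201 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1138781521.220:43): avc:  granted  { search } for  pid=2310 comm="sudo" name="etc" dev=dm-0 ino=77 scontext=user_u:user_r:sudo_t tcontext=system_u:object_r:etc_t tclass=dir
type=SELINUX_ERR msg=audit(1138781522.004:44): security_compute_sid:  invalid context user_u:system_r:local_login_t
type=USER_AUTH msg=audit(1138781522.300:45): user pid=2301 uid=0 msg='PAM authentication: user=test result=Authentication failure'
"""

# Matches only denials; "granted" records and other record types are ignored.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)')


def triage(log_text):
    """Return (Counter of unique denials, list of SELINUX_ERR message bodies)."""
    denials = Counter()
    selinux_errs = []
    for line in log_text.splitlines():
        if line.startswith("type=SELINUX_ERR"):
            # Keep only the text after the "msg=audit(...): " prefix.
            selinux_errs.append(line.split("): ", 1)[-1].strip())
        elif line.startswith("type=AVC"):
            m = AVC_RE.search(line)
            if m:
                key = (m["comm"], m["s"], m["t"], m["c"], m["perms"])
                denials[key] += 1
    return denials, selinux_errs


if __name__ == "__main__":
    denials, errs = triage(SAMPLE_LOG)
    for err in errs:
        print("SELINUX_ERR:", err)
    for key, count in denials.most_common():
        print(count, *key)
```

An empty result from a real log after the re-test is consistent with the other possibility raised in the message, since audit_write and audit_control capability denials are not audited by SELinux.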