I built and fully updated a F7/MLS system today and was unable to
login in MLS enforcing from the console or ssh (no X, init level 2 or
3). I rebooted with a clean audit.log in permissive mode, logged in
and found two login related denials
type=AVC msg=audit(1187740851.272:22): avc: denied
{ audit_control } for pid=2299 comm="login" capability=30
scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
tcontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
tclass=capability
and a second dbus related one that I was unable to replicate for this
email
I created a quick policy to see if I could log in in enforcing mode.
policy_module(f7fix,1.0.0)
gen_require(`
type local_login_t, initrc_t;
class dbus send_msg;
')
allow local_login_t initrc_t:dbus send_msg;
allow local_login_t self:capability audit_control;
and got this nasty result
Aug 21 18:19:12 f7 kernel: ds: 007b es: 007b fs: 00d8 gs: 0000
ss: 0068
Aug 21 18:19:12 f7 kernel: Process login (pid: 2310, ti=f7f98000
task=f70de2b0 task.ti=f7f98000)
Aug 21 18:19:12 f7 kernel: Stack: c06ab7d9 fffffff3 00000000 c06f27ac
fffffff3 fffffff3 00000000 c04ad93d
Aug 21 18:19:12 f7 kernel: c06f27a0 f77b8878 c04ad987 f77b8800
f77b8800 f77b8878 c0555fae f7c8df00
Aug 21 18:19:12 f7 kernel: c05509ee f77b8800 f773e938 00000000
00000000 c0550a20 f70aa800 c053660d
Aug 21 18:19:12 f7 kernel: Call Trace:
Aug 21 18:19:12 f7 kernel: [<c04ad93d>] remove_files+0x15/0x1e
Aug 21 18:19:12 f7 kernel: [<c04ad987>] sysfs_remove_group+0x41/0x57
Aug 21 18:19:12 f7 kernel: [<c0555fae>] device_pm_remove+0x32/0x70
Aug 21 18:19:12 f7 kernel: [<c05509ee>] device_del+0x183/0x1ad
Aug 21 18:19:12 f7 kernel: [<c0550a20>] device_unregister+0x8/0x10
Aug 21 18:19:12 f7 kernel: [<c053660d>] vcs_remove_sysfs+0x17/0x31
Aug 21 18:19:12 f7 kernel: [<c053b24a>] con_close+0x49/0x5b
Aug 21 18:19:12 f7 kernel: [<c052fec7>] release_dev+0x1df/0x5e3
Aug 21 18:19:12 f7 kernel: [<c045d35e>] free_pages_bulk+0x100/0x16e
Aug 21 18:19:12 f7 kernel: [<c045d585>] __pagevec_free+0x14/0x1a
Aug 21 18:19:12 f7 kernel: [<c045f7a5>] release_pages+0x10a/0x112
Aug 21 18:19:12 f7 kernel: [<c05302da>] tty_release+0xf/0x18
Aug 21 18:19:12 f7 kernel: [<c04765eb>] __fput+0xb4/0x16a
Aug 21 18:19:12 f7 kernel: [<c04740f9>] filp_close+0x51/0x58
Aug 21 18:19:12 f7 kernel: [<c0428683>] put_files_struct+0x5f/0xa7
Aug 21 18:19:12 f7 kernel: [<c04296be>] do_exit+0x21f/0x6d3
Aug 21 18:19:12 f7 kernel: [<c0429bdf>] sys_exit_group+0x0/0xd
Aug 21 18:19:12 f7 kernel: [<c0404f70>] syscall_call+0x7/0xb
Aug 21 18:19:12 f7 kernel: [<c0600000>] __sched_text_start+0x6e8/0x89e
Aug 21 18:19:12 f7 kernel: =======================
Aug 21 18:19:12 f7 kernel: Code: 8b 40 24 8b 40 24 c3 8b 40 14 8b 00
c3 8b 40 14 8b 00 c3 55 57 56 53 83 ec 0c 85 c0 89 44 24 04 89 14 24
0f 84 ed 00 00 00 89 c2 <8b> 40 0c 85 c0 0f 84 e0 00 00 00 8b 52 54
83 c0 74 89 54 24 08
Aug 21 18:19:12 f7 kernel: EIP: [<c04ab620>] sysfs_hash_and_remove
+0x18/0x110 SS:ESP 0068:f7f98e04
Aug 21 18:19:12 f7 kernel: Fixing recursive fault but reboot is needed!
potentially relevant rpm versions
kernel-2.6.21-1.3194.fc7
audit-1.5.3-1.fc7
util-linux-2.13-0.52.fc7
checkpolicy-2.0.3-1.fc7
policycoreutils-2.0.16-11.fc7
policycoreutils-gui-2.0.16-11.fc7
policycoreutils-newrole-2.0.16-11.fc7
seedit-policy-2.1.1-2.fc7.2
selinux-policy-2.6.4-33.fc7
selinux-policy-devel-2.6.4-33.fc7
selinux-policy-mls-2.6.4-33.fc7
selinux-policy-targeted-2.6.4-33.fc7
joe
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
