I'm not kidding. I didn't create this problem to prove a point. I'm serious, I didn't! :-)

Really though, I took a laptop running rawhide, just updated this morning. In s-c-selinux I set Enforcing. [I did *not* see a "relabeling takes time" warning like I did in f8]

Rebooted. Relabel started. I went to fridge, folded some clothes, whatever... I see it rebooting, seems to come to level 5 normally. But users, root, nobody can log in, graphical, tty, nothing.

I booted in rescue, started sshd. My root ssh login gives me "Unable to get valid context for root" but gives me a shell anyway. [that's good!]

SELinux startup in dmesg and boot.log are normal.

****
Snippets from /var/log/secure:

Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_selinux(kdm:session): Error! Unable to set jerry key creation context system_u:system_r:system_chkpwd_t:s0.
Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session): session opened for user jerry by (uid=0)
Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session): session closed for user jerry
Oct 26 19:57:28 JerryA-D600 login: pam_selinux(login:session): Error! Unable to set root key creation context system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023.
Oct 26 19:57:28 JerryA-D600 login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Oct 26 19:57:29 JerryA-D600 login: Authentication failure

****
Snippets from /var/log/messages:

Oct 26 19:56:14 JerryA-D600 setroubleshoot: SELinux is preventing kdm (xdm_t) "create" system_chkpwd_t. For complete SELinux messages. run sealert -l 06841090-2a80-4302-85fa-32121e402c57
Oct 26 19:57:29 JerryA-D600 setroubleshoot: SELinux is preventing login (local_login_t) "create" system_chkpwd_t. For complete SELinux messages. run sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831

****
Upon starting setroubleshootd, I was able to get this:

[root@localhost log]# sealert -l 06841090-2a80-4302-85fa-32121e402c57

Summary:

SELinux is preventing kdm (xdm_t) "create" system_chkpwd_t.

Detailed Description:

SELinux denied access requested by kdm. It is not expected that this access is
required by kdm and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:system_r:system_chkpwd_t:s0
Target Objects                None [ key ]
Source                        kdm
Source Path                   /usr/bin/kdm
Port                          <Unknown>
Host                          JerryA-D600
Source RPM Packages           kdebase-workspace-4.1.2-7.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-7.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     JerryA-D600
Platform                      Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed Oct 22 21:35:19 EDT 2008 i686 i686
Alert Count                   4
First Seen                    Sun Oct 26 19:56:13 2008
Last Seen                     Sun Oct 26 19:59:53 2008
Local ID                      06841090-2a80-4302-85fa-32121e402c57
Line Numbers

Raw Audit Messages

node=JerryA-D600 type=AVC msg=audit(1225069193.250:10): avc: denied { create } for pid=2227 comm="kdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_chkpwd_t:s0 tclass=key

node=JerryA-D600 type=SYSCALL msg=audit(1225069193.250:10): arch=40000003 syscall=4 success=no exit=-13 a0=6 a1=8ab6d50 a2=25 a3=8ab6d50 items=0 ppid=2173 pid=2227 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

****
and this:

[root@localhost log]# sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831

Summary:

SELinux is preventing login (local_login_t) "create" system_chkpwd_t.

Detailed Description:

SELinux denied access requested by login. It is not expected that this access is
required by login and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Context                system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023
Target Objects                None [ key ]
Source                        login
Source Path                   /bin/login
Port                          <Unknown>
Host                          JerryA-D600
Source RPM Packages           util-linux-ng-2.14.1-3.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-7.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     JerryA-D600
Platform                      Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed Oct 22 21:35:19 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Sun Oct 26 19:57:28 2008
Last Seen                     Sun Oct 26 20:00:06 2008
Local ID                      fcadfe5d-c3f9-41ef-86a7-107480d77831
Line Numbers

Raw Audit Messages

node=JerryA-D600 type=AVC msg=audit(1225069206.632:18): avc: denied { create } for pid=2178 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tclass=key

node=JerryA-D600 type=SYSCALL msg=audit(1225069206.632:18): arch=40000003 syscall=4 success=no exit=-13 a0=3 a1=8586d68 a2=31 a3=8586d68 items=0 ppid=1 pid=2178 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
key=(null)

Thanks,
jerry

--
There's plenty of youth in America - it's time we find the "fountain of smart".
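
Added example, not part of the original post: a small parser run over the two AVC records quoted in the message (plus one abridged SYSCALL record, which it skips), grouping denials by target type, class and permission. It shows that the kdm and login failures are the same denial, key creation with a system_chkpwd_t target context. The function names parse_avc and group_by_target are illustrative.

```python
import re
from collections import defaultdict

# AVC records copied from the sealert output in the post; the SYSCALL record is abridged.
AUDIT_LINES = [
    'node=JerryA-D600 type=AVC msg=audit(1225069193.250:10): avc: denied { create } '
    'for pid=2227 comm="kdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:system_chkpwd_t:s0 tclass=key',
    'node=JerryA-D600 type=AVC msg=audit(1225069206.632:18): avc: denied { create } '
    'for pid=2178 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tclass=key',
    'node=JerryA-D600 type=SYSCALL msg=audit(1225069193.250:10): arch=40000003 '
    'syscall=4 success=no exit=-13 comm="kdm" exe="/usr/bin/kdm"',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)

def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields'))
    rec = {key: value.strip('"') for key, value in fields}
    rec['perms'] = m.group('perms').split()
    rec['serial'] = int(m.group('serial'))
    # A context is user:role:type[:level]; the level may itself contain ':'.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def group_by_target(lines):
    """Map (target type, class, permission) -> set of (comm, source type) denied."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            groups[(rec['ttype'], rec['tclass'], perm)].add((rec['comm'], rec['stype']))
    return dict(groups)

if __name__ == '__main__':
    for (ttype, tclass, perm), sources in group_by_target(AUDIT_LINES).items():
        print(f'{tclass}:{perm} on {ttype} denied for {sorted(sources)}')
```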