https://bugzilla.redhat.com/show_bug.cgi?id=468645

On Sun, Oct 26, 2008 at 9:03 PM, Jerry Amundson <jamundso@xxxxxxxxx> wrote:
> I'm not kidding. I didn't create this problem to prove a point.. I'm
> serious, I didn't! :-)
> Really though, I took a laptop running rawhide, just updated this morning.
> In s-c-selinux I set Enforcing. [I did *not* see a "relabeling takes
> time" warning like I did in f8]
> Rebooted.
> Relabel started. I went to fridge, folded some clothes, whatever...
> I see it rebooting, seems to come to level 5 normally. But users,
> root, nobody can login, graphical, tty, nothing.
> I booted in rescue, start sshd.
> My root ssh login gives me
> "Unable to get valid context for root"
> but gives me a shell anyway. [that's good!]
> SELinux startup in dmesg and boot.log are normal.
> ****
> Snippets from /var/log/secure:
>
> Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_selinux(kdm:session):
> Error! Unable to set jerry key creation context
> system_u:system_r:system_chkpwd_t:s0.
> Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session):
> session opened for user jerry by (uid=0)
> Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session):
> session closed for user jerry
>
> Oct 26 19:57:28 JerryA-D600 login: pam_selinux(login:session): Error!
> Unable to set root key creation context
> system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023.
> Oct 26 19:57:28 JerryA-D600 login: pam_unix(login:session): session
> opened for user root by LOGIN(uid=0)
> Oct 26 19:57:29 JerryA-D600 login: Authentication failure
>
> ****
> Snippets from /var/log/messages:
>
> Oct 26 19:56:14 JerryA-D600 setroubleshoot: SELinux is preventing kdm
> (xdm_t) "create" system_chkpwd_t. For complete SELinux messages. run
> sealert -l 06841090-2a80-4302-85fa-32121e402c57
>
> Oct 26 19:57:29 JerryA-D600 setroubleshoot: SELinux is preventing
> login (local_login_t) "create" system_chkpwd_t. For complete SELinux
> messages.
> run sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831
>
> ****
> Upon starting setroubleshootd, I was able to get this:
>
> [root@localhost log]# sealert -l 06841090-2a80-4302-85fa-32121e402c57
>
> Summary:
>
> SELinux is preventing kdm (xdm_t) "create" system_chkpwd_t.
>
> Detailed Description:
>
> SELinux denied access requested by kdm. It is not expected that this access is
> required by kdm and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context                system_u:system_r:system_chkpwd_t:s0
> Target Objects                None [ key ]
> Source                        kdm
> Source Path                   /usr/bin/kdm
> Port                          <Unknown>
> Host                          JerryA-D600
> Source RPM Packages           kdebase-workspace-4.1.2-7.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.13-7.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     JerryA-D600
> Platform                      Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed
>                               Oct 22 21:35:19 EDT 2008 i686 i686
> Alert Count                   4
> First Seen                    Sun Oct 26 19:56:13 2008
> Last Seen                     Sun Oct 26 19:59:53 2008
> Local ID                      06841090-2a80-4302-85fa-32121e402c57
> Line Numbers
>
> Raw Audit Messages
>
> node=JerryA-D600 type=AVC msg=audit(1225069193.250:10): avc: denied
> { create } for pid=2227 comm="kdm"
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:system_chkpwd_t:s0 tclass=key
>
> node=JerryA-D600 type=SYSCALL msg=audit(1225069193.250:10):
> arch=40000003 syscall=4 success=no exit=-13 a0=6 a1=8ab6d50 a2=25
> a3=8ab6d50 items=0 ppid=2173 pid=2227 auid=500 uid=0 gid=500 euid=0
> suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="kdm"
> exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
> key=(null)
>
> ****
> and this:
> [root@localhost log]# sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831
>
> Summary:
>
> SELinux is preventing login (local_login_t) "create" system_chkpwd_t.
>
> Detailed Description:
>
> SELinux denied access requested by login. It is not expected that this access is
> required by login and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
> Target Context                system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023
> Target Objects                None [ key ]
> Source                        login
> Source Path                   /bin/login
> Port                          <Unknown>
> Host                          JerryA-D600
> Source RPM Packages           util-linux-ng-2.14.1-3.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.13-7.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     JerryA-D600
> Platform                      Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed
>                               Oct 22 21:35:19 EDT 2008 i686 i686
> Alert Count                   3
> First Seen                    Sun Oct 26 19:57:28 2008
> Last Seen                     Sun Oct 26 20:00:06 2008
> Local ID                      fcadfe5d-c3f9-41ef-86a7-107480d77831
> Line Numbers
>
> Raw Audit Messages
>
> node=JerryA-D600 type=AVC msg=audit(1225069206.632:18): avc: denied
> { create } for pid=2178 comm="login"
> scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tclass=key
>
> node=JerryA-D600 type=SYSCALL msg=audit(1225069206.632:18):
> arch=40000003 syscall=4 success=no exit=-13 a0=3 a1=8586d68 a2=31
> a3=8586d68 items=0 ppid=1 pid=2178 auid=0 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="login"
> exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> key=(null)
>
> Thanks,
> jerry
>
> --
> There's plenty of youth in America - it's time we find the "fountain of smart".
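
Added example (not part of the original message and not code from any Fedora tool): a small Python triage script that parses the two raw AVC records quoted above and groups them by target type, object class and permission, which shows that the kdm and login failures are the same denial. The function names are hypothetical, and the two records are copied from the report with their wrapped lines rejoined.

```python
import re

# The two AVC records from the report above, wrapped lines rejoined.
AUDIT_LINES = [
    'node=JerryA-D600 type=AVC msg=audit(1225069193.250:10): avc: denied '
    '{ create } for pid=2227 comm="kdm" '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:system_chkpwd_t:s0 tclass=key',
    'node=JerryA-D600 type=AVC msg=audit(1225069206.632:18): avc: denied '
    '{ create } for pid=2178 comm="login" '
    'scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tclass=key',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None
    rec['perms'] = m.group('perms').split()
    rec['serial'] = int(m.group('serial'))
    # A context is user:role:type[:level]; the MLS level may itself contain
    # ':' (s0-s0:c0.c1023), so split at most three times.
    rec['stype'] = rec['scontext'].split(':', 3)[2]
    rec['ttype'] = rec['tcontext'].split(':', 3)[2]
    return rec


def summarize(lines):
    """Map (target type, class, permissions) -> set of denied source types."""
    groups = {}
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec['ttype'], rec['tclass'], tuple(rec['perms']))
        groups.setdefault(key, set()).add(rec['stype'])
    return groups


if __name__ == '__main__':
    for (ttype, tclass, perms), sources in summarize(AUDIT_LINES).items():
        print(f"{tclass} {{ {' '.join(perms)} }} on {ttype}: "
              f"denied for {', '.join(sorted(sources))}")
```
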