On Sun, Oct 26, 2008 at 7:36 PM, Jerry Amundson <jamundso@xxxxxxxxx> wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=468645
>
> On Sun, Oct 26, 2008 at 9:03 PM, Jerry Amundson <jamundso@xxxxxxxxx> wrote:
>> I'm not kidding. I didn't create this problem to prove a point... I'm
>> serious, I didn't! :-)
>> Really though, I took a laptop running rawhide, just updated this morning.
>> In s-c-selinux I set Enforcing. [I did *not* see a "relabeling takes
>> time" warning like I did in f8]
>> Rebooted.
>> Relabel started. I went to fridge, folded some clothes, whatever...
>> I see it rebooting, seems to come to level 5 normally. But users,
>> root, nobody can login, graphical, tty, nothing.
>> I booted in rescue, start sshd.
>> My root ssh login gives me
>> "Unable to get valid context for root"
>> but gives me a shell anyway. [that's good!]
>> SELinux startup in dmesg and boot.log are normal.
>> ****
>> Snippets from /var/log/secure:
>>
>> Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_selinux(kdm:session): Error! Unable to set jerry key creation context system_u:system_r:system_chkpwd_t:s0.
>> Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session): session opened for user jerry by (uid=0)
>> Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session): session closed for user jerry
>>
>> Oct 26 19:57:28 JerryA-D600 login: pam_selinux(login:session): Error! Unable to set root key creation context system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023.
>> Oct 26 19:57:28 JerryA-D600 login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
>> Oct 26 19:57:29 JerryA-D600 login: Authentication failure
>>
>> ****
>> Snippets from /var/log/messages:
>>
>> Oct 26 19:56:14 JerryA-D600 setroubleshoot: SELinux is preventing kdm (xdm_t) "create" system_chkpwd_t. For complete SELinux messages. run sealert -l 06841090-2a80-4302-85fa-32121e402c57
>>
>> Oct 26 19:57:29 JerryA-D600 setroubleshoot: SELinux is preventing login (local_login_t) "create" system_chkpwd_t. For complete SELinux messages. run sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831
>>
>> ****
>> Upon starting setroubleshootd, I was able to get this:
>>
>> [root@localhost log]# sealert -l 06841090-2a80-4302-85fa-32121e402c57
>>
>> Summary:
>>
>> SELinux is preventing kdm (xdm_t) "create" system_chkpwd_t.
>>
>> Detailed Description:
>>
>> SELinux denied access requested by kdm. It is not expected that this access is
>> required by kdm and this access may signal an intrusion attempt. It is also
>> possible that the specific version or configuration of the application is
>> causing it to require additional access.
>>
>> Allowing Access:
>>
>> You can generate a local policy module to allow this access - see FAQ
>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>> SELinux protection altogether. Disabling SELinux protection is not recommended.
>> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>> against this package.
>>
>> Additional Information:
>>
>> Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
>> Target Context                system_u:system_r:system_chkpwd_t:s0
>> Target Objects                None [ key ]
>> Source                        kdm
>> Source Path                   /usr/bin/kdm
>> Port                          <Unknown>
>> Host                          JerryA-D600
>> Source RPM Packages           kdebase-workspace-4.1.2-7.fc10
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.5.13-7.fc10
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   catchall
>> Host Name                     JerryA-D600
>> Platform                      Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed Oct 22 21:35:19 EDT 2008 i686 i686
>> Alert Count                   4
>> First Seen                    Sun Oct 26 19:56:13 2008
>> Last Seen                     Sun Oct 26 19:59:53 2008
>> Local ID                      06841090-2a80-4302-85fa-32121e402c57
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> node=JerryA-D600 type=AVC msg=audit(1225069193.250:10): avc: denied { create } for pid=2227 comm="kdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_chkpwd_t:s0 tclass=key
>>
>> node=JerryA-D600 type=SYSCALL msg=audit(1225069193.250:10): arch=40000003 syscall=4 success=no exit=-13 a0=6 a1=8ab6d50 a2=25 a3=8ab6d50 items=0 ppid=2173 pid=2227 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>>
>> ****
>> and this:
>> [root@localhost log]# sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831
>>
>> Summary:
>>
>> SELinux is preventing login (local_login_t) "create" system_chkpwd_t.
>>
>> Detailed Description:
>>
>> SELinux denied access requested by login. It is not expected that this access is
>> required by login and this access may signal an intrusion attempt. It is also
>> possible that the specific version or configuration of the application is
>> causing it to require additional access.
>>
>> Allowing Access:
>>
>> You can generate a local policy module to allow this access - see FAQ
>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>> SELinux protection altogether. Disabling SELinux protection is not recommended.
>> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>> against this package.
>>
>> Additional Information:
>>
>> Source Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
>> Target Context                system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023
>> Target Objects                None [ key ]
>> Source                        login
>> Source Path                   /bin/login
>> Port                          <Unknown>
>> Host                          JerryA-D600
>> Source RPM Packages           util-linux-ng-2.14.1-3.fc10
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.5.13-7.fc10
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   catchall
>> Host Name                     JerryA-D600
>> Platform                      Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed Oct 22 21:35:19 EDT 2008 i686 i686
>> Alert Count                   3
>> First Seen                    Sun Oct 26 19:57:28 2008
>> Last Seen                     Sun Oct 26 20:00:06 2008
>> Local ID                      fcadfe5d-c3f9-41ef-86a7-107480d77831
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> node=JerryA-D600 type=AVC msg=audit(1225069206.632:18): avc: denied { create } for pid=2178 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tclass=key
>>
>> node=JerryA-D600 type=SYSCALL msg=audit(1225069206.632:18): arch=40000003 syscall=4 success=no exit=-13 a0=3 a1=8586d68 a2=31 a3=8586d68 items=0 ppid=1 pid=2178 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
>>
>> Thanks,
>> jerry

Booting in permissive mode (via kernel boot option of "enforcing=0") may
allow you to boot/login in such circumstances, also providing access to
any AVCs that may be causing problems.

If that allows you to boot (either to runlevel 3 or 5), "audit2allow -l"
may provide some tell-tale clues....

Can't recall the last time I needed to resort to a rescue CD......

tom
--
Tom London

--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list
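Added example, not code from this list or from Fedora's own tools: it parses the raw audit records quoted above, joins each AVC record to its SYSCALL record by audit serial, and derives the TE rule that audit2allow would propose, so you can see exactly which source type, target type, object class and permission are being denied before deciding whether a local policy module or a bug report is the right answer. The records below are copied from the thread; the helper names are my own.

```python
import errno
import re
from collections import defaultdict

# AVC/SYSCALL pairs copied verbatim from the two sealert reports quoted above.
RAW_AUDIT = """
node=JerryA-D600 type=AVC msg=audit(1225069193.250:10): avc: denied { create } for pid=2227 comm="kdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_chkpwd_t:s0 tclass=key
node=JerryA-D600 type=SYSCALL msg=audit(1225069193.250:10): arch=40000003 syscall=4 success=no exit=-13 a0=6 a1=8ab6d50 a2=25 a3=8ab6d50 items=0 ppid=2173 pid=2227 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
node=JerryA-D600 type=AVC msg=audit(1225069206.632:18): avc: denied { create } for pid=2178 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tclass=key
node=JerryA-D600 type=SYSCALL msg=audit(1225069206.632:18): arch=40000003 syscall=4 success=no exit=-13 a0=3 a1=8586d68 a2=31 a3=8586d68 items=0 ppid=1 pid=2178 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
"""

# The audit serial (the number after the colon in msg=audit(...)) ties an AVC
# record to the SYSCALL record of the same event.
SERIAL_RE = re.compile(r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)')
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value fields of a SYSCALL record


def type_of(ctx):
    """user:role:type[:range] -> the SELinux type, which is what TE rules name."""
    return ctx.split(':')[2]


def parse_denials(text):
    """Return one dict per denied event, AVC fields merged with its SYSCALL fields."""
    events = defaultdict(dict)
    for line in text.splitlines():
        serial = SERIAL_RE.search(line)
        if not serial:
            continue
        ev = events[serial.group('serial')]
        if 'type=AVC' in line and (m := AVC_RE.search(line)):
            ev.update(m.groupdict())
            ev['perms'] = sorted(ev['perms'].split())
        elif 'type=SYSCALL' in line:
            kv = dict(KV_RE.findall(line))
            ev['exe'] = kv.get('exe', '').strip('"')
            ev['success'] = kv.get('success') == 'yes'
            ev['exit'] = int(kv.get('exit', '0'))
            ev['errno'] = errno.errorcode.get(-ev['exit'])  # -13 -> EACCES
    return [events[k] for k in sorted(events, key=int)]


def allow_rule(ev):
    """The TE allow rule audit2allow would generate for this denial (diagnostic only)."""
    return 'allow %s %s:%s { %s };' % (type_of(ev['scontext']), type_of(ev['tcontext']),
                                       ev['tclass'], ' '.join(ev['perms']))
```

Seeing the rule spelled out (here xdm_t and local_login_t both want `create` on a `key` object labelled system_chkpwd_t) is what tells you the login helper's key creation context is the real problem, which matches the pam_selinux errors in /var/log/secure.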