Tom London wrote:
> On Sun, Oct 26, 2008 at 7:36 PM, Jerry Amundson <jamundso@xxxxxxxxx> wrote:
>> https://bugzilla.redhat.com/show_bug.cgi?id=468645
>>
>> On Sun, Oct 26, 2008 at 9:03 PM, Jerry Amundson <jamundso@xxxxxxxxx> wrote:
>>> I'm not kidding. I didn't create this problem to prove a point.. I'm
>>> serious, I didn't! :-)
>>> Really though, I took a laptop running rawhide, just updated this morning.
>>> In s-c-selinux I set Enforcing. [I did *not* see a "relabeling takes
>>> time" warning like I did in f8]
>>> Rebooted.
>>> Relabel started. I went to fridge, folded some clothes, whatever...
>>> I see it rebooting, seems to come to level 5 normally. But users,
>>> root, nobody can login, graphical, tty, nothing.
>>> I booted in rescue, start sshd.
>>> My root ssh login gives me
>>> "Unable to get valid context for root"
>>> but gives me a shell anyway. [that's good!]
>>> SElinux startup in dmesg and boot.log are normal.
>>> ****
>>> Snippets from /var/log/secure:
>>>
>>> Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_selinux(kdm:session):
>>> Error! Unable to set jerry key creation context
>>> system_u:system_r:system_chkpwd_t:s0.
>>> Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session):
>>> session opened for user jerry by (uid=0)
>>> Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session):
>>> session closed for user jerry
>>>
>>> Oct 26 19:57:28 JerryA-D600 login: pam_selinux(login:session): Error!
>>> Unable to set root key creation context
>>> system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023.
>>> Oct 26 19:57:28 JerryA-D600 login: pam_unix(login:session): session
>>> opened for user root by LOGIN(uid=0)
>>> Oct 26 19:57:29 JerryA-D600 login: Authentication failure
>>>
>>> ****
>>> Snippets from /var/log/messages:
>>>
>>> Oct 26 19:56:14 JerryA-D600 setroubleshoot: SELinux is preventing kdm
>>> (xdm_t) "create" system_chkpwd_t. For complete SELinux messages. run
>>> sealert -l 06841090-2a80-4302-85fa-32121e402c57
>>>
>>> Oct 26 19:57:29 JerryA-D600 setroubleshoot: SELinux is preventing
>>> login (local_login_t) "create" system_chkpwd_t. For complete SELinux
>>> messages. run sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831
>>>
>>> ****
>>> Upon starting setroubleshootd, I was able to get this:
>>>
>>> [root@localhost log]# sealert -l 06841090-2a80-4302-85fa-32121e402c57
>>>
>>> Summary:
>>>
>>> SELinux is preventing kdm (xdm_t) "create" system_chkpwd_t.
>>>
>>> Detailed Description:
>>>
>>> SELinux denied access requested by kdm. It is not expected that this access is
>>> required by kdm and this access may signal an intrusion attempt. It is also
>>> possible that the specific version or configuration of the application is
>>> causing it to require additional access.
>>>
>>> Allowing Access:
>>>
>>> You can generate a local policy module to allow this access - see FAQ
>>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>>> SELinux protection altogether. Disabling SELinux protection is not recommended.
>>> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>>> against this package.
>>>
>>> Additional Information:
>>>
>>> Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
>>> Target Context                system_u:system_r:system_chkpwd_t:s0
>>> Target Objects                None [ key ]
>>> Source                        kdm
>>> Source Path                   /usr/bin/kdm
>>> Port                          <Unknown>
>>> Host                          JerryA-D600
>>> Source RPM Packages           kdebase-workspace-4.1.2-7.fc10
>>> Target RPM Packages
>>> Policy RPM                    selinux-policy-3.5.13-7.fc10
>>> Selinux Enabled               True
>>> Policy Type                   targeted
>>> MLS Enabled                   True
>>> Enforcing Mode                Enforcing
>>> Plugin Name                   catchall
>>> Host Name                     JerryA-D600
>>> Platform                      Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed
>>>                               Oct 22 21:35:19 EDT 2008 i686 i686
>>> Alert Count                   4
>>> First Seen                    Sun Oct 26 19:56:13 2008
>>> Last Seen                     Sun Oct 26 19:59:53 2008
>>> Local ID                      06841090-2a80-4302-85fa-32121e402c57
>>> Line Numbers
>>>
>>> Raw Audit Messages
>>>
>>> node=JerryA-D600 type=AVC msg=audit(1225069193.250:10): avc: denied
>>> { create } for pid=2227 comm="kdm"
>>> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>>> tcontext=system_u:system_r:system_chkpwd_t:s0 tclass=key
>>>
>>> node=JerryA-D600 type=SYSCALL msg=audit(1225069193.250:10):
>>> arch=40000003 syscall=4 success=no exit=-13 a0=6 a1=8ab6d50 a2=25
>>> a3=8ab6d50 items=0 ppid=2173 pid=2227 auid=500 uid=0 gid=500 euid=0
>>> suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="kdm"
>>> exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
>>> key=(null)
>>>
>>> ****
>>> and this:
>>> [root@localhost log]# sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831
>>>
>>> Summary:
>>>
>>> SELinux is preventing login (local_login_t) "create" system_chkpwd_t.
>>>
>>> Detailed Description:
>>>
>>> SELinux denied access requested by login. It is not expected that this access is
>>> required by login and this access may signal an intrusion attempt. It is also
>>> possible that the specific version or configuration of the application is
>>> causing it to require additional access.
>>>
>>> Allowing Access:
>>>
>>> You can generate a local policy module to allow this access - see FAQ
>>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>>> SELinux protection altogether. Disabling SELinux protection is not recommended.
>>> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>>> against this package.
>>>
>>> Additional Information:
>>>
>>> Source Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
>>> Target Context                system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023
>>> Target Objects                None [ key ]
>>> Source                        login
>>> Source Path                   /bin/login
>>> Port                          <Unknown>
>>> Host                          JerryA-D600
>>> Source RPM Packages           util-linux-ng-2.14.1-3.fc10
>>> Target RPM Packages
>>> Policy RPM                    selinux-policy-3.5.13-7.fc10
>>> Selinux Enabled               True
>>> Policy Type                   targeted
>>> MLS Enabled                   True
>>> Enforcing Mode                Enforcing
>>> Plugin Name                   catchall
>>> Host Name                     JerryA-D600
>>> Platform                      Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed
>>>                               Oct 22 21:35:19 EDT 2008 i686 i686
>>> Alert Count                   3
>>> First Seen                    Sun Oct 26 19:57:28 2008
>>> Last Seen                     Sun Oct 26 20:00:06 2008
>>> Local ID                      fcadfe5d-c3f9-41ef-86a7-107480d77831
>>> Line Numbers
>>>
>>> Raw Audit Messages
>>>
>>> node=JerryA-D600 type=AVC msg=audit(1225069206.632:18): avc: denied
>>> { create } for pid=2178 comm="login"
>>> scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
>>> tcontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tclass=key
>>>
>>> node=JerryA-D600 type=SYSCALL msg=audit(1225069206.632:18):
>>> arch=40000003 syscall=4 success=no exit=-13 a0=3 a1=8586d68 a2=31
>>> a3=8586d68 items=0 ppid=1 pid=2178 auid=0 uid=0 gid=0 euid=0 suid=0
>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="login"
>>> exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
>>> key=(null)
>>>
>>> Thanks,
>>> jerry
>>>
> Booting in permissive mode (via kernel boot option of "enforcing=0")
> may allow you to boot/login in such circumstances, also providing
> access to any AVCs that may be causing problems.
>
> If that allows you to boot (either to runlevel 3 or 5), "audit2allow
> -l" may provide some tell-tale clues....
>
> Can't recall the last time I needed to resort to a rescue CD......
>
> tom

This looks like your user database is screwed up.

# semanage login -l
# semanage user -l

-- 
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list
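A small triage script, added here as an illustration and not part of the thread, that parses the raw AVC records Jerry posted and reports each denial together with whether the source and target MLS ranges differ, as they do in the kdm record (s0-s0:c0.c1023 against s0) but not in the login record. The sample input is constructed from the quoted records and the function names are mine.

```python
import re
from typing import Optional

# Constructed input: the two raw AVC records quoted above plus one SYSCALL
# record, as a three-line audit.log excerpt (values as posted, layout mine).
SAMPLE_AUDIT = """\
node=JerryA-D600 type=AVC msg=audit(1225069193.250:10): avc: denied { create } for pid=2227 comm="kdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_chkpwd_t:s0 tclass=key
node=JerryA-D600 type=SYSCALL msg=audit(1225069193.250:10): arch=40000003 syscall=4 success=no exit=-13 pid=2227 auid=500 uid=0 comm="kdm" exe="/usr/bin/kdm"
node=JerryA-D600 type=AVC msg=audit(1225069206.632:18): avc: denied { create } for pid=2178 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tclass=key
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def split_context(ctx: str) -> dict:
    """Split user:role:type:mls; the MLS range itself may contain colons."""
    parts = ctx.split(":", 3)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "mls": parts[3] if len(parts) == 4 else ""}

def parse_avc(line: str) -> Optional[dict]:
    """Return the fields of a type=AVC record, or None for any other record."""
    m = AVC_RE.search(line) if "type=AVC " in line else None
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {"result": m.group("result"), "perms": m.group("perms").split(),
            "comm": kv.get("comm", ""), "tclass": kv.get("tclass", ""),
            "source": split_context(kv["scontext"]),
            "target": split_context(kv["tcontext"])}

def mls_range_mismatch(rec: dict) -> bool:
    """True when source and target carry different MLS ranges (the kdm case)."""
    return rec["source"]["mls"] != rec["target"]["mls"]

def triage(audit_text: str) -> list:
    """One summary line per denial, flagging a range mismatch when present."""
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        note = " (MLS range differs)" if mls_range_mismatch(rec) else ""
        out.append(f'{rec["comm"]} ({rec["source"]["type"]}) {" ".join(rec["perms"])} '
                   f'{rec["tclass"]} -> {rec["target"]["type"]}{note}')
    return out
```

On a live system the same `triage` function can be fed the output of `ausearch -m avc --raw` instead of the embedded sample.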