Hi Stephen & Dan,
From the /var/log/ files, I am not sure what PAM module is having problems?! All I get is a "System error" in the /var/log/secure file!
So I reset the card; when I try to log in the first time on the console as root, I get "Login incorrect", and the second time the login is successful. This is 100% reproducible. SELinux is running in permissive mode.
unknown_host login: root
Password:
Login incorrect
Unknown_host login: root
Password:
Last login: Mon Mar 17 21:45:52 GMT 2008 on ttyS0
root@hapWibbSc3:/root>
Here are excerpts from the necessary files:
/var/log/secure
----------------------
Mar 17 21:45:45 unknown sshd[1087]: Server listening on 0.0.0.0 port 22.
Mar 17 21:45:49 unknown login[2103]: FAILED LOGIN (1) on 'ttyS0' FOR `root', System error
Mar 17 21:45:52 unknown login[2103]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Mar 17 21:45:52 unknown login[2951]: ROOT LOGIN on 'ttyS0'
/var/log/messages
----------------------------
Mar 17 21:45:49 unknown kernel: SELinux: initialized (dev dm-5, type ext3), uses xattr
Mar 17 21:45:49 unknown kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Mar 17 21:45:49 unknown kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Mar 17 21:45:49 unknown kernel: audit(1205790341.507:8): avc: denied { read } for pid=743 comm="pam_console_app" name="mnt" dev=dm-3 ino=47105 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
/var/log/dmesg
----------------------
audit(1205790341.507:8): avc: denied { read } for pid=743 comm="pam_console_app" name="mnt" dev=dm-3 ino=47105 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
-----Original Message-----
From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
Sent: Monday, March 17, 2008 7:22 AM
To: Hasan Rezaul-CHR010
Cc: SE Linux
Subject: Re: First Attempt at root login on console always FAILS ??
On Fri, 2008-03-14 at 18:15 -0400, Hasan Rezaul-CHR010 wrote:
> Hi All,
>
> I am getting an irritating problem on my Linux card (running SELinux
> in permissive mode) that I didn't use to see before, and I am not sure
> what's causing it:
>
> When I reset my Linux card, once it boots up and I get the login
> prompt, my first attempt at logging in as root on the console ALWAYS
> fails! My second attempt and afterwards ALWAYS succeeds!
>
> unknown host login: root
> password: root
> Login Failure
> unknown host login: root
> Password: root
> root@unknown host#
>
>
>
> This didn't use to happen before, and I am not sure what's causing
> it. I do know that if I disable SELinux, the problem goes away! I am
> guessing the problem is somewhere in between PAM and SELinux. Any
> suggestions on what may be causing it? I have versions:
>
> checkpolicy 1.34.1
> libselinux 1.34.7
> libsemanage 1.10.3
> libsepol 1.16.1
> policycoreutils 1.34.6
>
>
> Contents of /etc/pam.d/login file
> ------------------------------------------------
>
> # Begin /etc/pam.d/login
> auth required pam_tally.so deny=3 unlock_time=300
> auth requisite pam_securetty.so
> auth requisite pam_nologin.so
> auth required pam_env.so
> auth required pam_unix.so
> account required pam_tally.so
> account required pam_access.so
> account required pam_unix.so
> # pam_selinux.so close should be the first session rule
> session required pam_selinux.so close
> session required pam_loginuid.so
> session required pam_motd.so
> session required pam_limits.so
> session optional pam_mail.so dir=/var/mail standard
> session optional pam_lastlog.so
> session required pam_unix.so
> # pam_selinux.so open should only be followed by sessions to be executed in the user context
> session required pam_selinux.so open
> # End /etc/pam.d/login
The pam_selinux entries look ok, assuming the version of pam_selinux you are using actually supports the close/open arguments. The rest of your pam config though is rather different from the stock Fedora one.
Do you get any output in /var/log/secure or elsewhere that identifies what pam module is encountering an error?
If not, can you comment out or make optional some of the pam modules to help identify where the failure is occurring, e.g. pam_tally and pam_access?
--
Stephen Smalley
National Security Agency
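The thread shows the two things a practitioner has to line up by hand here: the "FAILED LOGIN ... System error" line in /var/log/secure, which names no PAM module, and the kernel AVC record, whose syslog timestamp is when syslogd wrote it rather than when the kernel generated it (the audit(epoch.ms:serial) stamp). The script below is an added example, not code from the thread or from any of its participants. It parses the quoted excerpts (embedded as constructed sample input), converts the audit epoch to a real time, reports which AVC denials fall in a window before each login failure, and lists the auth stack of the posted /etc/pam.d/login so you can see which modules Stephen's suggestion of making modules optional would touch. The year 2008 and a GMT system clock are assumptions taken from the "Last login ... GMT 2008" line; the 30-second window and the helper names (parse_log, denials_before, pam_stack) are mine.

```python
"""Correlate a PAM login failure with SELinux AVC denials from the same boot.
Added example, not code from the thread.  The year (2008) and a GMT clock are
assumed from the "Last login ... GMT 2008" line; syslog stamps carry neither.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ASSUMED_YEAR = 2008  # assumption: syslog lines have no year field

# Constructed sample input: the /var/log/secure and /var/log/messages excerpts from the thread.
SAMPLE_LOG = """\
Mar 17 21:45:45 unknown sshd[1087]: Server listening on 0.0.0.0 port 22.
Mar 17 21:45:49 unknown login[2103]: FAILED LOGIN (1) on 'ttyS0' FOR `root', System error
Mar 17 21:45:52 unknown login[2103]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Mar 17 21:45:52 unknown login[2951]: ROOT LOGIN on 'ttyS0'
Mar 17 21:45:49 unknown kernel: SELinux: initialized (dev dm-5, type ext3), uses xattr
Mar 17 21:45:49 unknown kernel: audit(1205790341.507:8): avc: denied { read } for pid=743 comm="pam_console_app" name="mnt" dev=dm-3 ino=47105 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
"""

# Constructed sample input: the auth stack of the /etc/pam.d/login posted in the thread.
SAMPLE_PAM_LOGIN = """\
auth required pam_tally.so deny=3 unlock_time=300
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_unix.so
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
AUDIT_RE = re.compile(r"audit\((?P<epoch>\d+)\.(?P<ms>\d{1,3}):\d+\): (?P<body>.*)$")
AVC_DENY_RE = re.compile(r"avc: +denied +\{ *([^}]*?) *\}")
AVC_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class Event:
    logged_at: datetime         # syslog stamp: when syslogd wrote the line
    occurred_at: datetime       # audit epoch for kernel audit records, else logged_at
    prog: str
    msg: str
    avc: Optional[dict] = None  # parsed fields of an AVC record, if the line is one

def parse_log(text, year=ASSUMED_YEAR):
    """Parse syslog-format lines; kernel audit() records get their true event time."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        logged = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        logged = logged.replace(tzinfo=timezone.utc)  # assumption: clock runs in GMT
        occurred, avc = logged, None
        a = AUDIT_RE.search(m["msg"])
        if a:
            # audit(epoch.ms:serial) is when the kernel generated the record; the
            # syslog stamp is later if the boot buffer was flushed to disk afterwards.
            occurred = (datetime.fromtimestamp(int(a["epoch"]), tz=timezone.utc)
                        + timedelta(milliseconds=int(a["ms"])))
            d = AVC_DENY_RE.search(a["body"])
            if d:
                avc = {k: v.strip('"') for k, v in AVC_FIELD_RE.findall(a["body"])}
                avc["perm"] = d.group(1)
        events.append(Event(logged, occurred, m["prog"], m["msg"], avc))
    return events

def failed_logins(events):
    """login(1) failures reported via PAM, e.g. 'FAILED LOGIN ... System error'."""
    return [e for e in events if e.prog == "login" and "FAILED LOGIN" in e.msg]

def denials_before(events, failure, window_s=30.0):
    """(seconds_before_failure, comm, perm, tclass) for AVC denials in the window, oldest first."""
    found = []
    for e in events:
        if e.avc is not None:
            delta = (failure.occurred_at - e.occurred_at).total_seconds()
            if 0 <= delta <= window_s:
                found.append((round(delta, 3), e.avc["comm"], e.avc["perm"], e.avc["tclass"]))
    return sorted(found, reverse=True)

def pam_stack(config_text, facility="auth"):
    """Modules of one PAM management group, in order: (control, module, [args])."""
    stack = []
    for raw in config_text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate the '> ' quoting used in the thread
        if line and not line.startswith("#"):
            parts = line.split()
            if len(parts) >= 3 and parts[0] == facility:
                stack.append((parts[1], parts[2], parts[3:]))
    return stack

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in failed_logins(evs):
        print(f.occurred_at.isoformat(), f.msg)
        for delta, comm, perm, tclass in denials_before(evs, f):
            print(f"  {delta:.3f}s earlier: avc denied {perm} on {tclass} for comm={comm}")
```

On the quoted excerpts this reports the AVC denial as having been generated at 21:45:41.507 GMT, about 7.5 seconds before the 21:45:49 login failure, even though syslog stamped both at 21:45:49; its comm is pam_console_app, which does not correspond to any module named in the posted /etc/pam.d/login auth stack, so the timeline alone does not tie the two together. The "System error" string is what pam_strerror() returns for PAM_SYSTEM_ERR, and login prints it without naming the module, which is why the module-by-module bisection Stephen suggests (making pam_tally and pam_access optional one at a time and watching /var/log/secure) is the practical next step.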