rawhide:selinux relabeled fs, now cannot login

Daniel J Walsh dwalsh at redhat.com
Mon Oct 27 19:09:45 UTC 2008


Tom London wrote:
> On Sun, Oct 26, 2008 at 7:36 PM, Jerry Amundson <jamundso at gmail.com> wrote:
>> https://bugzilla.redhat.com/show_bug.cgi?id=468645
>>
>> On Sun, Oct 26, 2008 at 9:03 PM, Jerry Amundson <jamundso at gmail.com> wrote:
>>> I'm not kidding. I didn't create this problem to prove a point.. I'm
>>> serious, I didn't! :-)
>>> Really though, I took a laptop running rawhide, just updated this morning.
>>> In s-c-selinux I set Enforcing. [I did *not* see a "relabeling takes
>>> time" warning like I did in f8]
>>> Rebooted.
>>> Relabel started. I went to fridge, folded some clothes, whatever...
>>> I see it rebooting, seems to come to level 5 normally. But users,
>>> root, nobody can login, graphical, tty, nothing.
>>> I booted in rescue, started sshd.
>>> My root ssh login gives me
>>> "Unable to get valid context for root"
>>> but gives me a shell anyway. [that's good!]
>>> SELinux startup in dmesg and boot.log are normal.
>>> ****
>>> Snippets from /var/log/secure:
>>>
>>> Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_selinux(kdm:session):
>>> Error!  Unable to set jerry key creation context
>>> system_u:system_r:system_chkpwd_t:s0.
>>> Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session):
>>> session opened for user jerry by (uid=0)
>>> Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session):
>>> session closed for user jerry
>>>
>>> Oct 26 19:57:28 JerryA-D600 login: pam_selinux(login:session): Error!
>>> Unable to set root key creation context
>>> system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023.
>>> Oct 26 19:57:28 JerryA-D600 login: pam_unix(login:session): session
>>> opened for user root by LOGIN(uid=0)
>>> Oct 26 19:57:29 JerryA-D600 login: Authentication failure
>>>
>>> ****
>>> Snippets from /var/log/messages:
>>>
>>> Oct 26 19:56:14 JerryA-D600 setroubleshoot: SELinux is preventing kdm
>>> (xdm_t) "create" system_chkpwd_t. For complete SELinux messages. run
>>> sealert -l 06841090-2a80-4302-85fa-32121e402c57
>>>
>>> Oct 26 19:57:29 JerryA-D600 setroubleshoot: SELinux is preventing
>>> login (local_login_t) "create" system_chkpwd_t. For complete SELinux
>>> messages. run sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831
>>>
>>> ****
>>> Upon starting setroubleshootd, I was able to get this:
>>>
>>> [root at localhost log]# sealert -l 06841090-2a80-4302-85fa-32121e402c57
>>>
>>> Summary:
>>>
>>> SELinux is preventing kdm (xdm_t) "create" system_chkpwd_t.
>>>
>>> Detailed Description:
>>>
>>> SELinux denied access requested by kdm. It is not expected that this access is
>>> required by kdm and this access may signal an intrusion attempt. It is also
>>> possible that the specific version or configuration of the application is
>>> causing it to require additional access.
>>>
>>> Allowing Access:
>>>
>>> You can generate a local policy module to allow this access - see FAQ
>>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>>> SELinux protection altogether. Disabling SELinux protection is not recommended.
>>> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>>> against this package.
>>>
>>> Additional Information:
>>>
>>> Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
>>> Target Context                system_u:system_r:system_chkpwd_t:s0
>>> Target Objects                None [ key ]
>>> Source                        kdm
>>> Source Path                   /usr/bin/kdm
>>> Port                          <Unknown>
>>> Host                          JerryA-D600
>>> Source RPM Packages           kdebase-workspace-4.1.2-7.fc10
>>> Target RPM Packages
>>> Policy RPM                    selinux-policy-3.5.13-7.fc10
>>> Selinux Enabled               True
>>> Policy Type                   targeted
>>> MLS Enabled                   True
>>> Enforcing Mode                Enforcing
>>> Plugin Name                   catchall
>>> Host Name                     JerryA-D600
>>> Platform                      Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed
>>>                              Oct 22 21:35:19 EDT 2008 i686 i686
>>> Alert Count                   4
>>> First Seen                    Sun Oct 26 19:56:13 2008
>>> Last Seen                     Sun Oct 26 19:59:53 2008
>>> Local ID                      06841090-2a80-4302-85fa-32121e402c57
>>> Line Numbers
>>>
>>> Raw Audit Messages
>>>
>>> node=JerryA-D600 type=AVC msg=audit(1225069193.250:10): avc:  denied
>>> { create } for  pid=2227 comm="kdm"
>>> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>>> tcontext=system_u:system_r:system_chkpwd_t:s0 tclass=key
>>>
>>> node=JerryA-D600 type=SYSCALL msg=audit(1225069193.250:10):
>>> arch=40000003 syscall=4 success=no exit=-13 a0=6 a1=8ab6d50 a2=25
>>> a3=8ab6d50 items=0 ppid=2173 pid=2227 auid=500 uid=0 gid=500 euid=0
>>> suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="kdm"
>>> exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
>>> key=(null)
>>>
>>> ****
>>> and this:
>>> [root at localhost log]# sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831
>>>
>>> Summary:
>>>
>>> SELinux is preventing login (local_login_t) "create" system_chkpwd_t.
>>>
>>> Detailed Description:
>>>
>>> SELinux denied access requested by login. It is not expected that this access is
>>> required by login and this access may signal an intrusion attempt. It is also
>>> possible that the specific version or configuration of the application is
>>> causing it to require additional access.
>>>
>>> Allowing Access:
>>>
>>> You can generate a local policy module to allow this access - see FAQ
>>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>>> SELinux protection altogether. Disabling SELinux protection is not recommended.
>>> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>>> against this package.
>>>
>>> Additional Information:
>>>
>>> Source Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
>>> Target Context                system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023
>>> Target Objects                None [ key ]
>>> Source                        login
>>> Source Path                   /bin/login
>>> Port                          <Unknown>
>>> Host                          JerryA-D600
>>> Source RPM Packages           util-linux-ng-2.14.1-3.fc10
>>> Target RPM Packages
>>> Policy RPM                    selinux-policy-3.5.13-7.fc10
>>> Selinux Enabled               True
>>> Policy Type                   targeted
>>> MLS Enabled                   True
>>> Enforcing Mode                Enforcing
>>> Plugin Name                   catchall
>>> Host Name                     JerryA-D600
>>> Platform                      Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed
>>>                              Oct 22 21:35:19 EDT 2008 i686 i686
>>> Alert Count                   3
>>> First Seen                    Sun Oct 26 19:57:28 2008
>>> Last Seen                     Sun Oct 26 20:00:06 2008
>>> Local ID                      fcadfe5d-c3f9-41ef-86a7-107480d77831
>>> Line Numbers
>>>
>>> Raw Audit Messages
>>>
>>> node=JerryA-D600 type=AVC msg=audit(1225069206.632:18): avc:  denied
>>> { create } for  pid=2178 comm="login"
>>> scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
>>> tcontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tclass=key
>>>
>>> node=JerryA-D600 type=SYSCALL msg=audit(1225069206.632:18):
>>> arch=40000003 syscall=4 success=no exit=-13 a0=3 a1=8586d68 a2=31
>>> a3=8586d68 items=0 ppid=1 pid=2178 auid=0 uid=0 gid=0 euid=0 suid=0
>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="login"
>>> exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
>>> key=(null)
>>>
>>> Thanks,
>>> jerry
>>>
> Booting in permissive mode (via kernel boot option of "enforcing=0")
> may allow you to boot/login in such circumstances, also providing
> access to any AVCs that may be causing problems.
> 
> If that allows you to boot (either to runlevel 3 or 5), "audit2allow
> -l" may provide some tell-tale clues....
> 
> Can't recall the last time I needed to resort to a rescue CD......
> 
> tom
This looks like your user database is screwed up.

# semanage login -l
# semanage user -l
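
The thread's diagnosis rests on reading the two AVC records against the pam_selinux errors: both denials are on object class `key` (the kernel keyring, not a file, so a relabel cannot touch it), and the denied target context is exactly the "key creation context" pam_selinux computed for the user from the login mapping, which is why the reply points at `semanage login -l` / `semanage user -l`. The following triage script is an added example and not code from the thread or from Fedora; it parses the raw AVC lines and pam_selinux messages quoted above (re-joined onto single lines, since the mail wrapped them), splits the contexts into user:role:type:range, correlates each denial with the user whose session produced it, and flags the things a practitioner would look at. The function and field names are the example's own; the sample log lines are copied from the thread.

```python
import re
from dataclasses import dataclass

# Sample input constructed from the thread: the two raw AVC records and the two
# pam_selinux errors, each re-joined onto a single line.
SAMPLE_AVCS = [
    'node=JerryA-D600 type=AVC msg=audit(1225069193.250:10): avc:  denied '
    '{ create } for  pid=2227 comm="kdm" '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:system_chkpwd_t:s0 tclass=key',
    'node=JerryA-D600 type=AVC msg=audit(1225069206.632:18): avc:  denied '
    '{ create } for  pid=2178 comm="login" '
    'scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tclass=key',
]
SAMPLE_PAM = [
    'Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_selinux(kdm:session): '
    'Error!  Unable to set jerry key creation context '
    'system_u:system_r:system_chkpwd_t:s0.',
    'Oct 26 19:57:28 JerryA-D600 login: pam_selinux(login:session): Error! '
    'Unable to set root key creation context '
    'system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023.',
]

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}'
                    r'\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value, value may be quoted
PAM_RE = re.compile(r'pam_selinux\((?P<service>[^)]+)\):\s+Error!\s+Unable to set '
                    r'(?P<user>\S+) key creation context (?P<ctx>\S+?)\.?$')


@dataclass
class Context:
    """A security context split into user:role:type[:range]; range is '' on a
    policy without MLS/MCS."""
    user: str
    role: str
    type: str
    range: str = ''

    @classmethod
    def parse(cls, text):
        parts = text.split(':', 3)          # the range itself contains ':' (s0-s0:c0.c1023)
        if len(parts) < 3:
            raise ValueError('not a security context: %r' % text)
        return cls(*parts)


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if 'scontext' not in rec or 'tcontext' not in rec:
        return None
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    rec['src'] = Context.parse(rec['scontext'])
    rec['tgt'] = Context.parse(rec['tcontext'])
    return rec


def triage(rec):
    """Observations worth checking for one denial (heuristics, not policy facts)."""
    findings = []
    src, tgt = rec['src'], rec['tgt']
    if rec.get('tclass') == 'key':
        findings.append('object class is key (kernel keyring, not a file): restorecon '
                        'cannot change it; the target is the session context pam_selinux computed')
    if tgt.range != src.range:
        findings.append('target range %s differs from source range %s'
                        % (tgt.range or '(none)', src.range or '(none)'))
    if tgt.role == 'system_r':
        findings.append('target role is system_r, not a login-user role: check the '
                        'seuser mapping with semanage login -l and semanage user -l')
    return findings


def correlate(avc_lines, pam_lines):
    """Match each denied AVC to the pam_selinux error naming the user whose
    computed key creation context equals the denied target context."""
    pam = [m for m in (PAM_RE.search(l) for l in pam_lines) if m]
    out = []
    for line in avc_lines:
        rec = parse_avc(line)
        if not rec or rec['result'] != 'denied':
            continue
        users = sorted({m.group('user') for m in pam if m.group('ctx') == rec['tcontext']})
        out.append({'comm': rec.get('comm'), 'tclass': rec.get('tclass'),
                    'tcontext': rec['tcontext'], 'users': users, 'findings': triage(rec)})
    return out


if __name__ == '__main__':
    for r in correlate(SAMPLE_AVCS, SAMPLE_PAM):
        print('%s denied %s on %s (users: %s)' % (r['comm'], r['tclass'], r['tcontext'],
                                                  ', '.join(r['users']) or '?'))
        for f in r['findings']:
            print('  -', f)
```

On a live box the AVC lines come from `ausearch -m avc` (or `/var/log/audit/audit.log`) and the pam_selinux lines from `/var/log/secure`; the point of the correlation is that a denial on class `key` whose target matches the user's computed session context is a login-mapping problem to chase with `semanage`, not something `fixfiles`/`restorecon` or an `audit2allow` module should be used to paper over.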

