Red Hat Bugzilla – Attachment 1469624 Details for Bug 1606923: SELinux blocks smart card login at console on installation with DISA STIG security profile
SELinux Alert details for attempted smart card login discussed above.
selinux_ocsp.txt (text/plain), 4.84 KB, created by kimball58 on 2018-07-20 23:35:52 UTC

SELinux is preventing /usr/bin/login from using the signull access on a process.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that login should be allowed signull access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'login' --raw | audit2allow -M my-login
# semodule -i my-login.pp

Additional Information:
Source Context system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
 023
Target Objects Unknown [ process ]
Source login
Source Path /usr/bin/login
Port <Unknown>
Host gx96ln1
Source RPM Packages util-linux-2.23.2-52.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-192.el7_5.4.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name gx96ln1
Platform Linux gx96ln1 3.10.0-862.9.1.el7.x86_64 #1 SMP Mon
 Jul 16 16:29:36 UTC 2018 x86_64 x86_64
Alert Count 2
First Seen 2018-07-19 07:53:57 EDT
Last Seen 2018-07-19 07:53:57 EDT
Local ID 78de329e-39a7-409b-bb89-11944b8a035f

Raw Audit Messages
type=AVC msg=audit(1532001237.129:62695): avc: denied { signull } for pid=30292 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

type=SYSCALL msg=audit(1532001237.129:62695): arch=x86_64 syscall=kill success=no exit=EACCES a0=719d a1=0 a2=8 a3=6 items=0 ppid=1 pid=30292 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=221 comm=login exe=/usr/bin/login subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)

Hash: login,local_login_t,unconfined_t,process,signull

*****************************************************************************

SELinux is preventing /usr/bin/login from name_connect access on the tcp_socket port 80.

***** Plugin catchall_boolean (47.5 confidence) suggests ******************

If you want to allow authlogin to yubikey
Then you must tell SELinux about this by enabling the 'authlogin_yubikey' boolean.

Do
setsebool -P authlogin_yubikey 1

***** Plugin catchall_boolean (47.5 confidence) suggests ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

***** Plugin catchall (6.38 confidence) suggests **************************

If you believe that login should be allowed name_connect access on the port 80 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'login' --raw | audit2allow -M my-login
# semodule -i my-login.pp

Additional Information:
Source Context system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Context system_u:object_r:http_port_t:s0
Target Objects port 80 [ tcp_socket ]
Source login
Source Path /usr/bin/login
Port 80
Host gx96ln1
Source RPM Packages util-linux-2.23.2-52.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-192.el7_5.4.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name gx96ln1
Platform Linux gx96ln1 3.10.0-862.9.1.el7.x86_64 #1 SMP Mon
 Jul 16 16:29:36 UTC 2018 x86_64 x86_64
Alert Count 12
First Seen 2018-07-19 07:55:55 EDT
Last Seen 2018-07-19 08:05:04 EDT
Local ID bbb93870-a418-4896-8e6a-d9097afee13f

Raw Audit Messages
type=AVC msg=audit(1532001904.456:63279): avc: denied { name_connect } for pid=31534 comm="login" dest=80 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1532001904.456:63279): arch=x86_64 syscall=connect success=no exit=EACCES a0=8 a1=7ffcf44430d0 a2=10 a3=b items=0 ppid=1 pid=31534 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm=login exe=/usr/bin/login subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)

Hash: login,local_login_t,http_port_t,tcp_socket,name_connect