Bug 1008577
Summary: | login: pam_selinux(login:session): Unable to get valid context for root | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Dominick Grift <dominick.grift> |
Component: | pam | Assignee: | Tomas Mraz <tmraz> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | rawhide | CC: | dwalsh, jonathan, kzak, mluscon, tmraz |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | libselinux-2.1.13-19.fc20 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-09-20 11:13:24 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Dominick Grift
2013-09-16 16:00:14 UTC
Dominick What is the label of the login program? This usually means that the app can not figure out proper login shell for the user. You need to make sure your policy, context files are written properly for the selinux login programs to work. getdefaultcon and getconlist should help. base_u:base_r:base_t And there is a /etc/selinux/dummy/contexts/users/base_u file with: base_r:base_t base_r:base_t there is also a seuser: base_u and root it mapped to it The exact same configuration works fine on debian (In reply to Daniel Walsh from comment #2) > You need to make sure your policy, context files are written properly for > the selinux login programs to work. > > getdefaultcon and getconlist should help. I know that and i wouldnt make an issue out of it if i wasnt pretty confident that this is a case of misuse of libselinux functions You see the exact same configuration works fine on debian With that said, i am still only human, but i triple checked everything and i think my config is fine and if you want you can come have a look yourself What does selinuxdefcon dgrift base_u:base_r:base_t Say? If this is a bug it is in pam_selinux This was fixed in: libselinux-2.1.13-19.fc20.x86_64 libselinux-utils-2.1.13-19.fc20.x86_64 libselinux-python-2.1.13-19.fc20.x86_64 Although you might want to get rid of the verbose output: Security Context base_u:base_r:base_t Assigned Key Creation Context base_u:base_r:base_t Assigned (In reply to Dominick Grift from comment #8) > Although you might want to get rid of the verbose output: > > Security Context base_u:base_r:base_t Assigned > Key Creation Context base_u:base_r:base_t Assigned Forget the above my pam_selinux was still configured with verbose debug I will mark this as fixed, as libselinux-2.1.13-19.fc20.x86_64 fixed it libselinux-2.1.13-19.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/libselinux-2.1.13-19.fc20 libselinux-2.1.13-19.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. |