Bug 220652

Summary: LSPP - Role selection at login fails w/ "not a valid security context"
Product: Red Hat Enterprise Linux 5
Reporter: Eduardo M. Fleury <efleury>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED CURRENTRELEASE
QA Contact: David Lawrence <dkl>
Severity: high
Priority: medium
Version: 5.0
CC: dwalsh, jturner, linda.knippers, sgrubb
Hardware: All
OS: Linux
Fixed In Version: 5.0.0
Doc Type: Bug Fix
Last Closed: 2007-01-15 16:28:10 UTC
Attachments:
The latest version of the select_context patch (flags: none)

Description Eduardo M. Fleury 2006-12-22 19:14:26 UTC
Description of problem:
Trying to select a specific role at login time in RHEL5 Beta2 12/18 refresh
fails. After selecting the desired role the system goes back to the role
selection dialog with the error "Not a valid security context."

Logging in with the default role and then newrole'ing to the desired role works fine,
which means the security context is valid indeed.

The MLS level selection is working fine.

System info:
Tested in RHEL5 Beta2 Server 12/18 refresh installed with the LSPP kickstart
version 0.16-1.

Version-Release number of selected component (if applicable):
pam-0.99.6.2-3.8.el5
pam-devel-0.99.6.2-3.8.el5

selinux-policy-targeted-2.4.6-15.el5
selinux-policy-mls-2.4.6-15.el5
selinux-policy-2.4.6-15.el5

Linux ct.ltc.ic.unicamp.br 2.6.18-1.2840.2.1.el5.lspp.57 #1 SMP Fri Dec 8
17:28:15 EST 2006 i686 i686 i386 GNU/Linux

How reproducible:
Always

Steps to Reproduce:
In a local console do the following:

1. login: root
2. password: *********
3. Would you like to enter a role/level [y]? y
4. role: secadm_r
5. level: SystemLow-SystemHigh

Actual results:
"Not a valid security context." error message is shown and system goes back to
the prompt seen in line 3.

Expected results:
Should login with specified role/level.

Additional info:
Pressing carriage return at "role" prompt and changing only the MLS level works
fine. I can login as sysadm_r:sysadm_t:Secret-SystemHigh for instance.

Comment 3 Daniel Walsh 2006-12-29 16:20:19 UTC
Fixed in pam-0.99.6.2-3.9.el5

Available on http://people.redhat.com/dwalsh/RHEL5



Comment 5 Eduardo M. Fleury 2007-01-02 21:50:27 UTC
It seems that now the role selection works better but not 100%. 

Now I can select a role but if I say "N" to the dialog in step 3 (Would you like
to enter...) I get an authentication failure message and then I get back to the
prompt. I also got some "random" messages of this kind when trying to enter a
role; I say "random" because doing the same procedure again worked, then after
some tries it didn't.

As I have updated an existing system with the new packages rather than
installing a new one from scratch, I'm not sure if the results could have been
masked by some other issue. I'm going to set up a new system and do those tests
again and update this bug.

Thanks!

Comment 6 Jay Turner 2007-01-03 12:55:35 UTC
Pushing this back to Assigned to get some clarification on comment 5.

Comment 7 Eduardo M. Fleury 2007-01-04 13:03:55 UTC
I've updated the test machine I mentioned in comment #5 with the even newer
pam-0.99.6.2-3.10.el5. I've also reinstalled another test machine from scratch
and asked the kickstart to install the new pam packages itself during the
post-install phase.

In both cases I could confirm that the roles (and levels) selection is working
as expected. Thanks!

Comment 8 Jay Turner 2007-01-04 14:03:15 UTC
Moving to Verified.

Comment 9 Tomas Mraz 2007-01-04 23:52:16 UTC
Created attachment 144867
The latest version of the select_context patch

Comment 10 Jay Turner 2007-01-15 14:33:07 UTC
Does the patch in comment 9 need to be incorporated into the RHEL5 builds?

Comment 11 Tomas Mraz 2007-01-15 15:20:31 UTC
The patch is already there.

Comment 12 Jay Turner 2007-01-15 16:28:10 UTC
pam-0.99.6.2-3.13.el5 included in 20070111.1 and 20070112.3 trees.