Bug 230386

Summary: something gone horribly wrong in SELinux or PAM
Product: Fedora
Reporter: Bill Nottingham <notting>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: rawhide
CC: markmc, rstrode, rvokal, tmraz
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-03-02 16:56:51 UTC

Description Bill Nottingham 2007-02-28 18:24:03 UTC
I upgraded to today's rawhide. On reboot:

- networking did not start right
- login died with authentication failures
- gdm failed to start

and various other bits of brokenness

Even with enforcing=0, sshd does not work.

Some logs from an enforcing=0 boot:

AVCs (from dmesg/audit):
audit(1172685709.287:3): avc:  denied  { getattr } for  pid=419 comm="mount"
name="/" dev=selinuxfs ino=525 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703719.048:4): avc:  denied  { getattr } for  pid=1256 comm="ifconfig"
name="/" dev=selinuxfs ino=525 scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703725.247:5): avc:  denied  { getattr } for  pid=1374 comm="fsck"
name="/" dev=selinuxfs ino=525 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703725.371:6): avc:  denied  { getattr } for  pid=1379 comm="mount"
name="/" dev=selinuxfs ino=525 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703726.173:7): avc:  denied  { getattr } for  pid=1439 comm="swapon"
name="/" dev=selinuxfs ino=525 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703728.327:8): avc:  denied  { getattr } for  pid=1603
comm="ip6tables-resto" name="/" dev=selinuxfs ino=525
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703729.249:9): avc:  denied  { getattr } for  pid=1646
comm="iptables-restor" name="/" dev=selinuxfs ino=525
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703731.203:10): avc:  denied  { getattr } for  pid=1828
comm="ifconfig" name="/" dev=selinuxfs ino=525
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703731.393:11): avc:  denied  { search } for  pid=1895 comm="arping"
name="/" dev=sysfs ino=1 scontext=system_u:system_r:netutils_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
audit(1172703731.393:12): avc:  denied  { getattr } for  pid=1895 comm="arping"
name="eth0" dev=sysfs ino=5443 scontext=system_u:system_r:netutils_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
audit(1172703731.393:13): avc:  denied  { getattr } for  pid=1895 comm="arping"
name="broadcast" dev=sysfs ino=8214 scontext=system_u:system_r:netutils_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=file
audit(1172703731.393:14): avc:  denied  { read } for  pid=1895 comm="arping"
name="broadcast" dev=sysfs ino=8214 scontext=system_u:system_r:netutils_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=file
audit(1172703736.036:15): audit_pid=2028 old=0 by auid=4294967295
subj=system_u:system_r:auditd_t:s0
audit(1172703736.896:20): avc:  denied  { getattr } for  pid=2089
comm="mcstransd" name="/" dev=selinuxfs ino=525
scontext=system_u:system_r:setrans_t:s0-s0:c0.c1023
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703737.651:21): avc:  denied  { getattr } for  pid=2131
comm="setroubleshootd" name="/" dev=selinuxfs ino=525
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703738.261:22): avc:  denied  { getattr } for  pid=2196 comm="mount"
name="/" dev=selinuxfs ino=525 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703749.705:23): avc:  denied  { execute_no_trans } for  pid=2300
comm="hcid" name="bluetoothd-service-input" dev=dm-0 ino=10118669
scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file
audit(1172703749.733:24): avc:  denied  { getattr } for  pid=2311 comm="mount"
name="/" dev=selinuxfs ino=525 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem

/var/log/secure:

Feb 28 18:02:45 apone gdm[2871]: pam_succeed_if(gdm:auth): error retrieving user
name: Conversation error
Feb 28 18:03:11 apone last message repeated 209 times
Feb 28 18:03:11 apone sshd[6750]: Accepted password for root from 172.16.56.99
port 53401 ssh2
Feb 28 18:03:11 apone gdm[2871]: pam_succeed_if(gdm:auth): error retrieving user
name: Conversation error
Feb 28 18:03:11 apone sshd[6750]: error: ssh_selinux_setup_exec_context: Failed
to set SELinux execution context for root
Feb 28 18:03:11 apone sshd[6750]: fatal: ssh_selinux_setup_exec_context: Failed
to set SELinux execution context for root (in enforcing mode)
Feb 28 18:03:11 apone gdm[2871]: pam_succeed_if(gdm:auth): error retrieving user
name: Conversation error
Feb 28 18:03:18 apone last message repeated 54 times
Feb 28 18:03:18 apone login: pam_unix(login:auth): authentication failure;
logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=root
Feb 28 18:03:18 apone gdm[2871]: pam_succeed_if(gdm:auth): error retrieving user
name: Conversation error
Feb 28 18:03:20 apone last message repeated 16 times
Feb 28 18:03:20 apone login: FAILED LOGIN 1 FROM (null) FOR root, Authentication
failure
Feb 28 18:03:20 apone gdm[2871]: pam_succeed_if(gdm:auth): error retrieving user
name: Conversation error
Feb 28 18:03:23 apone last message repeated 18 times
Feb 28 18:03:23 apone login: pam_unix(login:session): session opened for user
root by LOGIN(uid=0)
Feb 28 18:03:23 apone gdm[2871]: pam_succeed_if(gdm:auth): error retrieving user
name: Conversation error
Feb 28 18:03:23 apone login: pam_selinux(login:session): Warning!  Could not get
new context for /dev/tty1, not relabeling: Invalid argument
Feb 28 18:03:23 apone login: pam_selinux(login:session):
usercon=root:system_r:unconfined_t::SystemLow-SystemHigh,
prev_context=system_u:object_r:tty_device_t
Feb 28 18:03:23 apone login: pam_selinux(login:session): Error!  Unable to set
root executable context root:system_r:unconfined_t::SystemLow-SystemHigh.
Feb 28 18:03:23 apone login: ROOT LOGIN ON tty1
Feb 28 18:03:23 apone gdm[2871]: pam_succeed_if(gdm:auth): error retrieving user
name: Conversation error
Feb 28 18:03:54 apone last message repeated 256 times
Feb 28 18:04:16 apone last message repeated 181 times
Feb 28 18:04:16 apone sshd[17422]: Accepted password for root from 172.16.56.99
port 53404 ssh2
Feb 28 18:04:16 apone sshd[17422]: error: ssh_selinux_setup_exec_context: Failed
to set SELinux execution context for root
Feb 28 18:04:16 apone sshd[17422]: fatal: ssh_selinux_setup_exec_context: Failed
to set SELinux execution context for root (in enforcing mode)
Feb 28 18:04:16 apone gdm[2871]: pam_succeed_if(gdm:auth): error retrieving user
name: Conversation error
Feb 28 18:04:37 apone last message repeated 179 times
Feb 28 18:04:37 apone sshd[20438]: Accepted password for root from 172.16.56.99
port 53407 ssh2
Feb 28 18:04:37 apone sshd[20438]: error: ssh_selinux_setup_exec_context: Failed
to set SELinux execution context for root
Feb 28 18:04:37 apone sshd[20438]: fatal: ssh_selinux_setup_exec_context: Failed
to set SELinux execution context for root (in enforcing mode)
Feb 28 18:04:37 apone gdm[2871]: pam_succeed_if(gdm:auth): error retrieving user
name: Conversation error
Feb 28 18:05:08 apone last message repeated 210 times

In /var/log/messages:
Feb 28 18:02:41 apone gdm[2827]: (null): cannot open shared object file: No such
file or directory

Version-Release number of selected component (if applicable):

gdm-2.17.7-5.fc7
libselinux-2.0.5-1.fc7
mcstrans-0.2.4-1.fc7
pam-0.99.7.1-3.fc7
policycoreutils-2.0.6-3.fc7
policycoreutils-gui-2.0.6-3.fc7
selinux-policy-2.5.5-2.fc7
selinux-policy-targeted-2.5.5-2.fc7
setroubleshoot-1.9.2-1.fc7
setroubleshoot-server-1.9.2-1.fc7

All this is after a full relabel.

Comment 1 Tomas Mraz 2007-03-01 15:02:20 UTC
The gdm messages must be caused by some recent erroneous change in how GDM calls
PAM.


Comment 2 Daniel Walsh 2007-03-02 15:06:59 UTC
The login problem was caused by mcstrans not translating root login accounts
correctly; it should be fixed by mcstrans-0.2.5-1.

Comment 3 Bill Nottingham 2007-03-02 16:56:51 UTC
Yeah, with mcstrans and the newer policy, things seem generally sane for me.
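
The pam_selinux lines in the report show the symptom of the mcstrans problem named in Comment 2: the context handed to login, `root:system_r:unconfined_t::SystemLow-SystemHigh`, has an empty sensitivity field before the translated range, which is what the kernel rejects with "Invalid argument". The following is an added triage helper, not code from the bug report or from any of the packages involved, that pulls context strings out of log lines and flags malformed MLS levels; the sample log is constructed from the report's entries, and the well-formed raw/translated variants beside the bad one are assumed values.

```python
import re

# Constructed sample lines modelled on the pam_selinux entries in the report:
# the first carries the malformed context from the bug, the other two are the
# correctly translated form and its raw MLS form (assumed values, not from the log).
SAMPLE_LOG = """\
Feb 28 18:03:23 apone login: pam_selinux(login:session): usercon=root:system_r:unconfined_t::SystemLow-SystemHigh, prev_context=system_u:object_r:tty_device_t
Feb 28 18:03:23 apone login: pam_selinux(login:session): usercon=root:system_r:unconfined_t:SystemLow-SystemHigh, prev_context=system_u:object_r:tty_device_t
Feb 28 18:03:23 apone login: pam_selinux(login:session): usercon=root:system_r:unconfined_t:s0-s0:c0.c1023, prev_context=system_u:object_r:tty_device_t
"""

# Raw MLS level: sensitivity plus optional category set, e.g. s0:c0.c1023
RAW_LEVEL = r"s\d+(?::c\d+(?:[.,]c\d+)*)?"
RAW_RANGE = re.compile(rf"^{RAW_LEVEL}(?:-{RAW_LEVEL})?$")
# Translated level as emitted by mcstrans: a plain name, optionally a low-high range
# (assumption: names are alphanumeric with no embedded colons)
TRANS_RANGE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(?:-[A-Za-z][A-Za-z0-9_]*)?$")
# Matches usercon=... and prev_context=... as written by pam_selinux
CONTEXT_RE = re.compile(r"(?:usercon|context)=([^\s,]+)")


def check_context(ctx):
    """Return None if ctx is a well-formed SELinux context, else a short reason."""
    # user, role, type, and everything after the third colon (the MLS level/range)
    parts = ctx.split(":", 3)
    if len(parts) < 3 or any(p == "" for p in parts[:3]):
        return "missing user, role or type"
    if len(parts) == 3:
        return None  # non-MLS context, nothing more to check
    level = parts[3]
    if level == "" or level.startswith(":"):
        # This is the shape in the report: an empty sensitivity before the range
        return "empty sensitivity field before %r" % level
    if RAW_RANGE.match(level) or TRANS_RANGE.match(level):
        return None
    return "unrecognised MLS level %r" % level


def scan_log(text):
    """Return a list of (context, problem) for every context found in the log."""
    return [(m.group(1), check_context(m.group(1))) for m in CONTEXT_RE.finditer(text)]


if __name__ == "__main__":
    for ctx, problem in scan_log(SAMPLE_LOG):
        print("%-55s %s" % (ctx, problem or "ok"))
```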