Bug 237703
| Summary: | LSPP: login as ealuser fails from s390 console | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Trevor Highland <tshighla> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | medium | ||
| Version: | 5.0 | CC: | benl, ebenes, iboverma, krisw, linda.knippers, ltcgcw, poelstra, sgrubb |
| Target Milestone: | --- | Keywords: | OtherQA |
| Target Release: | --- | ||
| Hardware: | s390x | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | RHBA-2007-0544 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-11-07 16:39:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 224041 | ||
Raising severity to high. Fixed in selinux-policy-2_4_6-65_el5 what device is this? I'm curious if there is a device file that is mislabeled. The device is /dev/console. I have verified that the issue is fixed in selinux-policy-2_4_6-66_el5. Taking off the LSPP list. A fix for this issue has been included in the packages contained in the beta (RHN channel) or most recent snapshot (partners.redhat.com) for RHEL5.1. Please verify that your issue is fixed. After you (Red Hat Partner) have verified that this issue has been addressed, please perform the following: 1) Change the *status* of this bug to VERIFIED. 2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified) If this issue is not fixed, please add a comment describing the most recent symptoms of the problem you are having and change the status of the bug to ASSIGNED. A fix for this issue should have been included in the packages contained in the RHEL5.1-Snapshot4 on partners.redhat.com. Requested action: Please verify that your issue is fixed *as soon as possible* to ensure that it is included in this update release. After you (Red Hat Partner) have verified that this issue has been addressed, please perform the following: 1) Change the *status* of this bug to VERIFIED. 2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified) If this issue is not fixed, please add a comment describing the most recent symptoms of the problem you are having and change the status of the bug to FAILS_QA. If you cannot access bugzilla, please reply with a message to Issue Tracker and I will change the status for you. If you need assistance accessing ftp://partners.redhat.com, please contact your Partner Manager. A fix for this issue should have been included in the packages contained in the RHEL5.1-Snapshot6 on partners.redhat.com. Requested action: Please verify that your issue is fixed ASAP to confirm that it will be included in this update release. After you (Red Hat Partner) have verified that this issue has been addressed, please perform the following: 1) Change the *status* of this bug to VERIFIED. 2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified) If this issue is not fixed, please add a comment describing the most recent symptoms of the problem you are having and change the status of the bug to FAILS_QA. If you cannot access bugzilla, please reply with a message to Issue Tracker and I will change the status for you. If you need assistance accessing ftp://partners.redhat.com, please contact your Partner Manager. A fix for this issue should have been included in the packages contained in the RHEL5.1-Snapshot7 on partners.redhat.com. Requested action: Please verify that your issue is fixed ASAP to confirm that it will be included in this update release. After you (Red Hat Partner) have verified that this issue has been addressed, please perform the following: 1) Change the *status* of this bug to VERIFIED. 2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified) If this issue is not fixed, please add a comment describing the most recent symptoms of the problem you are having and change the status of the bug to FAILS_QA. If you cannot access bugzilla, please reply with a message to Issue Tracker and I will change the status for you. If you need assistance accessing ftp://partners.redhat.com, please contact your Partner Manager. A fix for this issue should be included in the packages contained in RHEL5.1-Snapshot8--available now on partners.redhat.com. IMPORTANT: This is the last opportunity to confirm that your issue is fixed in the RHEL5.1 update release. After you (Red Hat Partner) have verified that this issue has been addressed, please perform the following: 1) Change the *status* of this bug to VERIFIED. 2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified) If this issue is not fixed, please add a comment describing the most recent symptoms of the problem you are having and change the status of the bug to FAILS_QA. If you cannot access bugzilla, please reply with a message to Issue Tracker and I will change the status for you. If you need assistance accessing ftp://partners.redhat.com, please contact your Partner Manager. I am attempting to verify this one. However, my victim z partition configuration is damaged. I will verify this bug as soon as I can get my partition into a usable state. This bug is still present in RHEL 5.1 Snap 8. I performed the install with a modified LSPP kickstart to simulate the evaluated configuration installation procedure. Login to the console as ealuser fails as described above: login: ealuser Password: Default Security Context staff_u:staff_r:staff_t:SystemLow:SystemLow-SystemHigh Would you like to enter a different role or level? Ãn¨ n n Red Hat Enterprise Linux Server release 5.1 Beta (Tikanga) Kernel 2.6.18-48.el5 on an s390x testpart login: Is the allow_console_login boolean turned on? Any avc messages? It's amazing what I can forget in a couple of months. No, I didn't have it turned on. When I turn it on the login succeeds. Thanks, Dan. After you (Red Hat Partner) have verified that this issue has been addressed, please perform the following: 1) Change the *status* of this bug to VERIFIED. 2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified) Thank you. Any updates to this? Have you had a chance to re-test this after setting the allow_console_login boolean? Yes, that was what I was attempting to communicate in Comment #22. I'll change the status and keyword. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0544.html |
Description of problem: I am trying to login from a console on an s390 (/dev/console). I can successfully login as root. When I login as ealuser I am asked if I would like to change roles as expected, but once I say no I am immediately returned to a login prompt. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. Login from the console as ealuser Actual results: After being asked if you want to change roles, I am returned to a login prompt. Expected results: Additional info: Adding the following rules fixes the login issues for ealuser. These rules are specific to ealuser. allow local_login_t console_device_t:chr_file { relabelfrom relabelto setattr }; allow staff_t console_device_t:chr_file { getattr ioctl read write };