Bug 325921

Summary: pam_selinux logs warning for xen PV guest console (xvc0)
Product: Red Hat Enterprise Linux 5
Component: pam
Version: 5.0
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: low
Priority: low
Reporter: Joe Orton <jorton>
Assignee: Tomas Mraz <tmraz>
Fixed In Version: pam-0.99.6.2-3.26.el5
Doc Type: Bug Fix
Last Closed: 2007-10-10 12:14:41 UTC

Description Joe Orton 2007-10-10 08:04:34 UTC
Description of problem:
pam_selinux is logging a warning for each login to the Xen guest console. 

Version-Release number of selected component (if applicable):
pam-0.99.6.2-3.14.el5

How reproducible:
always

Steps to Reproduce:
1. install xen guest using virt-install
2. login to console as root using "xm console $N"
  
Actual results:
/var/log/secure in the guest gets:

Oct 10 09:01:38 dhcp-0-239 login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Oct 10 09:01:38 dhcp-0-239 login: pam_selinux(login:session): Warning!  Could not get new context for /dev/xvc0, not relabeling: Invalid argument
Oct 10 09:01:38 dhcp-0-239 login: pam_selinux(login:session): usercon=(null), prev_context=system_u:object_r:tty_device_t
Oct 10 09:01:38 dhcp-0-239 login: ROOT LOGIN ON xvc0

Expected results:
no warnings in /var/log/secure

Additional info:

Comment 1 Tomas Mraz 2007-10-10 08:18:45 UTC
Can you please add debug option to pam_selinux and retry? What is reported in
the /var/log/secure?


Comment 2 Joe Orton 2007-10-10 08:23:20 UTC
Changed /etc/pam.d/login as follows:

[root@dhcp-0-239 ~]# grep selinux /etc/pam.d/login 
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so debug close
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open debug

new output to /var/log/secure:


Oct 10 09:22:22 dhcp-0-239 login: pam_selinux(login:session): Open Session
Oct 10 09:22:22 dhcp-0-239 login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Oct 10 09:22:22 dhcp-0-239 login: pam_selinux(login:session): Open Session
Oct 10 09:22:22 dhcp-0-239 login: pam_selinux(login:session): Username= root SELinux User = root Level= s0-s0:c0.c1023
Oct 10 09:22:22 dhcp-0-239 login: pam_selinux(login:session): Warning!  Could not get new context for /dev/xvc0, not relabeling: Invalid argument
Oct 10 09:22:22 dhcp-0-239 login: pam_selinux(login:session): usercon=(null), prev_context=system_u:object_r:tty_device_t
Oct 10 09:22:22 dhcp-0-239 login: pam_selinux(login:session): set root security context to (null)
Oct 10 09:22:22 dhcp-0-239 login: ROOT LOGIN ON xvc0


Comment 3 Tomas Mraz 2007-10-10 08:40:18 UTC
Can you try pam-0.99.6.2-3.26.el5 from RHEL-5.1 beta if that helps?


Comment 4 Joe Orton 2007-10-10 11:55:34 UTC
Works a treat, thanks a lot.

Comment 5 Tomas Mraz 2007-10-10 12:14:41 UTC
Will be fixed in the upcoming PAM errata.