Bug 510230

Summary: Booting system in enforcing mode stops graphical or tty console login
Product: [Fedora] Fedora
Reporter: Quentin Armitage <quentin>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: dwalsh, jkubin, mgrepl, quentin
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-07-21 14:08:42 UTC

Description Quentin Armitage 2009-07-08 12:47:06 UTC

If I boot the system with SELinux in enforcing mode, attempting to log in fails with no error message given, and the login prompt is re-presented. This applies to both the graphical and character-based (tty) console login options.

Adding kernel parameter enforcing=0, or setting SELINUX=permissive in /etc/selinux.config allows logins to work.

Reproducible: Always

Steps to Reproduce:
1. Boot system in enforcing mode
2. Attempt to login

Actual Results:
No login occurs, and login prompt re-presented

Expected Results:  
Login successful

selinux-policy version 3.6.20-2. Using selinux-policy-targeted

Comment 1 Daniel Walsh 2009-07-09 12:52:53 UTC
What AVCs are you seeing in /var/log/audit/audit.log or /var/log/messages?

Comment 2 Quentin Armitage 2009-07-20 22:01:29 UTC
If I execute setenforce enforcing, it causes all login sessions and the GUI to terminate, and I then cannot log in. The following message appeared in /var/log/messages when I attempted to log in following the above actions:

Jul 20 22:51:05 samson kernel: type=1400 audit(1248126665.035:28446): avc:  denied  { entrypoint } for  pid=2444 comm="login" path="/bin/bash" dev=dm-0 ino=15278 scontext=unconfined_u:system_r:hotplug_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

Comment 3 Daniel Walsh 2009-07-21 01:15:29 UTC
Please relabel your machine and see if this fixes the problem.

touch /.autorelabel; reboot

I think all your problems are caused by bad labeling.

Comment 4 Quentin Armitage 2009-07-21 07:02:38 UTC
This has resolved the problem. Many thanks for your help.
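
Added example, not part of the original report: a small Python parser for the AVC record quoted in comment 2, splitting it into permission, process, path and source/target contexts so the source type (hotplug_t) and target type (shell_exec_t) can be read off directly. The helper name shell_entrypoint_denials and its filter are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# AVC record copied verbatim from comment 2 of this report.
SAMPLE = (
    'Jul 20 22:51:05 samson kernel: type=1400 audit(1248126665.035:28446): '
    'avc:  denied  { entrypoint } for  pid=2444 comm="login" path="/bin/bash" '
    'dev=dm-0 ino=15278 scontext=unconfined_u:system_r:hotplug_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:shell_exec_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'audit\((\d+)\.\d+:(\d+)\):\s+avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type[:level]; the MLS level can itself contain ':'."""
    parts = ctx.split(':', 3)
    return dict(zip(('user', 'role', 'type', 'level'), parts + [''] * (4 - len(parts))))

def parse_avc(line):
    """Return the fields of one AVC record, or None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    secs, serial, result, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {
        'time_utc': datetime.fromtimestamp(int(secs), tz=timezone.utc),
        'serial': int(serial),
        'result': result,
        'perms': perms.split(),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'tclass': fields.get('tclass'),
        'source': split_context(fields.get('scontext', '')),
        'target': split_context(fields.get('tcontext', '')),
    }

def shell_entrypoint_denials(lines):
    """Hypothetical triage helper: denied 'entrypoint' on a shell_exec_t file."""
    recs = (parse_avc(l) for l in lines)
    return [r for r in recs if r and r['result'] == 'denied'
            and 'entrypoint' in r['perms'] and r['target']['type'] == 'shell_exec_t']

if __name__ == '__main__':
    for r in shell_entrypoint_denials([SAMPLE]):
        print(r['time_utc'], r['comm'], r['path'], 'source type:', r['source']['type'])
```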