Bug 619238

Summary:	can't login to normal F14 install - avc: denied { entrypoint } for comm="login" path="/bin/bash"
Product:	[Fedora] Fedora	Reporter:	Jens Petersen <petersen>
Component:	selinux-policy	Assignee:	Daniel Walsh <dwalsh>
Status:	CLOSED RAWHIDE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	urgent	Docs Contact:
Priority:	medium
Version:	14	CC:	bruno, dcantrell, drjohnson1, dwalsh, fdc, mgrepl, robatino
Target Milestone:	---
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:	AcceptedBlocker
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2010-08-04 14:53:50 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	611990

Description Jens Petersen 2010-07-29 01:01:40 UTC

Description of problem:
When I installed rawhide yesterday I couldn't login as root or a user
neither at VC or gdm.  Not really any more data-points yet.
I am pretty sure this is still with upstart.

Steps to Reproduce:
1. install rawhide directly: eg via F13 boot.iso pointed at rawhide mirror
   or 

2. boot install
3. try to login
  
Actual results:
3. can't login - get thrown out of shell/gdm session immediately.

Expected results:
3. able to login

Additional info:
Live and upgrades from F13 seem unaffected.

Comment 1 Jens Petersen 2010-07-29 01:03:16 UTC

Jesse suggested I make this a F14Alpha blocker for now.

Comment 2 Jens Petersen 2010-07-29 01:05:15 UTC

Tried both minimal install and standard desktop.

Comment 3 Jens Petersen 2010-07-29 01:09:22 UTC

(In reply to comment #0)
> Steps to Reproduce:
> 1. install rawhide directly: eg via F13 boot.iso pointed at rawhide mirror
>    or 

from http://alt.fedoraproject.org/pub/alt/stage/rawhide-20100722/x86_64/os/

Comment 4 Bill Nottingham 2010-07-29 15:40:27 UTC

If you boot with init=/bin/bash (or single user mode);

$ rpm -qa | grep (upstart|systemd)

Also, any AVC errors logged?

Comment 5 Jens Petersen 2010-07-30 07:28:02 UTC

Ah, I just managed to fix an install with a rescue disk
which then lead to selinux relabelling when I rebooted.
So yeah may be a selinux issue.  (This was latest rawhide tree here today.)

Will update with more details after next install attempt.

Comment 6 Jens Petersen 2010-07-30 07:38:30 UTC

It is running upstart-0.6.5-7.fc14 FWIW.

Comment 7 Jens Petersen 2010-07-30 09:13:43 UTC

I did a new install and see /var/log/messages has

localhost kernel: type=1400 audit(...): avc: denied { entrypoint } for  pid=1234 comm="login" path="/bin/bash" dev=dm-0 ino=41 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

Comment 8 François Cami 2010-07-30 19:03:22 UTC

Reproduced with installer from http://alt.fedoraproject.org/pub/alt/stage/rawhide-20100722/x86_64/os/ and rawhide tree from local mirror.
Setting as F14 Alpha blocker.

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 9 François Cami 2010-07-30 20:08:45 UTC

I can confirm that forcing a relabel fixes the issue.
* switching component to selinux-policy as decided in blocker review meeting. 
* setting severity as urgent since an installed system can't be used.

Gentle reminder: we need a workaround or a fix by Tuesday in order to be able to start spinning Alpha RCs. Thanks!

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 10 Andre Robatino 2010-08-01 17:21:31 UTC

After a minimal F13 install, updating fedora-release to 14-0.7, and updating, I have the same problem, but an selinux relabel does NOT fix it.  I can still boot up either in rescue mode or single-user mode, start the network, and update/install packages that way.  I tried resetting my password in the event it wasn't set properly, but that doesn't help.  (It's a little hard to tell since the system won't shut down cleanly, so I have to force it off, and can't be sure if all settings are saved.)

Comment 11 Andre Robatino 2010-08-01 17:33:03 UTC

Booting up in single-user mode, then running "systemctl default", seems to be a workaround, giving me the ability to log in normally either as root or an ordinary user.

Comment 12 François Cami 2010-08-01 17:40:57 UTC

Andre, please confirm that by "same problem", you mean AVCs matching the ones in comment 7.

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 13 Andre Robatino 2010-08-01 17:50:06 UTC

"grep avc /var/log/messages" returns no output, so it's not the same in that sense.  (BTW, either the Subject should be changed to refer to F14, or the Version should be changed back to rawhide.)

Comment 14 François Cami 2010-08-01 17:53:34 UTC

Thanks for the suggestion, I've changed the subject.
Please file a bug with the issue you're experiencing.

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 15 Jens Petersen 2010-08-04 01:52:41 UTC

I don't see this any more with F14 alpha TC2.