Bug 635530
| Summary: | unable to login as non-root user with selinux enabled | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Lakshmipathi <lakshmipathi.g> |
| Component: | libselinux | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | urgent | Docs Contact: | |
| Priority: | low | | |
| Version: | 12 | CC: | carlg, dwalsh, mgrepl |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Last Closed: | 2010-12-03 12:25:26 UTC | | |
Description
Lakshmipathi
2010-09-20 05:36:29 UTC

Here is my /var/log/messages -

```
Sep 21 11:17:40 localhost kernel: login[2196]: segfault at 10 ip 0000003c00a13f29 sp 00007fff38783490 error 4 in libselinux.so.1[3c00a00000+1c000]
Sep 21 11:17:41 localhost abrtd: Directory 'ccpp-1285048061-2196' creation detected
Sep 21 11:17:41 localhost abrt: saved core dump of pid 2196 to /var/cache/abrt/ccpp-1285048061-2196/coredump (1081344 bytes)
Sep 21 11:17:41 localhost init: tty3 main process (2196) terminated with status 11
Sep 21 11:17:41 localhost init: tty3 main process ended, respawning
Sep 21 11:17:43 localhost abrtd: Getting local universal unique identification...
Sep 21 11:17:44 localhost abrtd: Crash is in database already
Sep 21 11:17:44 localhost abrtd: Already saved crash, just sending dbus signal
```

It says something crashed.

Comment 1

Could you update to the latest selinux-policy

```
# yum update selinux-policy-targeted
```

and then try to edit /etc/selinux/config and change the field SELINUX=enforcing to SELINUX=permissive. After that try to login and run

```
ausearch -m avc -ts recent
```

Comment 2

No, that didn't work. I upgraded and rebooted the machine in permissive mode. It didn't allow me to login as normal-user.

ausearch output

```
----
time->Tue Sep 21 16:28:15 2010
type=SYSCALL msg=audit(1285066695.839:7): arch=c000003e syscall=59 success=yes exit=0 a0=fd8088 a1=fd6130 a2=7fffe84da618 a3=7fffe84d8dc0 items=0 ppid=2169 pid=2175 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables-multi" subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(1285066695.839:7): avc: denied { read write } for pid=2175 comm="iptables" path="socket:[18593]" dev=sockfs ino=18593 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_route_socket
```

but in audit.log I find something like above

```
type=USER_AUTH msg=audit(1285066703.141:8): user pid=2259 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="laks" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_ACCT msg=audit(1285066703.143:9): user pid=2259 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="laks" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=LOGIN msg=audit(1285066703.144:10): login pid=2259 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=1
--->type=ANOM_ABEND msg=audit(1285066703.190:11): auid=500 uid=0 gid=0 ses=1 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 pid=2259 comm="login" sig=11
```

but for root users

```
type=USER_AUTH msg=audit(1285066708.094:12): user pid=2299 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_ACCT msg=audit(1285066708.096:13): user pid=2299 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=LOGIN msg=audit(1285066708.096:14): login pid=2299 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=2
type=USER_ROLE_CHANGE msg=audit(1285066708.209:15): user pid=2299 uid=0 auid=0 ses=2 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023: exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_START msg=audit(1285066708.321:16): user pid=2299 uid=0 auid=0 ses=2 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=CRED_ACQ msg=audit(1285066708.322:17): user pid=2299 uid=0 auid=0 ses=2 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_LOGIN msg=audit(1285066708.322:18): user pid=2299 uid=0 auid=0 ses=2 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_ACCT msg=audit(1285066801.588:19): user pid=2381 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_ACCT msg=audit(1285066801.588:20): user pid=2382 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1285066801.589:21): user pid=2382 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1285066801.590:22): login pid=2382 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=3
type=CRED_ACQ msg=audit(1285066801.590:23): user pid=2381 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1285066801.590:24): login pid=2381 uid=0 old auid=4294967295 new auid=491 old ses=4294967295 new ses=4
type=USER_START msg=audit(1285066801.591:25): user pid=2381 uid=0 auid=491 ses=4 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_START msg=audit(1285066801.592:26): user pid=2382 uid=0 auid=0 ses=3 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
--------
```

Comment 3

I suspect this is the error part:

```
type=ANOM_ABEND msg=audit(1285066703.190:11): auid=500 uid=0 gid=0 ses=1 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 pid=2259 comm="login" sig=11
```

Comment 4

If you are not allowed to login as a normal user in permissive mode then it probably is not an SELinux issue. Take a look in /var/log/secure to see if it is reporting any problems. I think you might have a pam issue.

Comment 5

(In reply to comment #4)
> If you are not allowed to login as a normal user in permissive mode then it
> probably is not an SELinux issue. Take a look in /var/log/secure to see if it
> is reporting any problems. I think you might have a pam issue.

Ok. I edited /etc/selinux/config as permissive and rebooted the machine.

```
#>/var/log/secure
#>/var/log/messages
#>/var/log/audit/audit.log
```

Tried to login as normal user - and checked above files -

```
# cat /var/log/secure  --> its empty
=============
# cat /var/log/messages
Sep 23 10:46:37 localhost kernel: login[2445]: segfault at 10 ip 0000003c00a13f29 sp 00007fff9874efa0 error 4 in libselinux.so.1[3c00a00000+1c000]
Sep 23 10:46:37 localhost abrtd: Directory 'ccpp-1285218997-2445' creation detected
Sep 23 10:46:37 localhost init: tty3 main process (2445) terminated with status 11
Sep 23 10:46:37 localhost init: tty3 main process ended, respawning
Sep 23 10:46:37 localhost abrt: saved core dump of pid 2445 to /var/cache/abrt/ccpp-1285218997-2445/coredump (1081344 bytes)
Sep 23 10:46:37 localhost abrtd: Getting local universal unique identification...
Sep 23 10:46:37 localhost abrtd: Crash is in database already
Sep 23 10:46:37 localhost abrtd: Already saved crash, just sending dbus signal
=============
# cat audit.log
type=USER_AUTH msg=audit(1285218997.402:55): user pid=2445 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="laks" exe="/bin/login" hostname=? addr=? terminal=tty3 res=success'
type=USER_ACCT msg=audit(1285218997.405:56): user pid=2445 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="laks" exe="/bin/login" hostname=? addr=? terminal=tty3 res=success'
type=LOGIN msg=audit(1285218997.405:57): login pid=2445 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=6
type=ANOM_ABEND msg=audit(1285218997.405:58): auid=500 uid=0 gid=0 ses=6 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 pid=2445 comm="login" sig=11
=============
```

I can login with selinux disabled. Here is the pam config file -

```
# cat /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
#auth       required     pam_deny.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so
auth       optional     pam_mount.so try_first_pass
#session   optional     pam_mount.so try_first_pass
session    required     pam_limits.so
auth       required     pam_tally2.so deny=4 even_deny_root unlock_time=120
```

Comment 6

So you can not login in permissive mode, but can log in in disabled mode?

No AVC messages when logging in and login program segfaults in permissive mode.

Comment 7

(In reply to comment #6)
> So you can not login in permissive mode, but can log in in disabled mode?
> No AVC messages when logging in and login program segfaults in permissive mode.

Yes, that's my issue.

Comment 8

Can you login via sshd?

Can you get onto the machine via some other mechanism to look at the label of the login program?

```
ps -eZ | grep login
```

Comment 9

Out of curiosity can you run

```
yum reinstall selinux-policy-targeted
```

And see if it generates any errors?

Comment 10

(In reply to comment #8)
> Can you login via sshd?

No, it says "Connection closed by <ipaddress>"

> Out of curiosity can you run
>
> yum reinstall selinux-policy-targeted
>
> And see if it generates any errors?

Yes - I can see a few errors -

```
-----
selinux-policy-targeted-3.6.32-121.fc12.noarch.rpm | 2.1 MB 00:09
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : selinux-policy-targeted-3.6.32-121.fc12.noarch 1/1
libsemanage.get_users: user mi2 not in password file
libsemanage.get_users: user mi4 not in password file
******************
Installed:
selinux-policy-targeted.noarch 0:3.6.32-121.fc12
Complete!
-----
```

I have deleted these two users after assigning selinux context - is that creating the issue? Here is my semanage -l output

```
# semanage login -l

Login Name          SELinux User        MLS/MCS Range

%mi2                guest_u             s0
%mi4                guest_u             s0
__default__         unconfined_u        s0-s0:c0.c1023
mi2                 guest_u             s0
mi4                 user_u              s0
root                unconfined_u        s0-s0:c0.c1023
system_u            system_u            s0-s0:c0.c1023
useruuser           user_u              s0
```

Comment 11

Maybe. This might be confusing the login programs.

Can you just edit the seusers file by hand, and remove all mi2 and mi4 references and see if you can login?

If yes then the bug is in either pam_selinux or libselinux.

Comment 12

(In reply to comment #11)
> Can you just edit the seusers file by hand. and remove all mi2 and mi4
> references and see if you can login?
>
> If yes then the bug is in either pam_selinux or libselinux.

I edited /etc/selinux/targeted/seusers and removed those login lines and set selinux to permissive mode. Rebooted, but still semanage login -l shows those login names (mi2, mi4) - did I edit the wrong file?

Comment 13

During reboot selinux (changed from disabled to permissive mode). After logging in I checked the file; those entries were still alive! I deleted them again. Now I tried to login to tty - it works!!!

Comment 14

Ok, I am going to assign this to libselinux for now. You set up two groups on your machine, mi2 and mi4, and then want to set the users in those groups to login with guest_t, correct?

Comment 15

As far as editing those files, you edited the correct files, but the real way to remove those entries is by using semanage. Removing them from the file only affects the login programs.

Comment 16

(In reply to comment #14)
> Ok I am going to assign this to libselinux for now, You setup to groups on
> your machine mi2 and mi4, and then want to set the users in those groups to
> login with guest_t correct?

That's correct, I wanted to set up all members from group mi2/mi4 to have guest_t context.

Comment 17

(In reply to comment #15)
> As far as editing those files, you edited the correct files, but the real way
> to remove those entries is by using semanage. Removing them from the file only
> effects the login programs.

Thanks for the clarification.

Comment 18

I just tried this on F14 and it worked fine.

```
semanage login -l

Login Name          SELinux User        MLS/MCS Range

%guest              guest_u             s0
__default__         unconfined_u        s0-s0:c0.c1023
dwalsh              staff_u             s0-s0:c0.c1023
root                unconfined_u        s0-s0:c0.c1023
system_u            system_u            s0-s0:c0.c1023
xguest              xguest_u            s0

> grep guest /etc/group
guest:x:3268:pwalsh

> ssh localhost -l pwalsh
pwalsh@localhost's password:
Last login: Sat Sep 25 06:42:32 2010
Unknown HZ value! (35) Assume 1024.
-bash-4.1$ id -Z
guest_u:guest_r:guest_t:s0
```

Comment 19

(In reply to comment #18)
> I just tried this on F14 and it worked fine.
>
> semanage login -l
>
> Login Name          SELinux User        MLS/MCS Range
>
> %guest              guest_u             s0
> __default__         unconfined_u        s0-s0:c0.c1023
> dwalsh              staff_u             s0-s0:c0.c1023
> root                unconfined_u        s0-s0:c0.c1023
> system_u            system_u            s0-s0:c0.c1023
> xguest              xguest_u            s0
>
> > grep guest /etc/group
> guest:x:3268:pwalsh
>
> > ssh localhost -l pwalsh
> pwalsh@localhost's password:
> Last login: Sat Sep 25 06:42:32 2010
> Unknown HZ value! (35) Assume 1024.
> -bash-4.1$ id -Z
> guest_u:guest_r:guest_t:s0

I think what you have done is

1. created a context for group and logged in.

But the following steps might reproduce the issue:

1. create a "user1" and by default he will be assigned to "user1"
2. now create context for this group "user1"
3. delete the user "user1" using simple userdel command: "userdel user1"
4. now semanage still lists the "user1" and I'm unable to login.

Comment 20

I'll try and see if I can reproduce that later.

Comment 21

This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 22

Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
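A check for the condition this thread converges on, as an added example (not code from the bug report, from libselinux, or from Fedora): parse a seusers-style file and flag mappings whose login, or `%group`, no longer exists in the account database, which is what `userdel` leaves behind when the semanage mapping is not removed. The `login:seuser:range` line format and the sample entries are assumptions modelled on the `semanage login -l` output in comment 10.

```python
# Added example (not from the bug report). Assumes the seusers line format
# 'login:seuser:range', where a leading '%' marks a group entry ('%mi2' above).
import grp
import pwd

# Policy-level defaults that never correspond to a passwd/group entry.
BUILTIN_LOGINS = {"__default__", "system_u"}

def parse_seusers(text):
    """Yield (login, seuser, mls_range) from seusers-formatted text."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The MLS range itself contains ':' (s0-s0:c0.c1023), so split only twice.
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError("malformed seusers line: %r" % raw)
        yield tuple(parts)

def stale_mappings(text, users, groups):
    """Return mappings whose login (or %group) is missing from the given name sets."""
    stale = []
    for login, seuser, mls_range in parse_seusers(text):
        if login in BUILTIN_LOGINS:
            continue
        is_group = login.startswith("%")
        name = login[1:] if is_group else login
        if name not in (groups if is_group else users):
            stale.append((login, seuser, mls_range))
    return stale

def live_accounts():
    """(users, groups) name sets of the running system, for a real check."""
    return {p.pw_name for p in pwd.getpwall()}, {g.gr_name for g in grp.getgrall()}

# Constructed sample: mi2/mi4 were removed with userdel but their mappings stayed.
SAMPLE_SEUSERS = """\
%mi2:guest_u:s0
%mi4:guest_u:s0
__default__:unconfined_u:s0-s0:c0.c1023
mi2:guest_u:s0
mi4:user_u:s0
system_u:system_u:s0-s0:c0.c1023
useruuser:user_u:s0
"""
SAMPLE_USERS = SAMPLE_GROUPS = {"root", "laks", "useruuser"}

if __name__ == "__main__":
    for login, seuser, mls in stale_mappings(SAMPLE_SEUSERS, SAMPLE_USERS, SAMPLE_GROUPS):
        print("stale %s -> %s (%s): remove with 'semanage login -d %s'" % (login, seuser, mls, login))
```

Against a live system, pass the contents of /etc/selinux/targeted/seusers together with `*live_accounts()`; the entries it reports are the ones comment 15 says to remove with semanage rather than by editing the file.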