Bug 772411

Summary: Login is impossible on freshly installed F16 with / on reiserfs
Product: [Fedora] Fedora
Reporter: Roberto Ragusa <bugzillaredhat-56f0>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 16
CC: dennis, eparis, gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda
Hardware: i686   
OS: Linux   
Last Closed: 2012-09-04 15:10:31 UTC

Description Roberto Ragusa 2012-01-07 21:10:50 UTC
1. Boot the F16 DVD on a brand new machine, adding reiserfs to the kernel command line and install a minimal system, selecting reiserfs for the / filesystem.
2. Boot your freshly installed system.
3. Try to login. Login is denied: the password is accepted but a message "root - no shell - permission denied" appears for an instant and then the screen goes back to a login prompt.

Tried to add selinux=off to grub. No difference.
Tried to switch selinux off in /etc/sysconfig/selinux. No difference.
Tried to specify user_xattr,acl as mount options for / in /etc/fstab. Next boot got a dracut prompt blaming mounting problems.

This scenario works on F14. (I don't know about 15)

Comment 1 Roberto Ragusa 2012-01-07 21:40:30 UTC
Discovered that selinux=0 actually makes logging in possible.
Modified /etc/default/grub, ran grub2-mkconfig -o /boot/grub/grub.cfg and the system now lets me login.

Comment 2 Bill Nottingham 2012-01-09 21:53:40 UTC
Moving to kernel, as the intersection of selinux & reiserfs likely lies there.

Comment 3 Josh Boyer 2012-01-09 22:10:57 UTC
Eric, is this something that should be sent upstream?

Comment 4 Eric Paris 2012-01-09 22:51:16 UTC
Not sure.  Roberto, can you add enforcing=0 selinux=1 and try to login?  Hopefully it will work and you will be able to attach the selinux denials (most likely /var/log/audit/audit.log) and the output of dmesg so we can get a better idea what is wrong?

Comment 5 Roberto Ragusa 2012-01-10 22:01:31 UTC
This is the failed login, it looks like /bin/bash was denied execution:

type=USER_AUTH msg=audit(1325968839.075:25): user pid=717 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:authentication acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_ACCT msg=audit(1325968839.083:26): user pid=717 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:accounting acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=LOGIN msg=audit(1325968839.084:27): login pid=717 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=1
type=USER_ROLE_CHANGE msg=audit(1325968839.333:28): user pid=717 uid=0 auid=0 ses=1 subj=system_u:system_r:kernel_t:s0 msg='pam: default-context=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 selected-context=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023: exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_START msg=audit(1325968839.353:29): user pid=717 uid=0 auid=0 ses=1 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:session_open acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=CRED_ACQ msg=audit(1325968839.354:30): user pid=717 uid=0 auid=0 ses=1 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:setcred acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_LOGIN msg=audit(1325968839.354:31): user pid=717 uid=0 auid=0 ses=1 subj=system_u:system_r:kernel_t:s0 msg='op=login id=0 exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=AVC msg=audit(1325968839.355:32): avc:  denied  { entrypoint } for  pid=772 comm="login" path="/bin/bash" dev=sda4 ino=4738 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1325968839.355:32): arch=40000003 syscall=11 success=no exit=-13 a0=915c350 a1=bf9b7f0c a2=916a210 a3=916a210 items=0 ppid=717 pid=772 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="login" exe="/bin/login" subj=system_u:system_r:kernel_t:s0 key=(null)
type=CRED_DISP msg=audit(1325968839.357:33): user pid=717 uid=0 auid=0 ses=1 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:setcred acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_END msg=audit(1325968839.357:34): user pid=717 uid=0 auid=0 ses=1 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:session_close acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=SERVICE_STOP msg=audit(1325968839.402:35): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg=': comm="getty@tty1" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1325968839.430:36): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg=': comm="getty@tty1" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'

This is instead a complete boot with a successful login (enforcing=0) on tty1 followed by another login on tty2:

type=DAEMON_START msg=audit(1326231482.408:1629): auditd start, ver=2.1.3 format=raw kernel=3.1.6-1.fc16.i686 auid=4294967295 pid=627 res=success
type=SERVICE_START msg=audit(1326231482.649:3): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="sshd-keygen" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1326231482.651:4): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="sshd" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=NETFILTER_CFG msg=audit(1326231482.853:5): table=filter family=2 entries=4
type=SYSCALL msg=audit(1326231482.853:5): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfefc860 a2=7f9868 a3=88d6170 items=0 ppid=625 pid=685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables-restor" exe="/sbin/xtables-multi" key=(null)
type=SERVICE_START msg=audit(1326231482.917:6): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="iptables" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=NETFILTER_CFG msg=audit(1326231482.932:7): table=filter family=10 entries=0
type=SYSCALL msg=audit(1326231482.932:7): arch=40000003 syscall=128 success=yes exit=0 a0=8b06898 a1=1090 a2=8b06820 a3=0 items=0 ppid=698 pid=700 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe" key=(null)
type=SERVICE_START msg=audit(1326231482.956:8): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="sendmail" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=NETFILTER_CFG msg=audit(1326231482.939:9): table=filter family=10 entries=4
type=SYSCALL msg=audit(1326231482.939:9): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bffe9ef0 a2=471bec a3=903f170 items=0 ppid=624 pid=691 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip6tables-resto" exe="/sbin/xtables-multi" key=(null)
type=SERVICE_START msg=audit(1326231482.987:10): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="netfs" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1326231483.013:11): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="ip6tables" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1326231483.016:12): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="systemd-user-sessions" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1326231483.018:13): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="getty@tty1" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SYSTEM_BOOT msg=audit(1326231483.050:14): user pid=713 uid=0 auid=4294967295 ses=4294967295 msg='init: exe="/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success'
type=SYSTEM_RUNLEVEL msg=audit(1326231483.061:15): user pid=713 uid=0 auid=4294967295 ses=4294967295 msg='old-level=N new-level=3: exe="/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1326231483.066:16): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="systemd-update-utmp-runlevel" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1326231483.066:17): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="systemd-update-utmp-runlevel" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1326231483.120:18): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="sm-client" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1326231493.004:19): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="systemd-readahead-done" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1326231493.004:20): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="systemd-readahead-done" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=USER_AUTH msg=audit(1326231495.723:21): user pid=717 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_ACCT msg=audit(1326231495.723:22): user pid=717 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=LOGIN msg=audit(1326231495.724:23): login pid=717 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=1
type=USER_START msg=audit(1326231495.741:24): user pid=717 uid=0 auid=0 ses=1 msg='op=PAM:session_open acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=CRED_ACQ msg=audit(1326231495.742:25): user pid=717 uid=0 auid=0 ses=1 msg='op=PAM:setcred acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_LOGIN msg=audit(1326231495.742:26): user pid=717 uid=0 auid=0 ses=1 msg='op=login id=0 exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=SERVICE_START msg=audit(1326231983.551:27): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg=': comm="getty@tty2" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=USER_AUTH msg=audit(1326231986.670:28): user pid=749 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/bin/login" hostname=? addr=? terminal=tty2 res=success'
type=USER_ACCT msg=audit(1326231986.671:29): user pid=749 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root" exe="/bin/login" hostname=? addr=? terminal=tty2 res=success'
type=LOGIN msg=audit(1326231986.671:30): login pid=749 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=2
type=USER_START msg=audit(1326231986.687:31): user pid=749 uid=0 auid=0 ses=2 msg='op=PAM:session_open acct="root" exe="/bin/login" hostname=? addr=? terminal=tty2 res=success'
type=CRED_ACQ msg=audit(1326231986.687:32): user pid=749 uid=0 auid=0 ses=2 msg='op=PAM:setcred acct="root" exe="/bin/login" hostname=? addr=? terminal=tty2 res=success'
type=USER_LOGIN msg=audit(1326231986.688:33): user pid=749 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/bin/login" hostname=? addr=? terminal=tty2 res=success'
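
Added example (not part of the bug report or of any comment): a small Python parser that groups audit records by event serial and pairs each AVC denial with the SYSCALL record of the same event, run over three records copied from the failed-login log in comment 5 with the wrapped line rejoined. The function and key names (`denials`, `source_type`, `target_type`) are this example's own.

```python
import re
from collections import defaultdict

# Records copied from the failed-login log in comment 5; the AVC and SYSCALL
# records share event serial 32, the USER_LOGIN record is a different event.
SAMPLE = '''\
type=USER_LOGIN msg=audit(1325968839.354:31): user pid=717 uid=0 auid=0 ses=1 subj=system_u:system_r:kernel_t:s0 msg='op=login id=0 exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=AVC msg=audit(1325968839.355:32): avc:  denied  { entrypoint } for  pid=772 comm="login" path="/bin/bash" dev=sda4 ino=4738 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1325968839.355:32): arch=40000003 syscall=11 success=no exit=-13 a0=915c350 a1=bf9b7f0c a2=916a210 a3=916a210 items=0 ppid=717 pid=772 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="login" exe="/bin/login" subj=system_u:system_r:kernel_t:s0 key=(null)
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]*)\} for\s+(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(text):
    """Turn 'k=v k2="v 2"' into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(text)}

def selinux_type(context):
    """user:role:type:level -> type"""
    return context.split(':')[2]

def denials(log):
    """Return one dict per denied AVC, joined with its SYSCALL record."""
    events = defaultdict(dict)  # serial -> {record type: record body}
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            rtype, _ts, serial, body = m.groups()
            events[serial][rtype] = body
    out = []
    for serial, recs in events.items():
        m = AVC.search(recs.get('AVC', ''))
        if not m or m.group(1) != 'denied':
            continue
        avc, sc = fields(m.group(3)), fields(recs.get('SYSCALL', ''))
        out.append({
            'serial': int(serial), 'perms': m.group(2).split(),
            'path': avc.get('path'), 'tclass': avc.get('tclass'),
            'source_type': selinux_type(avc['scontext']),
            'target_type': selinux_type(avc['tcontext']),
            # on arch=40000003 (i386) syscall 11 is execve; exit -13 is EACCES
            'syscall': sc.get('syscall'), 'exit': sc.get('exit'),
        })
    return out

if __name__ == '__main__':
    for d in denials(SAMPLE):
        print(d)
```

On these records it reports a single denial: `entrypoint` on `/bin/bash`, source type `abrt_helper_t`, target type `nfs_t`, from syscall 11 returning -13.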

Comment 6 Dave Jones 2012-03-22 16:45:11 UTC
[mass update]
kernel-3.3.0-4.fc16 has been pushed to the Fedora 16 stable repository.
Please retest with this update.

Comment 7 Dave Jones 2012-03-22 16:49:31 UTC
[mass update]
kernel-3.3.0-4.fc16 has been pushed to the Fedora 16 stable repository.
Please retest with this update.

Comment 8 Dave Jones 2012-03-22 16:59:04 UTC
[mass update]
kernel-3.3.0-4.fc16 has been pushed to the Fedora 16 stable repository.
Please retest with this update.