Bug 787838

Summary: no login for liveuser
Product: [Fedora] Fedora
Reporter: nucleo <alekcejk>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: bruno, dominick.grift, dwalsh, kevin, maxamillion, mgrepl, vanmeeuwen+fedora
Doc Type: Bug Fix
Last Closed: 2012-02-09 22:52:34 UTC
Attachments:
/var/log/messages
/var/log/audit/audit.log

Description nucleo 2012-02-06 21:56:27 UTC
Description of problem:
liveuser can't log in on the LiveCD.
There is "liveuser:!!:15376:0:99999:7:::" in /etc/shadow.
For root there is no "!!" in "root::15376:0:99999:7:::", so root login is possible, but for liveuser it asks for a password.

Comment 1 nucleo 2012-02-06 22:10:57 UTC
Running "passwd -d liveuser" as root makes liveuser login work.

Comment 2 Kevin Fenzi 2012-02-09 21:15:07 UTC
If you leave the login at the gdm screen, does the timed login work and log you in?

If you boot with 'enforcing=0', does it let you log in?

Comment 3 nucleo 2012-02-09 21:55:40 UTC
I can't tell anything about gdm because the -desktop CD does not start, so I tested only the KDE live image.
Adding 'enforcing=0' makes liveuser login work both in kdm and in the console.
If 'enforcing=0' is added, then there is no "!!" in "liveuser::15379:0:99999:7:::" in /etc/shadow.
If 'enforcing=0' is omitted, then "!!" appears in "liveuser:!!:15379:0:99999:7:::" and no login is possible.

Comment 4 Kevin Fenzi 2012-02-09 22:11:25 UTC
Moving over to selinux policy. 

Is something preventing root from doing 'passwd -d liveuser'?

Can you check for any avcs in the case where it doesn't work and attach them?

Comment 5 nucleo 2012-02-09 22:27:58 UTC
Created attachment 560723
/var/log/messages

Comment 6 nucleo 2012-02-09 22:29:58 UTC
Created attachment 560724
/var/log/audit/audit.log

There are a lot of avc messages but I don't know which are related to "passwd -d liveuser".
When I run "passwd -d liveuser" it just removes the password as it should.

Comment 7 Kevin Fenzi 2012-02-09 22:33:43 UTC
These look likely: 

type=AVC msg=audit(1328833300.266:52): avc:  denied  { create } for  pid=535 comm="passwd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_selinux_socket
type=AVC msg=audit(1328833300.281:53): avc:  denied  { bind } for  pid=535 comm="passwd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_selinux_socket
type=AVC msg=audit(1328833300.304:54): avc:  denied  { compute_av } for  pid=535 comm="passwd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=USER_AVC msg=audit(1328833300.314:55): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='avc:  denied  { passwd } for  scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=passwd : exe="/usr/bin/passwd" sauid=0 hostname=? addr=? terminal=?'
type=USER_CHAUTHTOK msg=audit(1328833300.328:56): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=change password id=1000 exe="/usr/bin/passwd" hostname=? addr=? terminal=? res=failed
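
Added example (not part of the original bug thread): one way to pick out the denials that belong to a single command, which is the step Comment 6 could not do by eye. It handles both record shapes seen above: kernel AVC records name the process in comm=, while the USER_AVC record has no comm= and only carries exe=. The function names and the first sample line are assumptions constructed for illustration.

```python
import re

# Records copied from Comment 7; the first line is a constructed, unrelated
# denial added so the filter has something to reject.
SAMPLE = r"""type=AVC msg=audit(1328833299.100:40): avc:  denied  { read } for  pid=501 comm="example" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1328833300.266:52): avc:  denied  { create } for  pid=535 comm="passwd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_selinux_socket
type=AVC msg=audit(1328833300.281:53): avc:  denied  { bind } for  pid=535 comm="passwd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_selinux_socket
type=AVC msg=audit(1328833300.304:54): avc:  denied  { compute_av } for  pid=535 comm="passwd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=USER_AVC msg=audit(1328833300.314:55): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='avc:  denied  { passwd } for  scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=passwd : exe="/usr/bin/passwd" sauid=0 hostname=? addr=? terminal=?'
type=USER_CHAUTHTOK msg=audit(1328833300.328:56): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=change password id=1000 exe="/usr/bin/passwd" hostname=? addr=? terminal=? res=failed
"""

DENIAL = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Return a dict of fields for one denial record, or None for other records."""
    m = DENIAL.search(line)
    if not m:
        return None
    # Strip the quoting audit puts around values such as comm= and exe=.
    fields = {k: v.strip("\"'") for k, v in FIELD.findall(line)}
    fields["perms"] = m.group(1).split()
    return fields


def denials_for(command, log_text):
    """List (type, perms, tclass, scontext) for denials attributable to command."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        # Kernel AVCs carry comm=; userspace USER_AVC records only carry exe=.
        exe_name = rec.get("exe", "").rsplit("/", 1)[-1]
        if rec.get("comm") == command or exe_name == command:
            hits.append((rec["type"], rec["perms"], rec["tclass"], rec["scontext"]))
    return hits


if __name__ == "__main__":
    for hit in denials_for("passwd", SAMPLE):
        print(hit)
```

Filtering on comm= alone would miss the USER_AVC record for the passwd class, which is the denial emitted by /usr/bin/passwd itself.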

Comment 8 Daniel Walsh 2012-02-09 22:52:34 UTC
We need to remove the unconfined_permissive patch before we go to alpha, which is what I believe is breaking this.

One question I have though is why is this not happening in the post install of the kickstart rather than every boot?

Fixed in selinux-policy-3.10.0-86.fc17