Bug 885479

Summary: prevent login if installed
Product: [Fedora] Fedora
Reporter: Michael S. <misc>
Component: pam_openshift
Assignee: Troy Dawson <tdawson>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: 18
CC: admiller, dtrainor, tdawson, tstclair
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2013-03-11 22:21:43 UTC
Type: Bug

Description Michael S. 2012-12-09 17:48:06 UTC
While reviewing pam_openshift, I installed it and forgot. After a reboot, I was no longer able to log on to my laptop as a simple user.

The error message was:
"Cannot make/remove an entry for the specified session", which turns out to be a quite generic PAM error message about the session.

Comment 1 Troy Dawson 2012-12-10 19:22:56 UTC
Just to clarify, what do you consider the problem?
That you can't log in as a normal user when this is installed?
Or that the error message isn't clear?
Or both?

What is the expected result when adding pam_openshift?

Comment 2 Michael S. 2012-12-10 21:05:15 UTC
Both. In fact, I was rather surprised not to be able to log in after installing the package for testing purposes. And I was surprised after the reboot.

In fact, I am quite surprised since no config has been modified.

I could log in as root, so I wonder if it doesn't interfere with pam_namespace:

Dec 10 20:03:52 liliana gdm-password][1875]: pam_namespace(gdm-password:session): Unknown user liveuser in configuration
Dec 10 20:03:52 liliana gdm-password][1875]: pam_namespace(gdm-password:session): Unknown user liveuser in configuration
Dec 10 20:03:52 liliana gdm-password][1875]: pam_namespace(gdm-password:session): Unable to unshare from parent namespace, Opération non permise
Dec 10 20:03:52 liliana gdm-password][1875]: pam_unix(gdm-password:session): session opened for user misc by (unknown)(uid=0)
Dec 10 20:04:03 liliana login: pam_namespace(login:session): Unknown user liveuser in configuration
Dec 10 20:04:03 liliana login: pam_namespace(login:session): Unknown user liveuser in configuration
Dec 10 20:04:03 liliana login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)

Once removed, I do not see such an error.

Comment 3 Michael S. 2013-02-01 10:36:43 UTC
Yesterday, I got a panicked call from our marketing intern who was unable to log in. Upon closer inspection, he wanted to see what openshift, jboss etc. was all about and installed it on his Fedora laptop. It turned out that pam_openshift was preventing his login.

While I understand the need to have something secure out of the box, I think there is still room for improvement.

So I looked at the default configuration, and the mention of "liveuser" is a first problem. So I removed it.

Then the issue is now:

févr. 01 11:30:21 liliana login[9194]: pam_namespace(login:session): Failed to mark / as a slave mount point, Permission denied

with an SELinux error.

Adding myself to the list:
/var/tmp    $HOME/.tmp/   user:iscript=/usr/sbin/oo-namespace-init root,adm,apache,gdm,misc

makes me log in again.

So does pam_openshift require an updated SELinux policy? Using setenforce 0 solves my issue, so I think the problem is that login and others are not able to do the needed mount.

Comment 4 Michael S. 2013-02-01 15:10:41 UTC
OK, so the issue is that SELinux requires enabling the boolean polyinstantiation_enabled
(but my SELinux setup seems broken, so I didn't test).

Could we fail more gracefully?

Either we enable the boolean on installation, or pam_openshift should be disabled by default.

Comment 5 Troy Dawson 2013-02-01 16:41:42 UTC
I haven't run into this problem despite making several machines. Can you please give more details?

OS (F17, F18, ?)
pam_openshift version
selinux policy versions

Did you create these users before or after adding pam_openshift?

Comment 6 Michael S. 2013-02-01 17:13:53 UTC
That's on F18 (both update and fresh install), with SELinux enabled, on a regular laptop.

I created some code to fix this:
https://github.com/openshift/origin-server/pull/1275

By default, polyinstantiation_enabled is off. So if someone just installs pam_openshift (not running anything else), tty login does not work.
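The two lockout conditions raised in comments 2 through 6 (a user list in the pam_namespace entry naming an account that does not exist, and SELinux enforcing with polyinstantiation_enabled off) can be checked before a reboot. The script below is an added example, not code from this bug report or from the pam_openshift package; it assumes the namespace entry lives in a namespace.conf-style file and that PASSWD_FILE may be pointed at a sample for offline runs.

```sh
#!/bin/sh
# Added example; not code from the bug report or from the pam_openshift package.
# Pre-flight check for the lockout this bug describes: pam_openshift ships a
# pam_namespace entry for /var/tmp whose user list named "liveuser", and
# pam_namespace logs "Unknown user ... in configuration" for names it cannot
# resolve; with SELinux enforcing, the per-user mount also needs the
# polyinstantiation_enabled boolean. Assumption: PASSWD_FILE may be a sample.

PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# user_exists NAME: 0 when NAME has an entry in PASSWD_FILE.
user_exists() { grep -q "^$1:" "$PASSWD_FILE"; }

# unknown_users_in CONF: print each user from the namespace.conf user lists
# (field 4; a leading '~' marks an exclusion list) that has no passwd entry.
# Returns 0 when every listed user resolves, 1 otherwise.
unknown_users_in() {
    out=$(sed -e 's/#.*//' "$1" | while read -r polydir prefix method users; do
        [ -n "$polydir" ] && [ -n "$users" ] || continue   # empty list = all users
        IFS=','
        for u in ${users#"~"}; do user_exists "$u" || printf '%s\n' "$u"; done
        unset IFS
    done)
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# polyinstantiation_ok ENFORCE BOOL: fails only for Enforcing plus boolean "off",
# the combination behind "Failed to mark / as a slave mount point".
polyinstantiation_ok() { [ "$1" != "Enforcing" ] || [ "$2" = "on" ]; }

# write_samples DIR: constructed passwd and namespace.conf used for the demo.
write_samples() {
    cat >"$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
adm:x:3:4:adm:/var/adm:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
EOF
    cat >"$1/namespace.conf" <<'EOF'
# shape of the entry quoted in the report, with the unresolvable "liveuser"
/var/tmp    $HOME/.tmp/   user:iscript=/usr/sbin/oo-namespace-init root,adm,apache,gdm,liveuser
EOF
}
tmp=$(mktemp -d) && write_samples "$tmp" && PASSWD_FILE="$tmp/passwd"
unknown_users_in "$tmp/namespace.conf" || echo "^ pam_namespace will log 'Unknown user' for these"
# live system: polyinstantiation_ok "$(getenforce)" "$(getsebool polyinstantiation_enabled | awk '{print $NF}')"
polyinstantiation_ok Enforcing off || echo "Enforcing + boolean off: setsebool -P polyinstantiation_enabled on"
rm -rf "$tmp"
```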

Comment 7 Troy Dawson 2013-02-01 23:05:30 UTC
Fix has been merged into upstream code.  I'll work on getting it into Fedora for a fix.

Comment 8 Timothy St. Clair 2013-02-24 15:36:47 UTC
I hit this on an indirect update, and it locked me out.

'yum remove pam_openshift' and I was running again.

Comment 9 Troy Dawson 2013-03-01 21:00:31 UTC
This should be fixed in version 1.3.2 which is out now.
http://koji.fedoraproject.org/koji/buildinfo?buildID=396045
Can someone verify that this is fixed so we can close this bug?

Comment 10 Troy Dawson 2013-03-11 22:21:43 UTC
I have verified that pam_openshift does not upset our machine just by installing.  I am closing this bug as fixed.