Bug 1008577 - login: pam_selinux(login:session): Unable to get valid context for root
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: pam
Version: rawhide
Priority: unspecified
Severity: unspecified
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-09-16 12:00 EDT by Dominick Grift
Modified: 2013-09-29 20:49 EDT
Fixed In Version: libselinux-2.1.13-19.fc20
Doc Type: Bug Fix
Last Closed: 2013-09-20 07:13:24 EDT
Type: Bug
Description Dominick Grift 2013-09-16 12:00:14 EDT
Description of problem:

login program not able to determine valid context, probably due to misuse of libselinux functions (but do not shoot me if it isn't)

Sep 16 17:54:38 localhost login: pam_selinux(login:session): Open Session
Sep 16 17:54:38 localhost login: pam_selinux(login:session): Open Session
Sep 16 17:54:38 localhost login: pam_selinux(login:session): Username= root SELinux User= base_u Level= (null)
Sep 16 17:54:38 localhost login: pam_selinux(login:session): Unable to get valid context for root
Sep 16 17:54:38 localhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Sep 16 17:54:38 localhost login: ROOT LOGIN ON tty1

Version-Release number of selected component (if applicable):
util-linux-2.23.2-2.fc19.x86_64

How reproducible:
load a custom policy that uses custom identifiers
Comment 1 Daniel Walsh 2013-09-16 15:11:33 EDT
Dominick, what is the label of the login program? This usually means that the app cannot figure out the proper login shell for the user.
Comment 2 Daniel Walsh 2013-09-16 15:15:19 EDT
You need to make sure your policy, context files are written properly for the selinux login programs to work.

getdefaultcon and getconlist should help.
Comment 3 Dominick Grift 2013-09-16 15:15:54 EDT
base_u:base_r:base_t

And there is a /etc/selinux/dummy/contexts/users/base_u file

with:

base_r:base_t base_r:base_t

There is also a seuser: base_u, and root is mapped to it.

The exact same configuration works fine on Debian.
Comment 4 Dominick Grift 2013-09-16 15:17:43 EDT
(In reply to Daniel Walsh from comment #2)
> You need to make sure your policy, context files are written properly for
> the selinux login programs to work.
> 
> getdefaultcon and getconlist should help.

I know that, and I wouldn't make an issue out of it if I wasn't pretty confident that this is a case of misuse of libselinux functions.

You see, the exact same configuration works fine on Debian.
Comment 5 Dominick Grift 2013-09-16 15:18:56 EDT
With that said, I am still only human, but I triple-checked everything and I think my config is fine, and if you want you can come have a look yourself.
Comment 6 Daniel Walsh 2013-09-16 15:31:45 EDT
What does

selinuxdefcon dgrift base_u:base_r:base_t

say?
Comment 7 Daniel Walsh 2013-09-16 15:32:56 EDT
If this is a bug it is in pam_selinux
Comment 8 Dominick Grift 2013-09-17 07:52:16 EDT
This was fixed in:

libselinux-2.1.13-19.fc20.x86_64
libselinux-utils-2.1.13-19.fc20.x86_64
libselinux-python-2.1.13-19.fc20.x86_64

Although you might want to get rid of the verbose output:

Security Context base_u:base_r:base_t Assigned
Key Creation Context base_u:base_r:base_t Assigned
Comment 9 Dominick Grift 2013-09-17 08:00:44 EDT
(In reply to Dominick Grift from comment #8)

> Although you might want to get rid of the verbose output:
> 
> Security Context base_u:base_r:base_t Assigned
> Key Creation Context base_u:base_r:base_t Assigned

Forget the above; my pam_selinux was still configured with verbose debug.
Comment 10 Dominick Grift 2013-09-20 07:13:24 EDT
I will mark this as fixed, as libselinux-2.1.13-19.fc20.x86_64 fixed it
Comment 11 Fedora Update System 2013-09-23 09:57:23 EDT
libselinux-2.1.13-19.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/libselinux-2.1.13-19.fc20
Comment 12 Fedora Update System 2013-09-29 20:49:49 EDT
libselinux-2.1.13-19.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
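
An added example, not part of the bug report or of any comment above: a small Python parser that pairs each pam_selinux "Unable to get valid context" message with the user mapping logged before it and records whether a session was still opened afterwards. The sample log is constructed from the lines in the description; the `alice` entries and the function name `find_context_failures` are assumptions.

```python
import re

# Constructed sample: the first four lines follow the log in the bug
# description; the "alice" login is invented to show a non-failing session.
SAMPLE_LOG = """\
Sep 16 17:54:38 localhost login: pam_selinux(login:session): Open Session
Sep 16 17:54:38 localhost login: pam_selinux(login:session): Username= root SELinux User= base_u Level= (null)
Sep 16 17:54:38 localhost login: pam_selinux(login:session): Unable to get valid context for root
Sep 16 17:54:38 localhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Sep 16 17:55:02 localhost login: pam_selinux(login:session): Username= alice SELinux User= base_u Level= (null)
Sep 16 17:55:02 localhost login: pam_unix(login:session): session opened for user alice by LOGIN(uid=0)
"""

PAM_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ [^:]+: "
    r"(?P<mod>pam_\w+)\((?P<svc>[^:)]+):session\): (?P<msg>.*)$")
MAPPING = re.compile(r"Username= (\S+) SELinux User= (\S+) Level= (.+)")
FAILURE = re.compile(r"Unable to get valid context for (\S+)")
OPENED = re.compile(r"session opened for user (\S+)")

def find_context_failures(log_text):
    """Return one record per pam_selinux context failure in log_text."""
    mappings, pending, findings = {}, {}, []
    for line in log_text.splitlines():
        m = PAM_LINE.match(line)
        if not m:
            continue
        svc, mod, msg = m["svc"], m["mod"], m["msg"]
        if mod == "pam_selinux" and (hit := MAPPING.search(msg)):
            user, seuser, level = hit.groups()
            mappings[(svc, user)] = (seuser, None if level == "(null)" else level)
        elif mod == "pam_selinux" and (hit := FAILURE.search(msg)):
            key = (svc, hit[1])
            seuser, level = mappings.get(key, (None, None))  # None if not logged
            rec = {"time": m["ts"], "service": svc, "user": hit[1],
                   "seuser": seuser, "level": level, "session_opened": False}
            findings.append(rec)
            pending[key] = rec
        elif mod == "pam_unix" and (hit := OPENED.search(msg)):
            # A pam_unix session after the failure: the login continued anyway.
            rec = pending.pop((svc, hit[1]), None)
            if rec:
                rec["session_opened"] = True
    return findings

if __name__ == "__main__":
    for finding in find_context_failures(SAMPLE_LOG):
        print(finding)
```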
