Description of problem: login program not able to determine valid context, probably due to misuse of libselinux functions ( but do not shoot me if it isnt ) Sep 16 17:54:38 localhost login: pam_selinux(login:session): Open Session Sep 16 17:54:38 localhost login: pam_selinux(login:session): Open Session Sep 16 17:54:38 localhost login: pam_selinux(login:session): Username= root SELinux User= base_u Level= (null) Sep 16 17:54:38 localhost login: pam_selinux(login:session): Unable to get valid context for root Sep 16 17:54:38 localhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0) Sep 16 17:54:38 localhost login: ROOT LOGIN ON tty1 Version-Release number of selected component (if applicable): util-linux-2.23.2-2.fc19.x86_64 How reproducible: load a custom policy that uses custom identifiers
Dominick What is the label of the login program? This usually means that the app can not figure out proper login shell for the user.
You need to make sure your policy, context files are written properly for the selinux login programs to work. getdefaultcon and getconlist should help.
base_u:base_r:base_t And there is a /etc/selinux/dummy/contexts/users/base_u file with: base_r:base_t base_r:base_t there is also a seuser: base_u and root it mapped to it The exact same configuration works fine on debian
(In reply to Daniel Walsh from comment #2) > You need to make sure your policy, context files are written properly for > the selinux login programs to work. > > getdefaultcon and getconlist should help. I know that and i wouldnt make an issue out of it if i wasnt pretty confident that this is a case of misuse of libselinux functions You see the exact same configuration works fine on debian
With that said, i am still only human, but i triple checked everything and i think my config is fine and if you want you can come have a look yourself
What does selinuxdefcon dgrift base_u:base_r:base_t Say?
If this is a bug it is in pam_selinux
This was fixed in: libselinux-2.1.13-19.fc20.x86_64 libselinux-utils-2.1.13-19.fc20.x86_64 libselinux-python-2.1.13-19.fc20.x86_64 Although you might want to get rid of the verbose output: Security Context base_u:base_r:base_t Assigned Key Creation Context base_u:base_r:base_t Assigned
(In reply to Dominick Grift from comment #8) > Although you might want to get rid of the verbose output: > > Security Context base_u:base_r:base_t Assigned > Key Creation Context base_u:base_r:base_t Assigned Forget the above my pam_selinux was still configured with verbose debug
I will mark this as fixed, as libselinux-2.1.13-19.fc20.x86_64 fixed it
libselinux-2.1.13-19.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/libselinux-2.1.13-19.fc20
libselinux-2.1.13-19.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.