Bug 1008577 - login: pam_selinux(login:session): Unable to get valid context for root
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: pam
Version: rawhide
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-09-16 16:00 UTC by Dominick Grift
Modified: 2013-09-30 00:49 UTC (History)

Fixed In Version: libselinux-2.1.13-19.fc20
Doc Type: Bug Fix
Last Closed: 2013-09-20 11:13:24 UTC
Type: Bug

Description Dominick Grift 2013-09-16 16:00:14 UTC
Description of problem:

The login program is not able to determine a valid context, probably due to misuse of libselinux functions (but do not shoot me if it isn't).

Sep 16 17:54:38 localhost login: pam_selinux(login:session): Open Session
Sep 16 17:54:38 localhost login: pam_selinux(login:session): Open Session
Sep 16 17:54:38 localhost login: pam_selinux(login:session): Username= root SELinux User= base_u Level= (null)
Sep 16 17:54:38 localhost login: pam_selinux(login:session): Unable to get valid context for root
Sep 16 17:54:38 localhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Sep 16 17:54:38 localhost login: ROOT LOGIN ON tty1

Version-Release number of selected component (if applicable):
util-linux-2.23.2-2.fc19.x86_64

How reproducible:
load a custom policy that uses custom identifiers

Comment 1 Daniel Walsh 2013-09-16 19:11:33 UTC
Dominick, what is the label of the login program? This usually means that the app cannot figure out the proper login shell for the user.

Comment 2 Daniel Walsh 2013-09-16 19:15:19 UTC
You need to make sure your policy, context files are written properly for the selinux login programs to work.

getdefaultcon and getconlist should help.

Comment 3 Dominick Grift 2013-09-16 19:15:54 UTC
base_u:base_r:base_t

And there is a /etc/selinux/dummy/contexts/users/base_u file

with:

base_r:base_t base_r:base_t

There is also a seuser: base_u, and root is mapped to it

The exact same configuration works fine on Debian
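
An offline check of the per-user contexts file quoted in comment 3, added here as an example (it is not code from pam, libselinux or anyone in this thread). It assumes non-MLS `user:role:type` contexts as on this page and looks only at the `contexts/users/<seuser>` file; the library lookup also validates candidates against the loaded policy. `other_t` is a hypothetical type used for the negative case.

```python
# Added example (not from pam, libselinux or the bug thread).
# Simplified: inspects only the contexts/users/<seuser> file, non-MLS contexts.

# Constructed sample: the file content quoted in comment 3.
BASE_U_FILE = "base_r:base_t base_r:base_t\n"


def parse_user_contexts(text):
    """Return {login_process role:type: [user role:type, ...]} in file order."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue  # blank line
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: {fields[0]!r} lists no user context")
        for field in fields:
            parts = field.split(":")
            if len(parts) < 2 or not all(parts):
                raise ValueError(f"line {lineno}: malformed entry {field!r}")
        # First field is the login process; the rest are ordered candidates.
        table.setdefault(fields[0], []).extend(fields[1:])
    return table


def candidate_contexts(seuser, login_context, text):
    """Contexts this file offers to a login program running as login_context."""
    parts = login_context.split(":")
    if len(parts) < 3:
        raise ValueError(f"expected user:role:type, got {login_context!r}")
    key = f"{parts[1]}:{parts[2]}"  # the file is keyed on role:type only
    return [f"{seuser}:{entry}" for entry in parse_user_contexts(text).get(key, [])]


if __name__ == "__main__":
    # other_t is a hypothetical type, used to show a login program with no entry.
    for ctx in ("base_u:base_r:base_t", "base_u:base_r:other_t"):
        found = candidate_contexts("base_u", ctx, BASE_U_FILE)
        print(ctx, "->", found or "no entry in this file")
```
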

Comment 4 Dominick Grift 2013-09-16 19:17:43 UTC
(In reply to Daniel Walsh from comment #2)
> You need to make sure your policy, context files are written properly for
> the selinux login programs to work.
> 
> getdefaultcon and getconlist should help.

I know that, and I wouldn't make an issue out of it if I wasn't pretty confident that this is a case of misuse of libselinux functions

You see, the exact same configuration works fine on Debian

Comment 5 Dominick Grift 2013-09-16 19:18:56 UTC
With that said, I am still only human, but I triple-checked everything and I think my config is fine, and if you want you can come have a look yourself

Comment 6 Daniel Walsh 2013-09-16 19:31:45 UTC
What does

selinuxdefcon dgrift base_u:base_r:base_t

say?

Comment 7 Daniel Walsh 2013-09-16 19:32:56 UTC
If this is a bug it is in pam_selinux

Comment 8 Dominick Grift 2013-09-17 11:52:16 UTC
This was fixed in:

libselinux-2.1.13-19.fc20.x86_64
libselinux-utils-2.1.13-19.fc20.x86_64
libselinux-python-2.1.13-19.fc20.x86_64

Although you might want to get rid of the verbose output:

Security Context base_u:base_r:base_t Assigned
Key Creation Context base_u:base_r:base_t Assigned

Comment 9 Dominick Grift 2013-09-17 12:00:44 UTC
(In reply to Dominick Grift from comment #8)

> Although you might want to get rid of the verbose output:
> 
> Security Context base_u:base_r:base_t Assigned
> Key Creation Context base_u:base_r:base_t Assigned

Forget the above; my pam_selinux was still configured with verbose debug

Comment 10 Dominick Grift 2013-09-20 11:13:24 UTC
I will mark this as fixed, as libselinux-2.1.13-19.fc20.x86_64 fixed it

Comment 11 Fedora Update System 2013-09-23 13:57:23 UTC
libselinux-2.1.13-19.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/libselinux-2.1.13-19.fc20

Comment 12 Fedora Update System 2013-09-30 00:49:49 UTC
libselinux-2.1.13-19.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

