Bug 1118192 - can not login with selinux enabled - files are installed with incorrect selinux context
Status: CLOSED DUPLICATE of bug 1116450
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2014-07-10 07:46 UTC by Marian Csontos
Modified: 2014-07-10 20:51 UTC (History)

Doc Type: Bug Fix
Last Closed: 2014-07-10 20:51:40 UTC



Description Marian Csontos 2014-07-10 07:46:57 UTC
Description of problem:

After a minimal installation of Rawhide (2014-07-08) I cannot log in to the machine while SELinux is enabled/enforcing - login cannot start the shell:

time->Thu Jul 10 02:12:19 2014
type=PROCTITLE msg=audit(1404972739.558:337): proctitle=6C6F67696E202D2D20726F6F74
type=SYSCALL msg=audit(1404972739.558:337): arch=c000003e syscall=59 success=no exit=-13 a0=1c7ac46 a1=7fffbd7d0558 a2=1c83520 a3=5a7 items=0 ppid=455 pid=848 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="login" exe="/usr/bin/login" subj=system_u:system_r:kernel_t:s0 key=(null)
type=AVC msg=audit(1404972739.558:337): avc:  denied  { transition } for  pid=848 comm="login" path="/usr/bin/bash" dev="dm-0" ino=5330 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0

After booting with selinux=0, I got the above AVC message.
I rebooted without selinux=0, relabelling was performed, the machine rebooted itself(?) and now I can log in. Not sure if this is an anaconda, yum or SELinux problem.

On the second installation I ran `restorecon -nvR /` in a chroot and it tried to relabel 23000+ files. So I booted in permissive mode, and these are some of the labels in the FS:

dr-xr-x---. root root system_u:object_r:admin_home_t:s0 /root
drwxr-xr-x. root root system_u:object_r:root_t:s0      /usr
dr-xr-xr-x. root root system_u:object_r:root_t:s0      /usr/bin
-rwxr-xr-x. root root system_u:object_r:etc_runtime_t:s0 /usr/bin/bash

The majority of files are labelled as `system_u:object_r:etc_runtime_t:s0`, a lot of them having `system_u:object_r:root_t:s0` and other labels.

It is possible some of the transitions are wrong, but when installing packages they got labelled correctly, so I assume the issue is in anaconda.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-63.fc21.noarch
selinux-policy-3.13.1-63.fc21.noarch
anaconda-21.46-1

How reproducible:
100% (2/2)
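
An added example, not part of the original report and not code from anaconda or selinux-policy: a small Python reader for the audit event quoted in the description. It decodes the hex-encoded proctitle, maps exit=-13 to its errno name, and pulls the source and target types out of the AVC record. The function names and the one-entry syscall table are assumptions of this example.

```python
import errno
import re

# Audit event 337 from the report; the SYSCALL record is abridged to the fields used here.
EVENT = '''\
type=PROCTITLE msg=audit(1404972739.558:337): proctitle=6C6F67696E202D2D20726F6F74
type=SYSCALL msg=audit(1404972739.558:337): arch=c000003e syscall=59 success=no exit=-13 comm="login" exe="/usr/bin/login" subj=system_u:system_r:kernel_t:s0
type=AVC msg=audit(1404972739.558:337): avc:  denied  { transition } for  pid=848 comm="login" path="/usr/bin/bash" dev="dm-0" ino=5330 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
'''

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
X86_64_SYSCALLS = {59: "execve"}  # only the number that occurs in this event


def parse_event(text):
    """Group records by audit serial number; return {serial: {type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, _timestamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        perms = re.search(r'\{ ([^}]*)\}', body)
        if perms:  # only AVC records carry a { permission } list
            fields["perms"] = perms.group(1).split()
        events.setdefault(int(serial), {})[rtype] = fields
    return events


def summarize(records):
    """Turn one denied event into the facts a triager reads off it."""
    sc, avc = records["SYSCALL"], records["AVC"]
    # proctitle is logged as hex when it contains spaces or NUL separators
    title = bytes.fromhex(records["PROCTITLE"]["proctitle"]).replace(b"\0", b" ")
    return {
        "proctitle": title.decode(),
        "syscall": X86_64_SYSCALLS.get(int(sc["syscall"]), sc["syscall"]),
        "errno": errno.errorcode[-int(sc["exit"])],
        "perms": avc["perms"],
        "target": avc["path"],
        "source_type": avc["scontext"].split(":")[2],
        "target_type": avc["tcontext"].split(":")[2],
        "enforced": avc["permissive"] == "0",
    }
```

For the event above, `summarize(parse_event(EVENT)[337])` reports that `login -- root` got EACCES from execve of /usr/bin/bash, with the process transition from kernel_t to unconfined_t denied in enforcing mode.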

Comment 1 David Shea 2014-07-10 14:10:20 UTC
Anaconda does not contain any selinux policy rules.

Comment 2 David Shea 2014-07-10 20:51:40 UTC

*** This bug has been marked as a duplicate of bug 1116450 ***

