202721 – can't log in on console.

Bug 202721 - can't log in on console.

Summary: can't log in on console.

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-08-15 23:16 UTC by Dave Jones
Modified:	2015-01-04 22:28 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-09-18 19:13:17 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Dave Jones 2006-08-15 23:16:10 UTC

trying to log in on the console gets me a flash of AVC msgs, and then an instant
respawn of the getty.  Logging in in gdm works fine.
There's a bunch of other unrelated AVCs during boot too. all below.
This was after I did a fixfiles relabel and reboot.

audit(1155683967.998:5): avc:  denied  { audit_write } for  pid=443
comm="hwclock" capability=29 scontext=system_u:system_r:hwclock_t:s0
tcontext=system_u:system_r:hwclock_t:s0 tclass=capability
audit(1155683973.038:6): avc:  denied  { getattr } for  pid=1708
comm="pam_console_app" name="adsp1" dev=tmpfs ino=7318
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1155683976.614:7): avc:  denied  { getattr } for  pid=2055
comm="pam_console_app" name="adsp1" dev=tmpfs ino=7318
scontext=system_u:system_r:pam_console_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1155683982.282:13): avc:  denied  { sys_resource } for  pid=2550
comm="mcstransd" capability=24 scontext=system_u:system_r:setrans_t:s0
tcontext=system_u:system_r:setrans_t:s0 tclass=capability
audit(1155683982.290:14): avc:  denied  { setcap } for  pid=2550
comm="mcstransd" scontext=system_u:system_r:setrans_t:s0
tcontext=system_u:system_r:setrans_t:s0 tclass=process
audit(1155684001.078:15): avc:  denied  { search } for  pid=2737 comm="ntpd"
name="net" dev=proc ino=4026531864 scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1155684032.301:20): avc:  denied  { getattr } for  pid=3053
comm="pam_console_app" name="adsp1" dev=tmpfs ino=7318
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1155684049.349:28): avc:  denied  { write } for  pid=3145 comm="bluez-pin"
name="[13413]" dev=pipefs ino=13413
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fifo_file
audit(1155684049.349:28): avc:  denied  { write } for  pid=3145 comm="bluez-pin"
name="[13413]" dev=pipefs ino=13413
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fifo_file
audit(1155684049.905:29): avc:  denied  { read } for  pid=3145 comm="bluez-pin"
name=".gdmLN19DT" dev=dm-0 ino=17432580
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file

/var/log/messages also had this:

Aug 14 03:40:43 nwo kernel: audit(1155541243.281:26): user pid=2857 uid=0
auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c255 msg='PAM: bad_ident
acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=pts/0 res=failed)'
Aug 15 19:10:29 nwo kernel: audit(1155683428.952:26): user pid=2839 uid=0
auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c255 msg='PAM: bad_ident
acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=pts/0 res=failed)'
Aug 15 19:10:47 nwo kernel: audit(1155683446.987:31): user pid=2828 uid=0
auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c255 msg='PAM: session
open acct=davej : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=failed)'
Aug 15 19:20:12 nwo kernel: audit(1155684012.617:16): user pid=2974 uid=0
auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c255 msg='PAM: bad_ident
acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=console
res=failed)'
Aug 15 19:20:32 nwo kernel: audit(1155684032.397:21): user pid=2907 uid=0
auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c255 msg='PAM: session
open acct=davej : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=failed)'
Aug 15 19:23:29 nwo kernel: audit(1155684209.070:33): user pid=3054 uid=0
auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c255 msg='PAM: session
open acct=davej : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=failed)'

Comment 1 Daniel Walsh 2006-08-18 10:49:48 UTC

All of these look like they are fixes in the latest policy.  Which version of
policy are you running?

Comment 2 Dave Jones 2006-08-25 11:13:01 UTC

I did a fresh reinstall of test2, and its now running
selinux-policy-targeted-2.3.7-1
It lets me log in now, but I see a splurge of AVCs on each login..

audit(1155860785.709:4): avc:  denied  { getattr } for  pid=1713
comm="pam_console_app" name="adsp1" dev=tmpfs ino=7173
scontext=system_u:system_r:pam_consol
e_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1155860788.985:5): avc:  denied  { getattr } for  pid=1940
comm="pam_console_app" name="adsp1" dev=tmpfs ino=7173
scontext=system_u:system_r:pam_consol
e_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

Given I'm currently 3000 miles away from that box which hosts my email, I'm
reluctant to update it remotely right now.
I'll update and take a look again when I get back from vacation.

Comment 3 Daniel Walsh 2006-08-25 13:57:10 UTC

This looks like a bug in policy.

You can fix this by executing

semanage fcontext -a  -f-c -t sound_device_t "/dev/adsp.*"

I will update the next policy with this fix.

Comment 4 Daniel Walsh 2006-09-18 19:13:17 UTC

Fixed in selinux-policy-2.3.14-3

Note You need to log in before you can comment on or make changes to this bug.