Bug 202721 - can't log in on console.
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-08-15 19:16 EDT by Dave Jones
Modified: 2015-01-04 17:28 EST
Doc Type: Bug Fix
Last Closed: 2006-09-18 15:13:17 EDT
Description Dave Jones 2006-08-15 19:16:10 EDT
Trying to log in on the console gets me a flash of AVC msgs, and then an instant
respawn of the getty.  Logging in in gdm works fine.
There's a bunch of other unrelated AVCs during boot too, all below.
This was after I did a fixfiles relabel and reboot.

audit(1155683967.998:5): avc:  denied  { audit_write } for  pid=443
comm="hwclock" capability=29 scontext=system_u:system_r:hwclock_t:s0
tcontext=system_u:system_r:hwclock_t:s0 tclass=capability
audit(1155683973.038:6): avc:  denied  { getattr } for  pid=1708
comm="pam_console_app" name="adsp1" dev=tmpfs ino=7318
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1155683976.614:7): avc:  denied  { getattr } for  pid=2055
comm="pam_console_app" name="adsp1" dev=tmpfs ino=7318
scontext=system_u:system_r:pam_console_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1155683982.282:13): avc:  denied  { sys_resource } for  pid=2550
comm="mcstransd" capability=24 scontext=system_u:system_r:setrans_t:s0
tcontext=system_u:system_r:setrans_t:s0 tclass=capability
audit(1155683982.290:14): avc:  denied  { setcap } for  pid=2550
comm="mcstransd" scontext=system_u:system_r:setrans_t:s0
tcontext=system_u:system_r:setrans_t:s0 tclass=process
audit(1155684001.078:15): avc:  denied  { search } for  pid=2737 comm="ntpd"
name="net" dev=proc ino=4026531864 scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1155684032.301:20): avc:  denied  { getattr } for  pid=3053
comm="pam_console_app" name="adsp1" dev=tmpfs ino=7318
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1155684049.349:28): avc:  denied  { write } for  pid=3145 comm="bluez-pin"
name="[13413]" dev=pipefs ino=13413
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fifo_file
audit(1155684049.349:28): avc:  denied  { write } for  pid=3145 comm="bluez-pin"
name="[13413]" dev=pipefs ino=13413
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fifo_file
audit(1155684049.905:29): avc:  denied  { read } for  pid=3145 comm="bluez-pin"
name=".gdmLN19DT" dev=dm-0 ino=17432580
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file

/var/log/messages also had this:

Aug 14 03:40:43 nwo kernel: audit(1155541243.281:26): user pid=2857 uid=0
auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c255 msg='PAM: bad_ident
acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=pts/0 res=failed)'
Aug 15 19:10:29 nwo kernel: audit(1155683428.952:26): user pid=2839 uid=0
auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c255 msg='PAM: bad_ident
acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=pts/0 res=failed)'
Aug 15 19:10:47 nwo kernel: audit(1155683446.987:31): user pid=2828 uid=0
auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c255 msg='PAM: session
open acct=davej : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=failed)'
Aug 15 19:20:12 nwo kernel: audit(1155684012.617:16): user pid=2974 uid=0
auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c255 msg='PAM: bad_ident
acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=console
res=failed)'
Aug 15 19:20:32 nwo kernel: audit(1155684032.397:21): user pid=2907 uid=0
auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c255 msg='PAM: session
open acct=davej : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=failed)'
Aug 15 19:23:29 nwo kernel: audit(1155684209.070:33): user pid=3054 uid=0
auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c255 msg='PAM: session
open acct=davej : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=failed)'
Comment 1 Daniel Walsh 2006-08-18 06:49:48 EDT
All of these look like they are fixed in the latest policy.  Which version of
policy are you running?

Comment 2 Dave Jones 2006-08-25 07:13:01 EDT
I did a fresh reinstall of test2, and it's now running
selinux-policy-targeted-2.3.7-1
It lets me log in now, but I see a splurge of AVCs on each login.

audit(1155860785.709:4): avc:  denied  { getattr } for  pid=1713
comm="pam_console_app" name="adsp1" dev=tmpfs ino=7173
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1155860788.985:5): avc:  denied  { getattr } for  pid=1940
comm="pam_console_app" name="adsp1" dev=tmpfs ino=7173
scontext=system_u:system_r:pam_console_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file

Given I'm currently 3000 miles away from that box which hosts my email, I'm
reluctant to update it remotely right now.
I'll update and take a look again when I get back from vacation.
Comment 3 Daniel Walsh 2006-08-25 09:57:10 EDT
This looks like a bug in policy.

You can fix this by executing

semanage fcontext -a  -f-c -t sound_device_t "/dev/adsp.*"

I will update the next policy with this fix.
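
Added example, not part of the bug thread or of the SELinux policy tooling: a small parser that re-joins the wrapped AVC records quoted in the description, reduces them to (source type, target type, class) tuples, and picks out device nodes still labelled with the generic device_t, which is the situation the fcontext command in Comment 3 corrects. The function names and the device_t heuristic are assumptions of this example.

```python
import re

# Three denials copied from the bug description, wrapped as they appear there.
SAMPLE = """\
audit(1155683973.038:6): avc:  denied  { getattr } for  pid=1708
comm="pam_console_app" name="adsp1" dev=tmpfs ino=7318
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1155683976.614:7): avc:  denied  { getattr } for  pid=2055
comm="pam_console_app" name="adsp1" dev=tmpfs ino=7318
scontext=system_u:system_r:pam_console_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1155684001.078:15): avc:  denied  { search } for  pid=2737 comm="ntpd"
name="net" dev=proc ino=4026531864 scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avcs(text):
    """Re-join wrapped records; return one dict per AVC denial.

    A context is user:role:type:level; stype/ttype hold the type fields."""
    records = []
    for line in text.splitlines():
        if line.startswith("audit("):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line.strip()
    denials = []
    for rec in records:
        m = AVC_RE.search(rec)
        if m is None:
            continue  # not an AVC denial (for example a PAM user message)
        d = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        d["perms"] = m.group(1).split()
        d["stype"], d["ttype"] = (d[k].split(":")[2] for k in ("scontext", "tcontext"))
        denials.append(d)
    return denials

def summarize(denials):
    """Collapse denials into {(source type, target type, class): perms}."""
    rules = {}
    for d in denials:
        rules.setdefault((d["stype"], d["ttype"], d["tclass"]), set()).update(d["perms"])
    return rules

def mislabel_suspects(denials):
    """Assumed heuristic: a device node still typed device_t needs a label, not an allow rule."""
    return sorted({d["name"] for d in denials
                   if d["ttype"] == "device_t" and d["tclass"] in ("chr_file", "blk_file")})
```

On the sample, the two pam_console_app denials differ only in MLS range and collapse into one tuple, and `mislabel_suspects` returns `adsp1`, the node matched by the `/dev/adsp.*` pattern.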
Comment 4 Daniel Walsh 2006-09-18 15:13:17 EDT
Fixed in selinux-policy-2.3.14-3
