Description of problem: Trying to select a specific role at login time in RHEL5 Beta2 12/18 refresh fails. After selecting the desired role the system goes back to the role selection dialog with the error "Not a valid security context." Logging-in with default role and then newrole'ing to the desired role works fine which means the security context is valid indeed. The MLS level selection is working fine. System info: Tested in RHEL5 Beta2 Server 12/18 refresh installed with the LSPP kickstart version 0.16-1. Version-Release number of selected component (if applicable): pam-0.99.6.2-3.8.el5 pam-devel-0.99.6.2-3.8.el5 selinux-policy-targeted-2.4.6-15.el5 selinux-policy-mls-2.4.6-15.el5 selinux-policy-2.4.6-15.el5 Linux ct.ltc.ic.unicamp.br 2.6.18-1.2840.2.1.el5.lspp.57 #1 SMP Fri Dec 8 17:28:15 EST 2006 i686 i686 i386 GNU/Linux How reproducible: Always Steps to Reproduce: In a local console do the following: 1. login: root 2. password: ********* 3. Would you like to enter a role/level [y]? y 4. role: secadm_r 5. level: SystemLow-SystemHigh Actual results: "Not a valid security context." error message is shown and system goes back to the prompt seen in line 3. Expected results: Should login with specified role/level. Additional info: Pressing carriage return at "role" prompt and changing only the MLS level works fine. I can login as sysadm_r:sysadm_t:Secret-SystemHigh for instance.
Fixed in pam-0.99.6.2-3.9.el5 Available on http://people.redhat.com/dwalsh/RHEL5
It seems that now the role selection works better but not 100%. Now I can select a role but if I say "N" to the dialog in step 3 (Would you like to enter...) I get an authentication failure message and then I get back to the prompt. I also got some "random" messages of this kind when trying to enter a role, I say "random" because doing the same procedure again worked, then after some tries it didn't. As I have updated an existing system with the new packages rather then installing a new one from scratch I'm not sure if the results could have been masked by some other issue. I'm going to setup a new system and do that tests again and update this bug. Thanks!
Pushing this back to Assigned to get some clarification on comment 5.
I've updated the test machine I mentioned in comment #5 with the even newer pam-0.99.6.2-3.10.el5. I've also reinstalled another test machine from scratch and asked the kickstart to install the new pam packages itself during the post-install phase. In both cases I could confirm that the roles (and levels) selection is working as expected. Thanks!
Moving to Verified.
Created attachment 144867 [details] The latest version of the select_context patch
Does the patch in comment 9 need to be incorporated into the RHEL5 builds?
The patch is already there.
pam-0.99.6.2-3.13.el5 included in 20070111.1 and 20070112.3 trees.