Bug 220652 - LSPP - Role selection at login fails w/ "not a valid security context"
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam
All Linux
Priority: medium, Severity: high
Assigned To: Tomas Mraz
David Lawrence
Reported: 2006-12-22 14:14 EST by Eduardo M. Fleury
Modified: 2009-06-19 06:52 EDT
Fixed In Version: 5.0.0
Doc Type: Bug Fix
Last Closed: 2007-01-15 11:28:10 EST

Attachments
The latest version of the select_context patch (13.71 KB, patch)
2007-01-04 18:52 EST, Tomas Mraz

External Trackers
IBM Linux Technology Center, tracker ID 30572 (Priority: None, Status: None, Summary: None, Last Updated: Never)

Description Eduardo M. Fleury 2006-12-22 14:14:26 EST
Description of problem:
Trying to select a specific role at login time in RHEL5 Beta2 12/18 refresh
fails. After selecting the desired role the system goes back to the role
selection dialog with the error "Not a valid security context."

Logging-in with default role and then newrole'ing to the desired role works fine
which means the security context is valid indeed.

The MLS level selection is working fine.

System info:
Tested in RHEL5 Beta2 Server 12/18 refresh installed with the LSPP kickstart
version 0.16-1.

Version-Release number of selected component (if applicable):


Linux ct.ltc.ic.unicamp.br 2.6.18-1.2840.2.1.el5.lspp.57 #1 SMP Fri Dec 8
17:28:15 EST 2006 i686 i686 i386 GNU/Linux

How reproducible:

Steps to Reproduce:
In a local console do the following:

1. login: root
2. password: *********
3. Would you like to enter a role/level [y]? y
4. role: secadm_r
5. level: SystemLow-SystemHigh

Actual results:
"Not a valid security context." error message is shown and system goes back to
the prompt seen in line 3.

Expected results:
Should login with specified role/level.

Additional info:
Pressing carriage return at "role" prompt and changing only the MLS level works
fine. I can login as sysadm_r:sysadm_t:Secret-SystemHigh for instance.

Comment 3 Daniel Walsh 2006-12-29 11:20:19 EST
Fixed in pam-

Available on http://people.redhat.com/dwalsh/RHEL5

Comment 5 Eduardo M. Fleury 2007-01-02 16:50:27 EST
It seems that now the role selection works better but not 100%. 

Now I can select a role but if I say "N" to the dialog in step 3 (Would you like
to enter...) I get an authentication failure message and then I get back to the
prompt. I also got some "random" messages of this kind when trying to enter a
role, I say "random" because doing the same procedure again worked, then after
some tries it didn't.

As I have updated an existing system with the new packages rather than
installing a new one from scratch I'm not sure if the results could have been
masked by some other issue. I'm going to set up a new system and do those tests
again and update this bug.

Comment 6 Jay Turner 2007-01-03 07:55:35 EST
Pushing this back to Assigned to get some clarification on comment 5.

Comment 7 Eduardo M. Fleury 2007-01-04 08:03:55 EST
I've updated the test machine I mentioned in comment #5 with the even newer
pam- I've also reinstalled another test machine from scratch
and asked the kickstart to install the new pam packages itself during the
post-install phase.

In both cases I could confirm that the roles (and levels) selection is working
as expected. Thanks!

Comment 8 Jay Turner 2007-01-04 09:03:15 EST
Moving to Verified.

Comment 9 Tomas Mraz 2007-01-04 18:52:16 EST
Created attachment 144867
The latest version of the select_context patch

Comment 10 Jay Turner 2007-01-15 09:33:07 EST
Does the patch in comment 9 need to be incorporated into the RHEL5 builds?

Comment 11 Tomas Mraz 2007-01-15 10:20:31 EST
The patch is already there.

Comment 12 Jay Turner 2007-01-15 11:28:10 EST
pam- included in 20070111.1 and 20070112.3 trees.
