Bug 220652 - LSPP - Role selection at login fails w/ "not a valid security context"
Summary: LSPP - Role selection at login fails w/ "not a valid security context"
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam   
(Show other bugs)
Version: 5.0
Hardware: All
OS: Linux
Target Milestone: ---
: ---
Assignee: Tomas Mraz
QA Contact: David Lawrence
Depends On:
TreeView+ depends on / blocked
Reported: 2006-12-22 19:14 UTC by Eduardo M. Fleury
Modified: 2009-06-19 10:52 UTC (History)
4 users (show)

Fixed In Version: 5.0.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-01-15 16:28:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
The latest version of the select_context patch (13.71 KB, patch)
2007-01-04 23:52 UTC, Tomas Mraz
no flags Details | Diff

External Trackers
Tracker ID Priority Status Summary Last Updated
IBM Linux Technology Center 30572 None None None Never

Description Eduardo M. Fleury 2006-12-22 19:14:26 UTC
Description of problem:
Trying to select a specific role at login time in RHEL5 Beta2 12/18 refresh
fails. After selecting the desired role the system goes back to the role
selection dialog with the error "Not a valid security context."

Logging-in with default role and then newrole'ing to the desired role works fine
which means the security context is valid indeed.

The MLS level selection is working fine.

System info:
Tested in RHEL5 Beta2 Server 12/18 refresh installed with the LSPP kickstart
version 0.16-1.

Version-Release number of selected component (if applicable):


Linux ct.ltc.ic.unicamp.br 2.6.18-1.2840.2.1.el5.lspp.57 #1 SMP Fri Dec 8
17:28:15 EST 2006 i686 i686 i386 GNU/Linux

How reproducible:

Steps to Reproduce:
In a local console do the following:

1. login: root
2. password: *********
3. Would you like to enter a role/level [y]? y
4. role: secadm_r
5. level: SystemLow-SystemHigh

Actual results:
"Not a valid security context." error message is shown and system goes back to
the prompt seen in line 3.

Expected results:
Should login with specified role/level.

Additional info:
Pressing carriage return at "role" prompt and changing only the MLS level works
fine. I can login as sysadm_r:sysadm_t:Secret-SystemHigh for instance.

Comment 3 Daniel Walsh 2006-12-29 16:20:19 UTC
Fixed in pam-

Available on http://people.redhat.com/dwalsh/RHEL5

Comment 5 Eduardo M. Fleury 2007-01-02 21:50:27 UTC
It seems that now the role selection works better but not 100%. 

Now I can select a role but if I say "N" to the dialog in step 3 (Would you like
to enter...) I get an authentication failure message and then I get back to the
prompt. I also got some "random" messages of this kind when trying to enter a
role, I say "random" because doing the same procedure again worked, then after
some tries it didn't.

As I have updated an existing system with the new packages rather then
installing a new one from scratch I'm not sure if the results could have been
masked by some other issue. I'm going to setup a new system and do that tests
again and update this bug.


Comment 6 Jay Turner 2007-01-03 12:55:35 UTC
Pushing this back to Assigned to get some clarification on comment 5.

Comment 7 Eduardo M. Fleury 2007-01-04 13:03:55 UTC
I've updated the test machine I mentioned in comment #5 with the even newer
pam- I've also reinstalled another test machine from scratch
and asked the kickstart to install the new pam packages itself during the
post-install phase.

In both cases I could confirm that the roles (and levels) selection is working
as expected. Thanks!

Comment 8 Jay Turner 2007-01-04 14:03:15 UTC
Moving to Verified.

Comment 9 Tomas Mraz 2007-01-04 23:52:16 UTC
Created attachment 144867 [details]
The latest version of the select_context patch

Comment 10 Jay Turner 2007-01-15 14:33:07 UTC
Does the patch in comment 9 need to be incorporated into the RHEL5 builds?

Comment 11 Tomas Mraz 2007-01-15 15:20:31 UTC
The patch is already there.

Comment 12 Jay Turner 2007-01-15 16:28:10 UTC
pam- included in 20070111.1 and 20070112.3 trees.

Note You need to log in before you can comment on or make changes to this bug.