Bug 230386 - something gone horribly wrong in SELinux or PAM
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2007-02-28 13:24 EST by Bill Nottingham
Modified: 2014-03-16 23:05 EDT (History)
Doc Type: Bug Fix
Last Closed: 2007-03-02 11:56:51 EST
Description Bill Nottingham 2007-02-28 13:24:03 EST
I upgraded to today's rawhide. On reboot:

- networking did not start right
- login died with authentication failures
- gdm failed to start

and various other bits of brokenness.

Even with enforcing=0, sshd does not work.

Some logs from an enforcing=0 boot:

AVCs (from dmesg/audit):
audit(1172685709.287:3): avc:  denied  { getattr } for  pid=419 comm="mount"
name="/" dev=selinuxfs ino=525 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703719.048:4): avc:  denied  { getattr } for  pid=1256 comm="ifconfig"
name="/" dev=selinuxfs ino=525 scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703725.247:5): avc:  denied  { getattr } for  pid=1374 comm="fsck"
name="/" dev=selinuxfs ino=525 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703725.371:6): avc:  denied  { getattr } for  pid=1379 comm="mount"
name="/" dev=selinuxfs ino=525 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703726.173:7): avc:  denied  { getattr } for  pid=1439 comm="swapon"
name="/" dev=selinuxfs ino=525 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703728.327:8): avc:  denied  { getattr } for  pid=1603
comm="ip6tables-resto" name="/" dev=selinuxfs ino=525
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703729.249:9): avc:  denied  { getattr } for  pid=1646
comm="iptables-restor" name="/" dev=selinuxfs ino=525
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703731.203:10): avc:  denied  { getattr } for  pid=1828
comm="ifconfig" name="/" dev=selinuxfs ino=525
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703731.393:11): avc:  denied  { search } for  pid=1895 comm="arping"
name="/" dev=sysfs ino=1 scontext=system_u:system_r:netutils_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
audit(1172703731.393:12): avc:  denied  { getattr } for  pid=1895 comm="arping"
name="eth0" dev=sysfs ino=5443 scontext=system_u:system_r:netutils_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
audit(1172703731.393:13): avc:  denied  { getattr } for  pid=1895 comm="arping"
name="broadcast" dev=sysfs ino=8214 scontext=system_u:system_r:netutils_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=file
audit(1172703731.393:14): avc:  denied  { read } for  pid=1895 comm="arping"
name="broadcast" dev=sysfs ino=8214 scontext=system_u:system_r:netutils_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=file
audit(1172703736.036:15): audit_pid=2028 old=0 by auid=4294967295
subj=system_u:system_r:auditd_t:s0
audit(1172703736.896:20): avc:  denied  { getattr } for  pid=2089
comm="mcstransd" name="/" dev=selinuxfs ino=525
scontext=system_u:system_r:setrans_t:s0-s0:c0.c1023
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703737.651:21): avc:  denied  { getattr } for  pid=2131
comm="setroubleshootd" name="/" dev=selinuxfs ino=525
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703738.261:22): avc:  denied  { getattr } for  pid=2196 comm="mount"
name="/" dev=selinuxfs ino=525 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703749.705:23): avc:  denied  { execute_no_trans } for  pid=2300
comm="hcid" name="bluetoothd-service-input" dev=dm-0 ino=10118669
scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file
audit(1172703749.733:24): avc:  denied  { getattr } for  pid=2311 comm="mount"
name="/" dev=selinuxfs ino=525 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem

/var/log/secure:

Feb 28 18:02:45 apone gdm[2871]: pam_succeed_if(gdm:auth): error retrieving user
name: Conversation error
Feb 28 18:03:11 apone last message repeated 209 times
Feb 28 18:03:11 apone sshd[6750]: Accepted password for root from 172.16.56.99
port 53401 ssh2
Feb 28 18:03:11 apone gdm[2871]: pam_succeed_if(gdm:auth): error retrieving user
name: Conversation error
Feb 28 18:03:11 apone sshd[6750]: error: ssh_selinux_setup_exec_context: Failed
to set SELinux execution context for root
Feb 28 18:03:11 apone sshd[6750]: fatal: ssh_selinux_setup_exec_context: Failed
to set SELinux execution context for root (in enforcing mode)
Feb 28 18:03:11 apone gdm[2871]: pam_succeed_if(gdm:auth): error retrieving user
name: Conversation error
Feb 28 18:03:18 apone last message repeated 54 times
Feb 28 18:03:18 apone login: pam_unix(login:auth): authentication failure;
logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=root
Feb 28 18:03:18 apone gdm[2871]: pam_succeed_if(gdm:auth): error retrieving user
name: Conversation error
Feb 28 18:03:20 apone last message repeated 16 times
Feb 28 18:03:20 apone login: FAILED LOGIN 1 FROM (null) FOR root, Authentication
failure
Feb 28 18:03:20 apone gdm[2871]: pam_succeed_if(gdm:auth): error retrieving user
name: Conversation error
Feb 28 18:03:23 apone last message repeated 18 times
Feb 28 18:03:23 apone login: pam_unix(login:session): session opened for user
root by LOGIN(uid=0)
Feb 28 18:03:23 apone gdm[2871]: pam_succeed_if(gdm:auth): error retrieving user
name: Conversation error
Feb 28 18:03:23 apone login: pam_selinux(login:session): Warning!  Could not get
new context for /dev/tty1, not relabeling: Invalid argument
Feb 28 18:03:23 apone login: pam_selinux(login:session):
usercon=root:system_r:unconfined_t::SystemLow-SystemHigh,
prev_context=system_u:object_r:tty_device_t
Feb 28 18:03:23 apone login: pam_selinux(login:session): Error!  Unable to set
root executable context root:system_r:unconfined_t::SystemLow-SystemHigh.
Feb 28 18:03:23 apone login: ROOT LOGIN ON tty1
Feb 28 18:03:23 apone gdm[2871]: pam_succeed_if(gdm:auth): error retrieving user
name: Conversation error
Feb 28 18:03:54 apone last message repeated 256 times
Feb 28 18:04:16 apone last message repeated 181 times
Feb 28 18:04:16 apone sshd[17422]: Accepted password for root from 172.16.56.99
port 53404 ssh2
Feb 28 18:04:16 apone sshd[17422]: error: ssh_selinux_setup_exec_context: Failed
to set SELinux execution context for root
Feb 28 18:04:16 apone sshd[17422]: fatal: ssh_selinux_setup_exec_context: Failed
to set SELinux execution context for root (in enforcing mode)
Feb 28 18:04:16 apone gdm[2871]: pam_succeed_if(gdm:auth): error retrieving user
name: Conversation error
Feb 28 18:04:37 apone last message repeated 179 times
Feb 28 18:04:37 apone sshd[20438]: Accepted password for root from 172.16.56.99
port 53407 ssh2
Feb 28 18:04:37 apone sshd[20438]: error: ssh_selinux_setup_exec_context: Failed
to set SELinux execution context for root
Feb 28 18:04:37 apone sshd[20438]: fatal: ssh_selinux_setup_exec_context: Failed
to set SELinux execution context for root (in enforcing mode)
Feb 28 18:04:37 apone gdm[2871]: pam_succeed_if(gdm:auth): error retrieving user
name: Conversation error
Feb 28 18:05:08 apone last message repeated 210 times

In /var/log/messages:
Feb 28 18:02:41 apone gdm[2827]: (null): cannot open shared object file: No such
file or directory

Version-Release number of selected component (if applicable):

gdm-2.17.7-5.fc7
libselinux-2.0.5-1.fc7
mcstrans-0.2.4-1.fc7
pam-0.99.7.1-3.fc7
policycoreutils-2.0.6-3.fc7
policycoreutils-gui-2.0.6-3.fc7
selinux-policy-2.5.5-2.fc7
selinux-policy-targeted-2.5.5-2.fc7
setroubleshoot-1.9.2-1.fc7
setroubleshoot-server-1.9.2-1.fc7

All this is after a full relabel.
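An added triage example, not part of the report and not Fedora's own tooling: a small Python parser for the wrapped AVC lines above. It re-joins records that the report text splits across lines, pulls out source domain, target type, object class and permission, and then groups denials by (target type, class, permission) to flag the case this bug shows: many unrelated boot-time domains (mount_t, ifconfig_t, fsadm_t, setrans_t, ...) all denied getattr on selinuxfs (security_t). That pattern points at a policy-wide regression rather than one misconfigured service, and is the signal that local per-domain allow rules are the wrong response. The sample input is a constructed subset of the dmesg excerpt from this report; the field layout assumed is the kernel AVC message format shown there.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the AVC lines quoted in this bug report,
# kept with the line wrapping the report has, plus one non-AVC audit record
# (auditd start-up) that the parser must skip.
SAMPLE_DMESG = """\
audit(1172685709.287:3): avc:  denied  { getattr } for  pid=419 comm="mount"
name="/" dev=selinuxfs ino=525 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703719.048:4): avc:  denied  { getattr } for  pid=1256 comm="ifconfig"
name="/" dev=selinuxfs ino=525 scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703725.247:5): avc:  denied  { getattr } for  pid=1374 comm="fsck"
name="/" dev=selinuxfs ino=525 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703736.036:15): audit_pid=2028 old=0 by auid=4294967295
subj=system_u:system_r:auditd_t:s0
audit(1172703736.896:20): avc:  denied  { getattr } for  pid=2089
comm="mcstransd" name="/" dev=selinuxfs ino=525
scontext=system_u:system_r:setrans_t:s0-s0:c0.c1023
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1172703749.705:23): avc:  denied  { execute_no_trans } for  pid=2300
comm="hcid" name="bluetoothd-service-input" dev=dm-0 ino=10118669
scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file
"""

# Kernel AVC denial format assumed here (as in the report's dmesg excerpt):
# audit(<secs>.<ms>:<serial>): avc:  denied  { perm ... } for  key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def join_records(text):
    """Re-join wrapped records: a line not starting with 'audit(' continues
    the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("audit("):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def context_type(ctx):
    """The third field of user:role:type[:range] is the SELinux type."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(record):
    """Parse one joined record; return None for non-AVC audit records."""
    m = AVC_RE.match(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "pid": int(fields.get("pid", -1)),
        "comm": fields.get("comm", ""),
        "name": fields.get("name", ""),
        "dev": fields.get("dev", ""),
        "domain": context_type(fields.get("scontext", "")),
        "target": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
    }


def parse_all(text):
    return [a for a in map(parse_avc, join_records(text)) if a]


def summarize(avcs):
    """Count denials per (source domain, target type, class, permission)."""
    counts = Counter()
    for a in avcs:
        for perm in a["perms"]:
            counts[(a["domain"], a["target"], a["tclass"], perm)] += 1
    return counts


def systemic_denials(avcs, min_domains=3):
    """Return (target type, class, permission) keys that at least min_domains
    distinct source domains were denied, with the sorted domain list. Many
    unrelated domains failing the same access on the same object type is the
    signature of a base-policy regression, not of one misconfigured service."""
    domains = defaultdict(set)
    for (domain, target, tclass, perm) in summarize(avcs):
        domains[(target, tclass, perm)].add(domain)
    return {k: sorted(v) for k, v in domains.items() if len(v) >= min_domains}


if __name__ == "__main__":
    avcs = parse_all(SAMPLE_DMESG)
    for key, n in sorted(summarize(avcs).items()):
        print(n, *key)
    for (target, tclass, perm), doms in systemic_denials(avcs).items():
        print(f"systemic: {len(doms)} domains denied {perm} on {target}:{tclass}: {', '.join(doms)}")
```

Run against this report's full dmesg excerpt the systemic check flags getattr on security_t:filesystem with seven distinct domains, while the lone bluetooth_t execute_no_trans denial stays a single-domain item to look at on its own. The min_domains threshold is a judgement call; three is enough to separate a policy-wide break from normal per-service noise on a freshly relabeled box.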
Comment 1 Tomas Mraz 2007-03-01 10:02:20 EST
The gdm messages must be caused by some recent erroneous change in how GDM calls
PAM.
Comment 2 Daniel Walsh 2007-03-02 10:06:59 EST
The login problem was caused by mcstrans not translating root login accounts
correctly; should be fixed by mcstrans-0.2.5-1.
Comment 3 Bill Nottingham 2007-03-02 11:56:51 EST
Yeah, with mcstrans and the newer policy, things seem generally sane for me.
