Description of problem:
When login is configured to use pam_selinux and a user attempts to log in with a level that's not valid for the user, the audit record shows that the login failed but doesn't give the right context information.

Version-Release number of selected component (if applicable):
pam-0.99.6.2-3.18.el5 from Steve's repo

How reproducible:
very

Steps to Reproduce:
1. Configure a system for lspp with login configured to use pam_selinux
2. Attempt to log in with a different context, choosing a level that isn't allowed
3. Compare the audit record with the information in /var/log/secure (debug)

The selected-context is the same as the default context, rather than what the user actually selected.

Actual results:
type=USER_ROLE_CHANGE msg=audit(1175466155.732:3890): user pid=3671 uid=0 auid=508 subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 msg='pam: default-context=staff_u:sysadm_r:sysadm_t:s0 selected-context=staff_u:sysadm_r:sysadm_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=pts/1 res=failed)'

Expected results:
In my test case, the selected context should have been s15 instead of s0.

Additional info:
Here's the information from /var/log/secure that shows the selected context.

Apr 1 18:22:35 scrod login: pam_selinux(login:session): Username= testuser SELinux User = staff_u Level= s0
Apr 1 18:22:35 scrod login: pam_selinux(login:session): Would you like to enter a different role or level?
Y
Apr 1 18:22:35 scrod login: pam_selinux(login:session): role:
Apr 1 18:22:35 scrod login: pam_selinux(login:session): level: SystemHigh
Apr 1 18:22:35 scrod login: pam_selinux(login:session): Selected Security Context staff_u:sysadm_r:sysadm_t:SystemHigh
Apr 1 18:22:35 scrod login: pam_selinux(login:session): Checking if staff_u:sysadm_r:sysadm_t:SystemHigh mls range valid for staff_u:sysadm_r:sysadm_t:SystemLow
Apr 1 18:22:35 scrod login: pam_selinux(login:session): Security context staff_u:sysadm_r:sysadm_t:SystemLow is not allowed for staff_u:sysadm_r:sysadm_t:SystemHigh
Apr 1 18:22:35 scrod login: pam_selinux(login:session): Unable to get valid context for testuser
Apr 1 18:22:35 scrod login: pam_namespace(login:session): open_session - start
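The discrepancy the report describes (the USER_ROLE_CHANGE record carrying the default level while /var/log/secure shows the level the user actually chose) can be checked mechanically by parsing both sources and comparing the MLS level of the selected context. The script below is an added example, not part of the bug report or of pam; it reuses the audit record and the pam_selinux syslog lines quoted above as its input, and the SystemLow/SystemHigh to s0/s15 mapping is an assumption about the test system's setrans configuration (the report only states that s15 was expected).

```python
import re

# Input lines copied from the bug report above: the audit record and the
# pam_selinux entries from /var/log/secure for the same login attempt.
AUDIT_LINE = (
    "type=USER_ROLE_CHANGE msg=audit(1175466155.732:3890): user pid=3671 uid=0 "
    "auid=508 subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 "
    "msg='pam: default-context=staff_u:sysadm_r:sysadm_t:s0 "
    "selected-context=staff_u:sysadm_r:sysadm_t:s0: exe=\"/bin/login\" "
    "(hostname=?, addr=?, terminal=pts/1 res=failed)'"
)
SECURE_LINES = [
    "Apr 1 18:22:35 scrod login: pam_selinux(login:session): Selected Security "
    "Context staff_u:sysadm_r:sysadm_t:SystemHigh",
    "Apr 1 18:22:35 scrod login: pam_selinux(login:session): Unable to get valid "
    "context for testuser",
]

# Assumed setrans aliases for the test system (hypothetical mapping; the
# report only says the selected level should have shown up as s15).
LEVEL_ALIASES = {"SystemLow": "s0", "SystemHigh": "s15"}

# The selected-context value in the pam message is terminated by ": exe=",
# so a non-greedy match up to ": " captures it even when the level itself
# contains colons (e.g. s0-s15:c0.c1023).
AUDIT_RE = re.compile(
    r"type=(?P<type>\S+) .*?auid=(?P<auid>\d+) .*?"
    r"default-context=(?P<default>\S+) selected-context=(?P<selected>\S+?): "
    r".*?res=(?P<res>\w+)"
)
SECURE_RE = re.compile(r"pam_selinux\([^)]*\): Selected Security Context (\S+)")


def parse_audit(line):
    """Extract type, auid, default/selected contexts and result from a record."""
    m = AUDIT_RE.search(line)
    if not m:
        raise ValueError("not a pam USER_ROLE_CHANGE record: %r" % line)
    return m.groupdict()


def split_context(ctx):
    """Split user:role:type:level; the level may itself contain ':'."""
    user, role, typ, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level}


def normalize_level(level):
    """Map setrans names to raw sensitivities on each side of a range."""
    return "-".join(LEVEL_ALIASES.get(part, part) for part in level.split("-"))


def syslog_selected_context(lines):
    """Return the context pam_selinux logged as selected, or None."""
    for line in lines:
        m = SECURE_RE.search(line)
        if m:
            return m.group(1)
    return None


def compare(audit_line, secure_lines):
    """Flag an audit record whose selected level disagrees with syslog."""
    rec = parse_audit(audit_line)
    audit_level = normalize_level(split_context(rec["selected"])["level"])
    chosen = syslog_selected_context(secure_lines)
    syslog_level = normalize_level(split_context(chosen)["level"]) if chosen else None
    return {
        "res": rec["res"],
        "default_level": normalize_level(split_context(rec["default"])["level"]),
        "audit_level": audit_level,
        "syslog_level": syslog_level,
        "mismatch": syslog_level is not None and audit_level != syslog_level,
    }


if __name__ == "__main__":
    result = compare(AUDIT_LINE, SECURE_LINES)
    for key, value in result.items():
        print("%-14s %s" % (key + ":", value))
```

On the report's data the audit record yields s0 for both default and selected level while syslog yields s15, so `mismatch` is True; after the fix in pam-0.99.6.2-19.el5 the two sources should agree and the check should pass silently.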
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
According to our LSPP evaluator, this bug does not block the evaluation. It would be nice if it was fixed though.
Not necessary for LSPP but good to fix.
pam-0.99.6.2-19.el5 should improve this.
I retested with pam-0.99.6.2-19.el5 and it seems to solve the problem. Thanks.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0555.html