Bug 237703 - LSPP: login as ealuser fails from s390 console
LSPP: login as ealuser fails from s390 console
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.0
s390x Linux
medium Severity high
: ---
: ---
Assigned To: Daniel Walsh
: OtherQA
Depends On:
Blocks: RHEL5LSPPCertTracker
  Show dependency treegraph
 
Reported: 2007-04-24 16:45 EDT by Trevor Highland
Modified: 2009-06-19 12:49 EDT (History)
8 users (show)

See Also:
Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-07 11:39:19 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Trevor Highland 2007-04-24 16:45:11 EDT
Description of problem:

I am trying to login from a console on an s390 (/dev/console).  I can
successfully login as root.  When I login as ealuser I am asked if I would like
to change roles as expected, but once I say no I am immediately returned to a
login prompt.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Login from the console as ealuser
  
Actual results:
After being asked if you want to change roles, I am returned to a login prompt.

Expected results:

Additional info:

Adding the following rules fixes the login issues for ealuser.  These rules are
specific to ealuser.

allow local_login_t console_device_t:chr_file { relabelfrom relabelto setattr };
allow staff_t console_device_t:chr_file { getattr ioctl read write };
Comment 1 George C. Wilson 2007-04-24 17:39:22 EDT
Raising severity to high.
Comment 2 Daniel Walsh 2007-04-25 10:57:55 EDT
Fixed in selinux-policy-2_4_6-65_el5
Comment 4 Steve Grubb 2007-04-25 11:12:34 EDT
what device is this? I'm curious if there is a device file that is mislabeled.
Comment 5 Trevor Highland 2007-04-25 16:22:11 EDT
The device is /dev/console.

I have verified that the issue is fixed in selinux-policy-2_4_6-66_el5.
Comment 6 Irina Boverman 2007-04-25 16:23:41 EDT
Taking off the LSPP list.
Comment 9 Eduard Benes 2007-08-21 08:16:04 EDT
A fix for this issue has been included in the packages contained in the beta
(RHN channel) or most recent snapshot (partners.redhat.com) for RHEL5.1.  Please
verify that your issue is fixed.

After you (Red Hat Partner) have verified that this issue has been addressed,
please perform the following:
1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)

If this issue is not fixed, please add a comment describing the most recent
symptoms of the problem you are having and change the status of the bug to 
ASSIGNED.
Comment 10 John Poelstra 2007-08-30 20:24:56 EDT
A fix for this issue should have been included in the packages contained in the
RHEL5.1-Snapshot4 on partners.redhat.com.  

Requested action: Please verify that your issue is fixed *as soon as possible*
to ensure that it is included in this update release.

After you (Red Hat Partner) have verified that this issue has been addressed,
please perform the following:
1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)

If this issue is not fixed, please add a comment describing the most recent
symptoms of the problem you are having and change the status of the bug to FAILS_QA.

If you cannot access bugzilla, please reply with a message to Issue Tracker and
I will change the status for you.  If you need assistance accessing
ftp://partners.redhat.com, please contact your Partner Manager.
Comment 11 John Poelstra 2007-09-11 15:20:18 EDT
A fix for this issue should have been included in the packages contained in the
RHEL5.1-Snapshot6 on partners.redhat.com.  

Requested action: Please verify that your issue is fixed ASAP to confirm that it
will be included in this update release.

After you (Red Hat Partner) have verified that this issue has been addressed,
please perform the following:
1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)

If this issue is not fixed, please add a comment describing the most recent
symptoms of the problem you are having and change the status of the bug to FAILS_QA.

If you cannot access bugzilla, please reply with a message to Issue Tracker and
I will change the status for you.  If you need assistance accessing
ftp://partners.redhat.com, please contact your Partner Manager.
Comment 12 John Poelstra 2007-09-20 00:46:15 EDT
A fix for this issue should have been included in the packages contained in the
RHEL5.1-Snapshot7 on partners.redhat.com.  

Requested action: Please verify that your issue is fixed ASAP to confirm that it
will be included in this update release.

After you (Red Hat Partner) have verified that this issue has been addressed,
please perform the following:
1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)

If this issue is not fixed, please add a comment describing the most recent
symptoms of the problem you are having and change the status of the bug to FAILS_QA.

If you cannot access bugzilla, please reply with a message to Issue Tracker and
I will change the status for you.  If you need assistance accessing
ftp://partners.redhat.com, please contact your Partner Manager.
Comment 13 John Poelstra 2007-09-26 19:43:47 EDT
A fix for this issue should be included in the packages contained in
RHEL5.1-Snapshot8--available now on partners.redhat.com.  

IMPORTANT: This is the last opportunity to confirm that your issue is fixed in
the RHEL5.1 update release.

After you (Red Hat Partner) have verified that this issue has been addressed,
please perform the following:
1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)

If this issue is not fixed, please add a comment describing the most recent
symptoms of the problem you are having and change the status of the bug to FAILS_QA.

If you cannot access bugzilla, please reply with a message to Issue Tracker and
I will change the status for you.  If you need assistance accessing
ftp://partners.redhat.com, please contact your Partner Manager.
Comment 14 George C. Wilson 2007-09-27 19:21:14 EDT
I am attempting to verify this one. However, my victim z partition configuration
is damaged. I will verify this bug as soon as I can get my partition into a
usable state.
Comment 15 George C. Wilson 2007-10-02 21:03:46 EDT
This bug is still present in RHEL 5.1 Snap 8. I performed the install with a
modified LSPP kickstart to simulate the evaluated configuration installation
procedure. Login to the console as ealuser fails as described above:

login: ealuser 
Password: 
  
Default Security Context staff_u:staff_r:staff_t:SystemLow:SystemLow-SystemHigh
 
  
Would you like to enter a different role or level? Ýn¨ n
n  
  
Red Hat Enterprise Linux Server release 5.1 Beta (Tikanga)  
Kernel 2.6.18-48.el5 on an s390x  
  
testpart login: 
Comment 16 Daniel Walsh 2007-10-02 22:58:03 EDT
Is the allow_console_login boolean turned on?

Any avc messages?
Comment 22 George C. Wilson 2007-10-03 13:39:35 EDT
It's amazing what I can forget in a couple of months. No, I didn't have it
turned on. When I turn it on the login succeeds. Thanks, Dan.
Comment 24 Eduard Benes 2007-10-03 14:18:03 EDT
After you (Red Hat Partner) have verified that this issue has been addressed,
please perform the following:
1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)

Thank you.
Comment 25 Ben Levenson 2007-10-04 12:48:43 EDT
Any updates to this? Have you had a chance to re-test this after setting
the allow_console_login boolean?
Comment 26 George C. Wilson 2007-10-04 15:59:26 EDT
Yes, that was what I was attempting to communicate in Comment #22. I'll change
the status and keyword.
Comment 28 errata-xmlrpc 2007-11-07 11:39:19 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html

Note You need to log in before you can comment on or make changes to this bug.