Bug 325921 - pam_selinux logs warning for xen PV guest console (xvc0)
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam
Version: 5.0
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Tomas Mraz
Reported: 2007-10-10 04:04 EDT by Joe Orton
Modified: 2007-11-30 17:07 EST
Fixed In Version: pam-0.99.6.2-3.26.el5
Doc Type: Bug Fix
Last Closed: 2007-10-10 08:14:41 EDT
Description Joe Orton 2007-10-10 04:04:34 EDT
Description of problem:
pam_selinux is logging a warning for each login to the Xen guest console. 

Version-Release number of selected component (if applicable):
pam-0.99.6.2-3.14.el5

How reproducible:
always

Steps to Reproduce:
1. install xen guest using virt-install
2. login to console as root using "xm console $N"
  
Actual results:
/var/log/secure in the guest gets:

Oct 10 09:01:38 dhcp-0-239 login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Oct 10 09:01:38 dhcp-0-239 login: pam_selinux(login:session): Warning!  Could not get new context for /dev/xvc0, not relabeling: Invalid argument
Oct 10 09:01:38 dhcp-0-239 login: pam_selinux(login:session): usercon=(null), prev_context=system_u:object_r:tty_device_t
Oct 10 09:01:38 dhcp-0-239 login: ROOT LOGIN ON xvc0

Expected results:
no warnings in /var/log/secure

Additional info:
Comment 1 Tomas Mraz 2007-10-10 04:18:45 EDT
Can you please add debug option to pam_selinux and retry? What is reported in
the /var/log/secure?
Comment 2 Joe Orton 2007-10-10 04:23:20 EDT
Changed /etc/pam.d/login as follows:

[root@dhcp-0-239 ~]# grep selinux /etc/pam.d/login 
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so debug close
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open debug

new output to /var/log/secure:


Oct 10 09:22:22 dhcp-0-239 login: pam_selinux(login:session): Open Session
Oct 10 09:22:22 dhcp-0-239 login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Oct 10 09:22:22 dhcp-0-239 login: pam_selinux(login:session): Open Session
Oct 10 09:22:22 dhcp-0-239 login: pam_selinux(login:session): Username= root SELinux User = root Level= s0-s0:c0.c1023
Oct 10 09:22:22 dhcp-0-239 login: pam_selinux(login:session): Warning!  Could not get new context for /dev/xvc0, not relabeling: Invalid argument
Oct 10 09:22:22 dhcp-0-239 login: pam_selinux(login:session): usercon=(null), prev_context=system_u:object_r:tty_device_t
Oct 10 09:22:22 dhcp-0-239 login: pam_selinux(login:session): set root security context to (null)
Oct 10 09:22:22 dhcp-0-239 login: ROOT LOGIN ON xvc0
Comment 3 Tomas Mraz 2007-10-10 04:40:18 EDT
Can you try pam-0.99.6.2-3.26.el5 from RHEL-5.1 beta if that helps?
Comment 4 Joe Orton 2007-10-10 07:55:34 EDT
Works a treat, thanks a lot.
Comment 5 Tomas Mraz 2007-10-10 08:14:41 EDT
Will be fixed in the upcoming PAM errata.
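
An added example, not part of the original bug report or of PAM: a Python scan of /var/log/secure text for the signature quoted above, where pam_selinux cannot compute a context for the tty and the session context ends up as (null). The function name is hypothetical, the last sample line is constructed, and grouping lines by timestamp, host and PAM stack is an assumption made because the quoted lines carry no PID.

```python
import re

# The first five lines are the debug output quoted in Comment 2 (unwrapped);
# the last line is a constructed healthy login, added for contrast.
SAMPLE = """\
Oct 10 09:22:22 dhcp-0-239 login: pam_selinux(login:session): Username= root SELinux User = root Level= s0-s0:c0.c1023
Oct 10 09:22:22 dhcp-0-239 login: pam_selinux(login:session): Warning!  Could not get new context for /dev/xvc0, not relabeling: Invalid argument
Oct 10 09:22:22 dhcp-0-239 login: pam_selinux(login:session): usercon=(null), prev_context=system_u:object_r:tty_device_t
Oct 10 09:22:22 dhcp-0-239 login: pam_selinux(login:session): set root security context to (null)
Oct 10 09:22:22 dhcp-0-239 login: ROOT LOGIN ON xvc0
Oct 10 09:30:05 dhcp-0-239 login: pam_selinux(login:session): set root security context to root:system_r:unconfined_t:s0-s0:c0.c1023
"""

# syslog prefix, optional [pid], then the pam_selinux(service:type) tag
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) [^:\[]+(?:\[\d+\])?: "
                  r"pam_selinux\((?P<stack>[^)]+)\): (?P<msg>.*)$")
PATTERNS = (
    re.compile(r"Could not get new context for (?P<tty>[^,\s]+), not relabeling: (?P<err>.+)"),
    re.compile(r"usercon=(?P<usercon>[^,\s]+), prev_context=(?P<prev>\S+)"),
    re.compile(r"set (?P<user>\S+) security context to (?P<ctx>\S+)"),
)

def find_context_failures(text):
    """Return one record per login whose SELinux context was not set."""
    logins = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a pam_selinux line
        # Assumption: same second + host + PAM stack means the same login.
        key = (m["ts"], m["host"], m["stack"])
        for rx in PATTERNS:
            hit = rx.search(m["msg"])
            if hit:
                logins.setdefault(key, {}).update(hit.groupdict())
    failures = []
    for (ts, host, stack), f in logins.items():
        # Flag a relabel error or a (null) user/session context.
        if "err" in f or "(null)" in (f.get("usercon"), f.get("ctx")):
            failures.append({"time": ts, "host": host, "stack": stack, **f})
    return failures

if __name__ == "__main__":
    for rec in find_context_failures(SAMPLE):
        print(rec)
```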
