Bug 465604 - Can't execute su due to user confinement
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64 Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2008-10-04 08:14 EDT by Mathieu Bridon
Modified: 2008-10-20 10:00 EDT
Last Closed: 2008-10-20 10:00:01 EDT

Attachments:
Installation log: /root/install.log (48.52 KB, text/plain), 2008-10-06 14:36 EDT, Mathieu Bridon
Installation log: /root/install.log.syslog (4.22 KB, text/plain), 2008-10-06 14:36 EDT, Mathieu Bridon

Description Mathieu Bridon 2008-10-04 08:14:53 EDT
Description of problem:
I just installed Fedora 10 beta with the x86_64 DVD.

I ran into the problem that Dan Walsh mentions here: http://danwalsh.livejournal.com/21067.html, except it was a fresh new install, not an upgrade.

Running "semanage login -l" showed exactly what he said was shown on a system prior to Fedora 9:

# semanage login -l
Login Name                SELinux User              MLS/MCS Range           
__default__               user_u              s0-s0:c0.c1023        
root                      root             s0-s0:c0.c1023          
system_u                  system_u                  s0-s0:c0.c1023

Of course, Rawhide is not prior to Fedora 9 :)

After running the 3 commands that are mentioned, and logging in again, everything was fixed:
# semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
# semanage login -m -S targeted  -s "unconfined_u" -r s0-s0:c0.c1023 __default__
# semanage login -m -S targeted  -s "unconfined_u" -r s0-s0:c0.c1023 root
(I needed the first one as my system didn't know about unconfined_u, as semanage told me).

So I ran into the exact same issue, but as it happened on a fresh new install of Rawhide, I thought it might be worth reporting it.

Before running those semanage commands, I tried to fully update my system and reboot, which didn't fix anything.
Comment 1 Mathieu Bridon 2008-10-04 08:36:22 EDT
Forgot to mention the versions I have.

Right after the install, those were the versions on the F10beta x86_64 DVD (sorry, didn't check before updating).

Now I have versions:
selinux-policy-3.5.9-4.fc10.noarch
libselinux-python-2.0.73-1.fc10.x86_64
selinux-policy-targeted-3.5.9-4.fc10.noarch
libselinux-utils-2.0.73-1.fc10.x86_64
libselinux-2.0.73-1.fc10.x86_64

As I said, the problem was not fixed just by updating the system.
Comment 2 Daniel Walsh 2008-10-06 12:47:22 EDT
Did you see any error messages during the install?  Any errors in the log files in /root?
Comment 3 Mathieu Bridon 2008-10-06 14:36:02 EDT
Created attachment 319588
Installation log: /root/install.log

Interesting part is around line 733
Comment 4 Mathieu Bridon 2008-10-06 14:36:44 EDT
Created attachment 319589
Installation log: /root/install.log.syslog

Seems like there's nothing here.
Comment 5 Mathieu Bridon 2008-10-06 14:37:22 EDT
I didn't see any error during installation.

I can see the following in the file install.log:
<long list of "installing xxx.rpm">
...
Installation de selinux-policy-targeted-3.5.7-1.fc10.noarch
SELinux:  Could not load policy file /etc/selinux/targeted/policy/policy.23:  Invalid argument
/usr/sbin/load_policy:  Can't load policy:  Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
/usr/sbin/semanage: Could not commit semanage transaction
libsemanage.validate_handler: selinux user unconfined_u does not exist
libsemanage.validate_handler: seuser mapping [__default__ -> (unconfined_u, s0-s0:c0.c1023)] is invalid
libsemanage.dbase_llist_iterate: could not iterate over records
/usr/sbin/semanage: Could not commit semanage transaction
Installation de system-config-rootpassword-1.99.4-1.fc9.noarch
...
<continuing the long list of yyy.rpm>


There doesn't seem to be anything of interest in install.log.syslog; however, both are attached so that you can review them more thoroughly if needed.
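
Added example, not part of the original bug report: a small shell scan that attributes SELinux policy-load and libsemanage failures in an install log to the package being installed when they occurred, and lists the SELinux users reported as missing. The function names are hypothetical, the sample log is constructed from the excerpt quoted above (the first package line is made up), and the English "Installing" prefix is an assumption alongside the "Installation de" prefix seen in this log.

```shell
#!/bin/sh
# Constructed sample modelled on the install.log excerpt in comment 5.
sample_log() {
cat <<'EOF'
Installation de example-package-1.0-1.fc10.noarch
Installation de selinux-policy-targeted-3.5.7-1.fc10.noarch
SELinux:  Could not load policy file /etc/selinux/targeted/policy/policy.23:  Invalid argument
/usr/sbin/load_policy:  Can't load policy:  Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
/usr/sbin/semanage: Could not commit semanage transaction
libsemanage.validate_handler: selinux user unconfined_u does not exist
libsemanage.validate_handler: seuser mapping [__default__ -> (unconfined_u, s0-s0:c0.c1023)] is invalid
libsemanage.dbase_llist_iterate: could not iterate over records
/usr/sbin/semanage: Could not commit semanage transaction
Installation de system-config-rootpassword-1.99.4-1.fc9.noarch
EOF
}

# Print "<line number><TAB><package><TAB><message>" for every failure line,
# attributing it to the most recent package-install line above it.
# Reads the named files, or stdin when no file is given.
scan_install_log() {
  awk '
    /^(Installing|Installation de) / { pkg = $NF; next }
    /^libsemanage\.|load_policy:|Could not load policy|Could not commit semanage transaction/ {
      printf "%d\t%s\t%s\n", NR, (pkg == "" ? "(unknown)" : pkg), $0
    }
  ' "$@"
}

# Unique packages whose install step produced at least one failure line.
failed_packages() {
  scan_install_log "$@" | cut -f2 | sort -u
}

# SELinux users that libsemanage reported as not existing; these must be
# created (semanage user -a ...) before a login mapping can point at them.
missing_seusers() {
  sed -n 's/.*selinux user \([^ ]*\) does not exist.*/\1/p' "$@" | sort -u
}

# Demo on the constructed sample; on a real system pass the log path instead,
# for example: scan_install_log /root/install.log
sample_log | scan_install_log
```

A non-empty result from `missing_seusers` means the package scriptlet's login mapping was rejected, which is the state the three `semanage` commands in the description repair by hand.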
Comment 6 Mathieu Bridon 2008-10-06 14:52:26 EDT
By the way, when I followed the steps on your blog, I did:
# semanage login -m -S targeted  -s "unconfined_u" -r s0-s0:c0.c1023 __default__

This gave me the same error as above: "selinux user unconfined_u does not exist" (not sure about the exact phrasing).

So I then ran the 3 commands in the order specified in the first comment of this report to first create the unconfined_u user and then fix the issue with login.
Comment 7 Daniel Walsh 2008-10-14 11:26:53 EDT
I checked a couple of fresh installs of F10 and have not seen this problem; also, this is the only bug report I have seen. So I think this is fixed in the latest F10 releases. If you can recreate it with current F10, please reopen.
Comment 8 Daniel Walsh 2008-10-15 13:05:52 EDT
Any "security:" messages from the kernel in /var/log/messages upon the attempted policy load?
Comment 9 Mathieu Bridon 2008-10-15 15:54:24 EDT
I'm not sure what you mean by "upon the attempted policy load"... Do you mean when I ran the 3 "semanage" commands?

If that's it, I can't find any occurrence of the string "secur" in the /var/log/messages from this day.

I looked in the other /var/log/messages (more recent one) and there is no occurrence of this string as well (I searched with grep -i in both cases).

I'll try to reinstall it this weekend to see if I can reproduce this issue. Before that, are there other logs you want me to look at?
Comment 10 Daniel Walsh 2008-10-15 16:28:01 EDT
Take a look for secur in /root/anaco*

Or any install log.
Comment 11 Mathieu Bridon 2008-10-15 17:07:02 EDT
Ok, here's what I have in /root:
# ls
anaconda-ks.cfg  install.log  install.log.syslog

And here's what I get when searching for 'secur':
# grep -ri secur /root/*
#

Yep, nothing :-/

By the way, what I said in my previous comment was wrong: I did have some occurrences of the 'secur' string in /var/log/messages:
# grep -ri 'secur' -A 1 /var/log/messages*
/var/log/messages:Oct  6 20:22:18 rawhide kernel: Security Framework initialized
/var/log/messages-Oct  6 20:22:18 rawhide kernel: SELinux:  Initializing.
--
/var/log/messages:Oct  6 20:22:18 rawhide kernel: sdhci: Secure Digital Host Controller Interface driver
/var/log/messages-Oct  6 20:22:18 rawhide kernel: sdhci: Copyright(c) Pierre Ossman
(those two repeat several times, both in the latest log and in the one from the install day).

Not sure it matters however :/

Are all the install logs in /root/ or are there any somewhere else?
Comment 12 Daniel Walsh 2008-10-15 17:37:07 EDT
I think they are just in root.
Comment 13 Mathieu Bridon 2008-10-18 09:45:50 EDT
Just tried to reinstall on the same computer with the same DVD, I couldn't reproduce it. Looks like a random bug :-/

I'll reinstall again with each Rawhide snapshot (from snap2) on the same computer until the Fedora 10 Preview to see if I can reproduce it.
Comment 14 Daniel Walsh 2008-10-20 10:00:01 EDT
OK, closing for now.