Description of problem:
SELinux is preventing login (local_login_t) "create" system_chkpwd_t.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.13-7.fc10.noarch
selinux-policy-3.5.13-7.fc10.noarch

How reproducible:
Once.

Steps to Reproduce:
1. Set Enforcing in s-c-selinux
2. Allow reboot, relabel, reboot
3. No login is possible

Actual results:
No login via tty or kdm

Expected results:
Successful login.

Additional info:
I booted in rescue and started sshd. My root ssh login gives me "Unable to get valid context for root" but gives me a shell anyway. [that's good!] SElinux startup in dmesg and boot.log are normal.

**** Snippets from /var/log/secure:

Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_selinux(kdm:session): Error! Unable to set jerry key creation context system_u:system_r:system_chkpwd_t:s0.
Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session): session opened for user jerry by (uid=0)
Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session): session closed for user jerry
Oct 26 19:57:28 JerryA-D600 login: pam_selinux(login:session): Error! Unable to set root key creation context system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023.
Oct 26 19:57:28 JerryA-D600 login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Oct 26 19:57:29 JerryA-D600 login: Authentication failure

**** Snippets from /var/log/messages:

Oct 26 19:56:14 JerryA-D600 setroubleshoot: SELinux is preventing kdm (xdm_t) "create" system_chkpwd_t. For complete SELinux messages. run sealert -l 06841090-2a80-4302-85fa-32121e402c57
Oct 26 19:57:29 JerryA-D600 setroubleshoot: SELinux is preventing login (local_login_t) "create" system_chkpwd_t. For complete SELinux messages. run sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831

**** Upon starting setroubleshootd, I was able to get this:

[root@localhost log]# sealert -l 06841090-2a80-4302-85fa-32121e402c57

Summary:

SELinux is preventing kdm (xdm_t) "create" system_chkpwd_t.

Detailed Description:

SELinux denied access requested by kdm. It is not expected that this access is required by kdm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:system_r:system_chkpwd_t:s0
Target Objects                None [ key ]
Source                        kdm
Source Path                   /usr/bin/kdm
Port                          <Unknown>
Host                          JerryA-D600
Source RPM Packages           kdebase-workspace-4.1.2-7.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-7.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     JerryA-D600
Platform                      Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed Oct 22 21:35:19 EDT 2008 i686 i686
Alert Count                   4
First Seen                    Sun Oct 26 19:56:13 2008
Last Seen                     Sun Oct 26 19:59:53 2008
Local ID                      06841090-2a80-4302-85fa-32121e402c57
Line Numbers

Raw Audit Messages

node=JerryA-D600 type=AVC msg=audit(1225069193.250:10): avc: denied { create } for pid=2227 comm="kdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_chkpwd_t:s0 tclass=key
node=JerryA-D600 type=SYSCALL msg=audit(1225069193.250:10): arch=40000003 syscall=4 success=no exit=-13 a0=6 a1=8ab6d50 a2=25 a3=8ab6d50 items=0 ppid=2173 pid=2227 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

**** and this:

[root@localhost log]# sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831

Summary:

SELinux is preventing login (local_login_t) "create" system_chkpwd_t.

Detailed Description:

SELinux denied access requested by login. It is not expected that this access is required by login and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Context                system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023
Target Objects                None [ key ]
Source                        login
Source Path                   /bin/login
Port                          <Unknown>
Host                          JerryA-D600
Source RPM Packages           util-linux-ng-2.14.1-3.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-7.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     JerryA-D600
Platform                      Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed Oct 22 21:35:19 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Sun Oct 26 19:57:28 2008
Last Seen                     Sun Oct 26 20:00:06 2008
Local ID                      fcadfe5d-c3f9-41ef-86a7-107480d77831
Line Numbers

Raw Audit Messages

node=JerryA-D600 type=AVC msg=audit(1225069206.632:18): avc: denied { create } for pid=2178 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tclass=key
node=JerryA-D600 type=SYSCALL msg=audit(1225069206.632:18): arch=40000003 syscall=4 success=no exit=-13 a0=3 a1=8586d68 a2=31 a3=8586d68 items=0 ppid=1 pid=2178 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
Please post the output of the following (the login and user mappings come from semanage, not semodule):

    semanage login -l
    semanage user -l
I had the same problem on my laptop:

    # semanage login -l

    Login Name                SELinux User              MLS/MCS Range
    __default__               system_u                  s0
    root                      root                      -s0:c0.c255
    system_u                  system_u                  SystemLow-SystemHigh

You can notice there's not my regular username here, only root. So I ran:

    # semanage login -a -s user_u jeo

"jeo" is my regular username. Now everything looks fine:

    # semanage login -l

    Login Name                SELinux User              MLS/MCS Range
    __default__               system_u                  s0
    jeo                       user_u                    s0
    root                      root                      -s0:c0.c255
    system_u                  system_u                  SystemLow-SystemHigh

After rebooting, no more setroubleshoot message popping up on my desktop. Great!
I think it would be better if you ran:

    semanage -S targeted -i - << __eof
    user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
    user -a -P user -R guest_r guest_u
    user -a -P user -R xguest_r xguest_u
    __eof

    semanage -S targeted -i - << __eof
    login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
    login -m -s unconfined_u -r s0-s0:c0.c1023 root
    __eof

This is supposed to run in the post install of the selinux-policy-targeted package, but if you initially installed with selinux disabled, the commands will blow up leaving you in this state. I am looking into fixing the package to install properly on a disabled selinux system.
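The two points made above (a user missing from `semanage login -l`, and semanage calls that blow up when SELinux is disabled) can be checked defensively. The following is an added example, not code from the bug report or the selinux-policy package; it parses a constructed copy of the `semanage login -l` output and only calls `semanage`/`selinuxenabled` (both real libselinux/policycoreutils commands) when asked to fix a mapping.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether a Linux user has an
# explicit SELinux login mapping, given the text of `semanage login -l`, and
# only touch semanage when SELinux is actually enabled.

# Constructed sample of `semanage login -l` output, matching the state
# described above before the fix (no entry for the regular user).
SAMPLE_BEFORE='Login Name    SELinux User    MLS/MCS Range
__default__   system_u        s0
root          root            -s0:c0.c255
system_u      system_u        SystemLow-SystemHigh'

# login_mapped OUTPUT USER: exit 0 if USER has its own line in OUTPUT.
login_mapped() {
  printf '%s\n' "$1" | awk -v u="$2" 'NR > 1 && $1 == u { found = 1 }
                                      END { exit !found }'
}

# selinux_user_for OUTPUT USER: print the SELinux user USER maps to,
# falling back to the __default__ entry when no explicit line exists.
selinux_user_for() {
  printf '%s\n' "$1" | awk -v u="$2" '
    NR > 1 && $1 == u             { explicit = $2 }
    NR > 1 && $1 == "__default__" { def = $2 }
    END { print (explicit != "" ? explicit : def) }'
}

# ensure_login_mapping USER SEUSER: add the mapping if it is missing, but
# skip entirely on a system where SELinux is disabled so a post-install
# script does not fail there (the failure mode described in this report).
ensure_login_mapping() {
  if ! selinuxenabled 2>/dev/null; then
    echo "SELinux disabled; skipping login mapping for $1" >&2
    return 0
  fi
  login_mapped "$(semanage login -l)" "$1" && return 0
  semanage login -a -s "$2" "$1"
}
```

With the sample above, `jeo` has no explicit line and therefore inherits the `__default__` mapping to `system_u`, which is the situation the report describes.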
Fixed in selinux-policy-3.5.13-9.fc10. This will set up the users correctly even if SELinux is disabled.