Bug 468645 - SELinux is preventing login (local_login_t) "create" system_chkpwd_t. (and KDM ...)
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-10-27 02:34 UTC by Jerry Amundson
Modified: 2008-10-28 23:55 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-10-28 23:55:20 UTC
Type: ---
Embargoed:


Description Jerry Amundson 2008-10-27 02:34:56 UTC
Description of problem:
SELinux is preventing login (local_login_t) "create" system_chkpwd_t.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.13-7.fc10.noarch
selinux-policy-3.5.13-7.fc10.noarch

How reproducible:
Once.

Steps to Reproduce:
1. Set Enforcing in s-c-selinux
2. Allow reboot, relabel, reboot
3. No login is possible
  
Actual results:
No login via tty or kdm

Expected results:
Successful login.

Additional info:
I booted into rescue mode and started sshd.
My root ssh login gives me
"Unable to get valid context for root"
but gives me a shell anyway. [that's good!]
SELinux startup in dmesg and boot.log is normal.
****
Snippets from /var/log/secure:

Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_selinux(kdm:session):
Error!  Unable to set jerry key creation context
system_u:system_r:system_chkpwd_t:s0.
Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session):
session opened for user jerry by (uid=0)
Oct 26 19:56:13 JerryA-D600 kdm: :0[2223]: pam_unix(kdm:session):
session closed for user jerry

Oct 26 19:57:28 JerryA-D600 login: pam_selinux(login:session): Error!
Unable to set root key creation context
system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023.
Oct 26 19:57:28 JerryA-D600 login: pam_unix(login:session): session
opened for user root by LOGIN(uid=0)
Oct 26 19:57:29 JerryA-D600 login: Authentication failure

****
Snippets from /var/log/messages:

Oct 26 19:56:14 JerryA-D600 setroubleshoot: SELinux is preventing kdm
(xdm_t) "create" system_chkpwd_t. For complete SELinux messages. run
sealert -l 06841090-2a80-4302-85fa-32121e402c57

Oct 26 19:57:29 JerryA-D600 setroubleshoot: SELinux is preventing
login (local_login_t) "create" system_chkpwd_t. For complete SELinux
messages. run sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831

****
Upon starting setroubleshootd, I was able to get this:

[root@localhost log]# sealert -l 06841090-2a80-4302-85fa-32121e402c57

Summary:

SELinux is preventing kdm (xdm_t) "create" system_chkpwd_t.

Detailed Description:

SELinux denied access requested by kdm. It is not expected that this access is
required by kdm and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:system_r:system_chkpwd_t:s0
Target Objects                None [ key ]
Source                        kdm
Source Path                   /usr/bin/kdm
Port                          <Unknown>
Host                          JerryA-D600
Source RPM Packages           kdebase-workspace-4.1.2-7.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-7.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     JerryA-D600
Platform                      Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed
                             Oct 22 21:35:19 EDT 2008 i686 i686
Alert Count                   4
First Seen                    Sun Oct 26 19:56:13 2008
Last Seen                     Sun Oct 26 19:59:53 2008
Local ID                      06841090-2a80-4302-85fa-32121e402c57
Line Numbers

Raw Audit Messages

node=JerryA-D600 type=AVC msg=audit(1225069193.250:10): avc:  denied
{ create } for  pid=2227 comm="kdm"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:system_chkpwd_t:s0 tclass=key

node=JerryA-D600 type=SYSCALL msg=audit(1225069193.250:10):
arch=40000003 syscall=4 success=no exit=-13 a0=6 a1=8ab6d50 a2=25
a3=8ab6d50 items=0 ppid=2173 pid=2227 auid=500 uid=0 gid=500 euid=0
suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="kdm"
exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
key=(null)

****
and this:
[root@localhost log]# sealert -l fcadfe5d-c3f9-41ef-86a7-107480d77831

Summary:

SELinux is preventing login (local_login_t) "create" system_chkpwd_t.

Detailed Description:

SELinux denied access requested by login. It is not expected that this access is
required by login and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Context                system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023
Target Objects                None [ key ]
Source                        login
Source Path                   /bin/login
Port                          <Unknown>
Host                          JerryA-D600
Source RPM Packages           util-linux-ng-2.14.1-3.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-7.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     JerryA-D600
Platform                      Linux JerryA-D600 2.6.27.3-39.fc10.i686 #1 SMP Wed
                             Oct 22 21:35:19 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Sun Oct 26 19:57:28 2008
Last Seen                     Sun Oct 26 20:00:06 2008
Local ID                      fcadfe5d-c3f9-41ef-86a7-107480d77831
Line Numbers

Raw Audit Messages

node=JerryA-D600 type=AVC msg=audit(1225069206.632:18): avc:  denied
{ create } for  pid=2178 comm="login"
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tclass=key

node=JerryA-D600 type=SYSCALL msg=audit(1225069206.632:18):
arch=40000003 syscall=4 success=no exit=-13 a0=3 a1=8586d68 a2=31
a3=8586d68 items=0 ppid=1 pid=2178 auid=0 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="login"
exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
key=(null)

Comment 1 Daniel Walsh 2008-10-27 13:47:51 UTC
semanage login -l
semanage user -l

Comment 2 Jean-Eudes ONFRAY 2008-10-28 09:22:34 UTC
I had the same problem on my laptop:
 # semanage login -l
 Login Name                SELinux User              MLS/MCS Range
 __default__               system_u                  s0
 root                      root                      -s0:c0.c255
 system_u                  system_u                  SystemLow-SystemHigh

You can see that my regular username is not listed here, only root. So I ran:
 # semanage login -a -s user_u jeo

"jeo" is my regular username. Now everything looks fine:
 # semanage login -l
 Login Name                SELinux User              MLS/MCS Range
 __default__               system_u                  s0
 jeo                       user_u                    s0
 root                      root                      -s0:c0.c255
 system_u                  system_u                  SystemLow-SystemHigh

After rebooting, no more setroubleshoot message popping up on my desktop. Great!

Comment 3 Daniel Walsh 2008-10-28 12:52:49 UTC
I think it would be better if you ran


semanage -S targeted -i - << __eof
user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
user -a -P user -R guest_r guest_u
user -a -P user -R xguest_r xguest_u
__eof
semanage -S targeted -i - << __eof
login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
login -m  -s unconfined_u -r s0-s0:c0.c1023 root
__eof

This is supposed to run in the post install of the selinux-policy-targeted package, but if you initially installed with SELinux disabled, the commands will blow up, leaving you in this state.

I am looking into fixing the package to install properly on a system with SELinux disabled.

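The following is an added example, not code from the bug report or from the selinux-policy package. It ties the evidence in the Description to the cause and fix in Comments 2 and 3: one function pulls the target identity out of the tclass=key AVC lines above, one flags the `semanage login -l` state from Comment 2 (a login unmapped or mapped to system_u, which is the identity carried by the denied target contexts in the report), and one emits Comment 3's repair as input for `semanage -S targeted -i -`. All sample input is constructed from the thread (the third AVC line is an unrelated file denial added as noise), and the table layout is assumed to match `semanage login -l` of that era: Login Name, SELinux User, MLS/MCS Range.

```shell
#!/bin/sh
# Added example; not from the bug report or selinux-policy. Samples are
# constructed from the thread, and the semanage -i command format follows
# Comment 3.

# Constructed: the two AVCs from the report plus one unrelated file denial.
AVC_SAMPLE='type=AVC msg=audit(1225069193.250:10): avc:  denied  { create } for  pid=2227 comm="kdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_chkpwd_t:s0 tclass=key
type=AVC msg=audit(1225069206.632:18): avc:  denied  { create } for  pid=2178 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tclass=key
type=AVC msg=audit(1225069300.000:20): avc:  denied  { read } for  pid=2300 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Constructed: `semanage login -l` in the broken state shown in Comment 2.
BROKEN_SAMPLE='Login Name                SELinux User              MLS/MCS Range
__default__               system_u                  s0
root                      root                      -s0:c0.c255
system_u                  system_u                  SystemLow-SystemHigh'

# Constructed: the mappings Comment 3 establishes.
FIXED_SAMPLE='Login Name                SELinux User              MLS/MCS Range
__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023'

# avc_key_denials: for every "avc: denied" line with tclass=key on stdin,
# print "<comm> <tcontext user>:<tcontext role>". A login program whose
# target identity is system_u is what the report shows.
avc_key_denials() {
    awk '/type=AVC/ && /avc: +denied/ && /tclass=key/ {
        comm = ""; tctx = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^tcontext=/) { tctx = substr($i, 10) }
        }
        n = split(tctx, c, ":")
        if (n >= 2) print comm, c[1] ":" c[2]
    }'
}

# login_seuser NAME / login_range NAME: column 2 / 3 of NAME's row in a
# `semanage login -l` table on stdin; nothing is printed if NAME is unmapped.
login_seuser() { awk -v n="$1" 'NR > 1 && $1 == n { print $2; exit }'; }
login_range()  { awk -v n="$1" 'NR > 1 && $1 == n { print $3; exit }'; }

# mapping_is_broken [LOGIN...]: true (0) when __default__ or root is missing
# or maps to system_u, or when any extra LOGIN maps to system_u. A regular
# user with no row is fine: it falls back to __default__, which is why
# Comment 3 fixes __default__ rather than adding per-user rows as Comment 2 did.
mapping_is_broken() {
    table=$(cat)
    for name in __default__ root "$@"; do
        seuser=$(printf '%s\n' "$table" | login_seuser "$name")
        [ "$seuser" = system_u ] && return 0
        case "$name" in
        __default__|root) [ -z "$seuser" ] && return 0 ;;
        esac
    done
    return 1
}

# repair_commands user|login: print one half of Comment 3's repair. Feed each
# half to its own `semanage -S targeted -i -` run, as the comment does;
# printing first lets you review it and works where semanage is absent.
repair_commands() {
    case "$1" in
    user) cat <<'__eof'
user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
user -a -P user -R guest_r guest_u
user -a -P user -R xguest_r xguest_u
__eof
    ;;
    login) cat <<'__eof'
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
login -m -s unconfined_u -r s0-s0:c0.c1023 root
__eof
    ;;
    *) echo "usage: repair_commands user|login" >&2; return 2 ;;
    esac
}

# check_live [LOGIN...]: run the mapping check on this host when semanage exists.
check_live() {
    command -v semanage >/dev/null 2>&1 || { echo "semanage not installed" >&2; return 2; }
    if semanage login -l | mapping_is_broken "$@"; then
        echo "login mappings broken; review: repair_commands user; repair_commands login" >&2
        return 1
    fi
    echo "login mappings look sane"
}
```

Run `check_live` on the affected host (or `grep avc /var/log/audit/audit.log | avc_key_denials` from rescue media) before applying anything; `repair_commands user | semanage -S targeted -i -` followed by `repair_commands login | semanage -S targeted -i -` reproduces Comment 3 exactly. Note that `user -a` fails if unconfined_u already exists, so check `semanage user -l` first.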
Comment 4 Daniel Walsh 2008-10-28 23:55:20 UTC
Fixed in selinux-policy-3.5.13-9.fc10

This will set up the users correctly even if SELinux is disabled.
