Bug 492300 - unable to login when selinux=enforcing
Summary: unable to login when selinux=enforcing
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: urgent
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-03-26 11:45 UTC by Eddie Lania
Modified: 2009-03-27 00:49 UTC
CC: 2 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-03-27 00:49:02 UTC
Type: ---
Embargoed:


Description Eddie Lania 2009-03-26 11:45:44 UTC
Description of problem:
Unable to login when SELINUX=enforcing. Not on console, ssh or whatever.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.13-49.fc10.noarch
selinux-policy-3.5.13-49.fc10.noarch
libselinux-2.0.78-1.fc10.i386
libselinux-utils-2.0.78-1.fc10.i386
libselinux-python-2.0.78-1.fc10.i386


How reproducible:
Change SELINUX=disabled to enforcing.


Steps to Reproduce:
1. Change SELINUX=disabled to enforcing (policy targeted).

2. Restart

3. Try to login - NO WAY!

Messages in /var/log/messages:

kernel: type=1400 audit(1238064645.911:4): avc:  denied  { read } for  pid=1424 comm="ip" name="ld.so.cache" dev=sda2 ino=67249 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
kernel: type=1400 audit(1238064645.942:5): avc:  denied  { read } for  pid=1438 comm="ip" name="ld.so.cache" dev=sda2 ino=67249 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
kernel: type=1400 audit(1238064645.949:6): avc:  denied  { read } for  pid=1446 comm="iwconfig" name="ld.so.cache" dev=sda2 ino=67249 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
kernel: type=1400 audit(1238064647.406:7): avc:  denied  { read } for  pid=1468 comm="ip" name="ld.so.cache" dev=sda2 ino=67249 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
kernel: type=1400 audit(1238064647.512:8): avc:  denied  { read } for  pid=1532 comm="ifconfig" name="ld.so.cache" dev=sda2 ino=67249 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
Mar 26 11:50:57 ls2ka kernel: type=1400 audit(1238064647.512:9): avc:  denied  { read } for  pid=1532 comm="ifconfig" name="libselinux.so.1" dev=sda2 ino=858682 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
setroubleshoot: SELinux is preventing login (hotplug_t) "entrypoint" to /bin/bash (shell_exec_t). For complete SELinux messages. run sealert -l 13e1c676-1d74-4a05-b4a5-69e3b0d577f7
Mar 26 11:51:39 ls2ka init: tty2 main process ended, respawning
Mar 26 11:51:39 ls2ka setroubleshoot: SELinux is preventing login (hotplug_t) "entrypoint" to /bin/bash (shell_exec_t). For complete SELinux messages. run sealert -l 13e1c676-1d74-4a05-b4a5-69e3b0d577f7
Mar 26 11:51:50 ls2ka init: tty2 main process ended, respawning
Mar 26 11:51:50 ls2ka setroubleshoot: SELinux is preventing login (hotplug_t) "entrypoint" to /bin/bash (shell_exec_t). For complete SELinux messages. run sealert -l 13e1c676-1d74-4a05-b4a5-69e3b0d577f7
Mar 26 11:51:51 ls2ka acpid: client connected from 2991[0:0]
Mar 26 11:51:51 ls2ka acpid: client connected from 2991[0:0]
Mar 26 11:51:59 ls2ka setroubleshoot: SELinux is preventing access to files with the label, file_t. For complete SELinux messages. run sealert -l 9da225d5-acdd-4a40-bbe7-1049e9ddc0a0
Mar 26 11:51:59 ls2ka setroubleshoot: SELinux is preventing gdm-session-wor (hotplug_t) "entrypoint" to /etc/X11/xinit/Xsession (bin_t). For complete SELinux messages. run sealert -l f4bec33c-7158-4836-ad3b-3a15cc0d41c3
Mar 26 11:51:59 ls2ka acpid: client connected from 3459[0:0]
Mar 26 11:52:00 ls2ka acpid: client connected from 3459[0:0]
Mar 26 11:52:15 ls2ka setroubleshoot: SELinux is preventing access to files with the label, file_t. For complete SELinux messages. run sealert -l 9da225d5-acdd-4a40-bbe7-1049e9ddc0a0
Mar 26 11:52:15 ls2ka setroubleshoot: SELinux is preventing gdm-session-wor (hotplug_t) "entrypoint" to /etc/X11/xinit/Xsession (bin_t). For complete SELinux messages. run sealert -l f4bec33c-7158-4836-ad3b-3a15cc0d41c3

Trying to look up the errors is even worse:

sealert -l 13e1c676-1d74-4a05-b4a5-69e3b0d577f7
Traceback (most recent call last):
  File "/usr/bin/sealert", line 108, in <module>
    from setroubleshoot.analyze import *
  File "/usr/lib/python2.5/site-packages/setroubleshoot/analyze.py", line 43, in <module>
    from setroubleshoot.avc_audit import *
  File "/usr/lib/python2.5/site-packages/setroubleshoot/avc_audit.py", line 54, in <module>
    my_context = AvcContext(selinux.getcon()[1])
OSError: [Errno 22] Invalid argument
[root@ls2ka ~]# sealert -l
Traceback (most recent call last):
  File "/usr/bin/sealert", line 108, in <module>
    from setroubleshoot.analyze import *
  File "/usr/lib/python2.5/site-packages/setroubleshoot/analyze.py", line 43, in <module>
    from setroubleshoot.avc_audit import *
  File "/usr/lib/python2.5/site-packages/setroubleshoot/avc_audit.py", line 54, in <module>
    my_context = AvcContext(selinux.getcon()[1])
OSError: [Errno 22] Invalid argument
[root@ls2ka ~]# 9da225d5-acdd-4a40-bbe7-1049e9ddc0a0
-bash: 9da225d5-acdd-4a40-bbe7-1049e9ddc0a0: command not found
[root@ls2ka ~]# sealert -l 9da225d5-acdd-4a40-bbe7-1049e9ddc0a0
Traceback (most recent call last):
  File "/usr/bin/sealert", line 108, in <module>
    from setroubleshoot.analyze import *
  File "/usr/lib/python2.5/site-packages/setroubleshoot/analyze.py", line 43, in <module>
    from setroubleshoot.avc_audit import *
  File "/usr/lib/python2.5/site-packages/setroubleshoot/avc_audit.py", line 54, in <module>
    my_context = AvcContext(selinux.getcon()[1])
OSError: [Errno 22] Invalid argument
[root@ls2ka ~]# sealert -l 13e1c676-1d74-4a05-b4a5-69e3b0d577f7
Traceback (most recent call last):
  File "/usr/bin/sealert", line 108, in <module>
    from setroubleshoot.analyze import *
  File "/usr/lib/python2.5/site-packages/setroubleshoot/analyze.py", line 43, in <module>
    from setroubleshoot.avc_audit import *
  File "/usr/lib/python2.5/site-packages/setroubleshoot/avc_audit.py", line 54, in <module>
    my_context = AvcContext(selinux.getcon()[1])
OSError: [Errno 22] Invalid argument

IT SEEMS SOMETHING PYTHON IS REALLY BROKEN HERE.

Actual results:
Unable to login


Expected results:
Should be able to login

Additional info:

This is worse than Microsoft's security implementations!

BTW: If you use the SYSTEM-CONFIG-SELINUX tool and change the SELinux setting with it, e.g. from disabled to enforcing, a warning/question pops up saying that if you enable it you have to relabel.

HAS ANYONE NOTICED WHAT THIS UTIL DOES WHEN YOU SAY "NO" TO THAT QUESTION?

Comment 1 Eddie Lania 2009-03-26 14:40:31 UTC
It also fucked up the zone files by setting the rights on the /var/named/chroot/var/named folder from named:named to root:named.

After disabling selinux, I had to set this back manually myself again.

I am still checking the filesystem rights at this moment.

I really hope that it's my own fault and not Fedora's.

Comment 2 Miroslav Grepl 2009-03-26 16:31:34 UTC
Context file_t means you need to relabel the machine.

Could you try to execute

vi /etc/selinux/config

Change the SELINUX field to say permissive
touch /.autorelabel
reboot

to fix the labeling.
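
An added triage example (not part of this bug report and not setroubleshoot's own code): it parses AVC denial lines like the ones quoted above and separates denials whose target is labelled file_t, the unlabeled-filesystem signature that the relabel step above cures, from ordinary policy denials. The sample lines are constructed after the reporter's log.

```python
import re

# Constructed sample modelled on the denials quoted in this bug; the third
# line is an ordinary policy denial added to show the contrast.
SAMPLE_LOG = """\
kernel: type=1400 audit(1238064645.911:4): avc:  denied  { read } for  pid=1424 comm="ip" name="ld.so.cache" dev=sda2 ino=67249 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
kernel: type=1400 audit(1238064647.512:9): avc:  denied  { read } for  pid=1532 comm="ifconfig" name="libselinux.so.1" dev=sda2 ino=858682 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
kernel: type=1400 audit(1238064650.100:12): avc:  denied  { write } for  pid=1600 comm="httpd" name="index.html" dev=sda2 ino=1000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
Mar 26 11:51:39 ls2ka init: tty2 main process ended, respawning
"""

# "avc:  denied  { perm ... } for  key=value key="quoted" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the fields of one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # user:role:type[:range] -- the type is the third colon-separated field
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def classify(log_text):
    """Split denials into (unlabeled-target, other); file_t targets mean the fs was never labelled."""
    unlabeled, other = [], []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        (unlabeled if rec["ttype"] == "file_t" else other).append(rec)
    return unlabeled, other


def needs_relabel(log_text):
    """True when any denial hits a file_t target, i.e. a full relabel is the fix, not a policy change."""
    return len(classify(log_text)[0]) > 0


if __name__ == "__main__":
    unlabeled, other = classify(SAMPLE_LOG)
    print(f"{len(unlabeled)} denial(s) on file_t targets, {len(other)} other")
    if needs_relabel(SAMPLE_LOG):
        print("filesystem was never labelled: boot permissive, touch /.autorelabel, reboot")
```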

Comment 3 Eddie Lania 2009-03-26 18:38:29 UTC
Is this going to change permissions on certain folders and/or files as well?

It's a new production machine which services the network's dhcp, (d)dns, mail and proxy services. Right now it is working well and I would not want this configuration to be screwed.

Comment 4 Daniel Walsh 2009-03-27 00:49:02 UTC
It will change the SELinux labels only.  It will not change any permissions.
