Description of problem: As of today (which is the first time I logged off since last week, so it could be caused by any update in the last week or so) I can no longer login graphically using any user (both local and winbind). Login through text terminal or SSH still works well as well as sudo (I haven't tried anything else). I haven't found anything interesting in the logs, except this from /var/log/secure: ---8<--- Apr 19 16:34:49 chen pam: gdm-password[2626]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=oded.a ---8<--- (Which interestingly enough reports failures for any user except root - failing to log in as root does not generate a failure line in /var/log/secure). And this from /var/log/messages: ---8<--- Apr 19 16:34:38 chen setroubleshoot: SELinux prevented kde4-config from writing .kde. For complete SELinux messages. run sealert -l a08e9abb-f598-4ebb-b47a-d9c6557ab07d Apr 19 16:34:46 chen setroubleshoot: SELinux is preventing gdm-session-wor (xdm_t) "read" home_root_t. For complete SELinux messages. run sealert -l 763f61fe-92b2-4add-ab04-a98dbd91d2d3 Apr 19 16:35:51 chen setroubleshoot: SELinux is preventing gdm-simple-gree (xdm_t) "read" to oded.a (home_root_t). For complete SELinux messages. run sealert -l a5f3b4e5-46de-4f37-a088-ecc07b152a53 ---8<--- I get similar errors about sshd trying to "read" from home_root_t but logins through ssh work, so I'm not sure that is related. Here is the complete sealert report anyway, for completion: Summary: SELinux is preventing gdm-session-wor (xdm_t) "read" home_root_t. Detailed Description: SELinux denied access requested by gdm-session-wor. It is not expected that this access is required by gdm-session-wor and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context unconfined_u:object_r:home_root_t:s0 Target Objects .dmrc [ file ] Source gdm-session-wor Source Path /usr/libexec/gdm-session-worker Port <Unknown> Host chen.office.taboola.com Source RPM Packages gdm-2.26.1-1.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.12-4.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name chen.office.taboola.com Platform Linux chen.office.taboola.com 2.6.29.1-68.fc11.x86_64 #1 SMP Sat Apr 11 02:20:46 EDT 2009 x86_64 x86_64 Alert Count 7 First Seen Mon Apr 13 14:29:14 2009 Last Seen Sun Apr 19 16:30:27 2009 Local ID 763f61fe-92b2-4add-ab04-a98dbd91d2d3 Line Numbers Raw Audit Messages node=chen.office.taboola.com type=AVC msg=audit(1240147827.179:1012): avc: denied { read } for pid=23167 comm="gdm-session-wor" name=".dmrc" dev=dm-1 ino=4882 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file node=chen.office.taboola.com type=SYSCALL msg=audit(1240147827.179:1012): arch=c000003e syscall=2 success=no exit=-13 a0=18d61e0 a1=0 a2=0 a3=2 items=0 ppid=22344 pid=23167 auid=4294967295 uid=0 gid=0 euid=16777216 suid=0 fsuid=16777216 egid=16777216 sgid=0 fsgid=16777216 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Version-Release number of selected component (if applicable): 2.26.1 How reproducible: Always Steps to Reproduce: 1. Log off 2. try to log in by choosing "other", typing the user name and password Actual results: GDM reports "Unable to authenticate the user" Expected results: GDM should start the desktop session properly. Additional info: I'm using winbind to authenticate against an active directory domain, which normally works great.
Sorry, updated severity as currently I can't log in to my system and I have no workaround for this (maybe log in through console and use startx? sounds like 90s)
I found a workaround - I replaced my display manager to KDM and now I can login. I'll leave the severity as "urgent" as changing the display manager is not really trivial and the default configuration is severely broken.
Are you trying to login via the console as root? This is not allowed, via SELinux rules.
I tried both as root and as a normal user. A normal user logs in successfully through the text console or with KDM but fails with GDM. I haven't tried to log in as root using KDM, and I don't remember if I tried using the console - I only tried to log in through GDM to see if it works (and it doesn't - and reports the same error as a normal user). I currently can't try to login with the text console, as for some reason under a KDM login I can't CTRL-ALT-F* to a text console. Weird. I do succeed in logging in as root through ssh.
I just confirmed - I can log in as root using the text console. can't with GDM though because of the same error as when logging in with a normal user. Funny thing with KDM though - I can't switch to a virtual terminal when KDM is the display manager, I can with GDM though. On the other hand, I can zap the X server (CTRL-ALT-Backspace) with KDM and can't with GDM (which is on purpose IIRC). Still, that is another bug report.
Could you attach the output of #semanage login -l #semanage user -l Your problem could be described here: http://danwalsh.livejournal.com/2008/07/10/
---8<--- # semanage login -l Login Name SELinux User MLS/MCS Range __default__ unconfined_u s0 root unconfined_u s0-s0:c0.c1023 system_u system_u s0-s0:c0.c1023 # semanage user -l Labeling MLS/ MLS/ SELinux User Prefix MCS Level MCS Range SELinux Roles guest_u user s0 s0 guest_r root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r sysadm_u user s0 s0-s0:c0.c1023 sysadm_r system_u user s0 s0-s0:c0.c1023 system_r unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r user_u user s0 s0 user_r xguest_u user s0 s0 xguest_r ---8<--- This is a new installation, not an upgrade of a previous Fedora (as the first time I tried to upgrade F10 it didn't work very well for me). Not that I can read the output of semanage, but compared to danwalsh's journal mentioned above, it looks OK.
Yes this is fine. What avc messages are you seeing in /var/log/audit/audit.log?
Nothing seems relevant - a lot of stuff about root getting permissions to run crond or ssh logs. It doesn't look like normal (non-root) logins generate lines in audit.log.
And you are able to login with SELinux in permissive mode? Anything in /var/log/secure?
Hey guys, run authconfig --updateall to work around this bug *** This bug has been marked as a duplicate of bug 495924 ***
I don't think this is the same problem, as I can't use gdm to log in with local accounts as well, but I'll try.
Well, apparently that was the problem - after running authconfig --updateall, I could log in fine.