Bug 510230 - Booting system in enforcing mode stops graphical or tty console login
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-07-08 08:47 EDT by Quentin Armitage
Modified: 2009-07-21 10:08 EDT
Doc Type: Bug Fix
Last Closed: 2009-07-21 10:08:42 EDT
Description Quentin Armitage 2009-07-08 08:47:06 EDT
If I boot the system with SELinux in enforcing mode, attempting to log in fails with no error message given, and the login prompt is re-presented. This applies to both the graphical and character-based (tty) console login options.

Adding the kernel parameter enforcing=0, or setting SELINUX=permissive in /etc/selinux.config, allows logins to work.

Reproducible: Always

Steps to Reproduce:
1. Boot system in enforcing mode
2. Attempt to log in

Actual Results:
No login occurs, and login prompt re-presented

Expected Results:
Login successful

selinux-policy version 3.6.20-2. Using selinux-policy-targeted
Comment 1 Daniel Walsh 2009-07-09 08:52:53 EDT
What AVCs are you seeing in /var/log/audit/audit.log or /var/log/messages?
Comment 2 Quentin Armitage 2009-07-20 18:01:29 EDT
If I execute setenforce enforcing, it causes all login sessions and the GUI to terminate, and I then cannot log in. The following message appeared in /var/log/messages when I attempted to log in following the above actions:

Jul 20 22:51:05 samson kernel: type=1400 audit(1248126665.035:28446): avc:  denied  { entrypoint } for  pid=2444 comm="login" path="/bin/bash" dev=dm-0 ino=15278 scontext=unconfined_u:system_r:hotplug_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Comment 3 Daniel Walsh 2009-07-20 21:15:29 EDT
Please relabel your machine and see if this fixes the problem.

touch /.autorelabel; reboot

I think all your problems are caused by bad labeling.
Comment 4 Quentin Armitage 2009-07-21 03:02:38 EDT
This has resolved the problem. Many thanks for your help.
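
Added example, not part of the original bug thread or of any Fedora tooling: a small Python parser that breaks the AVC record quoted in Comment 2 into its fields, so the source domain and target label that the denial names can be read off directly when checking for labeling problems. The function names are hypothetical; the sample line is the one from Comment 2.

```python
import re

# AVC record as quoted in Comment 2 of this bug.
SAMPLE = ('Jul 20 22:51:05 samson kernel: type=1400 audit(1248126665.035:28446): '
          'avc:  denied  { entrypoint } for  pid=2444 comm="login" path="/bin/bash" '
          'dev=dm-0 ino=15278 scontext=unconfined_u:system_r:hotplug_t:s0-s0:c0.c1023 '
          'tcontext=system_u:object_r:shell_exec_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def split_context(ctx):
    """Split user:role:type[:level]. The MLS level can itself contain ':'
    (e.g. s0-s0:c0.c1023), so split at most three times."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('malformed SELinux context: %r' % ctx)
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'level': parts[3] if len(parts) == 4 else None}


def parse_avc(line):
    """Return a dict for an AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    for key in ('scontext', 'tcontext', 'tclass'):
        if key not in rec:
            raise ValueError('AVC record missing %s' % key)
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    rec['scontext'] = split_context(rec['scontext'])
    rec['tcontext'] = split_context(rec['tcontext'])
    return rec


def summarize(rec):
    """One-line view: which process, in which domain, was refused what."""
    return '%s (pid %s) in domain %s: %s { %s } on %s labeled %s [%s]' % (
        rec.get('comm', '?'), rec.get('pid', '?'), rec['scontext']['type'],
        rec['result'], ' '.join(rec['perms']), rec.get('path', '?'),
        rec['tcontext']['type'], rec['tclass'])


if __name__ == '__main__':
    print(summarize(parse_avc(SAMPLE)))
```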
