Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 614317 - SELinux is preventing /bin/login "entrypoint" access on /bin/bash.
SELinux is preventing /bin/login "entrypoint" access on /bin/bash.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:3a5e0caca0d...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-07-14 02:21 EDT by Michal Nowak
Modified: 2013-03-07 21:10 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-07-14 08:29:34 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Michal Nowak 2010-07-14 02:21:42 EDT
Summary:

SELinux is preventing /bin/login "entrypoint" access on /bin/bash.

Detailed Description:

SELinux denied access requested by login. It is not expected that this access is
required by login and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023
Target Context                system_u:object_r:shell_exec_t:s0
Target Objects                /bin/bash [ file ]
Source                        login
Source Path                   /bin/login
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           util-linux-ng-2.18-1.fc14
Target RPM Packages           bash-4.1.7-3.fc14
Policy RPM                    selinux-policy-3.8.6-1.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.35-0.27.rc4.git0.fc14.x86_64 #1 SMP Wed Jul 7
                              07:04:53 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 08 Jul 2010 11:01:57 AM CEST
Last Seen                     Thu 08 Jul 2010 11:02:02 AM CEST
Local ID                      c3239289-eaa4-46de-bd43-f9652970905f
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1278579722.621:29): avc:  denied  { entrypoint } for  pid=1488 comm="login" path="/bin/bash" dev=dm-0 ino=267020 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1278579722.621:29): arch=c000003e syscall=59 success=no exit=-13 a0=a61dd0 a1=7fffe49b5b48 a2=ac1300 a3=7fffe49b5620 items=0 ppid=1482 pid=1488 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=2 comm="login" exe="/bin/login" subj=system_u:system_r:kernel_t:s0 key=(null)



Hash String generated from  catchall,login,abrt_helper_t,shell_exec_t,file,entrypoint
audit2allow suggests:

#============= abrt_helper_t ==============
allow abrt_helper_t shell_exec_t:file entrypoint;
Comment 1 Daniel Walsh 2010-07-14 08:29:34 EDT
This is either a very screwed up labeled system or I have no idea what is going on.  Your login program is running as abrt_helper_t?

You can relabel the entire system by doing

# touch /.autorelabel
# reboot

If this does not fix the problem, or you believe this is not the problem please reopen the bug.
Comment 2 Frank Murphy 2010-08-07 13:45:22 EDT
It doesn't appear to happen if I pass init=/sbin/upstart as a kernel arg.
If all is left to systemd?
login keeps repeating sometimes not even allowing more than 1 character to be entered.

There is a corresponding gdm avc, that I have just entered, maybe? some more useful info there:
https://bugzilla.redhat.com/show_bug.cgi?id=622143
Comment 3 Daniel Walsh 2010-08-13 11:42:37 EDT
I have a fully updated system in F14 and I am using systemd and selinux fine.

systemd-7-3.fc14.x86_64

selinux-policy-3.8.8-10.fc14.noarch

Note You need to log in before you can comment on or make changes to this bug.