Bug 727678 - SELinux prevents login on rawhide
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2011-08-02 20:31 UTC by Josh Boyer
Modified: 2011-08-02 21:04 UTC (History)
Doc Type: Bug Fix
Last Closed: 2011-08-02 21:04:45 UTC

Attachments
/var/log/messages from bad boot (183.83 KB, text/plain)
2011-08-02 20:35 UTC, Josh Boyer

Description Josh Boyer 2011-08-02 20:31:49 UTC
Description of problem:

With the latest selinux-policy, udev, and systemd packages from rawhide, I can no longer log in to the system, even as root.

Version-Release number of selected component (if applicable):

systemd-32-1.fc17.x86_64
udev-173-1.fc17.x86_64
selinux-policy-3.10.0-11.fc17.noarch
selinux-policy-targeted-3.10.0-11.fc17.noarch


How reproducible:

Always

Steps to Reproduce:
1. Install
2. Boot
3. Try to login via GDM or VT
  
Actual results:

It looks like the login works, then GDM restarts or the VT goes back to the login prompt

Expected results:
login works

Additional info:

If I add enforcing=0 to the kernel command line, I can log in just fine.  Here are some early avc denials:

Aug  2 16:15:04 localhost kernel: [    7.389050] type=1400 audit(1312316090.250:4): avc:  denied  { dyntransition } for  pid=1 comm="systemd" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process
Aug  2 16:15:04 localhost kernel: [   10.752448] type=1400 audit(1312316093.615:5): avc:  denied  { write } for  pid=378 comm="udevd" name="notify" dev=tmpfs ino=8918 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
Aug  2 16:15:04 localhost kernel: [   11.178286] type=1400 audit(1312316094.041:6): avc:  denied  { use } for  pid=393 comm="loadkeys" path="/dev/null" dev=devtmpfs ino=4278 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
Aug  2 16:15:04 localhost kernel: [   11.185978] type=1400 audit(1312316094.048:7): avc:  denied  { use } for  pid=393 comm="loadkeys" path="socket:[9779]" dev=sockfs ino=9779 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
Aug  2 16:15:04 localhost kernel: [   11.188895] type=1400 audit(1312316094.050:8): avc:  denied  { use } for  pid=393 comm="loadkeys" path="socket:[9779]" dev=sockfs ino=9779 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
Aug  2 16:15:04 localhost kernel: [   11.643555] type=1400 audit(1312316094.506:9): avc:  denied  { sigchld } for  pid=1 comm="systemd" scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process

The majority of them are of the sigchld kind.  I'll attach the boot log for the failed boot shortly.  I tried touching ./autorelabel and that didn't do anything.
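
An added example, not part of the original report: a small Python parser that tallies AVC denials like the six quoted above by source type, target type, object class and permission, so the dominant domain or label stands out when the log is long. The function names are hypothetical; the sample input is the six lines from the description, unmodified.

```python
import re
from collections import Counter

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted
# The six denials quoted in the report above, unmodified.
SAMPLE = """\
Aug  2 16:15:04 localhost kernel: [    7.389050] type=1400 audit(1312316090.250:4): avc:  denied  { dyntransition } for  pid=1 comm="systemd" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process
Aug  2 16:15:04 localhost kernel: [   10.752448] type=1400 audit(1312316093.615:5): avc:  denied  { write } for  pid=378 comm="udevd" name="notify" dev=tmpfs ino=8918 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
Aug  2 16:15:04 localhost kernel: [   11.178286] type=1400 audit(1312316094.041:6): avc:  denied  { use } for  pid=393 comm="loadkeys" path="/dev/null" dev=devtmpfs ino=4278 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
Aug  2 16:15:04 localhost kernel: [   11.185978] type=1400 audit(1312316094.048:7): avc:  denied  { use } for  pid=393 comm="loadkeys" path="socket:[9779]" dev=sockfs ino=9779 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
Aug  2 16:15:04 localhost kernel: [   11.188895] type=1400 audit(1312316094.050:8): avc:  denied  { use } for  pid=393 comm="loadkeys" path="socket:[9779]" dev=sockfs ino=9779 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
Aug  2 16:15:04 localhost kernel: [   11.643555] type=1400 audit(1312316094.506:9): avc:  denied  { sigchld } for  pid=1 comm="systemd" scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process
""".splitlines()

def parse_avc(line):
    """Return the fields of one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    src = rec.get("scontext", "").split(":")
    tgt = rec.get("tcontext", "").split(":")
    if len(src) < 3 or len(tgt) < 3 or "tclass" not in rec:
        return None  # truncated or malformed record
    # A context is user:role:type[:mls]; policy rules are written on the type.
    rec.update(perms=m.group("perms").split(), stype=src[2], ttype=tgt[2])
    return rec

def summarize(lines):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts

def by_target(counts):
    """Collapse the summary to denials per target type."""
    totals = Counter()
    for (_stype, ttype, _tclass, _perm), n in counts.items():
        totals[ttype] += n
    return totals

if __name__ == "__main__":
    counts = summarize(SAMPLE)
    for key, n in counts.most_common():
        print(n, *key)
    print(by_target(counts).most_common())
```

On the six quoted lines, four of the denials name kernel_t as the target type.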

Comment 1 Josh Boyer 2011-08-02 20:35:06 UTC
Created attachment 516389
/var/log/messages from bad boot

Comment 2 Miroslav Grepl 2011-08-02 21:04:45 UTC
Fixed in selinux-policy-3.10.0-13.fc17.noarch

