Bug 787838 - no login for liveuser
Summary: no login for liveuser
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-02-06 21:56 UTC by nucleo
Modified: 2012-02-09 22:52 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-02-09 22:52:34 UTC
Type: ---
Embargoed:


Attachments
/var/log/messages (63.12 KB, text/plain), 2012-02-09 22:27 UTC, nucleo
/var/log/audit/audit.log (32.63 KB, text/plain), 2012-02-09 22:29 UTC, nucleo

Description nucleo 2012-02-06 21:56:27 UTC
Description of problem:
liveuser can't log in on LiveCD.
There is "liveuser:!!:15376:0:99999:7:::" in /etc/shadow.
For root there is no "!!" in "root::15376:0:99999:7:::", so root login is possible, but liveuser is asked for a password.

Comment 1 nucleo 2012-02-06 22:10:57 UTC
Running "passwd -d liveuser" from root makes liveuser login work.

Comment 2 Kevin Fenzi 2012-02-09 21:15:07 UTC
If you leave the login at the gdm screen, does the timed login work and log you in?

If you boot with 'enforcing=0' does it let you login?

Comment 3 nucleo 2012-02-09 21:55:40 UTC
Can't tell anything about gdm because the -desktop CD does not start, so I tested only the KDE live image.
Adding 'enforcing=0' makes liveuser login work both in kdm and in the console.
If 'enforcing=0' is added, then there is no "!!" in "liveuser::15379:0:99999:7:::" in /etc/shadow.
If 'enforcing=0' is omitted, then "!!" appears in "liveuser:!!:15379:0:99999:7:::" and no login is possible.

Comment 4 Kevin Fenzi 2012-02-09 22:11:25 UTC
Moving over to selinux policy. 

Is something preventing root from doing 'passwd -d liveuser' ?

Can you check for any avcs in the case where it doesn't work and attach them?

Comment 5 nucleo 2012-02-09 22:27:58 UTC
Created attachment 560723 [details]
/var/log/messages

Comment 6 nucleo 2012-02-09 22:29:58 UTC
Created attachment 560724 [details]
/var/log/audit/audit.log

There are a lot of avc messages but I don't know which is related to "passwd -d liveuser".
When I run "passwd -d liveuser" it just removes the password as it should.

Comment 7 Kevin Fenzi 2012-02-09 22:33:43 UTC
These look likely: 

type=AVC msg=audit(1328833300.266:52): avc:  denied  { create } for  pid=535 comm="passwd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_selinux_socket
type=AVC msg=audit(1328833300.281:53): avc:  denied  { bind } for  pid=535 comm="passwd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_selinux_socket
type=AVC msg=audit(1328833300.304:54): avc:  denied  { compute_av } for  pid=535 comm="passwd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=USER_AVC msg=audit(1328833300.314:55): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='avc:  denied  { passwd } for  scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=passwd : exe="/usr/bin/passwd" sauid=0 hostname=? addr=? terminal=?'
type=USER_CHAUTHTOK msg=audit(1328833300.328:56): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=change password id=1000 exe="/usr/bin/passwd" hostname=? addr=? terminal=? res=failed
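
To pick the relevant records out of a large audit.log, as comments 4 and 6 ask, the following added example (not part of the bug thread or the selinux-policy project) filters AVC and USER_AVC records by program name and groups the denied permissions by source type, target type and class. The first sample record (comm="example", example_t) is constructed; the others are the lines quoted in comment 7.

```python
import re
from collections import defaultdict

# Records quoted in comment 7, preceded by one constructed record
# (comm="example", example_t) standing in for unrelated denials.
SAMPLE_LOG = """
type=AVC msg=audit(1328833299.100:40): avc:  denied  { read } for  pid=400 comm="example" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=file
type=AVC msg=audit(1328833300.266:52): avc:  denied  { create } for  pid=535 comm="passwd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_selinux_socket
type=AVC msg=audit(1328833300.281:53): avc:  denied  { bind } for  pid=535 comm="passwd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_selinux_socket
type=AVC msg=audit(1328833300.304:54): avc:  denied  { compute_av } for  pid=535 comm="passwd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=USER_AVC msg=audit(1328833300.314:55): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='avc:  denied  { passwd } for  scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=passwd : exe="/usr/bin/passwd" sauid=0 hostname=? addr=? terminal=?'
type=USER_CHAUTHTOK msg=audit(1328833300.328:56): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=change password id=1000 exe="/usr/bin/passwd" hostname=? addr=? terminal=? res=failed
"""

DENIAL = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
PROGRAM = re.compile(r'\b(?:comm|exe)="(?P<path>[^"]+)"')


def denials_for(log_text, program):
    """Return {(source type, target type, class): {permissions}} for the
    AVC and USER_AVC denials whose comm= or exe= names `program`."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith(("type=AVC ", "type=USER_AVC ")):
            continue
        denial = DENIAL.search(line)
        if denial is None:
            continue
        # Kernel AVCs carry comm="name"; userspace USER_AVCs carry exe="/path".
        names = {m["path"].rsplit("/", 1)[-1] for m in PROGRAM.finditer(line)}
        if program not in names:
            continue
        # Contexts are user:role:type:level; policy rules are written on the type.
        source = denial["scontext"].split(":")[2]
        target = denial["tcontext"].split(":")[2]
        grouped[(source, target, denial["tclass"])].update(denial["perms"].split())
    return dict(grouped)


if __name__ == "__main__":
    for key, perms in sorted(denials_for(SAMPLE_LOG, "passwd").items()):
        print("%s -> %s, class %s:" % key, " ".join(sorted(perms)))
```

On the sample, every passwd denial has initrc_t as its source type, which shows passwd running in the init script domain.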

Comment 8 Daniel Walsh 2012-02-09 22:52:34 UTC
We need to remove the unconfined_permissive patch before we go to alpha, which is what I believe is breaking this.   

One question I have, though, is why is this not happening in the post install of the kick start rather than every boot?

Fixed in selinux-policy-3.10.0-86.fc17

