From: Luke Kearney <lukek@amazon.com>
To: selinux@tycho.nsa.gov
Subject: RHEL5 console login problem - pam_selinux cannot determine new context
Date: Thu, 21 Jun 2007 15:26:27 +0100
Message-ID: <467A8A93.20807@amazon.com>
Hi there,
I'm getting a problem when logging in on a console on a RHEL5 box; I suspect that the problem is somewhere in pam_selinux.so.
I'm not sure if it's a misconfiguration of mine or a bug...
I'm using:
RHEL5, with
pam-0.99.6.2-3.14.el5
libselinux-1.33.4-2.el5
selinux-policy-2.4.6-67.el5
With the default pam options, pam_selinux is unable to get the user context, and so there is no transition when a user logs in on the console, and they end up in the "system_u:system_r:local_login_t" context.
Relevant line in /etc/pam.d/login:
session required pam_selinux.so open verbose debug
The console login with default pam options:
...
testhost login: root
Password:
Security Context (null) Assigned
Last login: Thu Jun 21 07:04:28 on tty1
[root@testhost ~]# id -Z
system_u:system_r:local_login_t:SystemLow-SystemHigh
And here is the syslogged debug info:
Jun 21 05:27:28 testhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jun 21 05:27:28 testhost login: pam_selinux(login:session): Open Session
Jun 21 05:27:28 testhost login: pam_selinux(login:session): Username= root SELinux User = root Level= s0-s0:c0.c1023
Jun 21 05:27:28 testhost login: pam_selinux(login:session): Warning! Could not get new context for /dev/tty1, not relabeling: Invalid argument
Jun 21 05:27:28 testhost login: pam_selinux(login:session): usercon=(null), prev_context=system_u:object_r:tty_device_t
Jun 21 05:27:28 testhost login: pam_selinux(login:session): Security Context (null) Assigned
Jun 21 05:27:28 testhost login: pam_selinux(login:session): set root security context to (null)
Jun 21 05:27:28 testhost login: ROOT LOGIN ON tty1
However, if I change pam_selinux to use the select_context option, then it *does* correctly determine the default context.
So changing /etc/pam.d/login:
session required pam_selinux.so open verbose select_context debug
And now the console login:
testhost login: root
Password:
Default Security Context root:sysadm_r:sysadm_t:SystemLow-SystemHigh
Would you like to enter a different role or level? [n]
Security Context root:sysadm_r:sysadm_t:SystemLow-SystemHigh Assigned
Last login: Thu Jun 21 07:06:21 on tty1
[root@testhost ~]# id -Z
root:sysadm_r:sysadm_t:SystemLow-SystemHigh
And here is the strace of the pam_selinux failure (stracing mingetty on tty1):
send(3, "<87>Jun 21 05:27:28 login: pam_selinux(login:session): Username= root SELinux User = root Level= s0-s0:c0.c1023", 111, MSG_NOSIGNAL) = 111
gettid() = 3376
open("/proc/self/task/3376/attr/exec", O_RDONLY|O_LARGEFILE) = 4
read(4, "", 4095) = 0
close(4) = 0
getxattr("/dev/tty1", "security.selinux", "system_u:object_r:tty_device_t:s0", 255) = 34
socket(PF_FILE, SOCK_STREAM, 0) = 4
connect(4, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"}, 110) = 0
sendmsg(4, {msg_name(0)=NULL, msg_iov(5)=[{"\2\0\0\0", 4}, {"\"\0\0\0", 4}, {"\1\0\0\0", 4}, {"system_u:object_r:tty_device_t:s0\0", 34}, {"\0", 1}], msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 47
readv(4, [{"\2\0\0\0", 4}, {"\37\0\0\0", 4}, {"\0\0\0\0", 4}], 3) = 12
readv(4, [{"system_u:object_r:tty_device_t\0", 31}], 1) = 31
close(4) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 4
connect(4, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"}, 110) = 0
sendmsg(4, {msg_name(0)=NULL, msg_iov(5)=[{"\3\0\0\0", 4}, {"\37\0\0\0", 4}, {"\1\0\0\0", 4}, {"system_u:object_r:tty_device_t\0", 31}, {"\0", 1}], msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 44
readv(4, [{"\3\0\0\0", 4}, {"\"\0\0\0", 4}, {"\0\0\0\0", 4}], 3) = 12
readv(4, [{"system_u:object_r:tty_device_t:s0\0", 34}], 1) = 34
close(4) = 0
open("/selinux/relabel", O_RDWR|O_LARGEFILE) = 4
write(4, "(null) system_u:object_r:tty_device_t:s0 10", 43) = -1 EINVAL (Invalid argument)
close(4) = 0
time(NULL) = 1182428848
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1037, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1037, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1037, ...}) = 0
send(3, "<85>Jun 21 05:27:28 login: pam_selinux(login:session): Warning! Could not get new context for /dev/tty1, not relabeling: Invalid argument", 138, MSG_NOSIGNAL) = 138
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
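As an added example (not part of this thread or of pam_selinux itself), a small Python check over pam_selinux debug lines in the format quoted above: it groups each session's Username/Warning/Assigned lines and flags logins where the assigned context is "(null)", i.e. where the shell stayed in the login program's own domain. The log text is constructed from the report plus one healthy session for contrast.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the failing session from the report, followed by a
# constructed healthy session where a user context was assigned.
SAMPLE_SYSLOG = """\
Jun 21 05:27:28 testhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jun 21 05:27:28 testhost login: pam_selinux(login:session): Open Session
Jun 21 05:27:28 testhost login: pam_selinux(login:session): Username= root SELinux User = root Level= s0-s0:c0.c1023
Jun 21 05:27:28 testhost login: pam_selinux(login:session): Warning! Could not get new context for /dev/tty1, not relabeling: Invalid argument
Jun 21 05:27:28 testhost login: pam_selinux(login:session): usercon=(null), prev_context=system_u:object_r:tty_device_t
Jun 21 05:27:28 testhost login: pam_selinux(login:session): Security Context (null) Assigned
Jun 21 05:27:28 testhost login: ROOT LOGIN ON tty1
Jun 21 05:30:00 testhost login: pam_selinux(login:session): Username= root SELinux User = root Level= s0-s0:c0.c1023
Jun 21 05:30:00 testhost login: pam_selinux(login:session): Security Context root:sysadm_r:sysadm_t:s0-s0:c0.c1023 Assigned
"""

USER_RE = re.compile(r"pam_selinux\(\S+:session\): Username=\s*(\S+) SELinux User = (\S+) Level=\s*(\S+)")
WARN_RE = re.compile(r"pam_selinux\(\S+:session\): Warning!\s*(.*)$")
ASSIGN_RE = re.compile(r"pam_selinux\(\S+:session\): Security Context (\S+) Assigned")


@dataclass
class SessionFinding:
    username: str
    seuser: str
    level: str
    assigned: Optional[str] = None
    warnings: List[str] = field(default_factory=list)

    @property
    def failed(self) -> bool:
        # "(null)" means no user context was computed, so the process keeps
        # the login program's domain (local_login_t in the report).
        return self.assigned in (None, "(null)")


def audit_pam_selinux(log_text: str) -> List[SessionFinding]:
    """Group pam_selinux debug lines into sessions; one finding per Username= line."""
    findings: List[SessionFinding] = []
    current: Optional[SessionFinding] = None
    for line in log_text.splitlines():
        m = USER_RE.search(line)
        if m:  # a new session starts with the Username= line
            current = SessionFinding(*m.groups())
            findings.append(current)
            continue
        if current is None:
            continue
        m = WARN_RE.search(line)
        if m:
            current.warnings.append(m.group(1).strip())
            continue
        m = ASSIGN_RE.search(line)
        if m:  # the Assigned line closes the session
            current.assigned = m.group(1)
            current = None
    return findings


def failed_sessions(log_text: str) -> List[SessionFinding]:
    """Sessions whose shell never received a user context."""
    return [f for f in audit_pam_selinux(log_text) if f.failed]
```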