[solved] selinux login lightdm problem after 1127

trevor14smith
Posts: 34
Joined: 2017/02/25 16:51:35

[solved] selinux login lightdm problem after 1127

Post by trevor14smith » 2020/04/28 13:25:39

I am using CentOS 7, LightDM and Cinnamon. After the update to 3.10.0-1127 I was unable to log in.
The LightDM login screen appeared OK, but adding the password looped it back to the login screen.
After starting non-graphical I was also unable to log in at the command line!
After adding "selinux=0" to the grub line on boot, everything worked OK - logged in with LightDM and I am now on this forum.

As a newbie - how do I now configure SELinux so that it allows logins, and I do not have to edit the grub line every time?
Last edited by trevor14smith on 2020/04/28 15:54:56, edited 1 time in total.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: selinux login lightdm problem after 1127

Post by TrevorH » 2020/04/28 14:18:40

Unfortunately selinux=0 was the wrong solution; it would have been better to use "enforcing=0" to come up in permissive mode. Now you will need to relabel your entire filesystem via touch /.autorelabel and reboot in permissive mode to get that bit fixed. So change the config file to permissive, touch the file, reboot and wait while it relabels everything, then see if your login works. If it does (which it should since you're still permissive) then examine the output from aureport -a to see details of whatever it was that selinux was blocking that caused the original problem. Use ausearch -a nnnn to get more details, where nnnn is the number from the right hand end of each aureport -a line that looks to be around the right time.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

trevor14smith
Posts: 34
Joined: 2017/02/25 16:51:35

Re: selinux login lightdm problem after 1127

Post by trevor14smith » 2020/04/28 14:53:02

>> permissive, touch the file, reboot and wait while it relabels everything then see if your login works.
Yes, worked. Not sure what any of this means?
aureport -a: a bunch of entries like this:
6. 04/28/2020 06:43:38 lightdm system_u:system_r:kernel_t:s0 59 process transition unconfined_u:unconfined_r:unconfined_t:s0 denied 133
7. 04/28/2020 06:43:38 ? system_u:system_r:kernel_t:s0 0 service start system_u:system_r:kernel_t:s0 denied 134
8. 04/28/2020 06:43:38 ? system_u:system_r:kernel_t:s0 0 service start system_u:system_r:kernel_t:s0 denied 135
9. 04/28/2020 06:43:38 lightdm system_u:system_r:kernel_t:s0 59 process transition unconfined_u:unconfined_r:unconfined_t:s0 denied 138
10. 04/28/2020 06:43:40 ? system_u:system_r:kernel_t:s0 0 service start system_u:system_r:kernel_t:s0 denied 143
11. 04/28/2020 06:43:40 ? system_u:system_r:kernel_t:s0 0 service start system_u:system_r:kernel_t:s0 denied 144
12. 04/28/2020 06:43:53 lightdm system_u:system_r:kernel_t:s0 59 process transition unconfined_u:unconfined_r:unconfined_t:s0 denied 154
13. 04/28/2020 06:43:53 ? system_u:system_r:kernel_t:s0 0 service start system_u:system_r:kernel_t:s0 denied 155
14. 04/28/2020 06:43:53 ? system_u:system_r:kernel_t:s0 0 service start system_u:system_r:kernel_t:s0 denied 156

These are the details on 133:
----
time->Tue Apr 28 06:43:38 2020
type=PROCTITLE msg=audit(1588070618.613:133): proctitle=6C69676874646D002D2D73657373696F6E2D6368696C64003132003139
type=SYSCALL msg=audit(1588070618.613:133): arch=c000003e syscall=59 success=no exit=-13 a0=7f183c8b9607 a1=7ffe69d1b410 a2=13011f0 a3=3 items=0 ppid=3400 pid=4157 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="lightdm" exe="/usr/sbin/lightdm" subj=system_u:system_r:kernel_t:s0 key=(null)
type=AVC msg=audit(1588070618.613:133): avc: denied { transition } for pid=4157 comm="lightdm" path="/usr/bin/gnome-keyring-daemon" dev="dm-0" ino=29219 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
----
time->Tue Apr 28 06:46:59 2020
type=USER_ROLE_CHANGE msg=audit(1588070819.477:133): pid=2349 uid=0 auid=1000 ses=1 subj=system_u:system_r:kernel_t:s0 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0 selected-context=unconfined_u:unconfined_r:unconfined_t:s0 exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success'
----
time->Tue Apr 28 06:48:34 2020
type=PROCTITLE msg=audit(1588070914.518:133): proctitle=6C69676874646D002D2D73657373696F6E2D6368696C64003132003139
type=SYSCALL msg=audit(1588070914.518:133): arch=c000003e syscall=59 success=no exit=-13 a0=7fe7332d9607 a1=7ffc4ad0f090 a2=23d1220 a3=3 items=0 ppid=3649 pid=4116 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="lightdm" exe="/usr/sbin/lightdm" subj=system_u:system_r:kernel_t:s0 key=(null)
type=AVC msg=audit(1588070914.518:133): avc: denied { transition } for pid=4116 comm="lightdm" path="/usr/bin/gnome-keyring-daemon" dev="dm-0" ino=29219 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
----
time->Tue Apr 28 06:51:09 2020
type=USER_ROLE_CHANGE msg=audit(1588071069.281:133): pid=2346 uid=0 auid=1000 ses=1 subj=system_u:system_r:kernel_t:s0 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0 selected-context=unconfined_u:unconfined_r:unconfined_t:s0 exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success'
----
time->Tue Apr 28 06:53:48 2020
type=LOGIN msg=audit(1588071228.193:133): pid=2342 uid=0 subj=system_u:system_r:kernel_t:s0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=1 res=1
----
time->Tue Apr 28 07:04:03 2020
type=CRED_DISP msg=audit(1588071843.342:133): pid=2291 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:setcred grantors=pam_env,pam_permit acct="lightdm" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success'
----
time->Tue Apr 28 07:09:24 2020
type=USER_AUTH msg=audit(1588072164.517:133): pid=2275 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:authentication grantors=? acct="?" exe="/usr/bin/login" hostname=localhost.localdomain addr=? terminal=tty1 res=failed'
----
time->Tue Apr 28 07:30:20 2020
type=SERVICE_STOP msg=audit(1588073420.542:133): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-tmpfiles-clean comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
----
time->Tue Apr 28 07:49:39 2020
type=SERVICE_START msg=audit(1588074579.691:133): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=tuned comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
----
time->Tue Apr 28 07:53:28 2020
type=SERVICE_START msg=audit(1588074808.757:133): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=nmb comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
----
time->Tue Apr 28 07:56:00 2020
type=SERVICE_START msg=audit(1588074960.076:133): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=nmb comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
----
time->Tue Apr 28 08:02:52 2020
type=PROCTITLE msg=audit(1588075372.708:133): proctitle=2F7573722F7362696E2F69707461626C6573002D773130002D77002D2D7461626C650066696C746572002D2D696E7365727400494E505554002D2D696E2D696E7465726661636500766972627230002D2D70726F746F636F6C00746370002D2D64657374696E6174696F6E2D706F7274003637002D2D6A756D70004143434550
type=SYSCALL msg=audit(1588075372.708:133): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=e905f0 items=0 ppid=999 pid=2129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:kernel_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1588075372.708:133): table=filter family=2 entries=88
----
time->Tue Apr 28 09:04:08 2020
type=PROCTITLE msg=audit(1588079048.544:133): proctitle=2F7573722F7362696E2F69707461626C6573002D773130002D77002D2D7461626C650066696C746572002D2D696E7365727400494E505554002D2D696E2D696E7465726661636500766972627230002D2D70726F746F636F6C00756470002D2D64657374696E6174696F6E2D706F7274003637002D2D6A756D70004143434550
type=SYSCALL msg=audit(1588079048.544:133): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=17548b0 items=0 ppid=1002 pid=2183 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/usr/sbin/xtables-multi" key=(null)
type=NETFILTER_CFG msg=audit(1588079048.544:133): table=filter family=2 entries=89
----
time->Tue Apr 28 09:11:29 2020
type=SERVICE_START msg=audit(1588079489.966:133): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='unit=autofs comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
----
time->Tue Apr 28 09:14:30 2020
type=PROCTITLE msg=audit(1588079670.749:133): proctitle=2F7573722F7362696E2F69707461626C6573002D773130002D77002D2D7461626C650066696C746572002D2D696E7365727400494E505554002D2D696E2D696E7465726661636500766972627230002D2D70726F746F636F6C00756470002D2D64657374696E6174696F6E2D706F7274003637002D2D6A756D70004143434550
type=SYSCALL msg=audit(1588079670.749:133): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=c4d8b0 items=0 ppid=1050 pid=2163 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/usr/sbin/xtables-multi" key=(null)
type=NETFILTER_CFG msg=audit(1588079670.749:133): table=filter family=2 entries=89
----
time->Tue Apr 28 10:35:12 2020
type=SERVICE_START msg=audit(1588084512.625:133): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
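
Added example (not part of the original posts, and not a tool shipped with the audit package): a small Python parser for ausearch output like the block above. The serial 133 repeats across boots, so it groups records by the full epoch:serial ID, keeps only AVC denials, decodes the hex proctitle, and accepts an optional `since` cutoff such as the last boot time; the function names are hypothetical.

```python
import re

HEAD = re.compile(r"type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)")
AVC = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
# Records copied from the ausearch output in the post above (SYSCALL lines omitted).
SAMPLE = """\
time->Tue Apr 28 06:43:38 2020
type=PROCTITLE msg=audit(1588070618.613:133): proctitle=6C69676874646D002D2D73657373696F6E2D6368696C64003132003139
type=AVC msg=audit(1588070618.613:133): avc: denied { transition } for pid=4157 comm="lightdm" path="/usr/bin/gnome-keyring-daemon" dev="dm-0" ino=29219 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
----
time->Tue Apr 28 06:48:34 2020
type=PROCTITLE msg=audit(1588070914.518:133): proctitle=6C69676874646D002D2D73657373696F6E2D6368696C64003132003139
type=AVC msg=audit(1588070914.518:133): avc: denied { transition } for pid=4116 comm="lightdm" path="/usr/bin/gnome-keyring-daemon" dev="dm-0" ino=29219 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
----
time->Tue Apr 28 06:53:48 2020
type=LOGIN msg=audit(1588071228.193:133): pid=2342 uid=0 subj=system_u:system_r:kernel_t:s0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=1 res=1
"""

def parse_events(text):
    """Group records by full audit ID (epoch, serial); the serial alone repeats across boots."""
    events = {}
    for line in text.splitlines():
        m = HEAD.match(line.strip())
        if m:
            key = (int(m.group(2)), int(m.group(3)))
            events.setdefault(key, {}).setdefault(m.group(1), []).append(m.group(4))
    return events

def decode_proctitle(body):
    """The command line is hex-encoded when it contains NULs; argv entries are NUL-separated."""
    value = body.split("=", 1)[1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ")
    except ValueError:  # plain quoted value, not hex
        return value.strip('"')

def avc_denials(text, since=0):
    """One dict per AVC denial at or after `since` (epoch seconds, e.g. the last boot)."""
    out = []
    for (epoch, serial), recs in sorted(parse_events(text).items()):
        for body in (recs.get("AVC", []) if epoch >= since else []):
            m = AVC.search(body)
            if m:
                f = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
                title = recs.get("PROCTITLE")
                out.append({"id": (epoch, serial), "perms": m.group(1).split(),
                            "cmdline": decode_proctitle(title[0]) if title else None,
                            "path": f.get("path", "").strip('"'), "tclass": f.get("tclass"),
                            "scontext": f.get("scontext"), "tcontext": f.get("tcontext"),
                            "enforced": f.get("permissive") == "0"})
    return out
```

Calling avc_denials on the full ausearch text leaves only the two lightdm transition denials; passing the boot time as `since` shows whether any denial is newer than the relabel.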

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: selinux login lightdm problem after 1127

Post by TrevorH » 2020/04/28 15:04:28

I'm not able to make sense of that lot since I don't know what time it was when you last rebooted. If it was 06:43 then I suspect you still have a problem. If it was later than that and everything is working and the last entries in the aureport -a output are still 06:43 then I think the relabel has already fixed the problem that you originally had. If so then it should be safe to go back to enforcing mode. If you do that and it does not work then boot with enforcing=0 and it will come up in permissive mode and you can look at the logs again.

trevor14smith
Posts: 34
Joined: 2017/02/25 16:51:35

Re: selinux login lightdm problem after 1127

Post by trevor14smith » 2020/04/28 15:54:10

Everything working as it should!
Thank you.
I always have a little glitch like this when doing a major update...but it is almost the only time I reboot!
