Bug 117797 - Emergency root login on failed boot is broken in enforcing mode
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Assignee: Daniel Walsh
Blocks: FC2Blocker
Reported: 2004-03-08 18:26 UTC by Stephen Tweedie
Modified: 2007-11-30 22:10 UTC (History)
Doc Type: Bug Fix
Last Closed: 2004-05-07 15:55:36 UTC
Description Stephen Tweedie 2004-03-08 18:26:05 UTC
Description of problem:

In enforcing mode, if boot / root fsck fails, it is not possible to
continue into rescue mode by typing the root password: sulogin gets an
avc error:

audit(1078768449.589:0): avc:  denied  { read } for  pid=228
exe=/sbin/sulogin name=shadow dev=dm-0 ino=131894
scontext=system_u:system_r:sysadm_t
tcontext=system_u:object_r:shadow_t tclass=file

and passwords are then rejected in an infinite cycle of:

Give root password for maintenance
(or type Control-D to continue):
Login incorrect.

Version-Release number of selected component (if applicable):
rawhide-20040305
policy-1.7-8

How reproducible:
100%

Steps to Reproduce:
1. Arrange for root fsck to fail (tweaking rc.sysinit may be the
easiest way to force this on a test box)
2. Try to continue after the sulogin passwd prompt.
  
Actual results:
Root login impossible

Expected results:
Root passwd accepted.

Comment 1 Daniel Walsh 2004-03-08 23:18:37 UTC
Try 1.7-10

Comment 2 Stephen Tweedie 2004-03-09 08:50:24 UTC
No luck:

audit(1078822288.578:0): avc:  denied  { search } for  pid=230
exe=/sbin/sulogin name=root dev=dm-0 ino=32769
scontext=system_u:system_r:system_chkpwd_t
tcontext=system_u:object_r:sysadm_home_dir_t tclass=dir
audit(1078822288.638:0): avc:  denied  { search } for  pid=230
exe=/sbin/sulogin name=bin dev=dm-0 ino=409601
scontext=system_u:system_r:system_chkpwd_t
tcontext=system_u:object_r:bin_t tclass=dir
audit(1078822288.695:0): avc:  denied  { search } for  pid=230
exe=/sbin/sulogin name=bin dev=dm-0 ino=409601
scontext=system_u:system_r:system_chkpwd_t
tcontext=system_u:object_r:bin_t tclass=dir

No other avc errors appear.  Works fine with enforcing=0. 

Comment 3 Daniel Walsh 2004-03-18 05:06:47 UTC
Fixed in policy-1.9-1

Comment 4 Seth Vidal 2004-05-07 15:55:36 UTC
closing.
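
An added example, not part of the original bug report: a small Python parser that rejoins the wrapped AVC records quoted in the description and in comment 2 and tallies them by source type, target type, class and permission, so the shift from sysadm_t to system_chkpwd_t between the two reports is easy to see. The function names are hypothetical; the sample input is the denial text from this page.

```python
import re
from collections import Counter
# Denials from the description and comment 2 of this report, wrapped as posted.
REPORT = """\
audit(1078768449.589:0): avc:  denied  { read } for  pid=228
exe=/sbin/sulogin name=shadow dev=dm-0 ino=131894
scontext=system_u:system_r:sysadm_t
tcontext=system_u:object_r:shadow_t tclass=file
audit(1078822288.578:0): avc:  denied  { search } for  pid=230
exe=/sbin/sulogin name=root dev=dm-0 ino=32769
scontext=system_u:system_r:system_chkpwd_t
tcontext=system_u:object_r:sysadm_home_dir_t tclass=dir
audit(1078822288.638:0): avc:  denied  { search } for  pid=230
exe=/sbin/sulogin name=bin dev=dm-0 ino=409601
scontext=system_u:system_r:system_chkpwd_t
tcontext=system_u:object_r:bin_t tclass=dir
audit(1078822288.695:0): avc:  denied  { search } for  pid=230
exe=/sbin/sulogin name=bin dev=dm-0 ino=409601
scontext=system_u:system_r:system_chkpwd_t
tcontext=system_u:object_r:bin_t tclass=dir
"""

HEAD = re.compile(r"audit\([\d.]+:\d+\): avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_denials(text):
    """Rejoin wrapped records, then return one dict of fields per AVC denial."""
    records, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("audit("):
            cur = [line]
            records.append(cur)
        elif line and cur is not None:
            cur.append(line)          # continuation of a wrapped record
        else:
            cur = None                # a blank line ends the current record
    denials = []
    for rec in records:
        m = HEAD.match(" ".join(rec))
        if m:
            fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
            fields["perms"] = tuple(m.group(1).split())
            denials.append(fields)
    return denials

def summarize(denials):
    """Count denials per (source type, target type, class, permissions)."""
    key = lambda d: (d["scontext"].split(":")[2], d["tcontext"].split(":")[2],
                     d["tclass"], d["perms"])
    return Counter(map(key, denials))
```

Calling `summarize(parse_denials(REPORT))` yields three distinct denials, with the repeated `bin_t` directory search counted twice.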

