[DSE-Dev] Bug#941045: selinux-policy-default: system-policy-default causes pam_selinux failure

Robert Senger rs-debian at microscopium.de
Tue Sep 24 00:24:52 BST 2019


Package: selinux-policy-default
Version: 2:2.20190201-2
Severity: normal

Dear Maintainer,

In enforcing mode, selinux causes pam_selinux and systemd process user@<uid> to
fail when logging in via ssh.

root@prokyon:~# systemctl status user@1000
user@1000.service - User Manager for UID 1000
   Loaded: loaded (/lib/systemd/system/user@.service; static; vendor preset:
enabled)
   Active: failed (Result: protocol) since Tue 2019-09-24 01:12:29 CEST; 40s
ago
     Docs: man:user@.service(5)
  Process: 6912 ExecStart=/lib/systemd/systemd --user (code=exited,
status=224/PAM)
 Main PID: 6912 (code=exited, status=224/PAM)

Sep 24 01:12:29 prokyon systemd[1]: Starting User Manager for UID 1000...
Sep 24 01:12:29 prokyon systemd[6912]: pam_selinux(systemd-user:session):
Unable to get valid context for rsenger
Sep 24 01:12:29 prokyon systemd[6912]: pam_selinux(systemd-user:session):
conversation failed
Sep 24 01:12:29 prokyon systemd[6912]: pam_unix(systemd-user:session): session
opened for user rsenger by (uid=0)
Sep 24 01:12:29 prokyon systemd[6912]: PAM failed: Cannot make/remove an entry
for the specified session
Sep 24 01:12:29 prokyon systemd[6912]: user@1000.service: Failed to set up PAM
session: Operation not permitted
Sep 24 01:12:29 prokyon systemd[6912]: user@1000.service: Failed at step PAM
spawning /lib/systemd/systemd: Operation not permitted
Sep 24 01:12:29 prokyon systemd[1]: user@1000.service: Failed with result
'protocol'.
Sep 24 01:12:29 prokyon systemd[1]: Failed to start User Manager for UID 1000.

No other hints in the logs. No AVC logged, neither with nor without dontaudit
rules. System is Debian 10 buster.



-- System Information:
Debian Release: 10.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.8-1+b1
ii  libsemanage1     2.8-2
ii  libsepol1        2.8-1
ii  policycoreutils  2.8-1
ii  selinux-utils    2.8-1+b1

Versions of packages selinux-policy-default recommends:
pn  checkpolicy  <none>
pn  setools      <none>

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

