On Wed, 2008-05-07 at 14:29 -0700, Scally, Katrina-P54861 wrote:
My original problem was that, with the default pam options, pam_selinux is unable to get the user context; during login it would default to the system_u:system_r:local_login_t context. I got around this problem for some time by changing the /etc/pam.d/login line to
Session required pam_selinux.so open verbose select_context
I found on http://www.nsa.gov/selinux/list-archive/0706/21321.cfm that this was a bug in pam and that upgrading from pam-0.1.77-66.23.i386.rpm (or earlier versions) to pam-0.1.99.6.2-3.26.el5.i386.rpm would get rid of the problem. This upgrade has actually caused more problems. I can no longer even log into my virtual machine with my install in enforcing; in permissive mode it is fine. Unfortunately there are no AVC denials when.
My Virtual Machine is running RHEL5, libselinux-1.1.33.4-4.el5.i386.rpm, and the reference policy that came with the Bedrock tool from Tresys, refpolicy-20070417.tar.bz2.
Possibly I missed something while upgrading pam? I have looked through all of the files the pam-0.1.99.6.2-3.26.el5.i386.rpm has installed and they all seem correct.
Can you provide more information? Are you logging in at the console, ssh, or gdm? I can't find much difference between the RHEL5 policy and refpolicy for local logins. Have you tried the stock RHEL5 policy to see if it still fails?