archlinuxhardened / selinux

PKGBUILDs to build SELinux enabled packages for Arch Linux

Successful installation but cannot login. #41

Closed rickyj250 closed 4 years ago

rickyj250 commented 4 years ago

I had been able to successfully install all packages within archlinuxhardened/selinux onto my linux-hardened, but I had to switch the pam-selinux/Linux-PAM-1.3.1.tar.xz and pam-selinux/Linux-PAM-1.3.1.tar.xz.asc with the updated 1.4.0 version inside of the pam-selinux directory. After doing this I disabled the pgp check in selinux/build_and_install_all.sh and also disabled the check().

All selinux packages were successfully installed but on reboot I could not login again. I have an ISO on USB that I use and can chroot into my directory and still use my user account with the same password but I cannot login from a login like SDDM or GDM, or while they are systemctl disabled.

Has anyone else run into this problem? I had made a backup of my old pam folder and have tried the pwconv option to create a /etc/shadow from the /etc/passwd with no luck either.

Any help appreciated. I will attempt to reinstall with fresh install and repeat methods to get pictures of errors to help.

tqre commented 4 years ago

Journalctl logs?

Most likely you have to update pambase-selinux too: pam 1.4.0 doesn't use pam_tally2.so anymore. Tally is responsible for logging failed login attempts, and is replaced with pam_faillock.so in the new version.

If you can edit /etc/pam.d/system-login manually, you can either completely remove the old pam_tally2.so entries or replace them with pam_faillock.so (with no options).

For example: https://github.com/tqre/selinux/blob/develop/pambase-selinux/system-login
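The manual edit tqre describes, done as a script that works on a copy of the service file: it rewrites every non-comment `pam_tally2.so` entry to `pam_faillock.so` with no options, and refuses to run unless `pam_faillock.so` actually exists in the module directory it is given, so the result can never reference a module the installed PAM lacks. This is an added example, not code from the thread or from the archlinuxhardened/selinux repository; the sample `system-login` content is constructed to resemble the pambase stack shape, and the module directory path is whatever the caller passes (on Arch it would be /usr/lib/security, assumed here, never modified by the script).

```shell
# Added example (not from the thread or the selinux repo): migrate pam_tally2.so
# entries in a PAM service file to pam_faillock.so, as tqre's comment suggests.
# Works on a copy; the live /etc/pam.d/system-login is never touched.

# Constructed sample file, shaped like the pambase system-login stack (assumed).
make_sample_system_login() {
  cat > "$1" <<'EOF'
#%PAM-1.0

auth       required   pam_tally2.so        onerr=succeed file=/var/log/tallylog
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth

account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth
account    required   pam_tally2.so

password   include    system-auth

session    optional   pam_loginuid.so
session    include    system-auth
EOF
}

# Count non-comment lines in file $1 that load module $2.
count_module() {
  grep -c -E "^[^#].*[[:space:]]$2([[:space:]]|\$)" "$1" || true
}

# Rewrite file $1 into $2, replacing each pam_tally2.so entry (and its options)
# with pam_faillock.so and no options. $3 is the PAM module directory; the
# rewrite is refused when pam_faillock.so is not present there.
migrate_tally2_to_faillock() {
  src="$1"; dst="$2"; moddir="$3"
  if [ ! -f "$moddir/pam_faillock.so" ]; then
    echo "refusing to migrate: $moddir/pam_faillock.so not found" >&2
    return 2
  fi
  # Group 1 keeps the "type control" columns; the tally2 options are dropped.
  sed -E 's/^([^#].*[[:space:]])pam_tally2\.so([[:space:]].*)?$/\1pam_faillock.so/' "$src" > "$dst"
}

# Demo on a scratch directory with a fake module directory (assumed layout).
demo_dir=$(mktemp -d)
make_sample_system_login "$demo_dir/system-login"
mkdir -p "$demo_dir/security" && : > "$demo_dir/security/pam_faillock.so"
migrate_tally2_to_faillock "$demo_dir/system-login" "$demo_dir/system-login.new" "$demo_dir/security"
echo "pam_tally2.so entries before: $(count_module "$demo_dir/system-login" pam_tally2.so), after: $(count_module "$demo_dir/system-login.new" pam_tally2.so)"
```

Run it against a copy of the real file (`cp /etc/pam.d/system-login /tmp/ && migrate_tally2_to_faillock /tmp/system-login /tmp/system-login.new /usr/lib/security`) and diff the two before putting the result in place; the precondition check is the part worth keeping, since a service file that names a missing module is exactly what locks you out of login as described in the issue.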

fishilico commented 4 years ago

It sounds like the same issue as the one I encountered in https://github.com/archlinuxhardened/selinux/pull/38#issuecomment-665865612. If I misunderstood, please tell me so.

If I understand things correctly, pambase-selinux also needs to be updated in order to replace pam_tally2.so with pam_faillock.so, like pambase did in https://github.com/archlinux/svntogit-packages/commit/7afa3fb3a9e74c27f4c2af85c8ff624123c830e1#diff-8d0411b338c83cd8cd8ad9d9db127101 (this commit belongs to pambase 20200721.1-1, currently in testing). Unfortunately pam_faillock.so does not exist in pam 1.3.1-2 (neither in pam-selinux 1.3.1-2) so it is not possible to "upgrade pambase-selinux now and think about pam-selinux later": pambase-selinux and pam-selinux will need to be upgraded together (pam 1.4.0-2 in testing provides pam_faillock.so but not pam_tally2.so, according to https://www.archlinux.org/packages/testing/x86_64/pam/files/).

Moreover, I see another annoying issue: there does not seem to be an easy way to "make a smooth upgrade" for the next version of pambase-selinux and pam-selinux (versions 20200721.1 and 1.4.0), because the PAM stack will be broken between the makepkg -i for pambase-selinux and makepkg -i for pam-selinux. This is not an issue for the official Arch Linux packages, as pambase and pam will be updated together, but for packages in the AUR, this is serious as su, login, sudo... will likely be broken after pambase-selinux is upgraded but not pam-selinux.

If you want to contribute to finding a solution for this issue, please share your thoughts in this GitHub issue.

And if anyone feels like contacting the upstream PAM developers about this issue in the upgrade path for distributions that "build and install packages one after another", please share here a reference to the mailing list/bug tracker/... that is used.

fishilico commented 4 years ago

In PAM, there seems to be an option to build the deprecated pam_tally2.so module: https://github.com/linux-pam/linux-pam/blob/v1.4.0/configure.ac#L687-L694.

A possible solution to get a smooth upgrade path could be to add --enable-tally2 to the ./configure command-line of pam-selinux package.

shammancer commented 4 years ago

Would it work to build pambase-selinux and pam-selinux without installing them right away and then installing them together or does one need to be installed to build the other?

fishilico commented 4 years ago

Would it work to build pambase-selinux and pam-selinux without installing them right away and then installing them together or does one need to be installed to build the other?

Yes it would work, but I am not aware of any AUR helper that does this, and people who do not use an AUR helper but makepkg -i do not do this. The only kinds of users who would not be impacted would be those who build AUR packages in their own repo and perform upgrades from this repo, and users who are using the scripts in this repository (which can be modified to do specific build/install sequences). So relying on users doing "build then install pambase-selinux and pam-selinux together" on their own does not sound nice to me.

shammancer commented 4 years ago

I use aura for the rest of my AUR packages and it seems to bunch builds and installs together. But that doesn't help everyone else.

shammancer commented 4 years ago

How about adding a pre installation hook warning about the issues allowing people to cancel the installation?

fishilico commented 4 years ago

I have upgraded the packages, inverting dependencies in order to force upgrading pam-selinux before pambase-selinux.

By the way, other people complain about broken systems when using Arch Linux without SELinux (https://lists.archlinux.org/pipermail/arch-general/2020-August/048089.html). So I expect users to become aware that they need to be more careful than usual when upgrading their system... Anyway I tried to mitigate the incompatibility of PAM 1.4 with existing configuration by adding --enable-tally2 (cf. https://github.com/archlinuxhardened/selinux/commit/b3e2b77c32cc7d57822ad6e94dc79c2b1a96dd4f#diff-dfa7cdd9c34798e1af82f172b0822f08R58).

How about adding a pre installation hook warning about the issues allowing people to cancel the installation?

I will not implement this idea myself (it would take some time to test it properly and I prefer spending my "SELinux time" on other tasks), but will gladly review and eventually accept pull requests that add such a warning.
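One shape the pre-installation warning discussed above could take, as an added example that is not part of the thread or of the archlinuxhardened/selinux packages: a small checker that lists PAM service files still loading `pam_tally2.so` and exits non-zero when any are found, plus a pacman PreTransaction hook (alpm-hooks(5) format) that runs it before `pam-selinux` or `pambase-selinux` is installed or upgraded, with `AbortOnFail` so the user can stop and fix the configuration first. The hook file name and the `Exec` path /usr/local/bin/check-pam-tally2 are assumptions; the functions below write only into the scratch directory they are given, not into /usr/share/libalpm/hooks or /etc/pam.d. Since --enable-tally2 keeps the module available, the check reports deprecated references rather than certain breakage, which is why it warns instead of editing anything.

```shell
# Added example (not from the thread or the selinux repo): detect PAM service
# files that still load pam_tally2.so and wrap the check in a pacman hook.

# Print the files under directory $1 whose non-comment lines load module $2.
pam_files_loading() {
  grep -l -E "^[^#].*[[:space:]]$2([[:space:]]|\$)" "$1"/* 2>/dev/null || true
}

# Return 0 when no file under $1 references pam_tally2.so, 1 otherwise
# (the non-zero status is what AbortOnFail in the hook reacts to).
check_tally2_refs() {
  offenders=$(pam_files_loading "$1" pam_tally2.so)
  if [ -z "$offenders" ]; then
    return 0
  fi
  echo "WARNING: these PAM files still load the deprecated pam_tally2.so:" >&2
  echo "$offenders" >&2
  echo "replace the entries with pam_faillock.so before upgrading PAM" >&2
  return 1
}

# Write the hook into directory $1 (the real location would be
# /usr/share/libalpm/hooks/; file name and Exec path are assumed).
write_hook_example() {
  mkdir -p "$1"
  cat > "$1/90-pam-tally2-check.hook" <<'EOF'
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = pam-selinux
Target = pambase-selinux

[Action]
Description = Checking /etc/pam.d for deprecated pam_tally2.so entries...
When = PreTransaction
Exec = /usr/local/bin/check-pam-tally2
AbortOnFail
EOF
}

# Demo on constructed files in a scratch directory.
demo=$(mktemp -d)
mkdir -p "$demo/pam.d"
printf '#%%PAM-1.0\nauth required pam_tally2.so deny=5\nauth include system-auth\n' > "$demo/pam.d/system-login"
printf '#%%PAM-1.0\n# auth required pam_tally2.so\nauth include system-auth\n' > "$demo/pam.d/sudo"
if check_tally2_refs "$demo/pam.d"; then
  echo "no pam_tally2.so references found"
else
  echo "pre-transaction check would abort the install"
fi
write_hook_example "$demo/hooks"
```

Installed for real, `/usr/local/bin/check-pam-tally2` would be a script that calls `check_tally2_refs /etc/pam.d`; the commented-out line in the constructed `sudo` file shows that only active entries are reported.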