Cockpit crashes trying to open /var/log/lastlog

dglanzman · May 8, 2025, 4:40am

Back again trying to get cockpit working on a vanilla microos install (Other thread: MicroOS cockpit install broken dependencies)

After getting cockpit-ws running, I create a user account and try to log in from the web console. Cockpit seems to crash; the login page prints “Internal error in login process”, and cockpit-session hits an exception:

journalctl:
May 07 23:00:26 vbox cockpit-session[1817]: cockpit-session: failed to open /var/log/lastlog: No such file or directory
May 07 23:00:26 vbox cockpit-session[1841]: Traceback (most recent call last):
...
May 07 23:00:26 vbox cockpit-session[1841]: PermissionError: [Errno 1] Operation not permitted

cockpit is trying to open lastlog, but lastlog isn’t installed by default on microos. Instead we have lastlog2 and aulastlog which use different files completely.

Anyone understand how this is supposed to work? If someone has journalctl output for a successful login on microos for comparison I’d be curious to see what the intended behavior is.

dglanzman · May 8, 2025, 5:03am

Actually this seems to be another selinux issue. If I make the user logging in unconfined, I still get the lastlog error, but it’s nonfatal. The following python PermissionError I guess is unrelated. Checking /var/log/audit/audit.log, I don’t see any obvious clues

arvidjaar · May 8, 2025, 9:00am

Read Portal:SELinux - openSUSE Wiki (search for “Report a SELinux bug”) what information is needed to troubleshoot SELinux.

McAsim · May 9, 2025, 7:34pm

A few days ago I had SELinux issues with cockpit in Leap 16-beta. In this case it was solved by forcing re-installing of package cockpit-selinux-policies and reboot,

sudo zypper install -f cockpit-selinux-policies

dglanzman · May 10, 2025, 12:50am

I’ll follow the steps and provide the info here

dglanzman · May 10, 2025, 1:54am

A few days ago I had SELinux issues with cockpit in Leap 16-beta. In this case it was solved by forcing re-installing of package cockpit-selinux-policies and reboot,

I don’t think this is the issue, because this is on microos which comes with selinux installed and enabled at first boot. From reading the attached thread it sounds specific to situations on TW or leap where selinux is installed after cockpit.

dglanzman · May 10, 2025, 2:17am

Filed a bug here: 1243023 – [SELinux] Cockpit permission denied with staff_u users

arvidjaar · May 10, 2025, 3:57am

Which documentation claims that this was expected to work? Does it work for a normal user not explicitly mapped to a SELinux user?

And your bug report does not provide the most vital part of information - SELinux denials.

dglanzman · May 10, 2025, 8:45pm

There is no opensuse documentation on what users are supported (in the section 8 pages on cockpit and selinux at least)

selinux denials are in the attachment

arvidjaar · May 11, 2025, 2:40pm

I cannot reproduce it in the Tumbleweed. Without cockpit SELinux policy module the cockpit services do not even start. With policy module and SELinux staff_u user the login fails early with “Internal error in login process” and without any non-hidden AVC. Enabling donotaudit rules is not really helpful as there are too many of them, but I suspect the default staff_u login context does not have access to the cockpit sockets at the very least.

In any case - I do not see anything that warrants bug report. openSUSE is using targeted policy that confines services. Nothing is prepared for additional user confinement. If you have convincing arguments why it is required, you need to discuss it with developers upstream as cockpit SELinux policy comes as part of the cockpit project.

dglanzman · May 11, 2025, 6:13pm

This is good to know, I assumed it was from opensuse. In this case the documentation really should be upstream, I’ll inquire there