Bug 118997
| Summary: | avc denied: firstboot: "use network login" does not launch config tool | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ben Levenson <benl> |
| Component: | policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | bfox, pgraner |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2004-05-07 03:57:37 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 114961 | ||
Possible dupe of bug #118061? I don't think so, but I've added a comment to bug# 118061. I have fixed this problem with policy-1.9-12 But their are probably more. Could you run it in non enforcing mode and see what happens. Then grab the AVC messages. It turns out that I broke the first rule of SELinux testing: I forgot
to verify that "use network login" worked as expected while in
permissive mode. It didn't.
Anyway, here are all of the denials I get with firstboot:
(still using policy-1.9-11)
stage 1: firstboot starts X
avc: denied { unix_read unix_write } for pid=16537
exe=/usr/X11R6/bin/XFree86 key=0
scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:initrc_t tclass=shm
avc: denied { read write } for pid=16537 exe=/usr/X11R6/bin/XFree86
key=0 scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:initrc_t tclass=shm
avc: denied { getattr associate } for pid=16537
exe=/usr/X11R6/bin/XFree86 key=0
scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:initrc_t tclass=shm
stage2: clicking "use network login"
avc: denied { use } for pid=16616 exe=/usr/sbin/userhelper
path=/dev/console dev=hdb1 ino=459355
scontext=system_u:system_r:userhelper_t
tcontext=system_u:system_r:init_t tclass=fd
avc: denied { sys_tty_config } for pid=16616
exe=/usr/sbin/userhelper capability=26
scontext=system_u:system_r:userhelper_t
tcontext=system_u:system_r:userhelper_t tclass=capability
stage 3: adding a user
avc: denied { use } for pid=16618 exe=/usr/sbin/useradd
path=/dev/console dev=hdb1 ino=459355
scontext=system_u:system_r:useradd_t tcontext=system_u:system_r:init_t
tclass=fd
avc: denied { write } for pid=16619 exe=/usr/bin/chfn name=fscreate
dev= ino=1089142806 scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:initrc_t tclass=file
opened bug# 119008 for tracking related (non-SELinux) issue. *** Bug 119008 has been marked as a duplicate of this bug. *** Issue w/ launching config tool appears to be SELinux-related afterall: Could not set exec context to system_u:sysadm_r:sysadm_t Put lots of fixed in policy-1-9-15 that might fix this. Dan Closing. Reopen if you still see it. |
Description of problem: received the following avc denials while trying to launch the network login config tool from GUI firstboot ("use network login" button): avc: denied { use } for pid=3192 exe=/usr/sbin/userhelper path=/dev/console dev=hdb1 ino=459355 scontext=system_u:system_r:userhelper_t tcontext=system_u:system_r:init_t tclass=fd Version-Release number of selected component (if applicable): policy-1.9-11