Bug 166419
Summary: | gdm can't start any sessions whatsoever with targeted policy in enforcing mode | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Alexandre Oliva <oliva> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED RAWHIDE | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | bjohnson, fred.new2911, rstrode |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-targeted-1.25.4-8 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2005-08-28 14:34:21 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Alexandre Oliva
2005-08-20 20:45:52 UTC
Turns out this is a selinux problem. gdm-binary fails to exec xterm. Here's the audit.log snippet: type=AVC msg=audit(1124569909.855:395): avc: denied { transition } for pid=4996 comm="gdm-binary" name="xterm" dev=dm-2 ino=1351752 scontext=system_u:system_r:init_t tcontext=user_u:system_r:unconfined_t tclass=process type=SYSCALL msg=audit(1124569909.855:395): arch=40000003 syscall=11 success=yes exit=0 a0=892a780 a1=bff7eb30 a2=892a488 a3=891ad1c items=2 pid=4996 auid=4294967295 uid=404 gid=404 euid=404 suid=404 fsuid=404 egid=404 sgid=404 fsgid=404 comm="xterm" exe="/usr/bin/xterm" type=AVC_PATH msg=audit(1124569909.855:395): path="/usr/bin/xterm" type=CWD msg=audit(1124569909.855:395): cwd="/l/home/aoliva" type=PATH msg=audit(1124569909.855:395): item=0 name="/usr/bin/xterm" flags=101 inode=1351752 dev=fd:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1124569909.855:395): item=1 flags=101 inode=266082 dev=fd:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 Should gdm-binary be running as init_t, or is this a fallout from changes in file names in gdm that require changes in the selinux context specs? A simple work-around to get a failsafe term is to setenforce 0. It turns out that it's not only the failsafe terminal that's broken. Starting a default (gnome) session is broken in just the same way :-( I forgot to post the audit logs for the default session, here they are: type=AVC msg=audit(1124572643.945:81): avc: denied { transition } for pid=3518 comm="gdm-binary" name="Xsession" dev=dm-1 ino=362615 scontext=system_u:system_r:init_t tcontext=user_u:system_r:unconfined_t tclass=process type=SYSCALL msg=audit(1124572643.945:81): arch=c000003e syscall=59 success=yes exit=0 a0=646350 a1=7fffffd3dcd0 a2=66bb60 a3=66c200 items=3 pid=3518 auid=4294967295 uid=404 gid=404 euid=404 suid=404 fsuid=404 egid=404 sgid=404 fsgid=404 comm="Xsession" exe="/bin/bash" type=AVC_PATH msg=audit(1124572643.945:81): path="/etc/X11/xdm/Xsession" type=CWD msg=audit(1124572643.945:81): cwd="/l/home/aoliva" type=PATH msg=audit(1124572643.945:81): item=0 name="/etc/X11/xdm/Xsession" flags=101 inode=362615 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1124572643.945:81): item=1 flags=101 inode=1998886 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1124572643.945:81): item=2 flags=101 inode=951472 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 Problem appears to be caused by the 'moving' of gdm-binary from /usr/bin to /usr/sbin. The following 'patch' made it work for me (of course, you need to 'make load'): --- /tmp/xdm.fc 2005-08-21 18:12:10.000000000 -0700 +++ ./xdm.fc 2005-08-21 17:55:35.000000000 -0700 @@ -3,7 +3,7 @@ /usr/X11R6/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t /opt/kde3/bin/kdm -- system_u:object_r:xdm_exec_t /usr/bin/gpe-dm -- system_u:object_r:xdm_exec_t -/usr/bin/gdm-binary -- system_u:object_r:xdm_exec_t +/usr/(s)?bin/gdm-binary -- system_u:object_r:xdm_exec_t /var/[xgk]dm(/.*)? system_u:object_r:xserver_log_t /usr/var/[xgkw]dm(/.*)? system_u:object_r:xserver_log_t /var/log/[kw]dm\.log -- system_u:object_r:xserver_log_t So for now, one workaround that allows you to stay in enforcing mode is to chcon -t xdm_exec_t /usr/sbin/gdm-binary and reboot. selinux-policy-targeted-1.25.4-8 has fix Fixed, indeed. Thanks! |