Bug 166419

Summary: gdm can't start any sessions whatsoever with targeted policy in enforcing mode
Product: [Fedora] Fedora Reporter: Alexandre Oliva <oliva>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact:
Severity: high Docs Contact:
Priority: medium    
Version: rawhideCC: bjohnson, fred.new2911, rstrode
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-targeted-1.25.4-8 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-08-28 14:34:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alexandre Oliva 2005-08-20 20:45:52 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8b3) Gecko/20050818 Fedora/1.1-0.2.7.deerpark.alpha2.1 Firefox/1.0+

Description of problem:
After upgrading to today's rawhide, I could no longer start a failsafe terminal from gdm.  After saying displaying the dialogue in which it informs terminating the xterm will terminate the session, when you press enter, a new dialogue opens up saying an internal error occurred and the session couldn't be started.

It then says the session has left a ~/.xsession-errors file with errors, but no such file was created.

A new gdm login screen shows up afterwards.

Version-Release number of selected component (if applicable):
gdm-2.8.0.2-1

How reproducible:
Always

Steps to Reproduce:
1.Try to start a fail safe terminal from gdm

Actual Results:  It triggers an internal error in gdm

Expected Results:  It worked with yesterday's rawhide

Additional info:
Comment 1 Alexandre Oliva 2005-08-20 20:51:48 UTC 
Turns out this is a selinux problem.  gdm-binary fails to exec xterm.  Here's
the audit.log snippet:

type=AVC msg=audit(1124569909.855:395): avc:  denied  { transition } for 
pid=4996 comm="gdm-binary" name="xterm" dev=dm-2 ino=1351752
scontext=system_u:system_r:init_t tcontext=user_u:system_r:unconfined_t
tclass=process
type=SYSCALL msg=audit(1124569909.855:395): arch=40000003 syscall=11 success=yes
exit=0 a0=892a780 a1=bff7eb30 a2=892a488 a3=891ad1c items=2 pid=4996
auid=4294967295 uid=404 gid=404 euid=404 suid=404 fsuid=404 egid=404 sgid=404
fsgid=404 comm="xterm" exe="/usr/bin/xterm"
type=AVC_PATH msg=audit(1124569909.855:395):  path="/usr/bin/xterm"
type=CWD msg=audit(1124569909.855:395):  cwd="/l/home/aoliva"
type=PATH msg=audit(1124569909.855:395): item=0 name="/usr/bin/xterm" flags=101
 inode=1351752 dev=fd:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1124569909.855:395): item=1 flags=101  inode=266082
dev=fd:02 mode=0100755 ouid=0 ogid=0 rdev=00:00

Should gdm-binary be running as init_t, or is this a fallout from changes in
file names in gdm that require changes in the selinux context specs?

A simple work-around to get a failsafe term is to setenforce 0.
Comment 2 Alexandre Oliva 2005-08-20 21:24:12 UTC 
It turns out that it's not only the failsafe terminal that's broken.  Starting a
default (gnome) session is broken in just the same way :-(
Comment 3 Alexandre Oliva 2005-08-20 21:28:39 UTC 
I forgot to post the audit logs for the default session, here they are:

type=AVC msg=audit(1124572643.945:81): avc:  denied  { transition } for 
pid=3518 comm="gdm-binary" name="Xsession" dev=dm-1 ino=362615
scontext=system_u:system_r:init_t tcontext=user_u:system_r:unconfined_t
tclass=process
type=SYSCALL msg=audit(1124572643.945:81): arch=c000003e syscall=59 success=yes
exit=0 a0=646350 a1=7fffffd3dcd0 a2=66bb60 a3=66c200 items=3 pid=3518
auid=4294967295 uid=404 gid=404 euid=404 suid=404 fsuid=404 egid=404 sgid=404
fsgid=404 comm="Xsession" exe="/bin/bash"
type=AVC_PATH msg=audit(1124572643.945:81):  path="/etc/X11/xdm/Xsession"
type=CWD msg=audit(1124572643.945:81):  cwd="/l/home/aoliva"
type=PATH msg=audit(1124572643.945:81): item=0 name="/etc/X11/xdm/Xsession"
flags=101  inode=362615 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1124572643.945:81): item=1 flags=101  inode=1998886
dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1124572643.945:81): item=2 flags=101  inode=951472 dev=fd:01
mode=0100755 ouid=0 ogid=0 rdev=00:00
Comment 4 Tom London 2005-08-22 01:13:29 UTC 
Problem appears to be caused by the 'moving' of gdm-binary from /usr/bin to
/usr/sbin.

The following 'patch' made it work for me (of course, you need to 'make load'):

--- /tmp/xdm.fc 2005-08-21 18:12:10.000000000 -0700
+++ ./xdm.fc    2005-08-21 17:55:35.000000000 -0700
@@ -3,7 +3,7 @@
 /usr/X11R6/bin/[xgkw]dm        --      system_u:object_r:xdm_exec_t
 /opt/kde3/bin/kdm      --      system_u:object_r:xdm_exec_t
 /usr/bin/gpe-dm                --      system_u:object_r:xdm_exec_t
-/usr/bin/gdm-binary    --      system_u:object_r:xdm_exec_t
+/usr/(s)?bin/gdm-binary        --      system_u:object_r:xdm_exec_t
 /var/[xgk]dm(/.*)?             system_u:object_r:xserver_log_t
 /usr/var/[xgkw]dm(/.*)?                system_u:object_r:xserver_log_t
 /var/log/[kw]dm\.log   --      system_u:object_r:xserver_log_t
Comment 5 Fred New 2005-08-22 11:04:56 UTC 
So for now, one workaround that allows you to stay in enforcing mode is to
   chcon -t xdm_exec_t /usr/sbin/gdm-binary
and reboot.
Comment 6 Daniel Walsh 2005-08-25 13:31:56 UTC 
selinux-policy-targeted-1.25.4-8 has fix
Comment 7 Alexandre Oliva 2005-08-28 14:34:21 UTC 
Fixed, indeed.  Thanks!