Bug 192566

Summary: xfs AVC w/ nss_ldap breaks X
Product: [Fedora] Fedora Reporter: Ian Pilcher <arequipeno>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact:
Severity: high Docs Contact:
Priority: medium    
Version: 5CC: mail
Target Milestone: ---Keywords: SELinux
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-08-01 15:25:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 192555    
Attachments:
Description Flags
audit.log from xfs startup none

Description Ian Pilcher 2006-05-20 20:06:02 UTC 
Description of problem:

When nss_ldap is enabled, xfs attempts to contact the LDAP server when it
starts.  SELinux blocks the connection.  xfs attempts to contact the LDAP
server again when an X server connects; when xfs is unable to contact the
LDAP server, it refuses the connection from the X server, and X fails,
because it cannot find the 'fixed' font.


Version-Release number of selected component (if applicable):

selinux-policy-targeted-2.2.40-1.fc5


How reproducible:

100%


Steps to Reproduce:
1. Enable nss_ldap and SELinux targeted policy.
2. service start xfs
3. telinit 5 (to start X server)
  
Actual results:

X fails to start


Expected results:

X should start successfully


Additional info:

Eventually, xfs appears to give up on contacting the LDAP server.  At this
point, it is possible to start X.
Comment 1 Ian Pilcher 2006-05-20 20:06:02 UTC 
Created attachment 129768 [details]
audit.log from xfs startup
Comment 2 Ian Pilcher 2006-05-20 20:23:03 UTC 
Workaround is to add 'xfs' user to nss_initgroups_ignoreusers in /etc/ldap.conf.
Comment 3 Daniel Walsh 2006-06-16 02:21:28 UTC 
Fixed in selinux-policy-2.2.47-3
Comment 4 Joachim Selke 2006-07-04 14:50:53 UTC 
It still does not work for me. I installed selinux-policy-targeted-2.2.47-3.fc5,
did a complete relabeling, but still get the following audit messages when
trying to start xfs (by "service xfs restart"):

type=AVC msg=audit(1152024317.140:105): avc:  denied  { read } for  pid=2973
comm="xfs" name="urandom" dev=tmpfs ino=1640 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1152024317.140:105): arch=40000003 syscall=5 success=no
exit=-13 a0=a055dc a1=900 a2=108 a3=bf814f34 items=1 pid=2973 auid=0 uid=0
gid=43 euid=0 suid=0 fsuid=0 egid=43 sgid=43 fsgid=43 tty=(none) comm="xfs"
exe="/usr/bin/xfs" subj=root:system_r:xfs_t:s0
type=CWD msg=audit(1152024317.140:105):  cwd="/"
type=PATH msg=audit(1152024317.140:105): item=0 name="/dev/urandom" inode=1640
dev=00:0f mode=020444 ouid=0 ogid=0 rdev=01:09
obj=system_u:object_r:urandom_device_t:s0
type=AVC msg=audit(1152024317.140:106): avc:  denied  { read } for  pid=2973
comm="xfs" name="random" dev=tmpfs ino=1634 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1152024317.140:106): arch=40000003 syscall=5 success=no
exit=-13 a0=a2cc72 a1=900 a2=108 a3=bf814f34 items=1 pid=2973 auid=0 uid=0
gid=43 euid=0 suid=0 fsuid=0 egid=43 sgid=43 fsgid=43 tty=(none) comm="xfs"
exe="/usr/bin/xfs" subj=root:system_r:xfs_t:s0
type=CWD msg=audit(1152024317.140:106):  cwd="/"
type=PATH msg=audit(1152024317.140:106): item=0 name="/dev/random" inode=1634
dev=00:0f mode=020666 ouid=0 ogid=0 rdev=01:08
obj=system_u:object_r:random_device_t:s0
Comment 5 Joachim Selke 2006-08-01 14:20:30 UTC 
The bug seems to be fixed in selinux-policy-targeted-2.3.3-8.fc5. Thanks.