Bug 229039
Summary: | KDE/kdm session no longer runs in unconfined_t with pam_selinux 0.99.6.2-3.15 | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Orion Poplawski <orion> |
Component: | pam | Assignee: | Tomas Mraz <tmraz> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 6 | CC: | apodtele, dwalsh, thoger |
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Last Closed: | 2007-02-23 11:16:42 UTC | Type: | --- |
Description
Orion Poplawski
2007-02-16 17:50:20 UTC
This looks like you had some bad transitions. I.e., you are logged in as xdm_t, instead of unconfined_t. I think you need the pam_selinux.so added to kdm pam file?

Well, it used to work before I rebooted today (to get the new kernel) with the new selinux-policy installed.

    [root@cynosure pam.d]# cat kdm
    #%PAM-1.0
    auth       include      system-auth
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    session    required     pam_loginuid.so
    session    optional     pam_selinux.so
    session    optional     pam_console.so

Any other error (avc) messages?

Just variations on the send_msg one:

    Feb 16 10:06:59 cynosure kernel: audit(1171645619.568:5): user pid=2156 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Manager member=GetAllDevices dest=org.freedesktop.Hal spid=2728 tpid=2415 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:hald_t:s0 tclass=dbus
    Feb 16 10:07:18 cynosure kernel: audit(1171645638.667:6): user pid=2156 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Avahi.Server member=GetAPIVersion dest=org.freedesktop.Avahi spid=2728 tpid=2403 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus
    Feb 16 14:10:07 cynosure kernel: audit(1171660207.804:644): user pid=2156 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.Hal.Device member=PropertyModified dest=org.freedesktop.DBus spid=2415 tpid=2728 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dbus

But they are all for dbus-system:

    system_u:system_r:system_dbusd_t dbus 2156 1 0 10:05 ? 00:00:00 dbus-daemon --system

With debug argument for pam_selinux:

    Feb 22 16:11:32 localhost kdm: :0[3355]: pam_selinux(kdm:session): Open Session
    Feb 22 16:11:32 localhost kdm: :0[3355]: pam_selinux(kdm:session): Username= foo SELinux User = user_u Level= s0
    Feb 22 16:11:32 localhost kdm: :0[3355]: pam_selinux(kdm:session): set foo security context to (null)

Is that "(null)" something that is expected to appear there?

I tried to revert back to pam-0.99.6.2-3.9.fc6.i386 from pam-0.99.6.2-3.15.fc6.i386 and it solves the problem for me.

    Feb 22 16:26:57 localhost kdm: :0[4033]: pam_selinux(kdm:session): set foo security context to user_u:system_r:unconfined_t

Session is started with unconfined_t domain. Looks like a pam_selinux issue, not a policy issue.

*** Bug 229667 has been marked as a duplicate of this bug. ***

pam-0.99.6.2-3.16.fc6 has been pushed for fc6, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.
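
The two symptoms discussed in this report can be checked for mechanically. The following Python script is an added example, not part of the bug report or of pam: it scans log text in the format quoted above for a pam_selinux debug line that sets the context to "(null)" and for AVC denials where either side is still in the display manager domain. The function names and the heuristic of treating any denial involving `xdm_t` as a hint of a missed transition are assumptions.

```python
import re

# Sample input: lines in the form quoted in this bug report.
SAMPLE_LOG = """\
Feb 22 16:11:32 localhost kdm: :0[3355]: pam_selinux(kdm:session): Open Session
Feb 22 16:11:32 localhost kdm: :0[3355]: pam_selinux(kdm:session): Username= foo SELinux User = user_u Level= s0
Feb 22 16:11:32 localhost kdm: :0[3355]: pam_selinux(kdm:session): set foo security context to (null)
Feb 22 16:26:57 localhost kdm: :0[4033]: pam_selinux(kdm:session): set foo security context to user_u:system_r:unconfined_t
Feb 16 10:06:59 cynosure kernel: audit(1171645619.568:5): user pid=2156 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Manager member=GetAllDevices dest=org.freedesktop.Hal spid=2728 tpid=2415 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:hald_t:s0 tclass=dbus
"""

# pam_selinux debug line that reports the context chosen for the session.
SET_CTX = re.compile(r"pam_selinux\((?P<service>[^:)]+):session\): "
                     r"set (?P<user>\S+) security context to (?P<ctx>.+)$")
# AVC denial with source context, target context and object class.
AVC = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
                 r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)")


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def find_failed_transitions(log_text, login_domain="xdm_t"):
    """Flag '(null)' session contexts and AVC denials involving the login domain."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SET_CTX.search(line)
        if m:
            # A valid context is not a finding; only "(null)" is reported.
            if m.group("ctx") == "(null)":
                findings.append(("null-context", m.group("service"), m.group("user")))
            continue
        m = AVC.search(line)
        if m:
            stype, ttype = selinux_type(m.group("s")), selinux_type(m.group("t"))
            # Heuristic (assumption): a denial with the login domain on either
            # side suggests a user process never left that domain.
            if login_domain in (stype, ttype):
                findings.append(("login-domain-avc", m.group("perms").strip(),
                                 stype, ttype, m.group("c").rstrip("'")))
    return findings


if __name__ == "__main__":
    for finding in find_failed_transitions(SAMPLE_LOG):
        print(finding)
```

The "(null)" finding only appears when pam_selinux is configured with its debug argument, as in the report; the AVC finding works on ordinary audit messages but can also match denials raised by the greeter itself.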