Bug 229039

Summary: KDE/kdm session no longer runs in unconfined_t with pam_selinux 0.99.6.2-3.15
Product: Fedora
Component: pam
Version: 6
Hardware: All
OS: Linux
Severity: medium
Priority: medium
Status: CLOSED ERRATA
Reporter: Orion Poplawski <orion>
Assignee: Tomas Mraz <tmraz>
CC: apodtele, dwalsh, thoger
Doc Type: Bug Fix
Last Closed: 2007-02-23 11:16:42 UTC

Description Orion Poplawski 2007-02-16 17:50:20 UTC
Description of problem:

Trying to remove the debug kernels from my system fails with:

audit(1171647763.891:112): avc:  denied  { transition } for  pid=3757 comm="rpm"
name="bash" dev=hda8 ino=883051 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process

or

audit(1171647636.054:104): avc:  denied  { transition } for  pid=3690 comm="yum"
name="bash" dev=hda8 ino=883051 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process

rpm -e kernel-debug-2.6.19-1.2911.fc6.i686
error: %preun(kernel-debug-2.6.19-1.2911.fc6.i686) scriptlet failed, exit status 255

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-37.fc6

How reproducible:
Every time


Other denials:

audit(1171647730.099:111): user pid=2156 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for
msgtype=signal interface=org.freedesktop.Hal.Device member=PropertyModified
dest=org.freedesktop.DBus spid=2415 tpid=2728
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dbus


Looks like all of the desktop spawned processes are in the xdm_t context:

system_u:system_r:xdm_t:SystemLow-SystemHigh root 2517 2489  0 10:06 ? 00:00:00
kdm -noda
system_u:system_r:xdm_t:SystemLow-SystemHigh root 2549 2517  2 10:06 tty7
00:01:07 /usr/b
system_u:system_r:xdm_t:SystemLow-SystemHigh root 2550 2517  0 10:06 ? 00:00:00 -:0
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2566 2550  0 10:06 ? 00:00:00
-/bin/tc
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2641 2566  0 10:06 ? 00:00:00
/bin/sh
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2642 2641  0 10:06 ? 00:00:00
/usr/bin
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2645 1  0 10:06 ?   00:00:00
/usr/bin/
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2646 1  0 10:06 ?   00:00:00
/bin/dbus
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2720 1  0 10:06 ?   00:00:00
start_kde
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2721 1  0 10:06 ?   00:00:00
kdeinit R
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2724 1  0 10:06 ?   00:00:00
dcopserve
........

As you can see, this is the KDE desktop launched from kdm.
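
Two checks for the symptom described in this report, as an added example that is not part of the bug report or of any Fedora tooling. The first walks a process listing and flags non-root processes whose SELinux type is still xdm_t (the display manager's domain), which is exactly what the `ps` listing above shows; the second condenses AVC records that involve xdm_t into a per-(source, target, permission, class) count so the mislabelled session stands out. Both run here over constructed input modelled on the logs above. Assumptions not stated on the page: the listing comes from `ps -eo label,user,pid,ppid,comm`, and on this policy a login session is expected to land in unconfined_t rather than xdm_t.

```shell
#!/bin/sh
# Added example, not from the bug report. Two offline checks over constructed
# input that mirrors the logs in the report.
#
# Assumptions (not stated on the page): the process listing has the layout of
#   ps -eo label,user,pid,ppid,comm
# and an interactive login on this policy should land in unconfined_t, so any
# non-root process whose SELinux type is xdm_t never made the session transition.

# Constructed sample modelled on the reporter's `ps` listing.
sample_ps() {
cat <<'EOF'
system_u:system_r:xdm_t:SystemLow-SystemHigh root 2517 2489 kdm
system_u:system_r:xdm_t:SystemLow-SystemHigh root 2550 2517 -:0
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2566 2550 tcsh
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2720 1 start_kde
system_u:system_r:unconfined_t:SystemLow-SystemHigh alice 3001 1 bash
system_u:system_r:system_dbusd_t dbus 2156 1 dbus-daemon
EOF
}

# Print "user pid type comm" for every non-root process still in xdm_t.
# Exit status 1 when at least one such process exists, 0 otherwise.
stuck_in_xdm() {
    awk '
    {
        split($1, c, ":")                  # seuser:role:type[:range]
        if (c[3] == "xdm_t" && $2 != "root") {
            printf "%s %s %s %s\n", $2, $3, c[3], $5
            found = 1
        }
    }
    END { exit found ? 1 : 0 }'
}

# Constructed AVC records, one per line (the report shows them wrapped).
sample_avc() {
cat <<'EOF'
audit(1171647763.891:112): avc:  denied  { transition } for  pid=3757 comm="rpm" name="bash" dev=hda8 ino=883051 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
audit(1171647636.054:104): avc:  denied  { transition } for  pid=3690 comm="yum" name="bash" dev=hda8 ino=883051 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
audit(1171647730.099:111): user pid=2156 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.freedesktop.Hal.Device member=PropertyModified dest=org.freedesktop.DBus spid=2415 tpid=2728 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dbus
EOF
}

# Summarise denials that involve xdm_t as "count source -> target perm class".
# Only the type component of scontext/tcontext is kept.
avc_xdm_summary() {
    awk '
    /avc: +denied/ {
        b = index($0, "{"); e = index($0, "}")
        perm = substr($0, b + 1, e - b - 1); gsub(/ /, "", perm)
        s = t = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (s == "xdm_t" || t == "xdm_t")
            n[s " -> " t " " perm " " cls]++
    }
    END { for (k in n) print n[k], k }' | sort
}

# Usage on a live system (not run here):
#   ps -eo label,user,pid,ppid,comm | stuck_in_xdm
#   ausearch -m avc | avc_xdm_summary
# On a box without auditd, as in this report, the records land in
# /var/log/messages via the kernel log instead, so grep that file for "avc:".
```

The `stuck_in_xdm` exit status makes the check usable from a post-login sanity script: a non-zero result means the PAM session setup did not hand the user's shell a proper domain, and everything the desktop spawns (including `rpm`/`yum` scriptlets, hence the `transition` denials) will be refused.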

Comment 1 Daniel Walsh 2007-02-16 20:45:31 UTC
This looks like you had some bad transitions.  I.e. you are logged in as xdm_t,
instead of unconfined_t.  I think you need the pam_selinux.so added to the kdm pam file?

Comment 2 Orion Poplawski 2007-02-16 20:49:40 UTC
Well, it used to work before I rebooted today (to get the new kernel) with the
new selinux-policy installed.

[root@cynosure pam.d]# cat kdm
#%PAM-1.0
auth       include     system-auth
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    optional    pam_keyinit.so force revoke
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_selinux.so
session    optional    pam_console.so


Comment 3 Daniel Walsh 2007-02-16 21:07:24 UTC
Any other error (avc) messages?

Comment 4 Orion Poplawski 2007-02-16 21:15:12 UTC
Just variations on the send_msg one:

Feb 16 10:06:59 cynosure kernel: audit(1171645619.568:5): user pid=2156 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  {
send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Manager
member=GetAllDevices dest=org.freedesktop.Hal spid=2728 tpid=2415
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:hald_t:s0 tclass=dbus
Feb 16 10:07:18 cynosure kernel: audit(1171645638.667:6): user pid=2156 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  {
send_msg } for msgtype=method_call interface=org.freedesktop.Avahi.Server
member=GetAPIVersion dest=org.freedesktop.Avahi spid=2728 tpid=2403
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:avahi_t:s0 tclass=dbus
Feb 16 14:10:07 cynosure kernel: audit(1171660207.804:644): user pid=2156 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  {
send_msg } for msgtype=signal interface=org.freedesktop.Hal.Device
member=PropertyModified dest=org.freedesktop.DBus spid=2415 tpid=2728
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dbus

But they are all for dbus-system:

system_u:system_r:system_dbusd_t dbus     2156     1  0 10:05 ?        00:00:00
dbus-daemon --system


Comment 5 Tomas Hoger 2007-02-22 15:24:04 UTC
With debug argument for pam_selinux:

Feb 22 16:11:32 localhost kdm: :0[3355]: pam_selinux(kdm:session): Open Session
Feb 22 16:11:32 localhost kdm: :0[3355]: pam_selinux(kdm:session): Username= foo
SELinux User = user_u Level= s0
Feb 22 16:11:32 localhost kdm: :0[3355]: pam_selinux(kdm:session): set foo
security context to (null)

Is that "(null)" something that is expected to appear there?


Comment 6 Tomas Hoger 2007-02-22 15:36:16 UTC
I tried to revert back to pam-0.99.6.2-3.9.fc6.i386 from
pam-0.99.6.2-3.15.fc6.i386 and it solves the problem for me.

Feb 22 16:26:57 localhost kdm: :0[4033]: pam_selinux(kdm:session): set foo
security context to user_u:system_r:unconfined_t

Session is started with unconfined_t domain.  Looks like pam_selinux issue, not
policy issue.
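
The diagnostic that Comments 5 and 6 walk through, turning on pam_selinux debugging and reading the resulting "set <user> security context to ..." lines, as an added example that is not part of the bug report or of the pam package. The first function appends the `debug` option to the pam_selinux session line of a PAM file (run it on a copy first); the second reads syslog-style lines and reports the context pam_selinux assigned to each session, failing when it is "(null)". The log lines are constructed from the ones quoted above; it is assumed the pam_selinux session line has no options yet, as in the kdm file shown in Comment 2.

```shell
#!/bin/sh
# Added example, not from the bug report. Enables pam_selinux debugging in a
# PAM stack and checks the resulting log for a "(null)" context, the symptom
# isolated in Comments 5 and 6. Runs here on a temp file and constructed log
# lines rather than /etc/pam.d/kdm and /var/log/secure.
#
# Assumptions: log lines have the layout quoted in Comment 5, and the
# pam_selinux session line carries no options yet (as in Comment 2).

# Append the "debug" option to the pam_selinux session line of PAM file $1.
add_pam_selinux_debug() {
    tmp=$(mktemp) || return 1
    sed 's/^\(session[[:space:]]\{1,\}optional[[:space:]]\{1,\}pam_selinux\.so\)[[:space:]]*$/\1 debug/' "$1" > "$tmp" \
        && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed pam_selinux debug lines modelled on Comments 5 and 6.
sample_secure_log() {
cat <<'EOF'
Feb 22 16:11:32 localhost kdm: :0[3355]: pam_selinux(kdm:session): Open Session
Feb 22 16:11:32 localhost kdm: :0[3355]: pam_selinux(kdm:session): Username= foo SELinux User = user_u Level= s0
Feb 22 16:11:32 localhost kdm: :0[3355]: pam_selinux(kdm:session): set foo security context to (null)
Feb 22 16:26:57 localhost kdm: :0[4033]: pam_selinux(kdm:session): set bar security context to user_u:system_r:unconfined_t
EOF
}

# Print "user context" for each session pam_selinux set up. Exit 1 if any
# context is "(null)", i.e. pam_selinux failed to compute one (this bug).
pam_selinux_contexts() {
    awk '
    /pam_selinux\([^)]*:session\): set [^ ]+ security context to / {
        for (i = 1; i < NF; i++) if ($i == "set") { user = $(i + 1); break }
        ctx = $NF
        print user, ctx
        if (ctx == "(null)") bad = 1
    }
    END { exit bad ? 1 : 0 }'
}

# Usage on a live system (not run here):
#   cp /etc/pam.d/kdm /root/kdm.bak && add_pam_selinux_debug /etc/pam.d/kdm
#   log out and back in, then:
#   pam_selinux_contexts < /var/log/secure
```

A "(null)" here means the session runs in whatever domain the display manager already had (xdm_t), which is why reverting pam alone fixed it for the commenter while the policy package was not at fault.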


Comment 7 Daniel Walsh 2007-02-22 17:51:10 UTC
*** Bug 229667 has been marked as a duplicate of this bug. ***

Comment 8 Fedora Update System 2007-02-23 01:37:12 UTC
pam-0.99.6.2-3.16.fc6 has been pushed for fc6, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.