Bug 383571

Summary: gdm has trouble with selinux or vice versa
Product: Fedora
Component: gdm
Version: rawhide
Hardware: All
OS: Linux
Reporter: Antonio A. Olivares <olivares14031>
Assignee: Ray Strode [halfline] <rstrode>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: maurizio.antillon
Status: CLOSED RAWHIDE
Severity: low
Priority: low
Doc Type: Bug Fix
Last Closed: 2007-12-23 04:24:53 UTC
Attachments: Confirming error after several relabeling attempts

Description Antonio A. Olivares 2007-11-14 22:52:12 UTC
Description of problem:
When booting the computer, I get the message
Id "x" respawning too fast: disabled for 5 minutes
I have to press any key, then log in manually and type startx to get GNOME.
gdm fails to initiate.

Version-Release number of selected component (if applicable):
gdm-2.21.2-0.2007.11.09.1.fc9 ?? 

How reproducible:
Start machine up and one can see the messages.  


Steps to Reproduce:
1. Start computer
2. Wait about 2 minutes, maybe less
3. See the message on your screen: Id "x" respawning too fast: disabled for 5 minutes
  
Actual results:
Id "x" respawning too fast: disabled for 5 minutes
login manually

Expected results:
Log in correctly to X, as it was configured to log in automatically.


Additional info:
Applying what setroubleshoot recommends does nothing to cure the problem.  ./touch autorelabel does not help either.

bug in gdm something with getattr /bin/* 

Summary
    SELinux is preventing gdm (xdm_t) "getattr" to /bin/rpm (rpm_exec_t).

Detailed Description
    SELinux denied access requested by gdm. It is not expected that this access
    is required by gdm and this access may signal an intrusion attempt. It is
    also possible that the specific version or configuration of the application
    is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /bin/rpm, restorecon -v /bin/rpm
    If this does not work, there is currently no automatic way to allow this
    access. Instead,  you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Context                system_u:object_r:rpm_exec_t
Target Objects                /bin/rpm [ file ]
Affected RPM Packages         rpm-4.4.2.2-7.fc9 [target]
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost
Platform                      Linux localhost 2.6.23.1-42.fc8 #1 SMP Tue Oct 30
                              13:55:12 EDT 2007 i686 athlon
Alert Count                   4401
First Seen                    Sun 11 Nov 2007 09:11:06 AM CST
Last Seen                     Mon 12 Nov 2007 06:09:42 PM CST
Local ID                      e1676a84-c6d0-45b8-97d7-c7cae2d755c1
Line Numbers

Raw Audit Messages

avc: denied { getattr } for comm=gdm dev=dm-0 egid=0 euid=0 exe=/bin/bash
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/bin/rpm pid=4958
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:rpm_exec_t:s0 tty=(none) uid=0

Comment 1 Ray Strode [halfline] 2007-11-15 03:07:05 UTC
Apparently gdm is running some shell that does 

if [ -x /bin/rpm ]; then ...

or similar.  Since it's happening at start up, I'm guessing it's happening from
this line:

test -f /etc/profile && . /etc/profile

in /usr/sbin/gdm

Can you post the output of

ls -l /etc/profile.d 

?

Also, can you post the output of 

grep rpm /etc/profile.d/*

?

Comment 2 Antonio A. Olivares 2007-11-15 13:37:43 UTC
[olivares@localhost ~]$ ls -l /etc/profile.d
total 216
-rw-r--r-- 1 root root  764 2007-02-26 07:04 colorls.csh
-rw-r--r-- 1 root root  713 2007-02-26 07:04 colorls.sh
-rw-r--r-- 1 root root   80 2007-09-18 04:12 cvs.csh
-rw-r--r-- 1 root root   78 2007-09-18 04:12 cvs.sh
-rw-r--r-- 1 root root  192 2004-09-09 00:17 glib2.csh
-rw-r--r-- 1 root root  192 2005-12-11 23:58 glib2.sh
-rwxr-xr-x 1 root root  629 2007-09-21 09:22 kde4.csh
-rwxr-xr-x 1 root root  627 2007-09-21 09:22 kde4.sh
-rwxr-xr-x 1 root root  548 2007-09-20 09:37 kde.csh
-rwxr-xr-x 1 root root  428 2007-09-20 09:37 kde.sh
-rw-r--r-- 1 root root  218 2004-09-09 02:12 krb5-devel.csh
-rw-r--r-- 1 root root  229 2006-01-19 12:05 krb5-devel.sh
-rw-r--r-- 1 root root  218 2004-09-09 02:12 krb5-workstation.csh
-rw-r--r-- 1 root root  229 2006-01-19 12:05 krb5-workstation.sh
-rwxr-xr-x 1 root root   77 2007-09-12 04:23 ktechlab.sh
-rwxr-xr-x 1 root root 3006 2007-10-09 16:06 lang.csh
-rwxr-xr-x 1 root root 3329 2007-10-09 16:06 lang.sh
-rw-r--r-- 1 root root  122 2007-02-07 06:55 less.csh
-rw-r--r-- 1 root root  108 2007-02-07 06:55 less.sh
-rwxr-xr-x 1 root root  304 2007-11-08 10:26 qt.csh
-rwxr-xr-x 1 root root  312 2007-11-08 10:26 qt.sh
-rw-r--r-- 1 root root   83 2007-11-12 13:32 SDL_pulseaudio_hack.csh
-rw-r--r-- 1 root root   83 2007-11-12 13:32 SDL_pulseaudio_hack.sh
-rw-r--r-- 1 root root   74 2007-10-04 09:58 vim.csh
-rw-r--r-- 1 root root  248 2007-10-04 09:58 vim.sh
-rw-r--r-- 1 root root  162 2007-04-23 08:04 which-2.csh
-rw-r--r-- 1 root root  170 2004-09-09 09:18 which-2.sh
[olivares@localhost ~]$ 

[olivares@localhost ~]$ grep rpm /etc/profile.d/*
/etc/profile.d/kde4.csh:  set KDE4_LIBDIR = `/bin/rpm --eval %\{\?_kde4_libdir\}%\{\!\?_kde4_libdir:%\{_libdir\}\}`
/etc/profile.d/kde4.sh:  KDE4_LIBDIR=`/bin/rpm --eval '%{?_kde4_libdir}%{!?_kde4_libdir:%{_libdir}}' 2>/dev/null`
[olivares@localhost ~]$
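Comment 1 and Comment 2 together explain the first denial: /usr/sbin/gdm sources /etc/profile, which runs every /etc/profile.d/*.sh, and kde4.sh executes /bin/rpm, so the rpm invocation happens inside the xdm_t domain. The grep Ray asked for finds one known string; the script below generalises that check by scanning profile.d scripts for any absolute path a sourcing shell would stat or execute at startup and mapping each back to the script responsible. This is an added example, not code from the bug or from gdm; the kde4.sh content reproduces the line quoted in Comment 2, while the less.sh and vim.sh contents are constructed samples.

```python
"""Find which /etc/profile.d script makes a startup shell touch or run a given binary.

Example code added to this bug page (not part of gdm or Fedora). kde4.sh below
reproduces the line quoted in Comment 2; less.sh and vim.sh are constructed samples.
"""
import re
from pathlib import Path

SAMPLE_PROFILE_D = {
    "kde4.sh": (
        "KDE4_LIBDIR=`/bin/rpm --eval '%{?_kde4_libdir}%{!?_kde4_libdir:%{_libdir}}' 2>/dev/null`\n"
        "export KDE4_LIBDIR\n"
    ),
    # constructed: a file test only stats the binary, it does not run it
    "less.sh": "[ -x /usr/bin/lesspipe.sh ] && export LESSOPEN='|/usr/bin/lesspipe.sh %s'\n",
    # constructed: touches no binary at all
    "vim.sh": 'if [ -n "$BASH_VERSION" ]; then alias vi=vim; fi\n',
}

ABS = r"(/[\w./+-]+)"
# [ -x /bin/rpm ] makes the shell stat() the file, which SELinux checks as getattr.
TEST_RE = re.compile(r"\[\[?\s+-[xfers]\s+" + ABS)
# `cmd` or $(cmd) forks and execs the binary, which SELinux checks as execute.
SUBST_RE = re.compile(r"`\s*" + ABS + r"|\$\(\s*" + ABS)
# A line whose first word is an absolute path runs it as well.
LINE_RE = re.compile(r"^\s*" + ABS, re.MULTILINE)


def startup_accesses(text):
    """Return sorted (permission, path) pairs a shell needs when it sources `text`."""
    found = set()
    for m in TEST_RE.finditer(text):
        found.add(("getattr", m.group(1)))
    for m in SUBST_RE.finditer(text):
        found.add(("execute", m.group(1) or m.group(2)))
    for m in LINE_RE.finditer(text):
        found.add(("execute", m.group(1)))
    return sorted(found)


def scripts_touching(path, scripts):
    """Map script name -> permissions it needs on `path`; scripts that never touch it are omitted."""
    result = {}
    for name, text in scripts.items():
        perms = sorted({perm for perm, p in startup_accesses(text) if p == path})
        if perms:
            result[name] = perms
    return result


def load_profile_d(directory="/etc/profile.d"):
    """Read the real scripts; only *.sh matters for a Bourne shell sourcing /etc/profile."""
    return {p.name: p.read_text(errors="replace") for p in Path(directory).glob("*.sh")}


if __name__ == "__main__":
    # Point this at load_profile_d() on a live system to audit the real directory.
    for name, perms in scripts_touching("/bin/rpm", SAMPLE_PROFILE_D).items():
        print(f"{name}: startup shell needs {' '.join(perms)} on /bin/rpm")
```

Run on the sample data it reports kde4.sh as the script that needs execute on /bin/rpm, which matches the `name=rpm` execute denials quoted later in this bug; on a real host, replace SAMPLE_PROFILE_D with load_profile_d(). The regexes are deliberately conservative (absolute paths only), so a binary found via $PATH lookup is not reported.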



Comment 3 Daniel Walsh 2007-11-15 20:46:17 UTC
One problem I see in policy is that we are labeling /usr/sbin/gdm as gdm_exec_t
which we should not do.  We should only label the executable.  Some of these
problems might go away with that change.

You can test this theory by executing

chcon -t bin_t /usr/sbin/gdm



Comment 4 Jim Cornette 2007-11-22 01:31:32 UTC
I was able to get some of gdm to come up when changing enforcing to permissive.
Summary
    SELinux is preventing /usr/libexec/gdm-simple-greeter (xdm_t) "getattr" to
    <Unknown> (inotifyfs_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/gdm-simple-greeter. It is
    not expected that this access is required by /usr/libexec/gdm-simple-greeter
    and this access may signal an intrusion attempt. It is also possible that
    the specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Context                system_u:object_r:inotifyfs_t
Target Objects                None [ dir ]
Affected RPM Packages         gdm-2.21.2-0.2007.11.20.2.fc9 [application]
Policy RPM                    selinux-policy-3.0.8-53.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     HP-JCF7
Platform                      Linux HP-JCF7 2.6.23.1-49.fc8 #1 SMP Thu Nov 8
                              21:41:26 EST 2007 i686 athlon
Alert Count                   2
First Seen                    Wed 21 Nov 2007 06:17:22 PM EST
Last Seen                     Wed 21 Nov 2007 08:18:41 PM EST
Local ID                      96b53fff-c2a6-421a-82dc-e4142c86d9d5

simple-greeter error:
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm=gdm-simple-gree dev=inotifyfs egid=42 euid=42
exe=/usr/libexec/gdm-simple-greeter exit=0 fsgid=42 fsuid=42 gid=42 items=0
path=inotify pid=3527 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=42
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=42 tclass=dir
tcontext=system_u:object_r:inotifyfs_t:s0 tty=(none) uid=42



Comment 5 Jim Cornette 2007-11-22 01:33:20 UTC
Summary
    SELinux is preventing gdm (xdm_t) "execute" to <Unknown> (rpm_exec_t).

Detailed Description
    SELinux denied access requested by gdm. It is not expected that this access
    is required by gdm and this access may signal an intrusion attempt. It is
    also possible that the specific version or configuration of the application
    is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Context                system_u:object_r:rpm_exec_t
Target Objects                None [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.8-53.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     HP-JCF7
Platform                      Linux HP-JCF7 2.6.23.1-49.fc8 #1 SMP Thu Nov 8
                              21:41:26 EST 2007 i686 athlon
Alert Count                   122
First Seen                    Fri 16 Nov 2007 09:52:45 PM EST
Last Seen                     Wed 21 Nov 2007 08:07:37 PM EST
Local ID                      030edbeb-8cef-4810-872c-1ee1860d64f6
Line Numbers                  

Raw Audit Messages            

avc: denied { execute } for comm=gdm dev=sda6 egid=0 euid=0 exe=/bin/bash
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=rpm pid=2745
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:rpm_exec_t:s0 tty=(none) uid=0



Comment 6 Jim Cornette 2007-11-22 01:36:49 UTC
What I am seeing is a small GUI in the center for the simple browser. The text
is fairly large. There is no shutdown available from X when it starts. The small
rendition of the browser allows login name and comes up with a password.

Comment 7 Jim Cornette 2007-11-22 01:40:54 UTC
What I posted on the test list before entering information.
>>>
>> If I boot with enforcing=0 I can get gdm to load successfully. The
>> problem with it once loaded is that the screen is small square in the
>> center of the screen.
>> I have no xorg.conf so that might be why the login for gdm is so messed
>> up. At least I can shut down now.
>> I then set SELinux back to enforcing. There are no browser popups for
>> SELinux and gdm. I expected something since gdm is killed with SELinux
>> in enforcing.
>>
>> --

Comment 8 Jim Cornette 2007-11-22 02:20:22 UTC
No difference in enforcing after running chcon -t bin_t /usr/sbin/gdm
and changing from runlevel 3, setting selinux to enforcing and then changing to
runlevel 5 again.

Comment 9 Felix Bellaby 2007-11-23 01:35:31 UTC
You need to change the context on /etc/X11/prefdm as well to get X going:

chcon -t bin_t /etc/X11/prefdm /usr/sbin/gdm

/sbin/prefdm will then bring up the desktop from the console, but telinit 5 will
only get as far as starting the X server.

It appears that gdm fails to acquire the system_dbusd_t service.

Then the transition to system_dbusd_exec_t fails when launching the dbus-daemon.

Then the transition to gconf_exec_t fails when the gconfd-2 is launched.

Further problems might follow.


Comment 10 Felix Bellaby 2007-11-23 03:04:55 UTC
In fact the change in context should be restricted to /etc/X11/prefdm.
/usr/sbin/gdm should be left as is so that it uses the system dbus daemon. 

chcon -t bin_t /etc/X11/prefdm

The xdm_t context still needs some additional abilities to enable it to talk to
the dbus daemon:

allow xdm_t system_dbusd_t:dbus acquire_svc;
allow xdm_t self:dbus send_msg;

After these changes gdm can get started.

However, there are still problems launching the gconfd-2 daemon that prevent
gdm-settings-daemon and gtk-window-decorator from getting going.
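Comment 10 writes the missing permissions as policy `allow` rules, which is the form a local policy module would take once the labeling fixes suggested above have been tried. The raw audit messages quoted throughout this bug carry everything needed to derive such rules: the source and target contexts, the object class and the denied permission. The script below is an added example (not part of the bug, gdm or the selinux-policy package) that parses those lines, including the shortened form in Comment 12 that lacks exe= and path=, and merges denials into candidate rules the way audit2allow does; the sample lines are copied from the reports above and re-joined onto single lines.

```python
"""Parse raw SELinux AVC denial lines into records and merge them into candidate allow rules.

Example code added to this bug page. The sample lines are the raw audit messages
quoted in this bug, re-joined onto single lines.
"""
import re
from collections import defaultdict

SAMPLE_AVC = [
    "avc: denied { getattr } for comm=gdm dev=dm-0 egid=0 euid=0 exe=/bin/bash "
    "exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/bin/rpm pid=4958 "
    "scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0 "
    "subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file "
    "tcontext=system_u:object_r:rpm_exec_t:s0 tty=(none) uid=0",
    "avc: denied { getattr } for comm=gdm-simple-gree dev=inotifyfs egid=42 euid=42 "
    "exe=/usr/libexec/gdm-simple-greeter exit=0 fsgid=42 fsuid=42 gid=42 items=0 "
    "path=inotify pid=3527 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=42 "
    "subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=42 tclass=dir "
    "tcontext=system_u:object_r:inotifyfs_t:s0 tty=(none) uid=42",
    "avc: denied { execute } for comm=gdm dev=sda6 egid=0 euid=0 exe=/bin/bash "
    "exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=rpm pid=2745 "
    "scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0 "
    "subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file "
    "tcontext=system_u:object_r:rpm_exec_t:s0 tty=(none) uid=0",
    # Comment 12's shortened form: no exe=, no path=, only name=
    "avc: denied { execute } for comm=gdm dev=dm-0 name=rpm pid=10023 "
    "scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file "
    "tcontext=system_u:object_r:rpm_exec_t:s0",
]

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def context_type(ctx):
    """Return the type field of a context written as user:role:TYPE[:range]."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not a denial."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    # The kernel logs a full path= when it has one, otherwise only the last component as name=.
    target = fields.get("path") or fields.get("name")
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm"),
        "exe": fields.get("exe"),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "target": target,
        "pid": int(fields["pid"]) if "pid" in fields else None,
    }


def via_shell(rec):
    """True when a shell, not the subject binary itself, made the denied access.

    In this bug that pointed at /etc/profile being sourced rather than at gdm's own code."""
    return rec is not None and rec["exe"] in ("/bin/bash", "/bin/sh")


def allow_rules(lines):
    """Merge denials sharing (source type, target type, class) into sorted allow rules."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            grouped[(rec["source_type"], rec["target_type"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    for line in SAMPLE_AVC:
        rec = parse_avc(line)
        print(rec["comm"], rec["perms"], rec["target"], "(via shell)" if via_shell(rec) else "")
    print("\n".join(allow_rules(SAMPLE_AVC)))
```

The merged output for the four sample lines is one rule for the inotify directory and one for rpm_exec_t with both getattr and execute. Treat such rules as a diagnosis rather than a fix: a denial whose target is a standard binary like /bin/rpm is the labeling or policy-bug case the troubleshooter text describes, and the via_shell flag on the rpm denials is what points back at the profile.d script rather than at gdm.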


Comment 11 Jim Cornette 2007-11-23 03:21:04 UTC
Unless I go into permissive mode I still see the problems. I relabeled my
filesystem and ran chcon -t bin_t /etc/X11/prefdm and still had the respawning
error. With SELinux in permissive mode I could get the crippled browser. If I
set selinux to enforcing before pressing enter for the password, all I get is X
with no GNOME desktop. I have errors for xorg-x11-server-Xorg and also
ConsoleKit to address those problems.
I am also running kernel-2.6.23.1-49.fc8 since the console hangs at udev for
even the latest kernel-2.6.24-0.41.rc3.git1.fc9 on the system.
I see messages related to DBUS, rpm, SELinux policy also in the troubleshooter
browser. kdm works but is not my choice in login managers with SELinux in
enforcing. 

Comment 12 Antonio A. Olivares 2007-11-27 13:45:10 UTC
Alert count has increased dramatically.  I turned off setroubleshoot service,
with chkconfig.  Upon bootup, it started again automatically warning me again. 
The alert count on this has increased dramatically, and it is bothering me: while
I can ignore it, it comes back.

Alert Count                   10480

Summary
    SELinux is preventing gdm (xdm_t) "execute" to <Unknown> (rpm_exec_t).

Detailed Description
    SELinux denied access requested by gdm. It is not expected that this access
    is required by gdm and this access may signal an intrusion attempt. It is
    also possible that the specific version or configuration of the application
    is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Context                system_u:object_r:rpm_exec_t
Target Objects                None [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost
Platform                      Linux localhost 2.6.24-0.42.rc3.git1.fc9 #1 SMP
                              Sat Nov 24 05:51:18 EST 2007 i686 athlon
Alert Count                   10480
First Seen                    Sun 11 Nov 2007 09:11:06 AM CST
Last Seen                     Tue 27 Nov 2007 07:38:16 AM CST
Local ID                      f3168196-46ac-4951-ab61-b3b218534bb2
Line Numbers                  

Raw Audit Messages            

avc: denied { execute } for comm=gdm dev=dm-0 name=rpm pid=10023
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file
tcontext=system_u:object_r:rpm_exec_t:s0



Comment 13 Jim Cornette 2007-11-27 22:41:21 UTC
Created attachment 270461
Confirming error after several relabeling attempts

I can confirm that this error is still present with the current state of gdm.
See attached report from the troubleshooter browser.

Comment 14 Jim Cornette 2007-12-22 05:01:43 UTC
The error is no longer being logged with selinux-policy-3.2.5-3.fc9. Leaving
the bug ticket since it is no longer causing problems on my system.