Bug 383571
| Field | Value |
|---|---|
| Summary | gdm has trouble with selinux or vice versa |
| Product | Fedora |
| Component | gdm |
| Version | rawhide |
| Hardware | All |
| OS | Linux |
| Status | CLOSED RAWHIDE |
| Severity | low |
| Priority | low |
| Reporter | Antonio A. Olivares <olivares14031> |
| Assignee | Ray Strode [halfline] <rstrode> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | maurizio.antillon |
| Target Milestone | --- |
| Target Release | --- |
| Doc Type | Bug Fix |
| Story Points | --- |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Last Closed | 2007-12-23 04:24:53 UTC |
Description
Antonio A. Olivares
2007-11-14 22:52:12 UTC
Apparently gdm is running some shell that does `if [ -x /bin/rpm ]; then ...` or similar. Since it's happening at start up, I'm guessing it's happening from this line in /usr/sbin/gdm:

```
test -f /etc/profile && . /etc/profile
```

Can you post the output of `ls -l /etc/profile.d`? Also, can you post the output of `grep rpm /etc/profile.d/*`?

```
[olivares@localhost ~]$ ls -l /etc/profile.d
total 216
-rw-r--r-- 1 root root  764 2007-02-26 07:04 colorls.csh
-rw-r--r-- 1 root root  713 2007-02-26 07:04 colorls.sh
-rw-r--r-- 1 root root   80 2007-09-18 04:12 cvs.csh
-rw-r--r-- 1 root root   78 2007-09-18 04:12 cvs.sh
-rw-r--r-- 1 root root  192 2004-09-09 00:17 glib2.csh
-rw-r--r-- 1 root root  192 2005-12-11 23:58 glib2.sh
-rwxr-xr-x 1 root root  629 2007-09-21 09:22 kde4.csh
-rwxr-xr-x 1 root root  627 2007-09-21 09:22 kde4.sh
-rwxr-xr-x 1 root root  548 2007-09-20 09:37 kde.csh
-rwxr-xr-x 1 root root  428 2007-09-20 09:37 kde.sh
-rw-r--r-- 1 root root  218 2004-09-09 02:12 krb5-devel.csh
-rw-r--r-- 1 root root  229 2006-01-19 12:05 krb5-devel.sh
-rw-r--r-- 1 root root  218 2004-09-09 02:12 krb5-workstation.csh
-rw-r--r-- 1 root root  229 2006-01-19 12:05 krb5-workstation.sh
-rwxr-xr-x 1 root root   77 2007-09-12 04:23 ktechlab.sh
-rwxr-xr-x 1 root root 3006 2007-10-09 16:06 lang.csh
-rwxr-xr-x 1 root root 3329 2007-10-09 16:06 lang.sh
-rw-r--r-- 1 root root  122 2007-02-07 06:55 less.csh
-rw-r--r-- 1 root root  108 2007-02-07 06:55 less.sh
-rwxr-xr-x 1 root root  304 2007-11-08 10:26 qt.csh
-rwxr-xr-x 1 root root  312 2007-11-08 10:26 qt.sh
-rw-r--r-- 1 root root   83 2007-11-12 13:32 SDL_pulseaudio_hack.csh
-rw-r--r-- 1 root root   83 2007-11-12 13:32 SDL_pulseaudio_hack.sh
-rw-r--r-- 1 root root   74 2007-10-04 09:58 vim.csh
-rw-r--r-- 1 root root  248 2007-10-04 09:58 vim.sh
-rw-r--r-- 1 root root  162 2007-04-23 08:04 which-2.csh
-rw-r--r-- 1 root root  170 2004-09-09 09:18 which-2.sh
[olivares@localhost ~]$
[olivares@localhost ~]$ grep rpm /etc/profile.d/*
/etc/profile.d/kde4.csh: set KDE4_LIBDIR = `/bin/rpm --eval %\{\?_kde4_libdir\}%\{\!\?_kde4_libdir:%\{_libdir\}\}`
/etc/profile.d/kde4.sh: KDE4_LIBDIR=`/bin/rpm --eval '%{?_kde4_libdir}%{!?_kde4_libdir:%{_libdir}}' 2>/dev/null`
[olivares@localhost ~]$
```

One problem I see in policy is that we are labeling /usr/sbin/gdm as gdm_exec_t, which we should not do. We should only label the executable. Some of these problems might go away with that change. You can test this theory by executing:

```
chcon -t bin_t /usr/sbin/gdm
```

I was able to get some of gdm to come up when changing enforcing to permissive.

```
Summary
    SELinux is preventing /usr/libexec/gdm-simple-greeter (xdm_t) "getattr" to <Unknown> (inotifyfs_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/gdm-simple-greeter. It is not
    expected that this access is required by /usr/libexec/gdm-simple-greeter and
    this access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to require
    additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore
    the default system file context for <Unknown>, restorecon -v <Unknown>
    If this does not work, there is currently no automatic way to allow this
    access. Instead, you can generate a local policy module to allow this access -
    see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux protection
    is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
    Source Context         system_u:system_r:xdm_t:SystemLow-SystemHigh
    Target Context         system_u:object_r:inotifyfs_t
    Target Objects         None [ dir ]
    Affected RPM Packages  gdm-2.21.2-0.2007.11.20.2.fc9 [application]
    Policy RPM             selinux-policy-3.0.8-53.fc8
    Selinux Enabled        True
    Policy Type            targeted
    MLS Enabled            True
    Enforcing Mode         Permissive
    Plugin Name            plugins.catchall_file
    Host Name              HP-JCF7
    Platform               Linux HP-JCF7 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 athlon
    Alert Count            2
    First Seen             Wed 21 Nov 2007 06:17:22 PM EST
    Last Seen              Wed 21 Nov 2007 08:18:41 PM EST
    Local ID               96b53fff-c2a6-421a-82dc-e4142c86d9d5
    simple-greeter error:
    Line Numbers

Raw Audit Messages
    avc: denied { getattr } for comm=gdm-simple-gree dev=inotifyfs egid=42 euid=42 exe=/usr/libexec/gdm-simple-greeter exit=0 fsgid=42 fsuid=42 gid=42 items=0 path=inotify pid=3527 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=42 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=42 tclass=dir tcontext=system_u:object_r:inotifyfs_t:s0 tty=(none) uid=42
```

```
Summary
    SELinux is preventing gdm (xdm_t) "execute" to <Unknown> (rpm_exec_t).

Detailed Description
    SELinux denied access requested by gdm. It is not expected that this access is
    required by gdm and this access may signal an intrusion attempt. It is also
    possible that the specific version or configuration of the application is
    causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore
    the default system file context for <Unknown>, restorecon -v <Unknown>
    If this does not work, there is currently no automatic way to allow this
    access. Instead, you can generate a local policy module to allow this access -
    see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux protection
    is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
    Source Context         system_u:system_r:xdm_t:SystemLow-SystemHigh
    Target Context         system_u:object_r:rpm_exec_t
    Target Objects         None [ file ]
    Affected RPM Packages
    Policy RPM             selinux-policy-3.0.8-53.fc8
    Selinux Enabled        True
    Policy Type            targeted
    MLS Enabled            True
    Enforcing Mode         Enforcing
    Plugin Name            plugins.catchall_file
    Host Name              HP-JCF7
    Platform               Linux HP-JCF7 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 athlon
    Alert Count            122
    First Seen             Fri 16 Nov 2007 09:52:45 PM EST
    Last Seen              Wed 21 Nov 2007 08:07:37 PM EST
    Local ID               030edbeb-8cef-4810-872c-1ee1860d64f6
    Line Numbers

Raw Audit Messages
    avc: denied { execute } for comm=gdm dev=sda6 egid=0 euid=0 exe=/bin/bash exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=rpm pid=2745 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:rpm_exec_t:s0 tty=(none) uid=0
```

What I am seeing is a small GUI in the center for the simple browser. The text is fairly large. There is no shutdown available from X when it starts. The small rendition of the browser allows a login name and comes up with a password. What I posted on the test list before entering information:
> If I boot with enforcing=0 I can get gdm to load successfully. The
> problem with it once loaded is that the screen is a small square in the
> center of the screen.
> I have no xorg.conf so that might be why the login for gdm is so messed
> up. At least I can shut down now.
> I then set SELinux back to enforcing. There are no browser popups for
> SELinux and gdm. I expected something since gdm is killed with SELinux
> in enforcing.
No difference in enforcing after running `chcon -t bin_t /usr/sbin/gdm` and changing from runlevel 3, setting selinux to enforcing and then changing to runlevel 5 again.

You need to change the context on /etc/X11/prefdm as well to get X going:

```
chcon -t bin_t /etc/X11/prefdm /usr/sbin/gdm
```

/sbin/prefdm will then bring up the desktop from the console, but `telinit 5` will only get as far as starting the X server. It appears that gdm fails to acquire the system_dbusd_t service. Then the transition to system_dbusd_exec_t fails when launching the dbus-daemon. Then the transition to gconf_exec_t fails when gconfd-2 is launched. Further problems might follow.

In fact the change in context should be restricted to /etc/X11/prefdm. /usr/sbin/gdm should be left as is so that it uses the system dbus daemon.

```
chcon -t bin_t /etc/X11/prefdm
```

The xdm_t context still needs some additional abilities to enable it to talk to the dbus daemon:

```
allow xdm_t system_dbusd_t:dbus acquire_svc;
allow xdm_t self:dbus send_msg;
```

After these changes gdm can get started. However, there are still problems launching the gconfd-2 daemon that prevent gdm-settings-daemon and gtk-window-decorator from getting going. Unless I go into permissive mode I still see the problems.

I relabeled my filesystem and ran `chcon -t bin_t /etc/X11/prefdm` and still had the respawning error. With SELinux in permissive mode I could get the crippled browser. If I set selinux to enforcing before pressing enter for the password, all I get is X with no GNOME desktop. I have errors for xorg-x11-server-Xorg and also ConsoleKit to address those problems. I am also running kernel-2.6.23.1-49.fc8 since the console hangs at udev for even the latest kernel-2.6.24-0.41.rc3.git1.fc9 on the system. I see messages related to DBUS, rpm, SELinux policy also in the troubleshooter browser. kdm works but is not my choice in login managers with SELinux in enforcing. Alert count has increased dramatically.
I turned off the setroubleshoot service with chkconfig. Upon bootup, it started again automatically, warning me again. The alert count on this has increased dramatically and it is bothering me; while I can ignore it, it comes back. Alert Count 10480

```
Summary
    SELinux is preventing gdm (xdm_t) "execute" to <Unknown> (rpm_exec_t).

Detailed Description
    SELinux denied access requested by gdm. It is not expected that this access is
    required by gdm and this access may signal an intrusion attempt. It is also
    possible that the specific version or configuration of the application is
    causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore
    the default system file context for <Unknown>, restorecon -v <Unknown>
    If this does not work, there is currently no automatic way to allow this
    access. Instead, you can generate a local policy module to allow this access -
    see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux protection
    is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
    Source Context         system_u:system_r:xdm_t:SystemLow-SystemHigh
    Target Context         system_u:object_r:rpm_exec_t
    Target Objects         None [ file ]
    Affected RPM Packages
    Policy RPM             selinux-policy-3.0.8-44.fc8
    Selinux Enabled        True
    Policy Type            targeted
    MLS Enabled            True
    Enforcing Mode         Enforcing
    Plugin Name            plugins.catchall_file
    Host Name              localhost
    Platform               Linux localhost 2.6.24-0.42.rc3.git1.fc9 #1 SMP Sat Nov 24 05:51:18 EST 2007 i686 athlon
    Alert Count            10480
    First Seen             Sun 11 Nov 2007 09:11:06 AM CST
    Last Seen              Tue 27 Nov 2007 07:38:16 AM CST
    Local ID               f3168196-46ac-4951-ab61-b3b218534bb2
    Line Numbers

Raw Audit Messages
    avc: denied { execute } for comm=gdm dev=dm-0 name=rpm pid=10023 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file tcontext=system_u:object_r:rpm_exec_t:s0
```

Created attachment 270461
Confirming error after several relabeling attempts
I can confirm that this error is still present with the current state of gdm.
See attached report from the troubleshooter browser.
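An added example, not code from this bug report or from gdm or selinux-policy: a small Python parser for the raw AVC audit messages quoted above that derives the audit2allow-style rule each denial would need and flags the pattern the thread diagnosed (a shell sourced under xdm_t executing /bin/rpm from /etc/profile.d). The sample lines are constructed from the messages quoted in the bug; the classification names are assumptions.

```python
import re

# Constructed sample input: the two raw audit messages quoted in this bug.
SAMPLE_AVCS = [
    "avc: denied { execute } for comm=gdm dev=sda6 exe=/bin/bash exit=-13 "
    "name=rpm pid=2745 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 "
    "tclass=file tcontext=system_u:object_r:rpm_exec_t:s0 tty=(none) uid=0",
    "avc: denied { getattr } for comm=gdm-simple-gree dev=inotifyfs "
    "exe=/usr/libexec/gdm-simple-greeter exit=0 path=inotify pid=3527 "
    "scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dir "
    "tcontext=system_u:object_r:inotifyfs_t:s0 uid=42",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")
SHELLS = {"sh", "bash", "csh", "tcsh", "zsh"}

def parse_avc(line):
    """Split one AVC denial into permissions, source/target types, class
    and the key=value fields. Returns None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group(2)))
    # A context is user:role:type[:mls range]; the type is the third field.
    return {"perms": m.group(1).split(),
            "stype": fields["scontext"].split(":")[2],
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "exe": fields.get("exe", ""), "comm": fields.get("comm", "")}

def allow_rule(rec):
    """The raw rule audit2allow would emit for this denial."""
    return "allow %s %s:%s { %s };" % (
        rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))

def classify(rec):
    """What the thread found: comm=gdm but exe=/bin/bash denied execute on
    an *_exec_t target is a sourced /etc/profile.d script calling /bin/rpm,
    fixed in the script or the file label rather than with an allow rule."""
    shell = rec["exe"].rsplit("/", 1)[-1] in SHELLS
    if shell and rec["ttype"].endswith("_exec_t") and "execute" in rec["perms"]:
        return "shell-sourced-exec"
    if rec["perms"] == ["getattr"]:
        return "metadata-probe"
    return "review"

def report(lines):
    # (classification, allow rule) per AVC line; non-AVC lines are skipped.
    return [(classify(r), allow_rule(r)) for r in map(parse_avc, lines) if r]
```

The generated `allow` line is the blanket rule audit2allow would produce; for the execute denial the thread's maintainers preferred fixing the label on /usr/sbin/gdm and /etc/X11/prefdm instead, which is what the "shell-sourced-exec" tag is meant to prompt.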
The error is no longer being logged as of selinux-policy-3.2.5-3.fc9. Leaving the bug ticket since it is no longer causing problems on my system.