Bug 422891

Summary: SELinux is preventing Xorg (xdm_xserver_t) "sys_ptrace" to (xdm_xserver_t).
Product: [Fedora] Fedora
Reporter: Jim Cornette <jim.cornette>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: rawhide
CC: tcallawa
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-12-22 04:49:59 UTC
Attachments:
- Forgot the attachment for error output. (Flags: none)
- SELinux Alert (Flags: none)

Description Jim Cornette 2007-12-13 04:43:05 UTC
Description of problem:
X will not start in enforcing mode. gnome-settings-daemon crashes even in permissive.

Version-Release number of selected component (if applicable):
control-center-2.21.2-2.fc9
selinux-policy-3.2.3-1.fc9
xorg-x11-server-Xorg - 1.4.99.1-0.13.fc9.i386


How reproducible:


Steps to Reproduce:
1. boot with enforcing=0
2. load gnome
3. notice gnome-settings-daemon crashed due to SELinux permissions.
  
Actual results:
Error message in popup for g-s-daemon

Expected results:
Normal functioning in enforcing.

Additional info:
I had to start the troubleshooter browser with the -S option. The -b option did
not load the browser.

Comment 1 Jim Cornette 2007-12-13 04:44:31 UTC
Created attachment 286561 [details]
Forgot the attachment for error output.

Comment 2 Daniel Walsh 2007-12-13 16:13:16 UTC
Fixed in selinux-policy-3.2.3-2

Comment 3 Tom "spot" Callaway 2007-12-15 18:50:45 UTC
selinux-policy-3.2.3-2.fc9 doesn't fix this, even with a filesystem relabel.

Comment 4 Tom "spot" Callaway 2007-12-15 18:53:57 UTC
Created attachment 289702 [details]
SELinux Alert

Comment 5 Daniel Walsh 2007-12-17 22:37:55 UTC
This avc is being generated due to a leaked file descriptor in gdm.  It has
already been reported and should not affect the login process.

Comment 6 Jim Cornette 2007-12-18 04:50:46 UTC
It still fails in enforcing from spawning. I still see the original error. What
action can be taken to fix the leaked file descriptor?

Comment 7 Daniel Walsh 2007-12-18 14:41:09 UTC
Are you saying that you still can log in, in enforcing mode?  This is probably
fixed in selinux-policy-3.2.4-3.fc9

The gdm avc needs to be fixed in GDM.  There is an open bug report.

Comment 8 Jim Cornette 2007-12-18 22:37:04 UTC
No, I have to be in permissive. GDM fails to spawn in enforcing.
I'll wait for the fix for the gdm problem. Thanks!

Comment 9 Daniel Walsh 2007-12-19 17:07:42 UTC
When you login what context are you getting?  

Updated policy has changed the default user to unconfined_u

You can do this on your machine by executing

# semanage login -m -s unconfined_u __default__
# semanage login -m -s unconfined_u root



Comment 10 Jim Cornette 2007-12-20 04:39:36 UTC
Running those two commands did not make a difference for me. Currently SELinux
is even preventing me from logging in, performing commands like setenforce
without getting a setenforce () or something similar.
I relabeled the system, ran the commands followed by a reboot. No help. 

Comment 11 Daniel Walsh 2007-12-20 21:28:52 UTC
Ok this is the hal breakage.

Hal is reading a file that Policy Kit places in a bad directory.  A patch has
been sent to the hal/policykit maintainer to fix the location.  And as of
tonight selinux-policy-3.2.5-3.fc9 will allow hal to read from the bad
location.  Hopefully PolicyKit will fix the bug soon, so I can revert the policy.

Fixed for now in selinux-policy-3.2.5-3.fc9

Yo

Comment 12 Jim Cornette 2007-12-22 04:49:59 UTC
selinux-policy-3.2.5-3.fc9 does patch the problem. Closing bug report and
waiting for real fix in hal.