Bug 439897

Summary: xdm* SELinux denials -- gdm crashes with SELinux enforcing
Product: Fedora
Component: gdm
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: low
Priority: low
Keywords: SELinux
Reporter: Matěj Cepl <mcepl>
Assignee: jmccann
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: cschalle, dwalsh, mcepl, rstrode
Doc Type: Bug Fix
Last Closed: 2008-04-01 08:14:45 UTC
Attachments:
/var/log/audit/audit.log (flags: none)
output of find /tmp/ -context '*user_tmp*' (flags: none)

Description Matěj Cepl 2008-03-31 21:58:24 UTC
Description of problem:

Together with the module described in bug 439893 I had to create another SELinux
policy module for xdm* stuff:

module myxdm 1.0;

require {
        type user_tmp_t;
        type xdm_t;
        type rpm_var_lib_t;
        class dir { write rmdir read remove_name create add_name };
        class file { write getattr link read lock create };
}

#============= xdm_t ==============
allow xdm_t rpm_var_lib_t:file { read lock getattr };
allow xdm_t user_tmp_t:dir { write rmdir read remove_name create add_name };
allow xdm_t user_tmp_t:file { write getattr link read lock create };


Version-Release number of selected component (if applicable):
hal-0.5.11-0.2.rc2.fc9.i386
hal-docs-0.5.11-0.2.rc2.fc9.i386
selinux-policy-targeted-3.3.1-26.fc9.noarch
hal-devel-0.5.11-0.2.rc2.fc9.i386
xorg-x11-server-utils-7.3-3.fc9.i386
xorg-x11-server-debuginfo-1.4.99.901-13.20080314.fc9.i386
gdm-2.21.10-0.2008.03.26.3.fc9.i386
hal-info-20080317-2.fc9.noarch
xorg-x11-server-Xorg-1.4.99.901-13.20080314.fc9.i386
hal-debuginfo-0.5.11-0.2.rc2.fc9.i386
hal-libs-0.5.11-0.2.rc2.fc9.i386
xorg-x11-server-utils-debuginfo-7.3-3.fc9.i386
xorg-x11-server-common-1.4.99.901-13.20080314.fc9.i386


How reproducible:
100%

Steps to Reproduce:
1. login via gdm with SELinux in the Enforcing mode

Actual results:
crash

Expected results:
being logged-in

Comment 1 Daniel Walsh 2008-04-01 05:33:54 UTC
What files is xdm creating in /tmp that are labeled for a user_tmp?  Why would
xdm ever need to use the rpm library?

I think we need the audit.log for these.

Comment 2 Matěj Cepl 2008-04-01 08:00:22 UTC
Created attachment 299865 [details]
/var/log/audit/audit.log

I am not sure whether this is not residuum from my previous very screwed up
computer, but here is the /var/log/audit/audit.log

Comment 3 Matěj Cepl 2008-04-01 08:05:21 UTC
Created attachment 299866 [details]
output of find /tmp/ -context '*user_tmp*'

Comment 4 Daniel Walsh 2008-04-01 08:14:45 UTC
It looks to me like you logged in as gdm_t at some point in permissive mode and
this generated a lot of spurious avc messages.

I am closing the bug; if you continue to see errors, please reopen.
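As an added example (not part of this bug report, nor code from gdm or selinux-policy), the following audit2allow-style triage keeps only the denials whose source domain is the one a module is being written for, and reports records from any other source domain (such as gdm_t in comment 4) instead of folding them into xdm_t rules. The AVC records, pids and comm values are constructed; parse_avc and triage are names chosen here.

```python
import re
from collections import defaultdict

# Constructed AVC records in the audit.log layout of the time (pids, inodes
# and comm values are made up; this is not the attachment from the bug).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1206993504.120:71): avc:  denied  { read } for  pid=2311 comm="gdm-binary" name="Packages" dev=sda2 ino=1234 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1206993504.121:72): avc:  denied  { getattr lock } for  pid=2311 comm="gdm-binary" path="/var/lib/rpm/Packages" dev=sda2 ino=1234 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1206993610.004:90): avc:  denied  { write add_name } for  pid=2400 comm="gdm-session" name="tmp" dev=sda2 ino=2 scontext=system_u:system_r:gdm_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1206993610.005:91): avc:  denied  { create } for  pid=2400 comm="gdm-session" name="orbit-gdm" dev=sda2 ino=99 scontext=system_u:system_r:gdm_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
"""

AVC_PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=(\S+)')

def parse_avc(line):
    """Return (source type, target type, object class, permissions) for an
    AVC denial record, or None for any other audit line."""
    m = AVC_PERMS.search(line)
    if not m:
        return None
    fields = dict(FIELD.findall(line))
    try:
        # A context is user:role:type[:level]; only the type matters for rules.
        src = fields['scontext'].split(':')[2]
        tgt = fields['tcontext'].split(':')[2]
        cls = fields['tclass']
    except (KeyError, IndexError):
        return None
    return src, tgt, cls, set(m.group(1).split())

def triage(audit_text, domain):
    """Build allow rules only from denials whose source domain is `domain`;
    denials raised by other domains are counted per domain and returned
    separately so they get reviewed rather than folded into the module."""
    grouped = defaultdict(set)
    foreign = defaultdict(int)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, cls, perms = parsed
        if src == domain:
            grouped[(tgt, cls)] |= perms
        else:
            foreign[src] += 1
    rules = [f"allow {domain} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
             for (tgt, cls), perms in sorted(grouped.items())]
    return rules, dict(foreign)
```

Run against the real audit.log, a non-empty second return value for xdm_t is the signal that a different domain produced the denials and that the resulting rules should not be merged blindly.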