Bug 440431

Summary: SELinux is preventing gnome-power-man (xdm_t) "execstack" to <Neznámé> (xdm_t).
Product: [Fedora] Fedora Reporter: Matěj Cepl <mcepl>
Component: gnome-power-managerAssignee: Richard Hughes <rhughes>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 9CC: dwalsh, mcepl, poelstra, rstrode
Target Milestone: ---Keywords: Reopened, SELinux
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-09-10 12:44:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matěj Cepl 2008-04-03 14:49:13 UTC 
Description of problem:

Souhrn:

SELinux is preventing gnome-power-man (xdm_t) "execstack" to <Neznámé>
(xdm_t).

Podrobný popis:

SELinux denied access requested by gnome-power-man. It is not expected that this
access is required by gnome-power-man and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                system_u:system_r:xdm_t:SystemLow-SystemHigh
Kontext cíle                 system_u:system_r:xdm_t:SystemLow-SystemHigh
Objekty cíle                 None [ process ]
Zdroj                         gnome-power-man
Cesta zdroje                  /usr/bin/gnome-power-manager
Port                          <Neznámé>
Počítač                    viklef.ceplovi.cz
RPM balíčky zdroje          gnome-power-manager-2.22.1-1.fc9
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-27.0.mc.1.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall
Název počítače            viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz
                              2.6.25-0.185.rc7.git6.fc9.i686 #1 SMP Tue Apr 1
                              13:48:40 EDT 2008 i686 i686
Počet uporoznění           1
Poprvé viděno               Čt 3. duben 2008, 07:50:26 CEST
Naposledy viděno             Čt 3. duben 2008, 07:50:26 CEST
Místní ID                   60efc6a2-07f9-4813-aefe-16ea0b64ba5f
Čísla řádků              

Původní zprávy auditu      

host=viklef.ceplovi.cz type=AVC msg=audit(1207201826.587:5): avc:  denied  {
execstack } for  pid=2775 comm="gnome-power-man"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process

host=viklef.ceplovi.cz type=SYSCALL msg=audit(1207201826.587:5): arch=40000003
syscall=125 success=no exit=-13 a0=bfdbb000 a1=1000 a2=1000007 a3=fffff000
items=0 ppid=2770 pid=2775 auid=4294967295 uid=42 gid=42 euid=42 suid=42
fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295
comm="gnome-power-man" exe="/usr/bin/gnome-power-manager"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2008-04-04 21:06:13 UTC 
Your system is heavily mislabeled, causing xdm_t to try to run java apps.

I believe we finally got your machine labeling corrected and it fixed these
problems.
Comment 2 Matěj Cepl 2008-04-05 06:17:57 UTC 
Sorry, Dan, what Java app are you talking about? gnome-power-manager is
certainly not the one and it has all the business to run even inside of gdm.
Comment 3 Matěj Cepl 2008-04-05 06:18:57 UTC 
... and note also that this has happened well after heavy relabelling and couple
of days computer working in the Enforcing mode.
Comment 4 Daniel Walsh 2008-04-06 09:46:03 UTC 
Well when you login, if you bring up a terminal what does id -Z say?

If it says xdm_t you still have a problem.

If it says unconfined_t then that is correct, and if xdm_t is still asking for
execstack on gnome-power-manager we need to bring in the gdm guys.
Comment 5 Matěj Cepl 2008-04-06 21:17:29 UTC 
[matej@viklef ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
[matej@viklef ~]$ id
uid=500(matej) gid=500(matej)
skupiny=4(adm),10(wheel),12(mail),14(uucp),51(smmsp),100(users),104(mock),106(pulse-rt),500(matej),501(src)
context=unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
[matej@viklef ~]$ sudo -i
[sudo] password for root: 
[root@viklef ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
[root@viklef ~]# id
uid=0(root) gid=0(root)
skupiny=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
[root@viklef ~]# logout
[matej@viklef ~]$
Comment 6 Daniel Walsh 2008-04-08 12:48:06 UTC 
But is this still happening after we fixed up the machine?

Ray is xdm now running gnome-power-manager?
Comment 7 Matthias Clasen 2008-04-15 14:33:38 UTC 
xdm isn't
but gdm is
Comment 8 Daniel Walsh 2008-04-15 14:44:12 UTC 
That is what I meant,  gnome-power-manager should not be requiring execstack.
Comment 9 John Poelstra 2008-04-19 20:17:05 UTC 
Is this considered a bug that needs to be fixed for F9?
Comment 10 Daniel Walsh 2008-04-20 11:08:50 UTC 
Does the powermanagement code work in enforcing mode, from gdm?
Comment 11 Matthias Clasen 2008-04-21 02:41:37 UTC 
Doesn't look like g-p-m requires execstack

[mclasen@localhost Desktop]$ execstack -q /usr/bin/gnome-power-manager 
- /usr/bin/gnome-power-manager
Comment 12 Matěj Cepl 2008-04-21 22:42:51 UTC 
(In reply to comment #10)
> Does the powermanagement code work in enforcing mode, from gdm?

It seems like working -- icon is in the notification area and makes some
reasonably wild guesses. Matthias, how to test it's working?
Comment 13 Matthias Clasen 2008-04-22 03:33:59 UTC 
Matej, use the Suspend/Hibernate menu items that you get on the icon. Do these
work ?
Comment 14 Matěj Cepl 2008-04-22 13:29:30 UTC 
(In reply to comment #13)
> Matej, use the Suspend/Hibernate menu items that you get on the icon. Do these
> work ?

Yes, that's what I use -- too lazy for pm-suspend ;-).
Comment 15 Bug Zapper 2008-05-14 08:37:18 UTC 
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 16 Richard Hughes 2008-09-10 12:44:46 UTC 
gnome-power-manager doesn't need execstack -- I think there's a corrupt file somewhere.