Bug 455584

Summary: SELinux prevents xdm working correctly
Product: [Fedora] Fedora
Reporter: Adam Tkac <atkac>
Component: xorg-x11-xdm
Assignee: X/OpenGL Maintenance List <xgl-maint>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 9
CC: jkubin, mcepl, ovasik, pertusus
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2008-07-17 12:03:43 UTC
Attachments: AVC denials (flags: none)

Description Adam Tkac 2008-07-16 13:10:24 UTC
Description of problem:
I decided to start using SELinux on my laptop but it prevents execution of my
favourite desktop.

Version-Release number of selected component (if applicable):
# rpm -qa |grep selinux-policy
selinux-policy-3.3.1-78.fc9.noarch
selinux-policy-targeted-3.3.1-78.fc9.noarch

How reproducible:
always

Steps to Reproduce:
# cat /etc/sysconfig/desktop 
DISPLAYMANAGER=XDM
PREFERRED=/usr/bin/startfluxbox

and then try to log into your desktop
  
Actual results:
fails due to missing TE rules

Expected results:
successful login

Additional info:
I will attach a commented file with AVC denials

Comment 1 Adam Tkac 2008-07-16 13:22:53 UTC
Created attachment 311949
AVC denials

Comment 2 Daniel Walsh 2008-07-16 13:48:20 UTC
/etc/X11/xdm/authdir/authfiles directory should be writable (file "A:0-EQRIz0"
is created in this case)

I have no idea what these files are, none of these files/directories exist when
I install fluxbox?  They are in a horrible location.  Variable files should be
in /var/run/fluxbox?  /var/lib/fluxbox?

If this is authorization data, you could choose:

/var/lib/abl(/.*)?	system_u:object_r:var_auth_t:s0
/var/run/xauth(/.*)?	system_u:object_r:xdm_var_run_t:s0
/var/lib/pam_ssh(/.*)?	system_u:object_r:var_auth_t:s0
/var/run/pam_ssh(/.*)?	system_u:object_r:var_auth_t:s0
/var/run/saslauthd(/.*)?	system_u:object_r:saslauthd_var_run_t:s0
/var/cache/coolkey(/.*)?	system_u:object_r:auth_cache_t:s0

Or create a new one.

/var/log/[kw]dm\.log.*	--	system_u:object_r:xserver_log_t:s0
/var/log/gdm(/.*)?	system_u:object_r:xserver_log_t:s0
/var/log/Xorg.*	--	system_u:object_r:xserver_log_t:s0
/var/log/XFree86.*	--	system_u:object_r:xserver_log_t:s0
/var/log/nvidia-installer\.log.*	--	system_u:object_r:xserver_log_t:s0

xserver log should match one of these I would think?  /var/log/Xorg.0.log seems
to be the way gdm does it.

What pam module does fluxbox use?  Does it include pam_selinux?
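
Added example (not part of the bug report or of any project's code): a small matcher that applies some of the file-context entries quoted in comment 2 to sample paths, to show which locations those entries would label. It assumes a simplified "last matching entry wins" rule in place of libselinux's full ordering, and every sample path except /var/log/Xorg.0.log is constructed for illustration.

```python
import re

# Entries copied from comment 2: pattern, optional file-type flag, context.
FILE_CONTEXTS = r"""
/var/run/xauth(/.*)?     system_u:object_r:xdm_var_run_t:s0
/var/log/[kw]dm\.log.*   --  system_u:object_r:xserver_log_t:s0
/var/log/gdm(/.*)?       system_u:object_r:xserver_log_t:s0
/var/log/Xorg.*          --  system_u:object_r:xserver_log_t:s0
/var/log/XFree86.*       --  system_u:object_r:xserver_log_t:s0
"""

def parse(text):
    """Parse file_contexts lines into (regex, file_type_or_None, context)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            pattern, ftype, context = fields
        else:
            (pattern, context), ftype = fields, None  # no flag: any file type
        entries.append((re.compile(pattern), ftype, context))
    return entries

def lookup(entries, path, ftype="--"):
    """Return the context the listed entries give `path`, or None.

    ftype is "--" for a regular file and "-d" for a directory. Patterns are
    anchored at both ends, as file_contexts patterns are. Assumption: the
    last matching entry wins (simplified ordering).
    """
    result = None
    for regex, want, context in entries:
        if want is not None and want != ftype:
            continue
        if regex.fullmatch(path):
            result = context
    return result

if __name__ == "__main__":
    entries = parse(FILE_CONTEXTS)
    samples = [  # constructed sample paths, except Xorg.0.log (from comment 2)
        ("/var/log/Xorg.0.log", "--"), ("/var/log/kdm.log", "--"),
        ("/var/log/xdm.log", "--"), ("/var/log/gdm", "-d"),
        ("/var/run/xauth/A:0-EQRIz0", "--"),
        ("/etc/X11/xdm/authdir/authfiles/A:0-EQRIz0", "--"),
    ]
    for path, ftype in samples:
        # None only means "none of the entries listed here match"; a real
        # policy has broader fallback entries that would still label the path.
        print(f"{path:45} {ftype}  {lookup(entries, path, ftype)}")
```

A path named xdm.log is not covered by the `[kw]dm\.log.*` pattern, while an authorization file placed under /var/run/xauth picks up xdm_var_run_t without any new entry.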


Comment 3 Adam Tkac 2008-07-17 11:52:55 UTC
Moving to proper component

Comment 4 Matěj Cepl 2008-07-17 12:03:43 UTC

*** This bug has been marked as a duplicate of 388431 ***