Bug 468530

Description of problem: no gdm greeter on rawhide


Version-Release number of selected component (if applicable): 
selinux-policy-3.5.13-5.fc10.noarch

How reproducible: always


Steps to Reproduce:
1. try to boot into X
2. end up with black screen, resort to using a VT, then start X manually
3.
  
Actual results: 
as above

Expected results:
to see gdm's username/password display

Additional info:

I fixed it (temporarily) by running this:

   restorecon /var/spool/gdm/force-display-on-active-vt

SELinux is preventing gdm-binary (xdm_t) "unlink" to
./force-display-on-active-vt (var_spool_t). The SELinux type var_spool_t, is a
generic type for all files in the directory and very few processes (SELinux
Domains) are allowed to write to this SELinux type. This type of denial usual
indicates a mislabeled file. By default a file created in a directory has the
gets the context of the parent directory, but SELinux policy has rules about the
creation of directories, that say if a process running in one SELinux Domain
(D1) creates a file in a directory with a particular SELinux File Context (F1)
the file gets a different File Context (F2). The policy usually allows the
SELinux Domain (D1) the ability to write, unlink, and append on (F2). But if for
some reason a file (./force-display-on-active-vt) was created with the wrong
context, this domain will be denied. The usual solution to this problem is to
reset the file context on the target file, restorecon -v
'./force-display-on-active-vt'. If the file context does not change from
var_spool_t, then this is probably a bug in policy. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
package. If it does change, you can try your application again to see if it
works. The file context could have been mislabeled by editing the file or moving
the file from a different directory, if the file keeps getting mislabeled, check
the init scripts to see if they are doing something to mislabel the file.

Allowing Access:

You can attempt to fix file context by executing restorecon -v
'./force-display-on-active-vt'

Fix Command:

restorecon './force-display-on-active-vt'

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_spool_t:s0
Target Objects                ./force-display-on-active-vt [ file ]
Source                        gdm-binary
Source Path                   /usr/sbin/gdm-binary
Port                          <Unknown>
Host                          vv.meyering.net
Source RPM Packages           gdm-2.24.0-11.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-5.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   mislabeled_file
Host Name                     vv.meyering.net
Platform                      Linux vv.meyering.net 2.6.27.3-39.fc10.x86_64 #1
                              SMP Wed Oct 22 21:04:28 EDT 2008 x86_64 x86_64
Alert Count                   295
First Seen                    Mon 20 Oct 2008 09:28:36 AM CEST
Last Seen                     Sat 25 Oct 2008 06:07:45 PM CEST
Local ID                      c8d5ca79-7c6f-4d9e-865f-2894f611277d
Line Numbers                  

Raw Audit Messages            

node=vv.meyering.net type=AVC msg=audit(1224950865.447:64): avc:  denied  { unlink } for  pid=2840 comm="gdm-binary" name="force-display-on-active-vt" dev=sda1 ino=262311 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file

node=vv.meyering.net type=SYSCALL msg=audit(1224950865.447:64): arch=c000003e syscall=87 success=no exit=-13 a0=41bbe8 a1=0 a2=1 a3=8101010101010100 items=0 ppid=1 pid=2840 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdm-binary" exe="/usr/sbin/gdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)