Bug 468976

Summary: Unable to login to guest account
Product: Fedora
Component: xguest
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: high
Reporter: James Morris <jmorris>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: david, dwalsh, mgrepl, sgrubb
Doc Type: Bug Fix
Last Closed: 2008-11-03 19:34:23 UTC

Description James Morris 2008-10-29 10:29:26 UTC
Description of problem:

I'm unable to log in to the guest account with current rawhide.  I'm trying to document xguest for a talk in Malaysia next week, where I also plan to demo it.

See AVC below.

Version-Release number of selected component (if applicable):
xguest-1.0.6-7.fc9.noarch
selinux-policy-3.3.1-99.fc9.noarch


How reproducible:

Always.

Steps to Reproduce:
1. Attempt to log in as Guest.

Actual results:

Doesn't work.

Expected results:

Works.

Additional info:

type=AVC msg=audit(1225275841.827:93): avc:  denied  { read write } for  pid=4602 comm="dbus-daemon" path="socket:[43294]" dev=sockfs ino=43294 scontext=xguest_u:xguest_r:xguest_dbusd_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket

Comment 1 James Morris 2008-10-29 22:58:56 UTC
I used audit2allow to fix the AVC, but it's still not working.

syslog:

Oct 30 09:55:06 macbook gconfd (gdm-3004): Exiting
Oct 30 09:55:06 macbook gdm-simple-greeter[3001]: WARNING: Failed to send buffer
Oct 30 09:55:06 macbook gdm-simple-greeter[3001]: WARNING: Failed to send buffer
Oct 30 09:55:06 macbook gdm-simple-greeter[3001]: WARNING: Failed to send buffer
Oct 30 09:55:06 macbook gdm-simple-greeter[3001]: WARNING: Failed to send buffer
Oct 30 09:55:06 macbook gdm-simple-greeter[3001]: WARNING: Failed to send buffer
...
Oct 30 09:55:06 macbook kernel: Not cloning cgroup for unused subsystem ns
Oct 30 09:55:07 macbook gconfd (xguest-3167): starting (version 2.22.0), pid 3167 user 'xguest'
Oct 30 09:55:07 macbook gconfd (xguest-3167): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Oct 30 09:55:07 macbook gconfd (xguest-3167): Resolved address "xml:readwrite:/home/xguest/.gconf" to a writable configuration source at position 1
Oct 30 09:55:07 macbook gconfd (xguest-3167): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Oct 30 09:55:07 macbook ssh-agent[3185]: error: setrlimit RLIMIT_CORE: Permission denied

audit log:

type=USER_AUTH msg=audit(1225321107.764:43): user pid=3302 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="xguest" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_ACCT msg=audit(1225321107.769:44): user pid=3302 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="xguest" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=CRED_ACQ msg=audit(1225321107.803:45): user pid=3302 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="xguest" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=LOGIN msg=audit(1225321107.835:46): login pid=3302 uid=0 old auid=4294967295 new auid=501 old ses=4294967295 new ses=5
type=USER_ROLE_CHANGE msg=audit(1225321107.844:47): user pid=3302 uid=0 auid=501 ses=5 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='pam: default-context=xguest_u:xguest_r:xguest_t:s0 selected-context=xguest_u:xguest_r:xguest_t:s0: exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=? res=success)'
type=USER_START msg=audit(1225321108.408:48): user pid=3302 uid=0 auid=501 ses=5 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="xguest" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_LOGIN msg=audit(1225321108.409:49): user pid=3302 uid=0 auid=501 ses=5 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=501: exe="/usr/libexec/gdm-session-worker" (hostname=, addr=?, terminal=/dev/tty7 res=success)'
type=CRED_DISP msg=audit(1225321108.559:50): user pid=3302 uid=0 auid=501 ses=5 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="xguest" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_END msg=audit(1225321108.567:51): user pid=3302 uid=0 auid=501 ses=5 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="xguest" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)

Comment 2 Daniel Walsh 2008-10-30 17:47:12 UTC
Strange, works for me with selinux-policy-3.5.13-11.fc10 in koji.  Does /var/log/secure show anything?

Comment 3 David Nalley 2008-11-02 03:15:38 UTC
I successfully used xguest in September - then in mid and late October I began having similar problems. 
My occurrences have been on F9. 

I don't want to hijack this bug - but I'll contribute some info to it. 

Moreover, I tried showing off xguest today on a fresh install (and freshly updated) machine. Attempting to login as xguest did the same thing. 
from /var/log/secure: 

./secure-20081005:Oct  3 15:09:28 nalleyt61 gdm-session-worker[5995]: pam_unix(gdm:session): session opened for user xguest by (uid=0)
./secure-20081005:Oct  3 15:09:28 nalleyt61 gdm-session-worker[5995]: pam_unix(gdm:session): session closed for user xguest
From /var/log/messages:
./messages-20081005:Oct  3 15:09:27 nalleyt61 gconfd (xguest-6120): starting (version 2.22.0), pid 6120 user 'xguest'
./messages-20081005:Oct  3 15:09:27 nalleyt61 gconfd (xguest-6120): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
./messages-20081005:Oct  3 15:09:27 nalleyt61 gconfd (xguest-6120): Resolved address "xml:readwrite:/home/xguest/.gconf" to a writable configuration source at position 1
./messages-20081005:Oct  3 15:09:27 nalleyt61 gconfd (xguest-6120): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
./messages-20081005:Oct  3 15:09:28 nalleyt61 setroubleshoot: SELinux is preventing dbus-daemon (xguest_dbusd_t) "read write" to socket (xguest_t). For complete SELinux messages. run sealert -l f6b0c362-dbe2-47bf-bb22-830f5e1bc89b
./messages-20081005:Oct  3 15:09:28 nalleyt61 setroubleshoot: SELinux is preventing tpb (xguest_t) "read" to nvram (nvram_device_t). For complete SELinux messages. run sealert -l 1d190bab-972a-4c8a-9422-125f169bbd82
[root@nalleyt61 log]# sealert -l 1d190bab-972a-4c8a-9422-125f169bbd82

Summary:

SELinux is preventing tpb (xguest_t) "read" to nvram (nvram_device_t).

Detailed Description:

SELinux denied access requested by tpb. It is not expected that this access is
required by tpb and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for nvram,

restorecon -v 'nvram'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                xguest_u:xguest_r:xguest_t:s0
Target Context                system_u:object_r:nvram_device_t:s0
Target Objects                nvram [ chr_file ]
Source                        tpb
Source Path                   /usr/bin/tpb
Port                          <Unknown>
Host                          nalleyt61.keymark.dom
Source RPM Packages           tpb-0.6.4-10.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-91.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     nalleyt61.keymark.dom
Platform                      Linux nalleyt61.keymark.dom 2.6.26.3-29.fc9.x86_64
                              #1 SMP Wed Sep 3 03:16:37 EDT 2008 x86_64 x86_64
Alert Count                   13
First Seen                    Tue Sep  9 15:28:31 2008
Last Seen                     Fri Oct  3 15:09:28 2008
Local ID                      1d190bab-972a-4c8a-9422-125f169bbd82
Line Numbers                  

Raw Audit Messages            

host=nalleyt61.keymark.dom type=AVC msg=audit(1223060968.101:29): avc:  denied  { read } for  pid=6141 comm="tpb" name="nvram" dev=tmpfs ino=4363 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=system_u:object_r:nvram_device_t:s0 tclass=chr_file

host=nalleyt61.keymark.dom type=SYSCALL msg=audit(1223060968.101:29): arch=c000003e syscall=2 success=no exit=-13 a0=1bc9030 a1=800 a2=0 a3=3372167a70 items=0 ppid=6123 pid=6141 auid=502 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=3 comm="tpb" exe="/usr/bin/tpb" subj=xguest_u:xguest_r:xguest_t:s0 key=(null)
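
The two things a practitioner does with the records quoted in this bug are (a) turn each AVC denial into the allow rule audit2allow would emit, so it can be judged before it is loaded, and (b) notice from the PAM audit trail that the xguest session is closed a fraction of a second after it is opened. The following script is an added example, not code from the bug, from xguest, or from the Fedora SELinux tooling; it implements both checks with nothing but the standard library. The sample log below is constructed by copying the AVC, SYSCALL and USER_* records from the description, comment 1 and comment 3 above (in a real investigation they would come from `ausearch`). The pairing of an AVC with the SYSCALL record that shares its serial number mirrors what ausearch shows as one event; the sealert plugin names and UUIDs on the page are not reproduced.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample input: audit records copied from the bug report (description,
# comment 1 and comment 3).  Real input would come from
# `ausearch -m AVC,SYSCALL,USER_START,USER_END --raw`.
SAMPLE_AUDIT_LOG = r"""
type=AVC msg=audit(1225275841.827:93): avc:  denied  { read write } for  pid=4602 comm="dbus-daemon" path="socket:[43294]" dev=sockfs ino=43294 scontext=xguest_u:xguest_r:xguest_dbusd_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
type=USER_AUTH msg=audit(1225321107.764:43): user pid=3302 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="xguest" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_START msg=audit(1225321108.408:48): user pid=3302 uid=0 auid=501 ses=5 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="xguest" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_END msg=audit(1225321108.567:51): user pid=3302 uid=0 auid=501 ses=5 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="xguest" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
host=nalleyt61.keymark.dom type=AVC msg=audit(1223060968.101:29): avc:  denied  { read } for  pid=6141 comm="tpb" name="nvram" dev=tmpfs ino=4363 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=system_u:object_r:nvram_device_t:s0 tclass=chr_file
host=nalleyt61.keymark.dom type=SYSCALL msg=audit(1223060968.101:29): arch=c000003e syscall=2 success=no exit=-13 a0=1bc9030 a1=800 a2=0 a3=3372167a70 items=0 ppid=6123 pid=6141 auid=502 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=3 comm="tpb" exe="/usr/bin/tpb" subj=xguest_u:xguest_r:xguest_t:s0 key=(null)
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
_STAMP = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")  # audit(<epoch seconds>:<serial>)
_PERMS = re.compile(r"(denied|granted)\s+\{([^}]*)\}")  # avc: denied { read write }


def parse_record(line: str) -> Dict[str, Any]:
    """Turn one audit record into a dict of its fields.

    PAM records wrap op=, acct= and res= in msg='...'; unwrapping that first
    lets the same key=value scan pick them up alongside the outer fields.
    """
    flat = line.replace("msg='", " ")
    rec: Dict[str, Any] = {}
    for key, val in _KV.findall(flat):
        val = val.strip("\"'")
        if val.endswith(")") and "(" not in val:   # res=success)' closes the PAM payload
            val = val[:-1]
        rec[key] = val
    stamp = _STAMP.search(line)
    if stamp:
        rec["ts"] = float(stamp.group(1))
        rec["serial"] = int(stamp.group(2))
    perms = _PERMS.search(line)
    if perms:
        rec["decision"] = perms.group(1)
        rec["perms"] = sorted(perms.group(2).split())
    return rec


def parse_log(text: str) -> List[Dict[str, Any]]:
    """Parse every non-empty line and attach to each AVC the exe/exit of the
    SYSCALL record that shares its serial number (one event, as ausearch shows it)."""
    records = [parse_record(l) for l in text.strip().splitlines() if l.strip()]
    syscalls = {r["serial"]: r for r in records
                if r.get("type") == "SYSCALL" and "serial" in r}
    for r in records:
        if r.get("type") == "AVC" and r.get("serial") in syscalls:
            sc = syscalls[r["serial"]]
            r["exe"], r["exit"] = sc.get("exe"), sc.get("exit")
    return records


def _type_of(context: str) -> str:
    """xguest_u:xguest_r:xguest_dbusd_t:s0 -> xguest_dbusd_t (type is the third field)."""
    return context.split(":")[2]


def allow_rules(records: List[Dict[str, Any]]) -> List[str]:
    """One allow rule per distinct AVC denial, in the form audit2allow emits.

    Emitting the rule is not the same as approving it: the dbus rule here only
    lets the guest session bus talk to the guest's own processes, whereas
    letting the guest domain read the NVRAM device is the kind of rule to
    question before loading it as a local policy module.
    """
    rules = set()
    for r in records:
        if r.get("type") == "AVC" and r.get("decision") == "denied":
            rules.add("allow %s %s:%s { %s };" % (_type_of(r["scontext"]),
                      _type_of(r["tcontext"]), r["tclass"], " ".join(r["perms"])))
    return sorted(rules)


def short_sessions(records: List[Dict[str, Any]],
                   max_seconds: float = 2.0) -> List[Tuple[str, str, float]]:
    """Return (ses, acct, seconds) for logins whose PAM session_close follows
    session_open within max_seconds: a session that died on startup."""
    opened: Dict[str, Dict[str, Any]] = {}
    found = []
    for r in records:
        if r.get("type") == "USER_START" and r.get("op") == "PAM:session_open":
            opened[r["ses"]] = r
        elif r.get("type") == "USER_END" and r.get("op") == "PAM:session_close":
            start = opened.pop(r["ses"], None)
            if start is not None and r["ts"] - start["ts"] <= max_seconds:
                found.append((r["ses"], r.get("acct", "?"), round(r["ts"] - start["ts"], 3)))
    return found


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    for rule in allow_rules(recs):
        print(rule)
    for ses, acct, secs in short_sessions(recs):
        print("session %s for %s closed %.3fs after it opened" % (ses, acct, secs))
```

On the page's records the first rule printed is exactly the one James generated with audit2allow for the dbus denial, and the session check reports session 5 for xguest closing 0.159 s after it opened, which is the "Doesn't work" of the report expressed as something a monitoring job can alert on.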

Comment 4 James Morris 2008-11-02 22:13:21 UTC
Turns out my system was only partially updated to rawhide for some reason and works ok now that it's updated.