Bug 468976
Summary: | Unable to login to guest account | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | James Morris <jmorris> |
Component: | xguest | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | high | ||
Version: | rawhide | CC: | david, dwalsh, mgrepl, sgrubb |
Hardware: | All | ||
OS: | Linux | ||
Doc Type: | Bug Fix | ||
Last Closed: | 2008-11-03 19:34:23 UTC | ||
Description
James Morris
2008-10-29 10:29:26 UTC
I used audit2allow to fix the AVC, but it's still not working.

syslog:

Oct 30 09:55:06 macbook gconfd (gdm-3004): Exiting
Oct 30 09:55:06 macbook gdm-simple-greeter[3001]: WARNING: Failed to send buffer
Oct 30 09:55:06 macbook gdm-simple-greeter[3001]: WARNING: Failed to send buffer
Oct 30 09:55:06 macbook gdm-simple-greeter[3001]: WARNING: Failed to send buffer
Oct 30 09:55:06 macbook gdm-simple-greeter[3001]: WARNING: Failed to send buffer
Oct 30 09:55:06 macbook gdm-simple-greeter[3001]: WARNING: Failed to send buffer
...
Oct 30 09:55:06 macbook kernel: Not cloning cgroup for unused subsystem ns
Oct 30 09:55:07 macbook gconfd (xguest-3167): starting (version 2.22.0), pid 3167 user 'xguest'
Oct 30 09:55:07 macbook gconfd (xguest-3167): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Oct 30 09:55:07 macbook gconfd (xguest-3167): Resolved address "xml:readwrite:/home/xguest/.gconf" to a writable configuration source at position 1
Oct 30 09:55:07 macbook gconfd (xguest-3167): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Oct 30 09:55:07 macbook ssh-agent[3185]: error: setrlimit RLIMIT_CORE: Permission denied

audit log:

type=USER_AUTH msg=audit(1225321107.764:43): user pid=3302 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="xguest" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_ACCT msg=audit(1225321107.769:44): user pid=3302 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="xguest" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=CRED_ACQ msg=audit(1225321107.803:45): user pid=3302 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="xguest" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=LOGIN msg=audit(1225321107.835:46): login pid=3302 uid=0 old auid=4294967295 new auid=501 old ses=4294967295 new ses=5
type=USER_ROLE_CHANGE msg=audit(1225321107.844:47): user pid=3302 uid=0 auid=501 ses=5 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='pam: default-context=xguest_u:xguest_r:xguest_t:s0 selected-context=xguest_u:xguest_r:xguest_t:s0: exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=? res=success)'
type=USER_START msg=audit(1225321108.408:48): user pid=3302 uid=0 auid=501 ses=5 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="xguest" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_LOGIN msg=audit(1225321108.409:49): user pid=3302 uid=0 auid=501 ses=5 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=501: exe="/usr/libexec/gdm-session-worker" (hostname=, addr=?, terminal=/dev/tty7 res=success)'
type=CRED_DISP msg=audit(1225321108.559:50): user pid=3302 uid=0 auid=501 ses=5 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="xguest" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_END msg=audit(1225321108.567:51): user pid=3302 uid=0 auid=501 ses=5 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="xguest" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)

Strange, works for me with selinux-policy-3.5.13-11.fc10 in koji.

Does /var/log/secure show anything?

I successfully used xguest in September - then in mid and late October I began having similar problems. My occurrences have been on F9. I don't want to hijack this bug - but I'll contribute some info to it. Moreover, I tried showing off xguest today on a fresh install (and freshly updated) machine. Attempting to log in as xguest did the same thing.

from /var/log/secure:

./secure-20081005:Oct 3 15:09:28 nalleyt61 gdm-session-worker[5995]: pam_unix(gdm:session): session opened for user xguest by (uid=0)
./secure-20081005:Oct 3 15:09:28 nalleyt61 gdm-session-worker[5995]: pam_unix(gdm:session): session closed for user xguest

From /var/log/messages:

./messages-20081005:Oct 3 15:09:27 nalleyt61 gconfd (xguest-6120): starting (version 2.22.0), pid 6120 user 'xguest'
./messages-20081005:Oct 3 15:09:27 nalleyt61 gconfd (xguest-6120): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
./messages-20081005:Oct 3 15:09:27 nalleyt61 gconfd (xguest-6120): Resolved address "xml:readwrite:/home/xguest/.gconf" to a writable configuration source at position 1
./messages-20081005:Oct 3 15:09:27 nalleyt61 gconfd (xguest-6120): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
./messages-20081005:Oct 3 15:09:28 nalleyt61 setroubleshoot: SELinux is preventing dbus-daemon (xguest_dbusd_t) "read write" to socket (xguest_t). For complete SELinux messages. run sealert -l f6b0c362-dbe2-47bf-bb22-830f5e1bc89b
./messages-20081005:Oct 3 15:09:28 nalleyt61 setroubleshoot: SELinux is preventing tpb (xguest_t) "read" to nvram (nvram_device_t). For complete SELinux messages. run sealert -l 1d190bab-972a-4c8a-9422-125f169bbd82

[root@nalleyt61 log]# sealert -l 1d190bab-972a-4c8a-9422-125f169bbd82

Summary:

SELinux is preventing tpb (xguest_t) "read" to nvram (nvram_device_t).

Detailed Description:

SELinux denied access requested by tpb. It is not expected that this access is required by tpb and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for nvram,

restorecon -v 'nvram'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                xguest_u:xguest_r:xguest_t:s0
Target Context                system_u:object_r:nvram_device_t:s0
Target Objects                nvram [ chr_file ]
Source                        tpb
Source Path                   /usr/bin/tpb
Port                          <Unknown>
Host                          nalleyt61.keymark.dom
Source RPM Packages           tpb-0.6.4-10.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-91.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     nalleyt61.keymark.dom
Platform                      Linux nalleyt61.keymark.dom 2.6.26.3-29.fc9.x86_64 #1 SMP Wed Sep 3 03:16:37 EDT 2008 x86_64 x86_64
Alert Count                   13
First Seen                    Tue Sep 9 15:28:31 2008
Last Seen                     Fri Oct 3 15:09:28 2008
Local ID                      1d190bab-972a-4c8a-9422-125f169bbd82
Line Numbers

Raw Audit Messages

host=nalleyt61.keymark.dom type=AVC msg=audit(1223060968.101:29): avc: denied { read } for pid=6141 comm="tpb" name="nvram" dev=tmpfs ino=4363 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=system_u:object_r:nvram_device_t:s0 tclass=chr_file
host=nalleyt61.keymark.dom type=SYSCALL msg=audit(1223060968.101:29): arch=c000003e syscall=2 success=no exit=-13 a0=1bc9030 a1=800 a2=0 a3=3372167a70 items=0 ppid=6123 pid=6141 auid=502 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=3 comm="tpb" exe="/usr/bin/tpb" subj=xguest_u:xguest_r:xguest_t:s0 key=(null)

Turns out my system was only partially updated to rawhide for some reason and works ok now that it's updated.
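
Added example, not part of the original report or of the xguest package: a Python triage of the audit records quoted in this bug, measuring how long the PAM session stayed open and restating each AVC denial in allow-rule syntax. The function names and the one-second threshold are assumptions made for this example.

```python
import re
from collections import defaultdict
from decimal import Decimal

# Records taken from the audit output quoted in this report, with the exe=,
# hostname=, addr=, subj= and dev=/ino= fields trimmed for width. The PAM
# records come from the first reporter's host, the AVC from the second's.
AUDIT = """\
type=USER_AUTH msg=audit(1225321107.764:43): user pid=3302 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="xguest" (terminal=:0 res=success)'
type=USER_START msg=audit(1225321108.408:48): user pid=3302 uid=0 auid=501 ses=5 msg='op=PAM:session_open acct="xguest" (terminal=:0 res=success)'
type=USER_END msg=audit(1225321108.567:51): user pid=3302 uid=0 auid=501 ses=5 msg='op=PAM:session_close acct="xguest" (terminal=:0 res=success)'
type=AVC msg=audit(1223060968.101:29): avc: denied { read } for pid=6141 comm="tpb" name="nvram" scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=system_u:object_r:nvram_device_t:s0 tclass=chr_file
"""

HEAD = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):\d+\):.*?\bses=(\d+)")
AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}.*?comm="([^"]+)".*?'
                 r"scontext=(\S+) tcontext=(\S+) tclass=(\w+)")

def session_lifetimes(text):
    """Seconds between PAM session_open and session_close, keyed by ses id."""
    opened, lifetimes = {}, {}
    for rtype, stamp, ses in HEAD.findall(text):
        if rtype == "USER_START":
            opened[ses] = Decimal(stamp)
        elif rtype == "USER_END" and ses in opened:
            lifetimes[int(ses)] = Decimal(stamp) - opened.pop(ses)
    return lifetimes

def short_sessions(text, limit=Decimal("1")):
    """Sessions that closed within `limit` seconds of opening (assumed threshold)."""
    return {s: t for s, t in session_lifetimes(text).items() if t < limit}

def denials_as_rules(text):
    """Map each denial, written in allow-rule syntax, to the commands that hit it."""
    rules = defaultdict(set)
    for perms, comm, scon, tcon, tclass in AVC.findall(text):
        stype, ttype = scon.split(":")[2], tcon.split(":")[2]  # user:role:type:level
        perm_set = " ".join(sorted(perms.split()))
        rules[f"allow {stype} {ttype}:{tclass} {{ {perm_set} }};"].add(comm)
    return dict(rules)

if __name__ == "__main__":
    for ses, secs in short_sessions(AUDIT).items():
        print(f"ses={ses} closed {secs}s after session_open")
    for rule, comms in denials_as_rules(AUDIT).items():
        # The rule is what the denial would need; review it before loading it.
        print(f"{rule}  # requested by {sorted(comms)}")
```

On the quoted records the session for ses=5 closes 0.159 s after it opens, although every PAM step in the log reports res=success.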