Bug 480847

Summary: SELinux is preventing polkit-read-aut (polkit_auth_t) "write" to /var/log/gdm/:1-greeter.log (xserver_log_t).
Product: Fedora
Reporter: Matěj Cepl <mcepl>
Component: gdm
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 10
CC: acme, drago01, dwalsh, faithinfamilies, jbastian, jmccann, john.mellor, mcepl, mstuff, rstrode, silver_fox786, vikigoyal
Target Milestone: ---
Keywords: SELinux
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-08-23 17:07:16 UTC
Attachments:
- Here's another selinux_alert fyi (attachment 330841, comment 5)
- selinux_is_preventing_polkit-read-aut (polkit_auth_t) "gettattr" fs_t.txt (attachment 355968, comment 15)

Description Matěj Cepl 2009-01-20 21:12:14 UTC
SELinux is preventing polkit-read-aut (polkit_auth_t) "write" to
/var/log/gdm/:1-greeter.log (xserver_log_t).

Detailed Description:

SELinux denied access requested by polkit-read-aut. It is not expected that this
access is required by polkit-read-aut and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/log/gdm/:1-greeter.log,

restorecon -v '/var/log/gdm/:1-greeter.log'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:polkit_auth_t:SystemLow-
                              SystemHigh
Target Context                system_u:object_r:xserver_log_t
Target Objects                /var/log/gdm/:1-greeter.log [ file ]
Source                        polkit-read-aut
Source Path                   /usr/libexec/polkit-read-auth-helper
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           PolicyKit-0.9-4.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-39.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     viklef.ceplovi.cz
Platform                      Linux viklef.ceplovi.cz 2.6.27.10-168.fc10.i686 #1
                              SMP Wed Jan 7 18:33:32 EST 2009 i686 i686
Alert Count                   5
First Seen                    Mon Jan 19 18:23:41 2009
Last Seen                     Mon Jan 19 18:24:07 2009
Local ID                      b330152c-e02f-40f6-bd55-0fdfd1093d14
Line Numbers                  927, 928, 929, 930, 940, 941, 942, 943, 1040, 1041

Raw Audit Messages            

type=AVC msg=audit(1232385847.306:3365): avc:  denied  { write } for  pid=5535 comm="polkit-read-aut" path="/var/log/gdm/:1-greeter.log" dev=dm-0 ino=1306922 scontext=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file

type=SYSCALL msg=audit(1232385847.306:3365): arch=40000003 syscall=11 success=yes exit=0 a0=5217fb4 a1=bf9160e0 a2=bf916afc a3=bf9160e0 items=0 ppid=5406 pid=5535 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper" subj=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 key=(null)

==========================

Summary:

SELinux is preventing polkit-read-aut (polkit_auth_t) "write" to
/var/log/gdm/:0-greeter.log (xserver_log_t).

Detailed Description:

SELinux denied access requested by polkit-read-aut. It is not expected that this
access is required by polkit-read-aut and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/log/gdm/:0-greeter.log,

restorecon -v '/var/log/gdm/:0-greeter.log'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:polkit_auth_t:SystemLow-
                              SystemHigh
Target Context                system_u:object_r:xserver_log_t
Target Objects                /var/log/gdm/:0-greeter.log [ file ]
Source                        polkit-read-aut
Source Path                   /usr/libexec/polkit-read-auth-helper
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           PolicyKit-0.9-4.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-39.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     viklef.ceplovi.cz
Platform                      Linux viklef.ceplovi.cz 2.6.27.10-168.fc10.i686 #1
                              SMP Wed Jan 7 18:33:32 EST 2009 i686 i686
Alert Count                   5
First Seen                    Mon Jan 19 23:38:33 2009
Last Seen                     Mon Jan 19 23:38:41 2009
Local ID                      893e7a70-3438-4b61-9bb6-c5d533d80619
Line Numbers                  6187, 6188, 6189, 6190, 6191, 6192, 6193, 6194,
                              6195, 6196

Raw Audit Messages            

type=AVC msg=audit(1232404721.753:10): avc:  denied  { write } for  pid=2914 comm="polkit-read-aut" path="/var/log/gdm/:0-greeter.log" dev=dm-0 ino=1306908 scontext=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file

type=SYSCALL msg=audit(1232404721.753:10): arch=40000003 syscall=11 success=yes exit=0 a0=5217fb4 a1=bfccc480 a2=bfccce9c a3=bfccc480 items=0 ppid=2863 pid=2914 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper" subj=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 key=(null)

=========================

From #desktop:

(21:17:59) mcepl: Jan 19 07:56:31 viklef setroubleshoot: SELinux is preventing polkit-read-aut (polkit_auth_t) "write" to /var/log/gdm/:0-greeter.log (xserver_log_t).
(21:18:27) halfline: ah
(21:18:47) halfline: i wonder why policykit is trying to read :0-greeter.log
(21:18:52) halfline: err write to !
(21:19:16) halfline: oh
(21:19:34) halfline: actually makes sense
(21:19:57) halfline: :0-greeter.log should be xserver_log_t
(21:20:08) mcepl: yes, it is (see the message)
(21:20:30) halfline: *shouldn't
(21:20:34) halfline: it's not an xserver log
(21:20:36) mcepl: oh
(21:20:42) halfline: it's the greeter session stdout
(21:20:44) mcepl: no, /var/log/messages
(21:20:55) mcepl: oh I see
(21:21:53) halfline: should probably be a new xdm_var_log_t or some such
(21:22:04) halfline: worth filing if you haven't already

Comment 1 Daniel Walsh 2009-01-21 14:06:08 UTC
Is this a leaked file descriptor or are you setting stdout of polkit-read-auth to /var/log/gdm/:0-greeter.log?

Comment 2 Matěj Cepl 2009-01-21 15:54:52 UTC
(In reply to comment #1)
> Is this a leaked file descriptor or are you setting stdout of polkit-read-auth
> to /var/log/gdm/:0-greeter.log?

Halfline thought that it might be just a wrong label for the file (should be xdm_var_log_t instead of xserver_log_t).

Comment 3 Daniel Walsh 2009-01-21 19:39:15 UTC
There is no xdm_var_log_t.

This is the correct label.

Or I can add a new one, but the question is whether this is intentional that we want to grab the output from polkit-read-auth, or is it a leak.

Comment 4 Ray Strode [halfline] 2009-01-21 22:01:55 UTC
Right, I wasn't saying there was an xdm_var_log_t; I was saying there should be one:

"(21:21:53) halfline: should probably be a new xdm_var_log_t or some such"

See the irc conversation Matej pasted.

:0-greeter.log is akin to ~/.xsession-errors but for the gdm user.  It's where all programs in the greeter session (including things that use policykit) output their debug spew.

Comment 5 morgan read 2009-02-04 09:16:11 UTC
Created attachment 330841 [details]
Here's another selinux_alert fyi

Comment 6 morgan read 2009-02-04 09:17:23 UTC
Summary for above attachment:
SELinux is preventing polkit-read-aut (polkit_auth_t) "write" to
/var/log/gdm/:0-greeter.log (xserver_log_t).

Comment 7 Daniel Walsh 2009-02-04 14:57:07 UTC
Ray and I have talked about making this append and relabeling /var/log/gdm to xdm_log_t.

Then we can allow the confined domains to append to the log, rather than write.

write allows you to truncate the log files.

But for F10 this app should be able to write xserver_log_t.

In F11 it will append to xdm_log_t.

Miroslav and you fix this?
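
As an added example (not code from this bug report, from gdm, or from the selinux-policy project), here is a small Python parser for the `type=AVC` records quoted in the description above, together with a check that implements the point made in this comment: a `write` denial on a file under /var/log is worth separating from `append`, because `write` also lets the domain truncate the log, while `append` only lets it add to the end. The sample input is constructed from the two AVC lines on this page plus one SYSCALL line (which the parser must skip) and one made-up `{ append }` record labelled `xdm_log_t` to show the contrast; that record, the `xdm_log_t` label on it, and the helper names (`truncation_capable_log_writes`, `narrower_rule`) are assumptions, not anything the bug's fix actually shipped.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the two AVC records quoted in this bug, one of the
# SYSCALL records that accompanies them (the parser must skip it), and one
# made-up { append } record against xdm_log_t to show the contrast.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1232385847.306:3365): avc:  denied  { write } for  pid=5535 comm="polkit-read-aut" path="/var/log/gdm/:1-greeter.log" dev=dm-0 ino=1306922 scontext=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file
type=SYSCALL msg=audit(1232385847.306:3365): arch=40000003 syscall=11 success=yes exit=0 a0=5217fb4 a1=bf9160e0 a2=bf916afc a3=bf9160e0 items=0 ppid=5406 pid=5535 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper" subj=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1232404721.753:10): avc:  denied  { write } for  pid=2914 comm="polkit-read-aut" path="/var/log/gdm/:0-greeter.log" dev=dm-0 ino=1306908 scontext=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file
type=AVC msg=audit(1232404800.000:11): avc:  denied  { append } for  pid=2950 comm="polkit-read-aut" path="/var/log/gdm/:0-greeter.log" dev=dm-0 ino=1306908 scontext=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_log_t:s0 tclass=file
"""

# Header of an AVC record: timestamp:serial, denied/granted, the { perm ... } set,
# then the key=value tail.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# key=value pairs; quoted values may contain spaces and ':' characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str          # "denied" or "granted"
    perms: tuple         # e.g. ("write",)
    fields: dict         # pid, comm, path, scontext, tcontext, tclass, ...

    @property
    def source_type(self) -> str:
        # user:role:type[:range] -> type
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one audit line; return None for anything that is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(float(m.group("ts")), int(m.group("serial")),
                     m.group("result"), tuple(m.group("perms").split()), fields)


def parse_audit_log(text: str) -> list:
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]


def summarize(records) -> dict:
    """Count denials per (source type, target type, class, perms): the tuple a
    policy writer looks at before deciding what, if anything, to allow."""
    counts = {}
    for r in records:
        if r.result != "denied":
            continue
        key = (r.source_type, r.target_type, r.fields["tclass"], r.perms)
        counts[key] = counts.get(key, 0) + 1
    return counts


def truncation_capable_log_writes(records) -> list:
    """Denials where a domain asked for 'write' on a file under /var/log.
    'write' on a file also permits truncating it (emptying the log); if the
    process only ever appends, granting 'append' is the narrower fix."""
    out = []
    for r in records:
        if r.result != "denied" or r.fields.get("tclass") != "file":
            continue
        if not r.fields.get("path", "").startswith("/var/log/") or "write" not in r.perms:
            continue
        out.append((r.source_type, r.target_type, r.fields["path"]))
    return out


def narrower_rule(source_type: str, target_type: str) -> str:
    """Illustrative allow rule granting append instead of write (hypothetical
    helper; a real policy module would be built with audit2allow/checkmodule)."""
    return f"allow {source_type} {target_type}:file append;"


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for key, n in summarize(recs).items():
        print(n, key)
    for s, t, path in truncation_capable_log_writes(recs):
        print(f"{path}: {s} -> {t} asked for write; consider: {narrower_rule(s, t)}")
```

Run against the page's own records, the summary collapses both alerts into one `(polkit_auth_t, xserver_log_t, file, write)` entry with a count of 2, which is the shape of the decision this comment describes: for F10 allow the write, for F11 relabel the directory and grant only append. The `narrower_rule` output is only a reminder of that choice; the actual policy change belongs in selinux-policy, not in a locally generated module.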

Comment 8 Miroslav Grepl 2009-02-06 16:50:23 UTC
Fixed in selinux-policy-3.5.13-44.fc10

Comment 9 John Mellor 2009-02-08 19:35:05 UTC
This looks like the same bug as 484564

Comment 10 John Mellor 2009-02-08 19:41:09 UTC
Can we get this rolled over into fedora-updates-testing, so that we can actually get this fixed version?

Comment 11 Miroslav Grepl 2009-02-09 09:50:48 UTC
*** Bug 484564 has been marked as a duplicate of this bug. ***

Comment 12 Miroslav Grepl 2009-02-09 09:54:02 UTC
*** Bug 484451 has been marked as a duplicate of this bug. ***

Comment 13 Miroslav Grepl 2009-02-09 10:03:03 UTC
It was pushed on Friday last week. I tested it today and it works fine.

# yum install --enablerepo=updates-testing selinux-policy-targeted

Comment 14 Miroslav Grepl 2009-02-13 10:13:22 UTC
*** Bug 485326 has been marked as a duplicate of this bug. ***

Comment 15 faith 2009-08-03 08:19:11 UTC
Created attachment 355968 [details]
selinux_is_preventing_polkit-read-aut (polkit_auth_t) "gettattr" fs_t.txt

Mine looks slightly different; should I worry about this?  Linux newbie: so far I've only used Firefox & T-bird but will be doing other work incl web dev and adjusting network access, documents.  **Haven't been able to print since upgrade from F10 to F11**

Comment 16 faith 2009-08-03 08:25:57 UTC
add'l notes:  was having all kinds of problems, think before F11 upgrade, like constant dropped connection, couldn't read or save text anywhere but text editor, 30 min boot - now just have to login twice and about 10 min boot but lost printing after F11 upgrade.  newbie not sure if has anything to do w/this. many more SELinux alerts since F11 but will check/file rpts separately. thanks

Comment 17 Daniel Walsh 2009-08-04 10:14:21 UTC
Faith, please send me email, and I will work with you on fixing your problem.

dwalsh

Comment 18 faith 2009-08-23 14:03:00 UTC
I sent the email, but I don't know that anything ever got fixed.  Remember, my error was slightly different (see above comment from me) than the original error filed in this bug report.  Please advise how I can tell if my problem has been fixed.  Last time my SELinux reported this error was on 8/17.  Computer is used daily.  Thanks

Comment 19 Daniel Walsh 2009-08-23 17:07:16 UTC
Sounds good, Faith.   You are probably all set.  Reopen the bug if you see any more problems.