Bug 500525

Summary: gdm denials on livecd boot
Product: Fedora
Component: LiveCD - Xfce
Reporter: Kevin Fenzi <kevin>
Assignee: Kevin Fenzi <kevin>
Status: CLOSED RAWHIDE
Severity: medium
Priority: low
Version: rawhide
CC: davidz, dcantrell, dwalsh, jkubin, katzj, mgrepl
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-06-06 05:50:56 UTC

Description Kevin Fenzi 2009-05-13 04:46:31 UTC
Xfce i686 live media as of today (2009-05-12) has some gdm denials on boot: 

type=AVC msg=audit(1242203547.059:24642): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203551.058:24643): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203555.059:24644): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203559.059:24645): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203563.059:24646): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203567.058:24647): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203571.058:24648): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203575.059:24649): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203579.059:24650): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203583.058:24651): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203587.059:24652): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203591.058:24653): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203595.058:24654): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203599.058:24655): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203603.060:24656): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203603.952:24662): avc:  denied  { read write } for  pid=1983 comm="gdm-session-wor" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203603.952:24663): avc:  denied  { write } for  pid=1983 comm="gdm-session-wor" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203603.952:24664): avc:  denied  { write } for  pid=1983 comm="gdm-session-wor" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203603.953:24665): avc:  denied  { write } for  pid=1983 comm="gdm-session-wor" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir

Comment 1 Daniel Walsh 2009-05-13 14:00:31 UTC
The liveuser directory is mislabeled.  It should not be home_root_t; it should be user_home_dir_t?

Comment 2 Jeremy Katz 2009-05-13 15:45:22 UTC
The x86 desktop image I built yesterday has things labeled fine.  I'll kick off an XFCE one while I'm gone to lunch, but there shouldn't be anything different.

Have a log of the image build?  Any errors during boot (especially during the live initscript)?

Comment 3 Kevin Fenzi 2009-05-13 16:14:59 UTC
yeah, I do have a log. Nothing leaps out there.

We do a: 

chown -R liveuser:liveuser /home/liveuser

at the end of the livesys, because we add some files (which get owned by root by default). 
Perhaps that's resetting the context?

Comment 4 Jeremy Katz 2009-05-13 17:02:09 UTC
Aha, that's exactly it.  You're adding things in %post and not on boot.  So yes, you'll also need a restorecon in the %post as well if that's how you want to do things in addition to the chown.

That said, you also really probably don't _want_ to be doing that as part of %post and instead want to do it on each boot in the livesys initscript.  Otherwise, the files are on the image that gets dd'd to the user's hard drive after they install rather than just being present in the overlay.

Comment 5 Kevin Fenzi 2009-05-13 17:09:16 UTC
I'm not sure I understand. 

How can we modify the livesys initscript script except in %post?

It's created in the post in fedora-live-base.ks, you want us to add our special cases there?

Comment 6 Jeremy Katz 2009-05-13 17:25:32 UTC
You can append to it with

cat >> /etc/init.d/livesys << EOF
[do stuff here]
EOF

in your %post (much as is already done for screensaver disabling)
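As an added example (not code from this bug or from the Fedora kickstart files), this is the kind of %post fragment comments 4 and 6 describe: it appends the ownership fix to the livesys initscript together with a restorecon, so ownership and SELinux labels are reset on each live boot rather than baked into the image. The initscript path is parameterised only so the function can be exercised against a scratch copy; the real target is /etc/init.d/livesys.

```shell
#!/bin/sh
# Hypothetical helper for a live-image kickstart %post: append the per-boot
# fix to the livesys initscript. Argument 1 overrides the path for testing.
append_liveuser_fix() {
    LIVESYS="${1:-/etc/init.d/livesys}"
    # Quoted delimiter: nothing is expanded at %post time, the lines are
    # written verbatim and evaluated when livesys runs on the booted live system.
    cat >> "$LIVESYS" << 'EOF'
# Files added to /home/liveuser during the image build are root-owned and can
# carry the wrong SELinux label (home_root_t instead of user_home_dir_t), which
# produces xdm_t denials from gdm. Fix ownership, then let policy relabel.
chown -R liveuser:liveuser /home/liveuser
restorecon -R /home/liveuser
EOF
}

# Returns 0 when the given file carries both the chown and the restorecon line;
# a chown alone leaves the mislabel in place.
has_liveuser_fix() {
    grep -q 'chown -R liveuser:liveuser /home/liveuser' "$1" &&
    grep -q 'restorecon -R /home/liveuser' "$1"
}
```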

Comment 7 Rahul Sundaram 2009-05-13 17:47:52 UTC
Kevin, please ask whoever is responsible for bugzilla administration to reassign yourself instead of me as the owner of fedora xfce live component in bugzilla.  Thanks.

Comment 8 Kevin Fenzi 2009-05-13 20:19:49 UTC
ok. I did the one-liner fix for F11 here, and we will do the more proper fix for f12. 

Rahul: will do.

Comment 9 Kevin Fenzi 2009-06-06 05:50:56 UTC
This was fixed for f11.